s4:scripting: Generate HRESULT definitions as part of the build process

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

s4:scripting: Ensure generated error definition files are closed after use

This helps to avoid warnings like this one:

/data/samba/source4/scripting/bin/gen_hresult.py:178: ResourceWarning: unclosed file <_io.TextIOWrapper name='/data/samba/bin/default/libcli/util/hresult.c' mode='w' encoding='UTF-8'>
  main()
ResourceWarning: Enable tracemalloc to get the object allocation traceback

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

s4:scripting: Remove global list of errors

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

s4:scripting: Use common function to parse error descriptions

The version of parseErrorDescriptions() from gen_error_common is almost
the same as the one we’ve been using. One minor difference is that
ErrorDef.error_code is now an integer rather than a string.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

s4:scripting: Remove blank line

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

s4:scripting: Correctly report number of parsed lines

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

s4:scripting: Let error definition generation scripts tolerate empty lines

Commit beb99b80612556bc47e72a63f89fca75839d91d4 add a similar check just
for gen_hresult.py.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

s4:scripting: Initialize line number to (possibly) more appropriate value

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

s4:scripting: Initialize ‘isWinError’ in constructor

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

libcli:util: Update NTSTATUS definitions

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

libcli:util: Update HRESULT definitions

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

s4:scripting: Align integer types

Commit a41112fcc984c19d5123e4a49a5f5fd4341e811d updated the generated
code, but not the corresponding generation script.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

docs: Update idmap_ad.8 that rfc2307 is the default

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jan 12 14:51:56 UTC 2024 on atb-devel-224

python:gp: Print a nice message if cepces-submit can't be found

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15552

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jan 10 09:54:34 UTC 2024 on atb-devel-224

s3:rpc_server: Mark _lsa_CreateTrustedDomainEx as NOT_IMPLMENTED

There is no PDB backend supporting this.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jan  9 14:17:40 UTC 2024 on atb-devel-224

s3:rpc_server: Mark _lsa_CreateTrustedDomain as NOT_IMPLMENTED

There is no PDB backend which is supporting this.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

dcesrv_reply: just drop responses if the connection is already terminating

There's no reason to waste resources...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jan  9 11:26:55 UTC 2024 on atb-devel-224

dcesrv_core: add dcesrv_call_state->subreq in order to allow tevent_req_cancel() on termination

Requests might be cancelled if the connection got disconnected,
we got an ORPHANED or CO_CANCEL pdu.

But this is all opt-in for the backends to choose.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

witness.idl: add flag(NDR_PAHEX) to some hex based enums

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

witness.idl: make some types public in order to be used elsewhere

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

witness.idl: Set cifs as auth service name for the witness interface

Windows clients use the 'cifs' service name to bind to the witness interface.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

tdb: fix python/tdbdump.py example

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

examples/scripts: add smbXsrvdump

A simple python tool to dump smbXsrv TDB databases.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

smbXsrv.idl: add python bindings

This is useful for some scripting examples and debugging...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

smbstatus: let --json dump also session channels

This makes if easier to see how tcp connections belong
to a session or client_guid.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

smbstatus: let --json report the client_guid a session belongs to

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

smbXsrv_session: store session_global->client_guid

This is very useful for debugging...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:sessionid: export smbXsrv_session_global via sessionid->global

This will allow smbstatus --json to dump more details.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

lib/util: let is_zero_addr() return true for AF_UNSPEC

It means the completely zero'ed structure is detected
as zero address, as AF_UNSPEC is 0.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:smbd multichannel: improve smbXsrv_connection_dbg()

client_guid as well as local and remote address help a lot
for debugging...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:smbd multichannel: let a cross-node session binding NT_STATUS_REQUEST_NOT_ACCEPTED

This is better than NT_STATUS_USER_SESSION_DELETED, as it means the
client can keep it's session alive. Otherwise a windows client believes
the whole session is gone and all other channels are invalid.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:smbd multichannel: always allow multichannel to the ip of the queried connection

We can announce the ip of the current connection even if it's
a moveable cluster address... as the client is already connected to it.

This change means in a typical ctdb cluster, where we only have public
addresses, the client can at least have more than one multichannel'ed
connection to the public ip.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

libcli/security: remove PRIMARY_{USER,GROUP}_SID_INDEX defines from security.h

These and more are also defined in security_token.h, which is later included
from security.h anyway.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

libcli/smb: add new SMB2_SHAREFLAG_ defines in smb2_constants.h

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

smbd: move access override for previous versions to the SMB layer

Doing the previous version access checks and semantics at the SMB
layer means we can simplify the shadow_copy2 and remove the kludge.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Jan  8 16:58:26 UTC 2024 on atb-devel-224

smbd: check for previous versions in check_any_access_fsp()

Now that check_any_access_fsp() is broadly used consistently to
restrict access for all modifying operations, we can add a check for
previous versions to check_any_access_fsp() and it gets enforced
consistently.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

smbd: use check_any_access_fsp() for all access checks

Replaces the direct access to fsp->access_mask with a call to
check_any_access_fsp() which allows doing additional checks if needed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

smbd: replace CHECK_WRITE() macro with calls to check_any_access_fsp()

The additional check if fd underlying fd is valid and not -1 should not be done
at this place. I actually would prefer an write to fail with EBADF if this
happens, as it's likely easier to debug why this happened. These days we should
always have a valid fd.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

smbd: set fsp->fsp_flags.can_write to false for access to previous-versions

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

smbd: return correct error when trying to create a hardlink to a VSS file

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

smbd: fix check_any_access_fsp() for non-fsa fsps

smbd_check_access_rights_fsp() requires *all* rights in access_mask to
be granted by the underlying ACL, but the semantics of this function
is supposed to grant access if any one of the rights in
access_requested is allowed.

Fix this by looping over the requested access mask. If
smbd_check_access_rights_fsp() returns sucess, mask will be non-null
and when assigned to access_granted, the subsequent check will pass,
fail otherwise.

I'm not doing an early exit on purpose because a subsequent commit
adds additional security checks that are done in the subsequent code
path common for fsa and non-fsa fsps.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

smbd: rename check_access_fsp() to check_any_access_fsp()

The semantics of the access check in check_access_fsp() itself is to
allow access if *at least* one or more rights of the rights in
access_mask are allowed. The name check_any_access_fsp() better
reflects this.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

smbd: set fsp_flags.is_fsa to true on printer file handles

Printer file handles went through SMB_VFS_CREATE_FILE() and are network
callable, so it makes sense to set this on them.

This ensures that check_access_fsp() doesn't take the codepath calling
smbd_check_access_rights_fsp(), but just checks the request rights from
fsp->access_mask.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

smbd: return the correct error in can_rename()

This is what Windows returns for this case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

smbtorture: expand smb2.twrp.write test

Test more modifying operations are blocked and access masks are correct.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4/libcli/raw: implemement RAW_SFILEINFO_LINK_INFORMATION

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

selftest: remove error_inject from shadow_write share

Frankly, I can't remember why I added this as part of bug 13688. The
goal of the corresponding test is to verify a write on a read-only
file handle fails. As the file is opened O_RDONLY, the write will fail
anyway and there's no need to inject the error.

To make things worse, having the error injected meant we didn't notice
when the underlying logic of forcing the open to be done with O_RDONLY
was done as O_RDWR, resulting in the write on the handle to succeed.

This happened when we introduced reopen_from_fsp(): the initial
pathref open of a path with a twrp value was correctly detected and
handled by shadow_copy2_openat(). However, when converting the pathref
open to a real one via reopen_from_fsp(), shadow_copy2_openat() only
sees the magic /proc/fd path and has no way of inferring that this was
originating from a prevous version open with a twrp value.

Tl;dr: we can just remove this error injection, it is not needed, the
correct fix is to implement this in the SMB layer which is done in the
subsequent commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13688

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

selftest: let list_servers.NT1 really use NT1 protocol

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Björn Jacke <bjacke@samba.org>
Autobuild-Date(master): Fri Jan  5 01:43:51 UTC 2024 on atb-devel-224

vfs_worm: add connect function to cache parameters

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

set_process_capability: log which capability was set or failed to be set

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

vfs_ceph: use extra 'ceph_*at()' calls when available

As of libcephfs version-10.0.3 the high-level API has few more '*at()'
calls. Prefer those newer hooks over path-based when having an
appropriate directory fd (namely: ceph_mkdirat, ceph_openat,
cepth_unlinkat, ceph_symlinkat, ceph_readlinkat).

Ceph commit: https://github.com/ceph/ceph/commit/3831aa12f3067d8cc362f39f7136dd53cb946d22

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15516

Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Gunther Deschner <gd@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Jan  4 21:09:54 UTC 2024 on atb-devel-224

lib: Confine the copy_no_nl memcpy to debug_gpfs_log()

gpfswrap_add_trace() seems not to have a format string that could
understand the %.*s notation.

While there this removes >4k of r/w memory from every smbd.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jan  4 17:06:19 UTC 2024 on atb-devel-224

lib: Avoid memcpy in debug_lttng_log()

tracef() understands the %.*s format.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

lib: Avoid memcpy in debug_systemd_log()

sd_journal_send() understands the %.*s format.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

script/autobuild.py: add some --private-libraries=ALL testing

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15545

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jan  4 12:45:58 UTC 2024 on atb-devel-224

wafsamba: fix the usage of --private-extension-exception

It was completely unused...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15545

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

wscript: use opt.PRIVATE_EXTENSION_DEFAULT('private-samba')

The problem was that we used opt.PRIVATE_EXTENSION_DEFAULT('samba4') and
libndr as private will become libndr-samba4 and that already exists as
libndr-samba4 as we don't append the extension if it's already there.

So meant with --private-libraries=ALL we hit the following problem:

$ ./configure --private-libraries=ALL
$ make smbd/smbd
Waf: Leaving directory `/samba/bin/default'
Task dependency cycle in "run_after" constraints:
{task ...: cshlib dcerpc-samba4.empty.c.12.o,ndr_winbind_c.c.229.o -> libdcerpc-samba4.so}
make: *** [Makefile:131: smbd/smbd] Error 1

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15545

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

script/autobuild.py: nonshared-test works now

I guess the problem was related to wrapper libraries...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15545

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

third_party/*_wrapper: use SAMBA_LIBRARY(force_unversioned=True)

This prevents --private-libraries=ALL from creating unuseable
wrapper libraries, as they can't work with symbol versioning.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15545

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

wafsamba: introduce SAMBA_LIBRARY(force_unversioned=False)

This can be used in order to avoid a library to be
catched by --private-libraries=ALL.
It is needed for our wrapper libraries.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15545

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3:smbd multichannel: always refresh the network information

To maintain SMB Multichannel, windows client might periodically query with
FSCTL_QUERY_NETWORK_INTERFACE_INFO to get SMB server's network information,
in my case windows server 2022 would do this every 10 minutes (600 seconds).

Consider a scenario: the network information might have changed between
these queries, some become link down, new interface is link up, network
speed is changed, and etc. So far smbd might not aware of these changes and
still report out-of-date network information to windows client, until we
manually send a SIGHUP to smbd in order to trigger load_interfaces():
smbd_sig_hup_handler() > reload_services () > load_interfaces()
This might be a bit inconvenient because it is hard to decide when should
we manually send a SIGHUP to smbd for refreshing network information.

This patch adds load_interfaces() at fsctl_network_iface_info(), while smbd
received FSCTL_QUERY_NETWORK_INTERFACE_INFO would go through this and refresh
local_interfaces, then respond to client with up-to-date network information;
also refresh num_ifaces to make sure interfaces count is consistent.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15547

Signed-off-by: Jones Syue <jonessyue@qnap.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>

ctdb: add comments to "addip"/"delip" when CTDB_{CONTROL,EVENT,SRVID}_IPREALLOCATED happens

"addip"/"delip" are different from "moveip" so they don't need to
call ipreallocate() nor send_ipreallocated_control_to_nodes().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

ctdb: let "moveip" end with CTDB_CONTROL_IPREALLOCATED to all connected nodes

This matches the behavior of takeover_send/recv() from
ctdb_takeover_helper.c.

It means we consistently call the ipreallocated event scripts
and also send CTDB_SRVID_IPREALLOCATED after moving ips.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

ctdb: remove unused ctdb_message_disable_ip_check()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

ctdb: let "moveip" also use disable_takeover_runs()

That makes the behavior more consistent compared to a takeover run
started from the within ctdbd.

The behavior is the same but ctdb_message_disable_ip_check() used
a legacy code path and the next commits will also touch some
of the moveip logic...

The logic and comments are copied from control_reloadips().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

ctdb: send a CTDB_SRVID_IPREALLOCATED message after CTDB_EVENT_IPREALLOCATED

Event scripts run the "ipreallocated" hook in order to notice that some ip addresses
in the cluster potentially changed.

CTDB_SRVID_IPREALLOCATED gives C code a chance to get notified as well once the event
scripts are finished.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

s3:utils: Fix the auth function to print correct values to the user

In order to show correct values in the password prompt displayed by
cli_credentials_get_password*(). We need to set the domain and username
in the credentials system.

The credentials supplied via the SMB URL have a higher priority than the
command line options.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15538

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jan  4 11:26:52 UTC 2024 on atb-devel-224

s3:utils: Handle the domain before username and password

The cli_credentials_get_password*() function will interactively ask the
user for a password if none has been supplied via another ways. To show
the correct domain and username in the prompt, we need handle domain
and user first.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15538

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

smbd: Fix traversing snapshot dirs that vanished in current fileset

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15544

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jan  2 20:37:01 UTC 2024 on atb-devel-224

shadow_copy: Add test for missing directory in "current" fileset

Right now we can't traverse a subdirectory in a snapshot which was
deleted in the current set of files.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15544

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Happy New Year 2024!

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s4/ldap_backend: do_call: use modern DBG macros

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Dec 29 13:50:05 UTC 2023 on atb-devel-224

s4/ldap_backend: abandonrequest: use modern DBG macros

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4/ldap_backend: CompareRequest: use modern DBG macros

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4/ldap_backend: modifydnrequest: use modern DBG macros

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4/ldap_backend: delrequest: use modern DBG macros

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4/ldap_backend: addrequest: use modern DBG macros

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4/ldap_backend: modifyrequest: use modern DBG_ macro

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4/ldap_backend: SearchRequest: use modern DBG_ macro

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4/ldap_backend: unwilling: use modern DBG_ macro

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4/ldap_backend: encode: use modern DBG_ macro

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4/ldap_backend: change a printf %d to %u for results

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4/ldap_backend: fix a NULL dereference

Signed-off-by: Bjoern Jacke <bjacke@samba.org>>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

winbind_nss_netbsd: fix missing semicolon

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15541

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

docs-xml: use XML_CATALOG_FILES env var if defined

Thanks to Thierry LARONDE for the fix.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15540

Signed-off-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

doc-xml: fix name of vfs_linux_xfs man page

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15542

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

lib:crypto: Add tests for GKDI key derivation

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Dec 22 06:31:29 UTC 2023 on atb-devel-224

lib:crypto: Add implementation of GKDI key derivation

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Raise an error if root key data is the wrong length

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Test that root key data is the correct length in bytes

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Create root key just for implicit root key tests

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Check properties of current GKDI key

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

fuzz: allow max size conditional ACE round-trip failure

The encoder, being cautious not to overstep the arbitrary 10000 byte
boundary, might not encode an exactly 10000 byte condition. This
is an off-by-one, but in the safe direction.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65118

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Dec 22 00:51:13 UTC 2023 on atb-devel-224

libcli/security: sddl conditional ACE: write -0 when asked

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65122

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: rearrange conditional ACE sddl_write_int

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65122

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: tests for signed zeros in sddl condtional ACEs

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65122

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

librpc: Do not allow u16string to be encoded in a big‐endian context

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

librpc: Change type of ‘u16string’ from ‘const uint16_t *’ to ‘const unsigned char *’

A u16string is supposed to contain UTF‐16 code units, but
ndr_pull_u16string() and ndr_push_u16string() fail to correctly ensure
this on big‐endian systems. Code that relies on the u16string array
containing correct values will then fail.

Fix ndr_pull_u16string() and ndr_push_u16string() to work on big‐endian
systems, ensuring that other code can use these strings without having
to worry about first encoding them to little‐endian.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

librpc: Add missing spaces to error messages

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3/lib: add log_panic_action()

Can be used to log a nice stack backtrace with full debug symbols by setting
"panic action" to something like

    panic action = cd /home/slow/git/samba/master && /home/slow/git/samba/master/selftest/gdb_backtrace %d

This is similar to log_stack_trace(), but that doesn't come with debug symbols.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>