tests: user: fix PEP8 spacing around operator

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests: user: gmsa dNSHostName is a required field

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests: samdb: Make use of the domain_sid property

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python: fix json encoder should handle Exception

This happens if --json is used and a CommandError is raised, so will affect other commands too where --json is used.

This happens in the print_json_status method.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python: models: add Container model

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python: models: add kwargs to __json__ and as_dict methods

Allows passing arguments through

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python: pep8: fix import sorting after move

Only touch files where samba.domain.models import was moved

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python: move models out of the netcmd package

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python: create domain module to move models into

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: gmsa: show viewers also works if SID is not found

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: gmsa: add and remove don't fetch trustee if it is a SID

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: gmsa: add_trustee and remove_trustee change argument to sid

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: gmsa: fix typo if trustee is not found

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: gmsa: create should allow custom SDDL

gMSA update already supported it but not create

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: models: improve Computer constructor adding "$" handling

In some cases the previous code would end up creating computers where the account name ended on double "$"

Rewrote constructor to handle more cases, for example only an account name is provided, only a name is provided, or both.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: models: allow scope to be overridden in query

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: models: add User.get_sid_for_principal helper

Unlike User.find, this will not fetch the User if an SID is provided.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: models: User.find also tries object_sid

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python: samdb: Make connecting_user_sid a property

This is following the same design as other similar properties like samdb.domain_sid, only it doesn't need a setter.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python: samdb: Move get_connecting_user_sid to samdb

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: check again for NULL values

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar 18 02:51:08 UTC 2024 on atb-devel-224

libcli/security: claims_conversions: check for NULL in claims array

If by mistake we end up with a NULL in our array of claims pointers,
it is better to return an error than crash.

There can be NULLs in the array if a resource attribute ACE has a
claim that uses 0 as a relative data pointer. Samba assumes this means
a NULL pointer, rather than a zero offset.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66777
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15606

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4-auth/kerberos: Report errors observed during smb_krb5_remove_obsolete_keytab_entries()

Previously any errors noticed during the main loop would be ignored.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 14 23:16:16 UTC 2024 on atb-devel-224

samba-tool domain exportkeytab: Refuse to overwrite an existing file in full-db export

Since 87f67d336919172845f53067c67d1eab8e7ef18a samba-tool domain exportkeytab has
silently unlinked the given target file.  Instead, the administrator now needs
to specify a file that does not exist.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

s4-libnet: Prepare for a "rolling update" keytab export

This mode will allow keytabs to be exported with all current keys added
to historical keys, which will be useful in a domain with many gMSA
servers that require wireshark decryption.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

s4-auth/kerberos: Do not add true duplicates to exported keytab

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

selftest: Add tests of samba-tool domain export-keytab --keep-stale-entries behaviour

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

selftest: Add tests for "samba-tool domain exportkeytab" with existing files"

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

samba-tool domain exportkeytab: Raise a proper CommandError

This avoids giving just a backtrace for things like exporting a keytab
to an existing file.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

s4-libnet: Raise NTSTATUSError not RuntimeError in keytab export

We should never raise RuntimeError if we have a better option.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

samba-tool: Add option --keep-stale-entries to "samba-tool domain exportkeytab"

This will keep stale keys in the keytab, which may be useful for wireshark
but is not correct if the keytab is used for accepting Kerberos tickets,
as tickets encrypted with old passwords would still be accepted.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

lib/krb5_wrap: Pull already_hashed case out of smb_krb5_kt_add_entry()

The two callers of this function want two very different things, the
common point was wanting to call smb_krb5_kt_seek_and_delete_old_entries()
however this is now done earlier in sdb_kt_copy() with
smb_krb5_remove_obsolete_keytab_entries() or an unlink() in
libnet_export_keytab().

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

lib/krb5_wrap: Rename confusing add_salt parameter to smb_krb5_kt_add_entry()

This just adds the key directly, it is not related to if salting is used or not.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

python/tests: Add test that gMSA keytab export works and matches direct keytab export

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

s4-auth/kerberos: Note the good possability that the msDS-KeyVersionNumber is wrong

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

auth/credentials: Cope with GMSA 5min password preview in cli_credentials_set_gmsa_passwords()

This is unused in Samba currently, but is a subtle race that will be difficult
to debug if this is ever used, so this makes things easier for some future
developer.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

s4-libnet: Add export of gMSA keys to "samba-tool domain exportkeytab"

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

s4-kdc: Prepare for gMSA support by recording it on the entry

This will allow the "samba-tool domain exportkeytab" code to do special gMSA
processing and in the future will allow the KDC to know it needs to check
if the keys in the DB need refreshing.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

auth/credentials: Allow generation of old Kerberos keys also

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

auth/credentials: Make cli_credentials_get_aes256_key into generic key access

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

auth/credentials: Add hook to set credentials from msDS-ManagedPassword blob

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

s4-libnet: Pass the full struct smb_krb5_context to sdb_kt_copy()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

auth/credentials: Dynamically calculate the salt principal (unless speccified)

This helps pull the salt principal calculation into a single spot.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

auth/credentials: Use salt on credentials object for Creds.get_aes256_key()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

auth/credentials: Add bindings for getting and setting the salt principal

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

s4-libnet: Provide hint for "samba-tool domain exportkeytab" if used over LDAP without gMSA

Only gMSA accounts, and only for authoriszed users, can export be exported without
local sam.ldb access.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

Make "samba-tool domain exportkeytab" prune old keys

This slowly prepares this to be an update tool, not just a one-off export tool

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

s4-auth/kerberos: Rename create_keytab() to smb_krb5_fill_keytab()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

s4-auth/kerberos: Add define ENC_STRONG_SALTED_TYPES

This allows us to mask out RC4 and insist on the modern AES types
where that makes sense.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

s4-auth/kerberos: Remove unused paremters to create_keytab()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

samba-tool domain exportkeytab: Add support for -H to point to a different sam.ldb

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

libnet: Prepare to allow "samba-tool domain exportkeytab to support -H

We need to allow a samdb to be passed from the python to support
using a specific DB or remote server for gMSA passwords.

The gMSA passwords will not use this code, but we need to be
consistant.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

python: Explain strange enable_net_export_keytab() behaviour is no longer due Heimdal

This code is now common between Heimdal and MIT Kerberos, but can still be missing
for builds of "samba-tool" that do not include the whole AD DC.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

packaging: Provide a systemd service file for samba-bgqd

There might be scenarios where the background queue daemon should be
running all the time instead of being started on demand. This makes
especially sense for bigger printing servers with a lot of printers. It
takes ~1 sec to get a printer from cups, so a print server with 100
printers needs 100 seconds to update the printer_list.tdb. The service
will be killed because of idle in the meantime.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15600

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Mar 14 12:19:56 UTC 2024 on atb-devel-224

s3/smbd: If we fail to close file_handle ensure we should reset the fd

if fsp_flags.fstat_before_close == true then close_file_smb will call
vfs_stat which can fail. If it does fail then the fd associated
with the file handle will still be set (and we will hit an assert
is the file handle destructor) when calling file_free.
We need to set fd to -1 to avoid that. To achieve that we capture and
return the vfs_stat_fsp failure status while still processing the rest
of the fd_close logic.

[2024/02/20 09:23:48.454671,  0, pid=9744] ../../source3/smbd/smb2_close.c:226(smbd_smb2_close)
  smbd_smb2_close: close_file[]: NT_STATUS_ACCESS_DENIED
[2024/02/20 09:23:48.454757,  0, pid=9744] ../../source3/smbd/fd_handle.c:40(fd_handle_destructor)
  PANIC: assert failed at ../../source3/smbd/fd_handle.c(40): (fh->fd == -1) || (fh->fd == AT_FDCWD)
[2024/02/20 09:23:48.454781,  0, pid=9744] ../../lib/util/fault.c:178(smb_panic_log)
  ===============================================================
[2024/02/20 09:23:48.454804,  0, pid=9744] ../../lib/util/fault.c:185(smb_panic_log)
  INTERNAL ERROR: assert failed: (fh->fd == -1) || (fh->fd == AT_FDCWD) in smbd (smbd[192.168.10) (client [192.168.100.15]) pid 9744 (4.21.0pre1-DEVELOPERBUILD)
[2024/02/20 09:23:48.454844,  0, pid=9744] ../../lib/util/fault.c:190(smb_panic_log)
  If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
[2024/02/20 09:23:48.454869,  0, pid=9744] ../../lib/util/fault.c:191(smb_panic_log)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15527
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Wed Mar 13 10:34:45 UTC 2024 on atb-devel-224

smbd: simplify handling of failing fstat() after unlinking file

close_remove_share_mode() already called vfs_stat_fsp(), so we can skip the
fstat() triggered in fd_close() by fsp->fsp_flags.fstat_before_close being true.

This avoids getting an EACCESS error when doing an fstat() on the removed file
which seems to happen with some FUSE filesystems.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15527

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

ctdb: Remove an unnecessary cast

nl->srvid is uint64_t, as is the srvid parameter of ctdb_daemon_send_message()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Mar 13 08:43:16 UTC 2024 on atb-devel-224

smbd: Fix a DBG message

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

smbd: Avoid a ZERO_STRUCT() with direct struct initialization

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Mar 12 14:33:14 UTC 2024 on atb-devel-224

tools: Fix whitespace

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

smbd: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

smbd: Fix and modernize a few DBG statements

There were still a few function names in DBGs

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

smbd: Give smbXsrv_session.c its own header file

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

vfs: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth: Simplify smb_krb5_send_to_kdc_state_destructor()

Replace a call to dbwrap_fetch_locked() with the higherlevel
dbwrap_delete().

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

smbd: Fix a comment

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

smbXsrv_version: Use a struct assignment

Make sure everything is initialized

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

smbXsrv_version: Remove unused smbXsrv_version_global0->db_rec

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

smbXsrv_version: Use a struct assignment instead of ZERO_STRUCT

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

smbXsrv_version: Modernize DEBUG statements

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib: Simplify _hexcharval

Saves a few bytes and conditional jumps

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

smbd: Add parentheses for easier readability

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

torture: Fix an error message

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib: Simplify copy_unix_token()

Avoid an else with implicit NULL initialization

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libsmb: Simplify an if-condition

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib: Make GUID_to_ndr_buf() return void

The whole point of struct GUID_ndr_buf is that this never fails.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

smbd: Remove get_Protocol()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

smbd: Remove the last use of get_Protocol()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

smbd: Add conn_protocol()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

smbd: Modernize a DEBUG statement

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

smbd: Simplify fsp_fullbasepath()

snprintf deals well with NULL/0 buffers. Basically this undoes
6555fa9d8fbc and 193df617. 6555fa9d8fbc gave cppcheck as a reason for
this patch, but if I look into susv4's snprintf definition I find:

If n is zero, nothing shall be written and s may be a null pointer.

This removes the checks and makes sure we fulfill the requirement of
susv4 that states that buf can only be NULL if buflen is 0.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

smbd: Remove unused declarations in smbXsrv.idl

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest: add tests for "samba-tool user list --locked-only"

Signed-off-by: Jule Anger <janger@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Jule Anger <janger@samba.org>
Autobuild-Date(master): Tue Mar 12 10:54:49 UTC 2024 on atb-devel-224

samba-tool: add "samba-tool user list --locked-only"

Signed-off-by: Jule Anger <janger@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libgpo: Do not segfault if we don't have a valid security descriptor

Program received signal SIGSEGV, Segmentation fault.
ndr_push_security_descriptor (ndr=ndr@entry=0x555555bf41b0, ndr_flags=ndr_flags@entry=768, r=r@entry=0x0) at librpc/gen_ndr/ndr_security.c:713
713 NDR_CHECK(ndr_push_security_descriptor_revision(ndr, NDR_SCALARS, r->revision));

Thread 1 (Thread 0x7ffff7ece740 (LWP 21460) "python3"):
 #0  ndr_push_security_descriptor (ndr=ndr@entry=0x555555bf41b0, ndr_flags=ndr_flags@entry=768, r=r@entry=0x0) at librpc/gen_ndr/ndr_security.c:713
        _flags_save_STRUCT = 0
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        _status = <optimized out>
        __FUNCTION__ = "ndr_push_security_descriptor"
 #1  0x00007ffff617237f in ndr_push_struct_blob (blob=blob@entry=0x7fffffffdb20, mem_ctx=0x555555aa3bd0, p=0x0, fn=0x7ffff6074ad0 <ndr_push_security_descriptor>, fn@entry=0x7ffff60706c8 <ndr_push_security_descriptor@plt>) at ../../librpc/ndr/ndr.c:1438
        _status = <optimized out>
        ndr = 0x555555bf41b0
 #2  0x00007ffff607cccf in marshall_sec_desc (mem_ctx=<optimized out>, secdesc=<optimized out>, data=data@entry=0x7fffffffdb80, len=len@entry=0x7fffffffdb78) at ../../libcli/security/secdesc.c:241
        blob = {data = 0x7fffffffdb40 "`\333\377\377\377\177", length = 140737352374299}
        ndr_err = <optimized out>
        __FUNCTION__ = "marshall_sec_desc"
 #3  0x00007ffff29edd94 in GPO_marshall_get_sec_desc_buf (self=<optimized out>, args=<optimized out>, kwds=<optimized out>) at ../../libgpo/pygpo.c:119
        gpo_ptr = <optimized out>
        status = <optimized out>
        data = 0x0
        len = 0

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15599

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Mar  6 15:44:19 UTC 2024 on atb-devel-224

libgpo: Fix trailing spaces in pygpo.c

Reviewed-by: David Mulder <dmulder@samba.org>

ctdb-scripts: Remove usage of releaseip-pre, takeip-pre pseudo-events

These were generated by 06.nfs.script.

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Mar  6 07:09:06 UTC 2024 on atb-devel-224

ctdb-scripts: Remove unnecessary 06.nfs.script

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>

ctdb-doc: Put NFS in grace on startipreallocate

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>

ctdb-doc: Factor out grace period function

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>

ctdb-client: Remove unused function

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>

ctdb-scripts: Add handling for startipreallocate

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>

ctdb: send a CTDB_SRVID_START_IPREALLOCATE message after CTDB_EVENT_START_IPREALLOCATE

Event scripts run the "start_ipreallocate" hook in order to notice
that some ip addresses in the cluster potentially changed.

CTDB_SRVID_START_IPREALLOCATE gives C code a chance to get notified as well
once the event scripts are finished.

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>

ctdb-takeover: Use CTDB_CONTROL_START_IPREALLOCATE

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>

ctdb-server: Implement CTDB_CONTROL_START_IPREALLOCATE

Trigger a "startipreallocate" event, but only if in RUNNING runstate.
"startipreallocate" is intended to allow an NFS server to be put into
grace on all nodes before any locks are released as part of releaseip
during failover.  If node A is leader and initiates a takeover run
then node B may be connected/active but may not have completed
startup.  In this case, the attempt to put NFS-Ganesha into grace on
node B will fail, startipreallocate will fail, and the node will be
banned.

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>

ctdb-protocol: Add new control CTDB_CONTROL_START_IPREALLOCATE

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>

ctdb-daemon: Implement startipreallocate event

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>

ctdb-protocol: Add new event startipreallocate

A new event is needed for NFS lock reclaim to ensure all nodes are in
grace before any locks are released. This event must take place before
releaseip.

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>

ctdb-common: Remove old runstate/string translation functions

The canonical versions are in protocol utils.

These were unused apart from some stray forward declarations in
tools/ctdb.c and a single call in ctdb_set_runstate(), where
ctdb_runstate_to_string() can be used instead.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>

ctdb-common: Remove unused variable ctdb_eventscript_call_names.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>