git.samba.org - samba.git/log

s4:kdc: tunnel the check_client_access status to hdb_samba4_audit()

Otherwise useful information gets lost while converting
from NTSTATUS to krb5_error and back to NTSTATUS again.
E.g. NT_STATUS_ACCOUNT_DISABLED would be audited as
NT_STATUS_ACCOUNT_LOCKED_OUT.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15015

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5294dc80090482d5669126802672eb2c89e269cf)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Thu Mar 17 10:12:38 UTC 2022 on sn-devel-184

s4-kdc: Handle previously unhandled auth event types

Cases to handle KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY and
KDC_AUTH_EVENT_PREAUTH_SUCCEEDED were removed in:

commit 791be84c3eecb95e03611458e2305bae272ba267
Author: Stefan Metzmacher <metze@samba.org>
Date: Wed Mar 2 10:10:08 2022 +1300

s4:kdc: hdb_samba4_audit() is only called once per request

Normally these auth event types are overwritten with the
KDC_AUTH_EVENT_CLIENT_AUTHORIZED event type, but if a client passes the
pre-authentication check, and happens to fail the client access check
(e.g. because the account is disabled), we get error messages of the
form:
hdb_samba4_audit: Unhandled hdb_auth_status=9 => INTERNAL_ERROR

To avoid such errors, use the error code provided in the request
structure to obtain a relevant status code in cases not handled
explicitly.

For unexpected values we return KRB5KRB_ERR_GENERIC
in order to hopefully prevent success. And within make test
we panic in order let a ci run fail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15015

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b01388da8a72c11c46bb27e773b354520bc6ac88)

s3:libads: Fix creating local krb5.conf

We create an KDC ip string entry directly at the beginning, use it if we
don't have any additional DCs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Mar 16 14:26:36 UTC 2022 on sn-devel-184

(cherry picked from commit 68d181ee676e17a5cdcfc12c5cc7eef242fdfa6c)

s3:libads: Check print_canonical_sockaddr_with_port() for NULL in get_kdc_ip_string()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 12c843ad0a97fcbaaea738b82941533e5d2aec99)

s3:libads: Remove obsolete free's of kdc_str

This is allocated on the stackframe now!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit cca189d0934790418e27d9d01282370b1e6a057f)

s3:libads: Allocate all memory on the talloc stackframe

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 652c8ce1672dfead00c7af6af22e3bb3927764ec)

s3:libads: Use talloc_asprintf_append() in get_kdc_ip_string()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 812032833aa65729dbbfd4313a6e3fe072c88530)

s3:libads: Improve debug messages for get_kdc_ip_string()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 7f721dc2eee0064a1ddd480fcaf77bf1659c7a26)

s3:libads: Leave early on error in get_kdc_ip_string()

This avoids useless allocations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 313f03c78487ae49747b8143220ecbfe8ad9310a)

s3:libads: Remove trailing spaces in kerberos.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 567b1996796e5d3cf572653f38817d832fa135ca)

testprogs: Add test that local krb5.conf has been created

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit d2ac90cdd5672330ed9c323fc474f8ba62750a6f)

s3:libsmb: Fix errno for failed authentication in SMBC_server_internal()

In SMBC_server_internal(), when authentication fails, the errno value is
currently hard-coded to EPERM, while it should be EACCES instead. Use the
NT_STATUS map to set the appropriate value.

This bug was found because it breaks listing printers protected by
authentication in GNOME Control Panel.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14983

Signed-off-by: Elia Geretto <elia.f.geretto@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar 16 19:44:18 UTC 2022 on sn-devel-184

(cherry picked from commit 70b9977a46e5242174b4461a7f49d5f640c1db62)

s4:auth: let authenticate_ldap_simple_bind() pass down the mapped nt4names

authenticate_ldap_simple_bind*() needs to pass the
result of the cracknames operation into the auth stack
as user_info->client.{account,domain}_name, because
user_info->client.{account,domain}_name is also used
when forwarding the request via netrLogonSamLogon*
to a remote server, for exactly that the values are
also used in order to map a AUTH_PASSWORD_PLAIN into
AUTH_PASSWORD_RESPONSE, where the NTLMv2 response
contains the account and domain names passed in the
netr_IdentityInfo value.

Otherwise it would not be possible to forward the
LDAP simple bind authentication request to a remote
DC.

Currently this only applies to an RODC that forwards
the request to an RWDC.

But note that LDAP simple binds (as on Windows) only
work for users in the DCs forest, as the DsCrackNames
need to work and it can't work for users of remote
forests. I tested that in a DC of a forest root domain,
if rejected the LDAP simple bind against a different forest,
but allowed it for a users of a child domain in the
same forest. The NTLMSSP bind worked in both cases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 10 04:10:54 UTC 2022 on sn-devel-184

(cherry picked from commit 40f2070d3b2b1b13cc08f7844bfe4945e9f0cd86)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Wed Mar 16 14:40:08 UTC 2022 on sn-devel-184

auth: let auth logging prefer user_info->orig_client.{account,domain}_name if available

The optional user_info->orig_client.{account,domain}_name are
the once really used by the client and should be used in
audit logging. But we still fallback to
user_info->client.{account,domain}_name.

This will be important for the next commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 24b580cae23860a0fe6c9d3a285d60564057043d)

s4:auth: rename user_info->mapped_state to user_info->cracknames_called

This makes it much clearer what it is used for and
it is a special hack for authenticate_ldap_simple_bind_send()
in order to avoid some additional work in
authsam_check_password_internals().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 427125d182252d8aee3dd906ee34a909cdbb8ef3)

winbindd: don't set mapped_state in winbindd_dual_auth_passdb()

mapped_state is a special hack for authenticate_ldap_simple_bind_send()
in order to avoid some additional work in authsam_check_password_internals()

This doesn't apply here. We should also handle wbinfo -a
authentication UPN names, e.g. administrator@DOMAIN,
even if the account belongs to the local sam.

With this change the behavior is consistent also locally on DCs and
also an RODC can handle these requests locally for cached accounts.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15003

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 8dfdbe095a4c8a7bedd29341656a7c3164517713)

nsswitch: let test_wbinfo.sh also test wbinfo -a $USERNAME@$DOMAIN

When winbindd forwards wbinfo -a via netrLogonSamLogon* to a remote
DC work fine for upn names, e.g. administrator@DOMAIN.

But it currently fails locally on a DC against the local sam.

For the RODC only work because it forwards the request to
an RWDC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15003

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e1d2c59d360fb4e72dafe788b5d9dbb0572bf811)

s3:auth: make_user_info_map() should not set mapped_state

mapped_state is only evaluated in authsam_check_password_internals()
of auth_sam.c in source4, so setting it in the auth3 code
doesn't make any difference. I've proved that with
an SMB_ASSERT() and a full pipeline not triggering it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c56cb12f347b7582290ce1d4dfe3959d69050bd9)

s4:auth: fix confusing DEBUG message in authsam_want_check()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a12683bd1206df4d4d87a3842d92e34a69e172b7)

s4:auth: check for user_info->mapped.account_name if it needs to be filled

mapped_state is a special hack for authenticate_ldap_simple_bind_send()
in order to avoid some additional work in authsam_check_password_internals().

But that code will be changed in the next commits, so we can simplify
the logic and only check for user_info->mapped.account_name being NULL.
As it's the important factor that user_info->mapped.account_name is
non-NULL down in the auth stack.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c7b8c71b2b71bb9d95c33d403c4204376f443852)

s4:rpc_server/samr: don't set mapped_state in auth_usersupplied_info for audit logging

mapped_state is completely irrelevant for audit logging and
will also be removed in the next commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 52787b9c1e9370133ff4481c62c2e7b9393c2439)

s4:kdc: don't set mapped_state in auth_usersupplied_info for audit logging

mapped_state is completely irrelevant for audit logging and
will also be removed in the next commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit ca6948642bc2ff821ec4ca8ab24902b1ba9e8397)

s4:dsdb: don't set mapped_state in auth_usersupplied_info for audit logging

mapped_state is completely irrelevant for audit logging and
will also be removed in the next commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 99efe5f4e9ce426b28cef94d858849707ce15739)

s4:smb_server: don't set mapped_state explicitly in auth_usersupplied_info

We already use talloc_zero() and mapped_state will be removed in the
next commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 859c7817350553259eb09c889bc40afebb60064a)

auth/ntlmssp: don't set mapped_state explicitly in auth_usersupplied_info

We already use talloc_zero() and mapped_state will be removed in the
next commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9a4ac8ab2e2c8ee48f6bf5a6ecf7988c435ba1c6)

s4:auth: encrypt_user_info() should set password_state instead of mapped_state

user_info->mapped_state has nothing to do with enum auth_password_state,
user_info->password_state is the one that holds the auth_password_state value.

Luckily user_info->password_state was never referenced in the
encrypt_user_info() callers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a6fb598d9dcbfe21ef285b5f30fabcb88a259c93)

s4:auth: a simple bind uses the DCs name as workstation

I've seen that in LogonSamLogonEx request triggered
by a simple bind with a user of a trusted domain
within the same forest. Note simple binds don't
work with users for another forest/external domain,
as the DsCrackNames call on the bind_dn fails.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14641

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 31db704882bbcd569c2abb764ac1d3691ee0a267)

s3:rpc_client: let rpccli_netlogon_network_logon() fallback to workstation = lp_netbios_name()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14641

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5c04c01354944fc3a64bb109bf3e9bf89086cc6f)

rodc: Add tests for simple BIND alongside NTLMSSP binds

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 62fb6c1dc8527db6cf0f08d4d06e8813707f767a)

s4:auth_sam: use USER_INFO_INTERACTIVE_LOGON as inducation for an interactive logon

Using != AUTH_PASSWORD_RESPONSE is not the correct indication
due to the local mappings from AUTH_PASSWORD_PLAIN via
AUTH_PASSWORD_HASH to AUTH_PASSWORD_RESPONSE.

It means an LDAP simble bind will now honour
'old password allowed period'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15001

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2ad44686229ba02f98de5769c26a3dfeaf5ada2b)

s3:auth: let make_user_info_netlogon_interactive() set USER_INFO_INTERACTIVE_LOGON

This is not really relevant for now, as USER_INFO_INTERACTIVE_LOGON is
not evaluated in the source3/auth stack. But better add it to
be consistent.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15001

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 012bd9f5b780f7a90cf3bd918f044ea67fae7017)

dsdb/tests: add test_login_basics_simple()

This demonstrates that 'old password allowed period' also
applies to LDAP simple binds and not only to GSS-SPNEGO/NTLMSSP binds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15001

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3625d1381592f7af8ec14715c6c2dfa4d9f02676)

dsdb/tests: prepare BasePasswordTestCase for simple bind tests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0b1fbc9d56e2a25e3f1527ee5bc54880bdc65fc6)

dsdb/tests: introduce assertLoginSuccess

This makes it possible to catch failures with knownfail entries.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 751ce671a4af32bc1c56433a5a1c8161377856c5)

dsdb/tests: make use of assertLoginFailure helper

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 03ba5af3d9eaeb5f0c7c1a1a61ef2ac454eb8392)

dsdb/tests: let all BasePasswordTestCase tests provide self.host_url[_ldaps]

This will make further changes easier.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5a3214c99048a88b0a9f509e3b5b38326529b02c)

dsdb/tests: passwords.py don't need to import BasePasswordTestCase

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 90754591a7e4d5a3af70c01425930f4ec063c516)

python:tests: let insta_creds() also copy the bind_dn from the template

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a30a7626254c863f95b98c97ea46ff54b98078ad)

s4-kdc: Fix memory leak in FAST cookie handling

The call to sdb_free_entry() was forgotten.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15000

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 11 11:05:55 UTC 2022 on sn-devel-184

(cherry picked from commit b7bc1f6dddc1c5fee8a39422823f167db1f24bb2)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Mon Mar 14 15:24:28 UTC 2022 on sn-devel-184

third_party/heimdal: import lorikeet-heimdal-202203101710 (commit df8d801544144949931cd742169be1207b239c3d)

This fixes the regressions against KDCs without FAST support.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 11 18:06:47 UTC 2022 on sn-devel-184

(cherry picked from commit 9b48e7f7eda5e368c1192d562c268885c1f68d8b)

selftest: use 'kdc enable fast = no' for fl2000 fl2003

This makes sure we still run tests against KDCs without FAST support
and it already found a few regressions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit f1a71e24864367a55a30813dd642e7ef392b5ac9)

s4:kdc: make use of the 'kdc enable fast' option

This will useful to test against a KDC without FAST support
and find/prevent regressions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit 2db7589d69abebad16b66d933114367f815d5fc3)

docs-xml: add 'kdc enable fast' option

This will be useful to test against a KDC without FAST support
and find/prevent regressions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit 12b623088cf48cf9e4a046441810ef20e1f079b8)

third_party/heimdal: import lorikeet-heimdal-202203101709 (commit 47863866da25cc21d292ce335a976b8b33fa1864)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit 67bdc922f9836779f1b37805575c5c4eea9ba3e6)

VERSION: Bump version up to Samba 4.16.0rc6...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger@samba.org>

VERSION: Disable GIT_SNAPSHOT for the 4.16.0rc5 release.

Signed-off-by: Jule Anger <janger@samba.org>

WHATSNEW: Add release notes for Samba 4.16.0rc5.

Signed-off-by: Jule Anger <janger@samba.org>

s4:kdc: redirect pre-authentication failures to an RWDC

The most important case is that we still have a previous
password cached at the RODC and the inbound replication
hasn't wiped the cache yet and we also haven't triggered
a new replication yet.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0f5d7ff1a9fd14fd412b09883d413d1d660fa7be)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Tue Mar 8 14:30:45 UTC 2022 on sn-devel-184

s4:kdc: let pac functions in wdc-samba4.c take astgs_request_t

NOTE: This commit finally works again!

This aligns us with the following Heimdal change:

   commit 11d8a053f50c88256b4d49c7e482c2eb8f6bde33
   Author:     Stefan Metzmacher <metze@samba.org>
   AuthorDate: Thu Feb 24 18:27:09 2022 +0100
   Commit:     Luke Howard <lukeh@padl.com>
   CommitDate: Thu Mar 3 09:58:48 2022 +1100

       kdc-plugin: also pass astgs_request_t to the pac related functions

       This is more consistent and allows the pac hooks to be more flexible.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 27ee5ad713b760e8226537d79c529ace1efb07bf)

third_party/heimdal: import lorikeet-heimdal-202203031927 (commit 7abc451ddd74d0c2e57dbb32f3198bde8def73ab)

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f33f73f82fb2d5d96928ce5910e2d0d939c2ff57)

s3:utils: assign ids to struct to list shares correctly

The commit "99d1f1fa10d smbd: Remove unused "struct connections_key"" removes
also the assignment of information to connections_data, which are needed to list
shares.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14999

Signed-off-by: Jule Anger <janger@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jule Anger <janger@samba.org>
Autobuild-Date(master): Mon Mar 7 15:27:48 UTC 2022 on sn-devel-184

(cherry picked from commit 9e9e6955ba93691545ea35e39ebdc285cd484406)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Tue Mar 8 11:31:47 UTC 2022 on sn-devel-184

s3:tests: Add a test to check the output of smbstatus.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14999

Signed-off-by: Jule Anger <janger@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit b108e039ab13ee9f8f2c629c5b57085a462d14db)

s3: smbd: Fix our leases code to return the correct error in the non-dynamic share case.

We now return INVALID_PARAMETER when trying to open a
different file with a duplicate lease key on the same
(non-dynamic) share. This will enable us to pass another
Windows test suite leases test.

We now behave the same as Windows10.

Remove knownfail.d/smb2-lease-duplicateopen

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14737

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Feb 18 20:12:12 UTC 2022 on sn-devel-184

(cherry picked from commit 408be54323861c24b6377b804be4428cf45b471e)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Mon Mar 7 11:49:31 UTC 2022 on sn-devel-184

s4: torture: Add new SMB2 lease test test_lease_duplicate_open().

Checks we return INVALID_PARAMETER when trying to open a
different file with a duplicate lease key on the same share.

Checked against Windows10. Currently fails against smbd
so add knownfail.d/smb2-lease-duplicateopen

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14737

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
(cherry picked from commit ca3896b6f8bbcad68f042720feceedfa29ddbd83)

s4: torture: Add new SMB2 lease test test_lease_duplicate_create().

Checks we return INVALID_PARAMETER when trying to create a
new file with a duplicate lease key on the same share.

Checked against Windows10. Samba already passes this
but we didn't have a test before.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14737

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
(cherry picked from commit bf22548d11fe67ea3f4ec10dff81773d626e4703)

s3:trusts_utils: use a password length of 120 for machine accounts

This is important when we change the machine password against
an RODC that proxies the request to an RWDC.

An RODC using NetrServerPasswordSet2() to proxy PasswordUpdateForward via
NetrLogonSendToSam() ignores a return of NT_STATUS_INVALID_PARAMETER
and reports NT_STATUS_OK as result of NetrServerPasswordSet2().
This hopefully found the last hole in our very robust machine account
password handling logic inside of trust_pw_change().

The lesson is: try to be as identical to how windows works as possible,
everything else may use is untested code paths on Windows.

A similar problem was fixed by this commit:

    commit 609ca657652862fd9c81fd11f818efb74f72ff55
    Author: Joseph Sutton <josephsutton@catalyst.net.nz>
    Date:   Wed Feb 24 02:03:25 2021 +1300

        provision: Decrease the length of random machine passwords

        The current length of 128-255 UTF-16 characters currently causes
        generation of crypt() passwords to typically fail. This commit
        decreases the length to 120 UTF-16 characters, which is the same as
        that used by Windows.

        BUG: https://bugzilla.samba.org/show_bug.cgi?id=14621

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Feb 23 08:49:54 UTC 2022 on sn-devel-184

(cherry picked from commit 5e2386336c49fab46c1192db972af5da1e916b32)

upgradehelpers.py: add a comment to update_krbtgt_account_password()

The backend generates its own random krbtgt password values.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit ad0b5561b492dfa28acfc9604b2358bb8b490703)

provision: add a comment that the value of krbtgtpass is ignored in the backend

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 725c94d57d3d656bc94633dacbac683a4c11d3e6)

upgradehelpers.py: let update_machine_account_password() use 120 character passwords

We already changed provision to use 120 character passwords with commit
609ca657652862fd9c81fd11f818efb74f72ff55.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 6bb7c0f24918329804b7f4fb71908e8fab99e266)

provision: use 120 characters for the dns account password

We should use the same as for the computer account.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 3b91be36581de1007427d539daffdaa62752412d)

samba-tool/join_member: let py_net_join_member() choose the password

It means we'll let trust_pw_new_value() generate the password.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 59ac782452c4993274fa837256a8b9c5675e707b)

s3:py_net: allow machinepass=None to py_net_join_member()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 576bdb08c51c47c390cc390fbefdcfee275b7f0f)

s4/auth/simple_bind: correctly report TLS state

It went wrong in 366f8cf0903e3583fda42696df62a5337f22131f

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan 26 12:39:52 UTC 2022 on sn-devel-184

(cherry picked from commit 309f1982263677045d407463eb19a2444c165a63)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14996

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Mon Mar 7 10:11:23 UTC 2022 on sn-devel-184

pytest:auth_log: expect TLS connections when using ldaps

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit f37682747898591b37405f9e96a8135c15638637)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14996

s4:kdc: hdb_samba4_audit() is only called once per request

So we need to restructure the logic a bit.

NOTE: This commit finally works again!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Tue Mar 1 23:28:22 UTC 2022 on sn-devel-184

(cherry picked from commit 791be84c3eecb95e03611458e2305bae272ba267)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Wed Mar 2 11:24:26 UTC 2022 on sn-devel-184

s4-kdc: Adapt to move from HDB auditing to KDC auditing constants

This is to adapt to:

    commit 6530021f09a5cab631be19a1b5898a0ba6b32f16
    Author: Luke Howard <lukeh@padl.com>
    Date:   Thu Jan 13 14:37:29 2022 +1100

        kdc: move auth event definitions into KDC header

        Move KDC auth event macro definitions out of hdb.h and into a new KDC header,
        kdc-audit.h.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit c9b0b4bfc4e2e0b08b21f39bf56fd5395d66d66f)

s4:kdc: Adapt to removal of publicly accessible request structure members

We now have to use the accessor functions instead.

This is an adaptation to Heimdal:

commit ec24edf7005c340018450a202d27ca75fcf322d4
Author: Luke Howard <lukeh@padl.com>
Date:   Thu Jan 20 09:15:24 2022 +1100

    kdc: add accessor functions for KDC request structure

    Add accessor functions for use by Samba and other plugin developers.
    Documentation is in kdc/kdc-accessors.h.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9399a15fabb5a1b8470b1069a098132e2fdb7f0f)

s4:kdc: Adapt to hdb_entry_ex removal

Rather than having a 'free_entry' member that can be called to free an
hdb_entry, we now implement the free function in HDB. We perform the
free only if the context pointer is non-NULL.

We also remove the ZERO_STRUCTP() in sdb_entry_to_hdb_entry(), as the
context pointer is now part of the 'hdb_entry' structure itself, and
this would undesirably zero it out.

This is an adaptation to Heimdal commits:

commit c5551775e204d00c7ee8055ab6ddbba7e0590584
Author: Luke Howard <lukeh@padl.com>
Date:   Fri Jan 7 12:15:55 2022 +1100

    hdb: decorate HDB_entry with context member

    Decorate HDB_entry with context and move free_entry callback into HDB structure
    itself. Requires updating hdb_free_entry() signature to include HDB parameter.
    A follow-up commit will consolidate hdb_entry_ex (which has a single hdb_entry
    member) into hdb_entry.

commit 0e8c4ccc6ee0123ea39e53e8917fc3f6bb74e8c8
Author: Luke Howard <lukeh@padl.com>
Date:   Fri Jan 7 12:54:40 2022 +1100

    hdb: eliminate hdb_entry_ex

    Remove hdb_entry_ex and revert to the original design of hdb_entry (except with
    an additional context member in hdb_entry which is managed by the free_entry
    method in HDB).

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 94d387abd5031c12989f925ee5eb733432402d1d)

s4:kdc: Increment plugin minor version

This is an adaptation to Heimdal:

commit 40e4a4df09c2d6c3ba7bf14df1dee74a0bc18110
Author: Luke Howard <lukeh@padl.com>
Date:   Mon Jan 10 12:50:37 2022 +1100

    kdc: use astgs_request_t for client/server name (TGS)

    Store the client and server principal name from the TGT and request
    (respectively) in the astgs_request_t rather than using local variables.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 068f2bf117ab9968011fdb8d60b98bb37d529658)

third_party/heimdal_build: Don't generate .x source files

This is an adaptation to Heimdal:

commit 9427796f1a65906f12768b28abdb5a928222f3c6
Author: Jeffrey Altman <jaltman@secure-endpoints.com>
Date:   Wed Jan 5 15:45:23 2022 -0500

    Generate .x source files as .c source files

    The generated .x source and .hx header files are plain C source files.
    Generate them as .c source files and avoid unnecessary file copying
    and special makefile rules.

    Change-Id: Ifc4bbe3c46dd357fdd642040ad964c7cfe1d395c

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7cb68fdba75c362cdfd8f3bf08bcd9c22bbe4556)

s4:kdc: Explicitly set plugin minor version

This is an adaptation to Heimdal:

commit 7cc4b7a9e624f5eecfbb38607d4cc0870a895671
Author: Luke Howard <lukeh@padl.com>
Date:   Wed Jan 5 13:08:11 2022 +1100

    kdc: KDC plugin API contract notes

    Add some notes about the KDC plugin API contract, and require plugins to
    explicitly indicate which version of the API they support (remove the macro
    alias for the current version).

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 675f913e54d8fddb9173c1e67b9d14885cc1d878)

third_party/heimdal_build: Add SFU source file

This is an adaptation to Heimdal:

commit 0287558838de79313e38026d2f0905ffc987d0b8
Author: Luke Howard <lukeh@padl.com>
Date:   Fri Dec 24 13:49:55 2021 +1100

    kdc: move Services for User implementation out of krb5tgs.c

    Move the Services for User (SFU/S4U) implementation -- protocol transition and
    constrained delegation -- into its own compilation unit, with an interface that
    only takes an astgs_request_t, so it can be easily factored out into a plugin
    module in the future.

    This refactoring is also careful to update all client names in the request
    structure after the SFU/S4U validation has successfully completed.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b9f4ea8bdb70476d6cc6df962bf6b28805588ed5)

s4:kdc: Adapt to removal of auth audit event types

This is an adaptation to Heimdal:

commit 06f8985c55fcd23e3efe0017ed2480c5b3c4524f
Author: Luke Howard <lukeh@padl.com>
Date:   Wed Jan 5 09:42:03 2022 +1100

    hdb: consolidate preauth audit event types

    Instead of having distinct preauth success/failure events for different
    mechanisms, have a single event; the mechanism can be disambiguated by querying
    the HDB_REQUEST_KV_PA_NAME key.

    Note: there is still an explicit event for long-term key-based success/failure
    in order to help the backend implement lockout.

    Audit failure (HDB_AUTH_EVENT_PREAUTH_FAILED) in the main preauth loop, rather
    than in each mechanism. Success is still audited in the mechanism to allow
    client pre-authentication success to be noted even if something subsequent
    (e.g. encoding a reply, memory allocation) fails. The generic catch-all for
    success remains.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f234361abea4166ce4e10cfa4e7f4096b83480a9)

s4:kdc: Rename windc to kdc plugin

This is an adaptation to Heimdal:

commit fcff5933ade652343d7c169659da92fac0e6e0d4
Author: Luke Howard <lukeh@padl.com>
Date:   Mon Jan 3 11:10:18 2022 +1100

    kdc: rename windc to kdc plugin

    Rename the "windc" plugin API to the more general "kdc" plugin API, for two
    reasons: the Heimdal KDC uses the Windows PAC even when not emulating a domain
    controller, and the plugin API has accreted methods that are not specific to
    emulating a domain controller (such as referral_policy and finalize_reply).

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 83586e8f5846fff7a8bbe47e743e03166b559584)

s4:kdc: Add referral policy callback

This is now used instead of a configuration option.

This is an adaption to Heimdal:

commit 3fa47f5a1a422e178d968a8ec0d59889eaa71548
Author: Luke Howard <lukeh@padl.com>
Date:   Sun Jan 2 21:51:43 2022 +1100

    kdc: add referral_policy callback to windc plugin

    Add a referral policy hook to the TGS as a more elegant way of resolving
    referral detection for Samba). The hook can either rewrite the server_princ in
    the request, or it can return an error to disable built-in referral processing.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a5799cea037a4613ba4d1073fff6e6151ed06c76)

s4:kdc: Add 'not authorised' auth events

This is an adaptation to Heimdal:

commit d683780b1d728bf8c5b794a1f66842e5a25bd360
Author: Luke Howard <lukeh@padl.com>
Date:   Sat Jan 1 23:44:05 2022 +1100

    kdc: separate PKINIT/GSS authorization failure

    Create a new audit event for PKINIT/GSS authorization (impersonation) failure

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0d37a1928100e229bea46701b41d4efa72e10266)

s4:kdc: Adapt to removal of auth event details

This is an adaptation to Heimdal:

commit e15e711b13e2fb33f4480a054cba60b6c4c0183b
Author: Luke Howard <lukeh@padl.com>
Date:   Sat Jan 1 18:05:51 2022 +1100

    kdc: remove auth_event_details audit key

    The auth event details audit key (formerly, parameter to auth_status)
    contained, variously, an encryption type name; a PKINIT client certificate
    name; or, a GSS initiator name. Audit these instead using individual keys that
    reflect the values' contents.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7989ef0aa7b75b2e5af7be445fc64cbf49b2985c)

s4:kdc: Refactor HDB API

This is an adaptation to Heimdal:

commit b1dcc1a47485165ada778ef3c3463cfc0779d183
Author: Luke Howard <lukeh@padl.com>
Date:   Fri Dec 31 17:24:58 2021 +1100

    kdc: refactor Samba-specific auditing API in terms of existing API

    Make Samba-specific HDB auth status API a wrapper on the existing auditing API,
    with a view towards unifying the two APIs in a future commit.

    The term "auth status" is replaced with "auth event", and the HDB auth_status
    method is replaced with a more general purpose audit method which has access to
    the entire request structure.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a2f7987d58372cfc52bc5f9786c0719439956fee)

third_party/heimdal_build: Add source files to build

This is an adaptation to Heimdal:

commit be708ca3cf98900c61919f8ff7ced4428b5d1f32
Author: Nicolas Williams <nico@twosigma.com>
Date:   Wed Dec 22 17:01:12 2021 -0600

    gsskrb5: Add simple name attributes support

    This adds Kerberos mechanism support for:

     - composite principal name export/import
     - getting rudimentary name attributes from GSS names using
       gss_get_name_attribute():
        - all (raw) authorization data from the Ticket
        - all (raw) authorization data from the Authenticator
        - transit path
        - realm
        - component count
        - each component
     - gss_inquire_name()
     - gss_display_name_ext() (just for the hostbased service name type
                               though)

    The test exercises almost all of the functionality, except for:

     - getting the PAC
     - getting authz-data from the Authenticator
     - getting the transit path

    TBD (much) later:

     - amend test_context to do minimal name attribute checks as well
     - gss_set_name_attribute() (to request authz-data)
     - gss_delete_name_attribute()
     - getting specific authorization data elements via URN fragments (as
       opposed to all of them)
     - parsing the PAC, extracting SIDs (each one as a separate value)
     - some configurable local policy (?)
     - plugin interface for additional local policy

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f2ca9c5db7e1bb20cfc6705633b48c32b1496334)

third_party/heimdal: import lorikeet-heimdal-202203010107 (commit 0e7a12404c388e831fe6933fcc3c86e7eb334825)

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 51569b3152a952d07fddaa3a70d60c920618c704)

third_party/heimdal_build: Define fallthrough macro for switch statements

This is an adaptation to Heimdal:

commit ddc61136100b32346c4c4efa2bb6ddb5baedfb3e
Author: Nicolas Williams <nico@twosigma.com>
Date: Fri Jan 14 16:32:04 2022 -0600

Use fallthrough statement attribute

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fccf9859786dfb50b317ea2296c2494997f0ae09)

third_party/heimdal_build: Determine whether time_t is signed

Without this, Heimdal will assume time_t is unsigned, and a wrong
assumption will cause 'infinite' ticket lifetimes to be reckoned as from
the past, and thus requests will fail with KDC_ERR_NEVER_VALID.

This is an adaptation to Heimdal:

commit 9ae9902249732237aa1711591604a6adf24963fe
Author: Nicolas Williams <nico@twosigma.com>
Date:   Tue Feb 15 17:01:00 2022 -0600

    cf: Check if time_t is signed

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Mar  1 18:07:50 UTC 2022 on sn-devel-184

(cherry picked from commit 9eb27f296ae2b797803fffbb7f4cb34d8eb06f34)

s4:kdc: Don't pass empty PAC buffers to krb5_pac_add_buffer()

Heimdal will no longer allow us to pass a dummy zero-length buffer to
krb5_pac_add_buffer(), so we have to pass a buffer of length 1 instead.

This is an adaption to Heimdal:

commit 190263bb7a56fc775b50a6cd0dc91820d2b2e5eb
Author: Jeffrey Altman <jaltman@secure-endpoints.com>
Date:   Wed Jan 19 22:55:33 2022 -0500

    assert non-NULL ptrs before calling mem funcs

    The definitions of memcpy(), memmove(), and memset() state that
    the behaviour is undefined if any of the pointer arguments are
    NULL, and some compilers are known to make use of this to
    optimise away existing NULL checks in the source.

    Change-Id: I489bc256e3eac7ff41d91becb0b43aba73dbb3f9
Link: https://www.imperialviolet.org/2016/06/26/nonnull.html
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 9936038fae72fb440864be543e9afd500444d502)

third_party/heimdal_build: Add KDC_LIB macro definitions

This is an adaptation to Heimdal:

commit 7bb00a40eabbed2bc1c268f5244bfb9736d9bebe
Author: Luke Howard <lukeh@padl.com>
Date: Tue Jan 4 13:08:35 2022 +1100

kdc: fix Windows build

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 6d8fec7006e8eadf5967a6f2f5add7d3c2c7bd3e)

auth: Cope with NULL upn_name in PAC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit ef95fb439237910b945b8d6a3ad4a140a8d6d1ea)

s4:sam: Don't use talloc_steal for msg attributes in authsam_make_user_info_dc()

This is most likely not a problem for the current callers,
but that it is unexpected and will likely cause problems with future
changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14993
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f6fe86924c2ca756083d3628d5dbace0b12d06b0)

smbd: Fix a use-after-free

stat_cache_lookup() allocates its result on top of talloc_tos().
filename_convert_smb1_search_path() creates a talloc_stackframe(),
which makes the names which were supposed to be allocated on the "ctx"
parameter of filename_convert_smb1_search_path() go away too
early. Reparent the results from stat_cache_lookup() properly.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14989

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 1 20:59:55 UTC 2022 on sn-devel-184

(cherry picked from commit 8c97743511e4d53f795f2469a28aabfb96da0dfa)

VERSION: Bump version up to Samba 4.16.0rc5...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger@samba.org>

VERSION: Disable GIT_SNAPSHOT for the 4.16.0rc4 release.

Signed-off-by: Jule Anger <janger@samba.org>

WHATSNEW: Add release notes for Samba 4.16.0rc4.

Signed-off-by: Jule Anger <janger@samba.org>

waf: re-add missing readlink test

this was another portability regression that came with the moving to waf

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13631

Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Feb 18 23:12:51 UTC 2022 on sn-devel-184

(cherry picked from commit 45cb14ac80889ac913f7f76dbfaebcb4d5ee14fd)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Sun Feb 27 20:03:27 UTC 2022 on sn-devel-184

readlink test: inverse return code

We need to return 0 in case readlink is *broken* here - this is because our waf
CHECK_CODE function does only allow generating defines in case the test succeeds

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13631

Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit e225ab70db0cc01454d319eaca5265d7e33f396c)

vfs_aixacl: add proper header file

BUG: https://bugzilla.samba.org/show_bug.cgi?id=7239

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 396c17160c19c6df43123074bf62268c6ed0f9e4)

wscript: s/default/required/ _static_modules for the acl modules

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14974

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 89e903985b6968c5becc69b757b23144b1aba66e)

acl: fix function arguments for AIX' and Solaris' sys_acl_get_fd()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14974

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 183ab5ced8377b63ad07d2e810396d3b414f4a7d)

s3:winbind: Use the canonical principal name to renew the credentials

The principal name stored in the winbindd ccache entry might be an
enterprise principal name if enterprise principals are enabled. Use
the canonical name to renew the credentials.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 8246ccc23d064147412bb3475e6431a9fffc0d27)

Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Fri Feb 25 18:08:19 UTC 2022 on sn-devel-184

s3:winbind: Store canonical principal and realm in ccache entry

They will be used later to refresh the tickets.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 0f4f330773d272b4d28ff3ba5a41bdd4ba569c8b)

s3:libads: Return canonical principal and realm from kerberos_return_pac()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 00b1f44a7e8f66976757535bcbc6bea97fb1c29f)

lib:krb5_wrap: Fix wrong debug message and use newer debug macro

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 1b5b4107a5081f15ba215f3025056d509fcfcf2a)

lib:krb5_wrap: Improve debug message and use newer debug macro

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit ed14513be055cc56eb39785323df2c538a813865)