tests/krb5: Test retrieving a denied gMSA password over an unsealed connection

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:ldap_server: Update gMSA keys when DSDB_CONTROL_GMSA_UPDATE_OID control is specified

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb:tests: Make use of ‘ldb’ parameter

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:crypto: Add more unit tests for GKDI functions

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb: Make use of DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS search flag

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb: Implement DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS search flag

View with ‘git show -b’.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Correctly extract older NT hash

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Note that lockout tests use password checks

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Fix malapropism

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Remove unnecessary cast

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pyglue: Remove unnecessary declaration

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Fix grammar

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth:credentials: Remove unnecessary declaration

This declaration is a hold‐over from the Python 2 module initialization
pattern.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth:credentials: Fix code spelling

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python: Reformat code

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4-gmsa: Do not attempt password set on remote LDAP connections

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

s4:dsdb: Add dsdb_update_gmsa_keys()

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb: Move the responsibility for determining whether an account is a gMSA out of gmsa_recalculate_managed_pwd()

and into its callers.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb: Indicate to the LDAP server physical passwords that need to be refreshed

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb: Store found managed password ID as part of gMSA update structure

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb: Store account DN as part of gMSA update structure

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb: Only reuse the current password ID as the previous password ID when appropriate

This should already be the case given the current logic, but let’s make
it explicit.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb: Add a note that administrators should not set the clock too far in the future

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb: No longer pass DSDB_SEARCH_ONE_ONLY flag to dsdb_search_dn()

As dsdb_search_dn() ignores this flag, passing it in doesn’t achieve
anything.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb: Explicitly return success error code

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add tests that gMSA keys are updated in the database when appropriate

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Import MAX_CLOCK_SKEW more directly

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Extract method to unpack supplementalCredentials blob

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Skip loop iteration if attribute has no values

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

ldb: Check result of py_ldb_msg_keys()

Passing NULL into PyObject_GetIter() can cause a segmentation fault.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

ctdb-scripts: Do not de-duplicate the interfaces list

Using xargs with sort -u to de-duplicate this list was my idea and
causes a couple of things to go wrong.  The use of xargs causes
double-quotes to be lost.  The resulting $public_ifaces value also
contains newlines.  The newlines could be removed with an additional
xargs at the end of the pipeline... but that would add an extra level
of quote stripping.

I have unsuccessfully tried to find an alternative, but still elegant,
command pipeline that de-duplicates the list, while maintaining
quoting.

So, just drop the de-duplication.

This might make interface_ifindex_exists_with_options() slightly less
efficient.  However, that function walks the whole list, only
terminating early when a match is found on both interface and options,
so at least it will be correct.

Include an extra testcase.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Thu Apr 18 09:08:34 UTC 2024 on atb-devel-224

python: Fix NtVer check for site_dn_for_machine()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15633

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Apr 17 19:32:11 UTC 2024 on atb-devel-224

lib: Remove an obsolete comment

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Apr 17 09:01:34 UTC 2024 on atb-devel-224

smbd: Remove sconn->using_smb2

We have the same information available via conn_using_smb2()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>

smbd: Add conn_using_smb2()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>

smbd: Change protocol selection to not use "sconn->using_smb2"

To me this is pretty confusing, it seems to overload this struct
element.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>

ctdb: Modernize a few DEBUGs

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Apr 17 00:54:55 UTC 2024 on atb-devel-224

ctdb: Remove common/line.[ch]

This was an implementation of getline(3), use that instead.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>

ctdb: Use stdio's getline() in ctdb_connection_list_read()

This is the only user of common/line.[ch], which can go next.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>

lib: Use fdopen_keepfd()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>

rpc_server3: Use fdopen_keepfd()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>

lib: Add fdopen_keepfd()

Capture the dup/fdopen pattern

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>

lib: Give lib/util/util_file.c its own header file

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>

ctdb-scripts: Add options to generate smb.conf interfaces include file

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

ctdb-scripts: Rename and relocate function get_all_interfaces()

get_all_interfaces() functions gets all names for all public interfaces.
However name is misleading. Thus renamed it to get_public_ifaces() and
moved it under functions.

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

smbd-server: Process ip add/drop events for options:dynamic only

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib-interface: Change API for interface 'options'

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib-interface: Add parsing for interface 'options'

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib-interface: Add extra parameter 'options' to interface definition

Signed-off-by: Vinit Agnihotri<vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

param: Add additional key 'options' for interfaces

The key 'options' specifies if server should spawn/kill listning sockets
in event of add/dropped ip addresses on specified interface.

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

smbd-server: Use MSG_SMB_IP_DROPPED

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

messaging: Add new SMBD message

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

smbd-server: Handle ip drop event and close listening socket

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

smbd-server: Open socket for additional ip address

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib-interface: Add new API to validate interface info for given interface index

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib-addrchange: Change API to fill up if_index value from netlink msg

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

smbd-server: Set event callback for interface change notification

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

docs: Document new tdbdump -x option

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Tue Apr 16 18:37:17 UTC 2024 on atb-devel-224

tdb: Add test for tdbdump -x

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tdb: Add tdbdump option to output all data as hex values

This can be useful for debugging tdb databases, the hex output of the
key can be used for "net tdb" or ctdb commands.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tdb: Add test for tdbdump command

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tdb: Return failure as exit status from test_tdbbackup.sh

When this test is called from wscript, only the exit code is checked.
Track failures and return as non-zero exit code.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3: winbindd: winbindd_pam: fix leak in extract_pac_vrfy_sigs

Add missing free for entry variable and its members : key and principal
Found definite memory leaks via valgrind as shown below.

Leak 1 :
==1686== 76,800 bytes in 2,400 blocks are definitely lost in loss record 432 of 433
==1686==    at 0x4C38185: malloc (vg_replace_malloc.c:431)
==1686==    by 0x79CBFED: krb5int_c_copy_keyblock_contents (keyblocks.c:101)
==1686==    by 0x621CFA3: krb5_mkt_get_next (kt_memory.c:500)
==1686==    by 0x141186: extract_pac_vrfy_sigs (winbindd_pam.c:3384)
==1686==    by 0x141186: winbindd_pam_auth_pac_verify (winbindd_pam.c:3434)
==1686==    by 0x17ED21: winbindd_pam_auth_crap_send (winbindd_pam_auth_crap.c:68)
==1686==    by 0x127F45: process_request_send (winbindd.c:502)
==1686==    by 0x127F45: winbind_client_request_read (winbindd.c:749)
==1686==    by 0x124AAF: wb_req_read_done (wb_reqtrans.c:126)
==1686==    by 0x66D4706: tevent_common_invoke_fd_handler (tevent_fd.c:142)
==1686==    by 0x66DAF4E: epoll_event_loop (tevent_epoll.c:737)
==1686==    by 0x66DAF4E: epoll_event_loop_once (tevent_epoll.c:938)
==1686==    by 0x66D8F5A: std_event_loop_once (tevent_standard.c:110)
==1686==    by 0x66D39B4: _tevent_loop_once (tevent.c:823)
==1686==    by 0x1232F3: main (winbindd.c:1718)

Leak 2 :
==1686==    at 0x4C38185: malloc (vg_replace_malloc.c:431)
==1686==    by 0x62255E4: krb5_copy_principal (copy_princ.c:38)
==1686==    by 0x621D003: krb5_mkt_get_next (kt_memory.c:503)
==1686==    by 0x141186: extract_pac_vrfy_sigs (winbindd_pam.c:3384)
==1686==    by 0x141186: winbindd_pam_auth_pac_verify (winbindd_pam.c:3434)
==1686==    by 0x17ED21: winbindd_pam_auth_crap_send (winbindd_pam_auth_crap.c:68)
==1686==    by 0x127F45: process_request_send (winbindd.c:502)
==1686==    by 0x127F45: winbind_client_request_read (winbindd.c:749)
==1686==    by 0x124AAF: wb_req_read_done (wb_reqtrans.c:126)
==1686==    by 0x66D4706: tevent_common_invoke_fd_handler (tevent_fd.c:142)
==1686==    by 0x66DAF4E: epoll_event_loop (tevent_epoll.c:737)
==1686==    by 0x66DAF4E: epoll_event_loop_once (tevent_epoll.c:938)
==1686==    by 0x66D8F5A: std_event_loop_once (tevent_standard.c:110)
==1686==    by 0x66D39B4: _tevent_loop_once (tevent.c:823)
==1686==    by 0x1232F3: main (winbindd.c:1718)

Signed-off-by: Shaleen Bathla <shaleen.bathla@oracle.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Apr 16 10:22:51 UTC 2024 on atb-devel-224

s4:dsdb: Implement msDS-ManagedPassword attribute

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Apr 16 05:02:30 UTC 2024 on atb-devel-224

s4:dsdb: Add extra attrs to search request even if replacement attribute is NULL

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python:tests: Catch failures to authenticate with gMSA managed passwords

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest: Expand out knownfails for gMSA getpassword tests

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb: Set up passwords and password IDs of new gMSAs

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb: Add functions for Group Managed Service Accounts implementation

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb: Factor out a function to remove all password related attributes

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:crypto: Reformat source code

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add tests for gMSAs

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python:nt_time: Add NT_TIME_MAX constant

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python:gkdi: Reformat code with ‘ruff’

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python:gkdi: Add Gkdi.from_key_envelope() method

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python:gkdi: Add notes on GKDI time periods

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/gkdi: Change ‘current_gkid’ parameter to ‘current_time’

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/gkdi: Remove implicit clock skew offset

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/gkdi: Allow current time to be overridden

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Make use of ‘expect_edata’ parameter

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Remove unused variable

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Fix code spelling

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Remove unused import

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python:tests: Fix typo

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python:tests: Reformat code

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python:tests: Fix set declaration

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python:tests: Replace deprecated method assertRaisesRegexp()

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:ldap_server: Consider ldapi connections to be encrypted

Modifications to unicodePwd require an encrypted connection. This change
allows unicodePwd to be modified over an ldapi connection.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15634

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:ldap_server: Store whether an LDAP connection is over ldapi

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15634

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:ldap_server: Add copy of non‐privileged ops specifically for ldapi connections

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15634

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:ldap_server: Rename privileged ops to indicate they are used for ldapi

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15634

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:ldap_server: Fix code spelling

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15634

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:ldap_server: Remove trailing whitespace

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15634

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest: Move some KDS root key tests around to prepare for gMSA server side

Once we have a gMSA server side the impact of deleting root keys becomes real
and so we must do this in a quiet place where it can not impact on other things.

Likewise, we want the samba.tests.dsdb_quiet_provision_tests tests to run
somewhere that is not doing other things, so we can see what a bare provision
will do.  We must not allow test ordering inside the file to cause tests that
create root keys to run before checking if provision created a usable root key.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

selftest: Remove duplicate setup of "spn/upn namespaces" in the customdc testenv

The call to $self->setup_namespaces() was allways in error, as the design
is to have the in the state that it was backed up in, but before commit
08be28241b808845c4b51a4c47765a9416ca3aa7 the error return was not
checked and so this was harmless.

The customdc environment is not tested in selftest currently, as
it is intended to be used for manual testing of domains from backup
files not as an automatically constructed environment.

This makes:
 BACKUP_FILE=samba-backup-2024-04-11T14-10-20.437096.tar.bz2 SELFTEST_TESTENV=customdc make testenv
work again.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

s3:auth: Add support standalone server with MIT Keberos 1.21

This adds support for MIT Kerberos minimal PAC. Tickets from pure
Kerberos realms with MIT Kerberos 1.21 or newer will always include a
minimal PAC. The PAC include the checksum buffers and a logon_name PAC
buffer.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:auth: Split auth3_generate_session_info_pac() into functions

This gets rid of the multiple goto and just have a single destructor
goto.
Best view this commit with `git show -b <sha> --color-moved=zebra`

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:auth: Re-format auth3_generate_session_info_pac()

This is in preparation to split up the function into several functions.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:auth: Remove trailing spaces

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

smbdotconf: Enable "winbind debug traceid" by default

The traceid debug header field is a useful feature, let's make it
default.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15631

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Mon Apr 15 18:47:41 UTC 2024 on atb-devel-224