s4:kdc: Pass supported enctypes to samba_kdc_set_random_keys()

We should not supprise the callers by returning more keys than we asked to
filter by and avoids duplicating the protected_users logic within
samba_kdc_set_fixed_keys().

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Pass supported enctypes to samba_kdc_set_fixed_keys()

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: teach samba_kdc_message2entry_keys() to handle old and older keys too

We return the requested kvno if given, otherwise we include the
old and older keys for CLIENT|FOR_AS_REQ or SDB_F_ADMIN_DATA lookups.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: add old and older keys to sdb_entry

This is the first step to return the password history
in order to avoid badPwdCount updates for failing
pre-authentication with passwords from the recent history.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: pass flags and kvno down to samba_kdc_message2entry_keys()

We need a ways to ask for a specific kvno if SDB_F_KVNO_SPECIFIED
is requested. And also include the old and older keys from
the password history in the next commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: finally remove unused 'struct sdb_entry_ex'

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: avoid using sdb_entry_ex in hdb_samba4_{first,next}key()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: avoid using sdb_entry_ex in hdb_samba4_fetch_kvno()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: avoid using sdb_entry_ex in netr_samlogon_generic_logon()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: avoid using sdb_entry_ex in mit_samba_get_{first,next}key()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: avoid using sdb_entry_ex in mit_samba_get_principal()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: avoid using sdb_entry_ex in samba_wdc_reget_pac()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:libnet: avoid using sdb_entry_ex and use sdb_entry directly

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: samba_kdc_{first,next}key() only need sdb_entry

sdb_entry_ex will be removed shortly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: samba_kdc_fetch() only needs sdb_entry

sdb_entry_ex will be removed shortly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: remove unused sdb_entry_ex_to_kdb_entry_ex()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: use sdb_entry_to_krb5_db_entry() directly

We should avoid sdb_entry_ex, as it will be removed soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: remove unused sdb_entry_ex_to_hdb_entry_ex()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: use sdb_entry_to_hdb_entry() directly

We should avoid sdb_entry_ex, as it will be removed soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: hdb_samba4_fetch_fast_cookie() don't need sdb_entry_ex

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: samba_kdc_seq() only needs sdb_entry

sdb_entry_ex will be removed shortly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: samba_kdc_fetch_server() only needs sdb_entry

sdb_entry_ex will be removed shortly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: samba_kdc_fetch_krbtgt() only needs sdb_entry

sdb_entry_ex will be removed shortly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: samba_kdc_fetch_client() only needs sdb_entry

sdb_entry_ex will be removed shortly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: samba_kdc_lookup_realm() only needs sdb_entry

sdb_entry_ex will be removed shortly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: only pass sdb_entry to samba_kdc_message2entry()

It no longer needs sdb_entry_ex.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: only pass sdb_entry to samba_kdc_trust_message2entry()

It no longer needs sdb_entry_ex.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: only ZERO and free sdb_entry in samba_kdc_trust_message2entry()

sdb_entry_ex only contains sdb_entry, so this is still doing
the same, but we want to remove sdb_entry_ex soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: s/entry_ex->entry\./entry->/g in samba_kdc_trust_message2entry()

We should avoid using entry_ex->entry as sdb_entry_ex will be removed.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: only ZERO and free sdb_entry in samba_kdc_message2entry()

sdb_entry_ex only contains sdb_entry, so this is still doing
the same, but we want to remove sdb_entry_ex soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: s/entry_ex->entry\./entry->/g in samba_kdc_message2entry()

We should avoid using entry_ex->entry as sdb_entry_ex will be removed.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: only pass sdb_entry to samba_kdc_message2entry_keys()

sdb_entry_ex will be removed as it just contains sdb_entry.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: remove unused principal argument to samba_kdc_trust_message2entry()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: split out a samba_kdc_fill_user_keys() helper function

This will simplify further changes, e.g. asking for a specific kvno
or returning the password history in order to prevent
badPwdCount updates with passwords in the history.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: remove Primary:Kerberos usage from samba_kdc_message2entry_keys()

Most likely the kerberos libraries don't support DES anymore, so
there's no point in exposing them at all.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: only pass keys to samba_kdc_set_random_keys()

This prepares the removal of sdb_entry_ex.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: only pass sdb_keys to samba_kdc_set_fixed_keys()

This prepares the removal of sdb_entry_ex.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: add a samba_kdc_sort_keys() function using TYPESAFE_QSORT()

This is better than calloc/free each time.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: expose a sdb_entry_free() function

We'll remove sdb_entry_ex soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: expose sdb_entry_to_hdb_entry() function

We'll remove sdb_entry_ex soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: expose a sdb_entry_to_krb5_db_entry() function

We'll remove sdb_entry_ex soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: let samba_kdc_entry take references to sdb_entry and kdc_entry

kdc_entry can be hdb_entry or krb5_db_entry.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: make the logic between ZERO_STRUCTP(entry_ex) and sdb_free_entry(entry_ex) clearer

samba_kdc_[trust_]message2entry() always starts with
ZERO_STRUCTP(entry_ex) and cleans up on error with
sdb_free_entry(entry_ex), leaving a cleared structure again.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: let sdb_entry have a typed samba_kdc_entry pointer

Both layers are owned by us so there's no need for an void
pointer.

This simplifies the code a lot and allows further cleanups.
Eventually we can remove sdb_entry_ex and only use sdb_entry,
as Heimdal also removed hdb_entry_ex.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: remove unused samba_kdc_entry->entry_ex

It will only ever point to an sdb_entry_ex
and becomes a stale pointer fast, as
sdb_free_entry() called before any talloc_free()
can happen (with a destructor still set).

Note the talloc parent of samba_kdc_entry
is the samba_kdc_db_context longterm context.

The next commits will fill samba_kdc_entry_destructor
with logic again, but for now remove the unused code.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: split out a sdb_keys_free() helper function

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: rename free_sdb_key() as public sdb_key_free() function

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: make free_sdb_entry() static

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: let samba_kdc_entry_destructor() call sdb_free_entry()

It's basically the same as free_sdb_entry(), but the next
step will make free_sdb_entry() private.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: don't leak salt in free_sdb_key()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: call krb5_free_keyblock_contents() in free_sdb_key()

This is much clearer than doing it in sdb_free_entry() already.
It also simplifies the next cleanups.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: remove unused sdb_entry_ex->free_entry()

It seems we need to take a closer look at the
memory hierachy of the sdb_entry related code.

I'll check that during the next commits,
but for now just remove use the unused hook.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:libnet: ask for SDB_F_ADMIN_DATA in order to create a keytab entry

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:libnet: sdb_free_entry() already clears everything

There's no need to know about '.free_entry'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: let sdb_free_entry clear sdb_entry_ex at the end

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: let sdb_entry_ex_to_krb5_db_entry() initialize 'k' at the beginning

This is clearer and make further changes easier.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: let sdb_entry_to_hdb_entry() initialize *h at the beginning

This is clearer and make further changes easier.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: remove unused mkvno from sdb_key

This is not related to the kvno of the key,
the mkvno tells the HDB layer that the keys need to
be decrypted with a master key (with the given [m]kvno).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: strictly have 2 16-bit parts in krbtgt kvnos

Even if the msDS-KeyVersionNumber of the main krbtgt
account if larger than 65535, we need to have
the 16 upper bits all zero in order to avoid
mixing the keys with an RODC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14951

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

smbd: Make an if-statement in ReadDirName() a bit more readable

Align to make the () structure more obvious

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar 23 17:53:09 UTC 2022 on sn-devel-184

smbclient: strequal() -> ISDOT/ISDOTDOT

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Use ISDOT/ISDOTDOT in ReadDirName()

With those macros, we check n[0] twice now, but I think the compiler
should either optimize that out or if it can't this will be in the CPU
cache, so the second check should be practially free. I can't imagine
this makes any difference but the better readability.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Fix a misleading comment

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Avoid an "else"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: Use talloc_zero, save a ZERO_STRUCT

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: Add a pair of {}

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: Slightly simplify add_interface()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Make non_widelink_open() robust for non-cwd dirfsp

If you pass in dirfsp!=conn->cwd_fsp and a stream fsp, we don't chdir
to the parent pathname, and thus we also don't overwrite
fsp->base_fsp.

fsp->base_fsp!=NULL is thus the wrong condition to restore the
original base fsp name: If we open a stream with a non-cwd_fsp dirfsp,
we would overwrite fsp->base_fsp->fsp_name with NULL.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

replace: add explicit function pointer casting from dlsym() to avoid warnings

This avoids a lot of warnings on AIX.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Mar 23 13:27:45 UTC 2022 on sn-devel-184

lib/replace: Do not typedef int bool

We need a genuine boolean type, as otherwise expressions like

bool foo = (4 & 4);
if (foo == true) {
exit(1);
} else {
exit(2);
}

could evaluate differently on non-modern platforms, and
that would be a real pain to debug.

_Bool and bool are in C99

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15028

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Mar 23 12:31:47 UTC 2022 on sn-devel-184

gitlab-ci: Drop Debian 10

It should be enough to build on the latest Debian version. We have older
Ubuntu versions already.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

gitlab-ci: Update to openSUSE 15.3

This drops openSUSE 15.1 and 15.2 to save some CI resources.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

gitlab-ci: Drop Fedora 34

It should be enough to run on the latest Fedora version. This should save us
some CI minutes. We have CentOS runners and I would prefer to add CentOS9
Stream.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

gitlab-ci: Use Ubuntu 20.04 for Coverity

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

gitlab-ci: Remove unused variable for ubuntu1604

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3: smbd: Don't allow setting the delete on close bit on a directory if it contains non-visible files and "delete veto files = no".

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15023

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 22 17:48:25 UTC 2022 on sn-devel-184

s3: torture: Add 2 new tests SMB2-DEL-ON-CLOSE-NONWRITE-DELETE-NO, SMB2-DEL-ON-CLOSE-NONWRITE-DELETE-YES.

We currently allow setting the delete on close bit for
a directory containing only explicitly hidden/vetoed files
in the case where "delete veto files = yes" *and*
"delete veto files = no". For the "delete veto files = no"
case we should be denying setting the delete on close bit
when the client tries to set it (that's the only time Windows
looks at the bit and returns an error to the user). We
already do the in the dangling symlink case, we just
missed it in the !is_visible_fsp() case.

Mark SMB2-DEL-ON-CLOSE-NONWRITE-DELETE-NO as knownfail
for now.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15023

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>

WHATSNEW: Mention our matrix room as well

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Jule Anger <janger@samba.org>
Autobuild-Date(master): Mon Mar 21 13:52:06 UTC 2022 on sn-devel-184

WHATSNEW: IRC is irc.libera.chat according to https://samba.org/samba/irc.html

Signed-off-by: Thomas Debesse <dev@illwieckz.net>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:rpc_server/samr: Use extended DN when searching for user

Switch to dsdb_search() for looking up the user for changing the
password, and specify that we want extended DNs. Using the SID or GUID
avoids a race condition if the DN of the user changes.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 18 12:45:17 UTC 2022 on sn-devel-184

samba-tool group: Add --special parameter to add predefined special group

This allows default security groups that have been added since Windows
Server 2008 R2, such as Protected Users, to be created in pre-existing
domains. An error message is generated if a group already exists with
the same name, DN, or SID.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

functionalprep.sh: Add test for samba-tool add group --special

Test that we can add the special Protected Users group, and that we get
an appropriate error message when attempting to add it a second time.

We add these tests here so that we can make use of an old provision that
does not already have the Protected Users group added.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

tests/sam: Ensure that Protected Users group cannot be deleted

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:rpc_server/samr: Simplify lp_ctx expression

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:auth: Disable NTLM authentication for Protected Users

We also move the authentication to after checking whether the user is
protected, so that if a user in the Protected Users group tries to
authenticate with a wrong password, the bag password count is not
incremented and the account is not locked out. This does not match
MS-APDS, but matches the behaviour of Windows.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Add KDC support for Protected Users group

Accounts in the Protected Users group acting as clients lack support for
the RC4 encryption type. TGTs issued to such accounts have a lifetime
restricted to four hours, and are unable to be proxied or forwarded.

To determine at lookup time whether a client account is a member of
Protected Users, we now also create an auth_user_info_dc structure when
creating the database entry for an AS-REQ, rather than only when
creating a PAC for a TGT, or when recreating the PAC from an RODC-issued
TGT.

This means that the user's groups are now expanded even for AS-REQs that
result in an error (such as a PREAUTH_REQUIRED error), but this is
required to be able to correctly determine the account's available
encryption types, which are needed soon after fetching the user account.

Currently, the TGT lifetime may exceed four hours (for Heimdal
specifically). This may happen if PKINIT is used, and either the
pkinit_max_life_from_cert_extension option is TRUE and
pkinit_max_life_bound is greater than four hours, or
pkinit_max_life_from_cert is greater than four hours.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Add function to get user_info_dc from database

The resulting user_info_dc is kept in the 'samba_kdc_entry' structure,
so it can be reused between calls.

This allows us to simplify samba_kdc_get_pac_blobs(), as it no longer
need to return a user_info_dc structure.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: simplify samba_kdc_message2entry by using data_blob_string_const("computer")

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

dsdb/common: Add helper function for determining if account is in Protected Users group

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:provision_users.ldif: Add Protected Users group

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

tests/passwords: Test that LDAP password changes work for Protected Users

We want to disable SAMR password changes for Protected Users, but need
to ensure that other methods of changing the password still work.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

tests/password_lockout: Test NTLM and SAMR password changes with Protected Users

Test that NTLM and SAMR password changes cannot be used for Protected
Users, and that lockouts are not triggered for attempting to use them.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

tests/krb5: Add tests for the Protected Users group

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

auth/credentials: Add encrypt_samr_password()

This method encrypts a samr_Password structure with the current session
key, which allows for interactive SamLogon from Python.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

selftest/dbcheck: Fix up msDS-RevealedUsers links with deleted target DN

Replicating test accounts to the RODC and then deleting them caused
stale msDS-RevealedUsers links to remain in the database.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

tests/krb5: Add helper function to modify ticket flags

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

tests/krb5: Remove unused import

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

tests/krb5: Add account to cleanup list before adding it to database

This ensures accounts are still cleaned up if a test fails before adding
it to the cleanup list.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

tests/krb5: Add more encryption type constants

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

tests/krb5: Remove accounts in reverse order of addition

This prevents problems if accounts are added as children of other
accounts.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>