smbd: Pass "char*" to dos_mode_from_name()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Pass stat_ex and files_struct to dos_mode_from_sbuf()

Will enable simplification of dos_mode_msdfs()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Extend openat_pathref_dirfsp_nosymlink()

Turn it into openat_pathref_fsp_nosymlink() which opens not only
directories but normal files and symlinks too. If it finds a symlink,
return NT_STATUS_STOPPED_ON_SYMLINK and all the metadata we can find:
struct stat_ex plus the symlink target.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

test: skip the open-eintr test

With 7bb8af3f74c we already had to tune the error_inject VFS object to filter
out the openat-calls coming from filename_convert_dirfsp&friends. With
the next patch openat() will be called from even more places, and I
don't really see a good way to properly deal with EINTR in all the
places where it can happen. The real case where EINTR is something we
need to handle properly I guess is with kernel oplocks active: open()
waits for another process to give up its kernel oplock, which opens
the window for EINTR to become a valid case to properly take care
of. For all other opens I would be willing to live with the fact that
we just return an error message that might be different from Windows.

To detect that kernel oplock case properly, with O_PATH we have to
look at the /proc/self/fd/<n> reopen or the O_EMPTY_PATH FreeBSD
flavor from inside the error_inject module I guess. But then, the
second time we come around the corner we have to let it pass.

Difficult to properly test, disable the test for now.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Fully fill in fsp in openat_pathref_fsp_nosymlink_internal()

Prepare for allowing openat_pathref_fsp_nosymlink() to open real files
in the next patches.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Lift up conn->cwd from openat_pathref_dirfsp_nosymlink()

The goal of this patch is to make the next patches smaller. Next
patches will also make openat_pathref_dirfsp_nosymlink() open real
files, not only directories.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Factor out full_path_extend()

This logic will be used in another place in the next commit

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Add read_symlink_reparse()

Fake up a symlink reparse point structure from an on-disk reparse
point.

Turn in-share absolute symlinks into relative ones for the client to
properly follow symlinks. Pass on everything else as-is. In particular
clients follow symlinks pointing at \\server\share\...

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Apply some README.Coding to dos_mode_from_sbuf()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Simplify dos_mode_msdfs()

This is exactly what dos_mode_from_name() does.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Move dos_mode_from_name() up in dosmode.c

Is useful in dos_mode_msdfs() as well.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Slightly simplify smbd_dirptr_get_entry()

Implementing virtually empty directories for "dont descend" looks
easier to me this way. It should also be an optimization, because now
we don't walk the whole directory anymore after . and .., which always
come first anyway.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

.gitlab-ci:bootstrap: remove ubuntu1804*, add debian12, upgrade opensuse 15.5

Signed-off-by: Stefan Metzmacher <metze@samba.org>
[abartlet@samba.org Use Debian 11 for the 32 bit host as the compile
 currently fails - just exits without information - mid-way on Debian 12]

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jun 30 08:51:17 UTC 2023 on atb-devel-224

third_party: Update socket_wrapper to version 1.4.2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jun 29 16:06:11 UTC 2023 on atb-devel-224

s3:utils: smbget fix a memory leak

Using smbget to download files recursively (-R).

If smbget found that a file is already existed in the destination,
smbget would said 'File exists', return early, and 'newname' allocated
memory is never freed, this is found by valgrind.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15403

Signed-off-by: Jones Syue <jonessyue@qnap.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jun 28 07:02:34 UTC 2023 on atb-devel-224

s4:kdc: don't log an error if msDS-AllowedToActOnBehalfOfOtherIdentity is missing

We log a warnings if access is not granted from a security descriptor in
msDS-AllowedToActOnBehalfOfOtherIdentity, so we should use the same log
level if msDS-AllowedToActOnBehalfOfOtherIdentity is not available at
all.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jun 27 06:39:08 UTC 2023 on atb-devel-224

s4:kdc: Include default groups in security token

This is consistent with the behaviour of the existing function
_authn_policy_access_check() and of Windows.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Implement Heimdal hook for resource-based constrained delegation

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

tests/krb5: Adjust authentication policy RBCD tests to expect appropriate failure statuses

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

tests/krb5: Be less strict regarding acceptable delegation error codes

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Remove useless sdb → hdb error code translation

samba_kdc_check_s4u2proxy() is never going to return an SDB_* error
code, so these conditions can never be hit.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Initialize pointers with NULL

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

third_party/heimdal: Import lorikeet-heimdal-202306200407 (commit fc2894beeaa71897753975154a5f7fd80b923325)

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

smbd: Don't mask open error if fstatat() fails

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15402
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Jun 26 16:53:21 UTC 2023 on atb-devel-224

tests: Show smbd returns wrong error code when creating on r/o fs

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15402
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

error_inject: Enable returning EROFS for O_CREAT

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15402
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

error_inject: map EROFS

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15402
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: Don’t overwrite error code

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jun 26 12:11:30 UTC 2023 on atb-devel-224

s4:kdc: Add comment to clarify that we fetch the client claims

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: clear client and device claims from trusts

As we don't support the Claims Transformation Algorithm [MS-CTA]
we better clear claims as they have no valid meaning in our domain.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Make [client,device]_claims_blob const pointers

This is so that we can have them point to ‘null_data’ if we so choose.

We can’t assign the result of data_blob_talloc() to a const pointer, so
we go through an intermediary non-const pointer for the
device_claims_blob case.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Remove unnecessary NULL check

pac_blobs_add_blob() already checks whether the blob argument is NULL,
and skips adding the blob if so.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: pass krbtgt skdc_entries to samba_kdc_update_pac()

For now we only pass in the krbtgt that verified the client pac
and optionally the krbtgt that verified the device pac.

These can be different depending on the domain of the related
principals.

If we want to apply SID filtering in future we may also need
to pass in the krbtgt that verified the delegated_proxy_pac,
but that needs more research and if not required for the
following changes.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: adjust formatting of samba_kdc_update_pac() documentation

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Enforce authentication policy service restrictions when getting a PAC

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Check authentication policy server restrictions

For a constrained delegation request, we need to pass ‘delegated_proxy’
(and the delegated proxy PAC, if one was provided) into
samba_kdc_update_pac() so that we can verify that the delegating server
is allowed to authenticate to the target server.

The ‘const’ is entirely unnecessary in a function declaration, but we
add it just to be consistent.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Check authentication policy device restrictions

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Add comment stating that policies aren’t looked up for S4U clients

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

tests/krb5: Test that client policies are not enforced with S4U

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

tests/krb5: Fix RBCD comments

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

tests/krb5: Don’t unnecessarily specify ‘id’

In tests where we have multiple accounts of the same type, we use the
‘id’ parameter to ensure that these accounts are all different, as some
restrictions are bypassed if an account authenticates to the selfsame
account. However, this is unnecessary if we already specify (with
‘use_cache=False’) that the cache is not to be used.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Remove unused ‘server’ parameter in pac_verify()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Handle new KDC_AUTH_EVENT_CLIENT_FOUND audit event

NOTE: This commit finally works again!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Ensure that we don’t log PREAUTH_REQUIRED errors

Such errors were not logged in the past, either, but that was accidental
— a result of failing too early for an authentication event to be set —
rather than the auditing being deliberately designed that way.

Now that we have added the KDC_AUTH_EVENT_CLIENT_FOUND event, we want to
ensure that PREAUTH_REQUIRED errors continue to go unlogged.

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Update Samba KDC plugin to match new Heimdal version

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

third_party/heimdal: Import lorikeet-heimdal-202306192129 (commit 0096f9c1dc105d8ac9f7dd96d653b05228f7d280)

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

tests/krb5: Add test for authenticating with disabled account and wrong password

This shows us that the client’s access is checked prior to passwords
being checked.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

tests/auth_log_pass_change: Fix flapping test

It appears that discardMessages() is still not entirely reliable. Ensure
that we filter out any messages from the Administrator’s authentication.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

netcmd: domain: Fix typo

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Align samba_kdc_update_pac() prototype in pac-glue.h with the implementation in pac-glue.c

Commit 6bd3b4528d4b33c8f7ae6341d166bea3a06cd971 diverged the const
declarations in the header, this brings them back in alignnment as
is Samba's normal practice.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jun 26 00:26:37 UTC 2023 on atb-devel-224

s4:kdc: Use talloc_get_type_abort()

We subsequently dereference the result without performing a NULL check.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Create a temporary talloc context on which to allocate

‘client->context’ is too long-lived to use for allocating short-term
data.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Return NTSTATUS and auditing information from samba_kdc_update_pac() to be logged

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Flip sense of condition

A negative condition incurs more cognitive load.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Unify common code paths

Perhaps view with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Use samba_kdc_obtain_user_info_dc() for !client_pac_is_trusted case

This will help to reduce code duplication and the number of branching
code paths.

View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Move adding compounded authentication SID out of samba_kdc_obtain_user_info_dc()

We may not always want this SID to be present. For example, to enforce
authentication policies as Windows does, we’ll want the client’s
security token without this SID.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Have samba_kdc_update_pac_blob() do less

Previously this function obtained the auth_user_info_dc structure, then
used it to update the PAC blob. Now it does only one thing: fetch the
auth_user_info_dc info and return it to the caller, who can then call
samba_get_logon_info_pac_blob().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Remove unused PAC_SIGNATURE_DATA parameters

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Log errors in samba_kdc_update_pac_blob()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Have samba_kdc_update_pac_blob() return krb5_error_code

This gives it more control over the final Kerberos error code, so that
we won’t always get ERR_GENERIC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add singular out path to samba_kdc_update_pac_blob()

This ensures that we always clean up resources.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Make krb5_principal parameters const

The ‘const’ is entirely unnecessary in a function declaration, but we
add it just to be consistent.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add helper function to determine whether a device is allowed to authenticate

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add helper function to determine whether authentication to a server is allowed

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add functionality to log client and server authentication policies

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:auth: Log authentication policies for NTLM authentication

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:auth: Add audit info parameters to check_password_recv()

These pointers can be set by implementing functions in order for them to
be logged in auth_check_password_recv().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:auth: Set ‘authoritative’ even if there is an error

This is consistent with all the other functions that set
‘authoritative’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth: Add functionality to log client and server policy information

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:audit_logging: Add function to return the JSON null object

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python:tests: Fix typos

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: domain: Fix typo

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Test authentication policy audit logging

For each test, we check the authentication logs and ensure the messages
are as we expect.

We only test AS-REQs and TGS-REQs with the Heimdal KDC at the moment,
assuming that MIT doesn’t support logging for those cases.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Test more authentication logging of TGT lifetimes

It is useful to test a combination of device restrictions and TGT
lifetime restrictions so that we can check what TGT lifetime values end
up in the logs.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Improve authentication policy creation

Don’t require passing in an ID to create an authentication policy.
Instead, have create_authn_policy() generate one for us.

We now return an actual AuthenticationPolicy object rather than just a
DN. This will give the tests more details to work with about the
policies.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netcmd: domain: add error handling to domain claims commands

Similar to the auth commands commit prior to this.

Where we wre catching LdbError before we now catch ModelError, all
exceptions that are known and handled in the model layer will have a
user-friendly error message.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

netcmd: domain: add error handling to domain auth commands

Where we wre catching LdbError before we now catch ModelError, all
exceptions that are known and handled in the model layer will have a
user-friendly error message.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

netcmd: domain: add model exceptions and error handling

* Only handle what we know, otherwise raise the existing LdbError
* Cutom messages added in the model layer so we don't have to do it in
  the commands themselves

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

netcmd: domain: model stores ldb message for save

The message is stored in self._apply which also gets called by
self.refresh()

This is the better thing to do than fetching in save.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

netcmd: domain: man page updates for auth silo and policy cli

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

netcmd: domain: silo member command tests

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

netcmd: domain: model field tests

Add tests for model fields to ensure they behave as expected when
calling from_db_value and to_db_value methods.

Add a base class for the tests themselves via a mixin as unittest
doesn't support abstract test case classes.

For each field, from_db_value and to_db_value must either be a list or
a property that returns a list.

The list contains input values and expected values, the expected value
can also be a callback for more complex comparison, this is used for
the possible claim values xml.

It is important that singular values and list values are tested, and
also None to ensure that fields properly get unset when a model is
saved.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

netcmd: domain: silo member add and remove does not write whole list

Writing the whole list at once can lead to data loss if multiple
administrators are doing this at the same time.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

netcmd: domain: remove parse_guid and parse_text as they are no longer used

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

netcmd: domain: claims: base class is no longer required

base.py has been removed as this has all been moved to the model layer

as the auth commands ldb is now just a local variable

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

netcmd: domain: claims: move claim value type lookup by attribute to model

Also, there was no need for the cached property previously in the
command, as the command only calls this once.

Fetching all value types seems excessive now with the new model layer,
we just fetch the one we need and get a model object back.

Use the method lookup, it's consistent with the rest, and raise either
LookupError or ValueError.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

netcmd: domain: claims: make use of AttributeSchema and ClassSchema models

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

netcmd: domain: add models for ClassSchema and AttributeSchema

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

netcmd: auth silos: remove base class

There is no point to the base class anymore.

And since the model layer has dramatically simplified the code in the
commands, ldb can just be a local variable.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

netcmd: domain: add test for silo if policy is a dn

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

netcmd: move get_policy method from base class to the model

There isn't much left of the base class, the next thing is to remove
it.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

netcmd: move method print_json to command base class

This is used in quite a few commands, move to base class.

This ensures the correct encoder class and settings are always used,
and they are only defined in one place.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

netcmd: fix import sort/grouping as per python standard

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

netcmd: move ldb_connect method to base class

This method is needed by just about every command and moving it here
is another step towards elinimanting the base classes in domain/auth
and domain/claim.

The base classes are almost empty now, since introducing the model
layer. The next step is to get rid of these base classes completely.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

netcmd: PEP257 fix incorrect docstring quotes

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

netcmd: domain: claims: use consistent naming for options

The name of the option should be the same as the attribute name.

You can still tell where it's being used (display_name), especially
now with the model layer:

    ClaimType.get(ldb, display_name=name)

The silo commands tend to use the `cn` field, while the claims
commands use the `displayName` field, but the option is always called
`name` for consistency.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

netcmd: domain: claim commands use the model layer

This makes it consistent with the auth silo code, both should now make
use of the models.

Claims commands are now using the model layer with one exception and
that is the get_attribute_from_schema and get_class_from_schema
methods in the base class.

These will be made into models in another commit.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

netcmd: domain: fix claims constant name was wrong should be claim type CN

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

netcmd: domain: fix attributes created by test setUp method

Discovered this while converting the claims cli commands to use the
models, some tests failed.

The reason for this was that they relied on the attributes in the list
ATTRIBUTES to exist.

However, then we have to also prefix the attributes we create in the
test_claim_type_create test.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>