s4:dsdb/descriptor: pass parent guid to dsdb_module_schedule_sd_propagation()

This is preparation to optimize the security descriptor propagation
in the following commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb/descriptor: skip duplicates in descriptor_extended_sec_desc_propagation()

During replication we may need to fallback to using DRS_GET_TGT,
which means that we'll get a lot of objects more than once,
the most important one it the partition root object.

It means we'll also do the security descriptor propagation more than
once for these objects, which is extrememly costly for the partition
root objects and other objects near the root.

I analyzed a domain where we collected ~ 50000 descriptor_changes
registrations for the initial replication of ~ 22000 objects
in the database.
For that domain we spend ~ 4 hours for the security descriptor
propagation in descriptor_prepare_commit(), while the replication
itself was finished in less than 2 minutes.

With this change we reduce the number of registered/processed
descriptor_changes down to ~ 22000, while is reduces the time
from ~ 4 hours to just ~ 3 minutes 20 seconds!

The statitics changed from:

descriptor_prepare_commit: changes: num_registered=50000
descriptor_prepare_commit: changes: num_processed=50000
descriptor_prepare_commit: objects: num_processed=12000000

to:

descriptor_prepare_commit: changes: num_registrations=50000
descriptor_prepare_commit: changes: num_registered=22000
descriptor_prepare_commit: changes: num_processed=22000
descriptor_prepare_commit: objects: num_processed=80800

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb/descriptor: add statistics for security descriptor propagation

In order to analyze the security descriptor propagation we remember
how much work we registered/processed.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb/descriptor: split out struct descriptor_transaction

This will make it easier to add more details to the per transaction
state.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python/join: improve logging of join_replicate()

It's useful to have timestamps to see the
time used for replication and committing.
We also warn the user that the committing stage
may take some time.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

wafsamba: require PYTHONHASHSEED=1 to be exported

This avoids a lot of trouble with random build failures,
if people try to use waf directly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Mar 29 23:31:38 UTC 2022 on sn-devel-184

ctdb/packaging/RPM: don't use waf directly

./configure && make && make install is will always work.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

configure/Makefile: export PYTHONHASHSEED=1 in all 'configure/Makefile' scripts

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

wafsamba: let test_duplicate_symbol.sh export PYTHONHASHSEED=1

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:selftest/provisions: make use of 'make testenv' and avoid direct waf

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib/fuzzing/README.md: don't use waf directly

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

buildtools: remove unused testwaf.sh

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

smbd: Don't NULL out "::$DATA"

Slight simplification now possible after introducing and using
fsp_is_alternate_stream() almost everywhere.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 29 22:24:38 UTC 2022 on sn-devel-184

smbd: Don't NULL out the "::$DATA" in openat_pathref_fsp()

Slight simplification now possible after introducing and using
fsp_is_alternate_stream() almost everywhere.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Simplify reply_rmdir()

We don't need to check this here, create_file_default and callees take
care of this.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Add a DEBUG to create_file_unixpath()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Fix create_file_unixpath()'s stream handling

Make create_file_unixpath() robust against callers explicitly passing
in ":$DATA" as a stream name indicating the default stream. Right now
we NULL this out in callers, but this might change in the future.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: GENCACHE_RAM isn't used anymore

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s4-auth: Remove last traces of LanMan authentiation support in the AD DC.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Mar 29 03:32:57 UTC 2022 on sn-devel-184

s4-auth: Only build auth_developer module in developer mode

This is a silly module for provoking NTSTATUS replies for testing and
was useful many moons ago for determining the NTSTATUS -> DOS table that
windows uses.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4-auth: Do not trigger RODC replication unless missing all passwords

With the NT hash becoming optional we cannot make blind assumptions that
a missing value means we are on an RODC needing the password replicated.

Instead, check for supplementalCredentials as well.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4-auth: Remove unused acct_flags parameter

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

waf: Document the confusing --nonshared-binary, --builtin-libraries, --private-libraries and --bundled-libraries

These options are confusing to all who encounter them.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8731

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Mar 28 10:06:01 UTC 2022 on sn-devel-184

vfs_gpfs: Initialize litemask to 0

The change from commit fb13c7c94f to query exact values for atime,
mtime, ctime and size  is not necessary, as none of these are used in
this codepath. Initiale litemask to 0 instead.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15027

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Mar 28 09:10:58 UTC 2022 on sn-devel-184

samba-tool: Check specified domain and realm against our own

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar 28 03:11:51 UTC 2022 on sn-devel-184

samba-tool: Return correct result for _get_user_realm_domain()

We were returning the realm and the domain in the wrong order.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool delegation: Clarify msDS-AllowedToDelegateTo delegation command documentation

This makes the difference between msDS-AllowedToDelegateTo and
msDS-AllowedToActOnBehalfOfOtherIdentity more clear.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14954

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool delegation: Add commands to add/remove principals for RBCD

These commands allow updating the
msDS-AllowedToActOnBehalfOfOtherIdentity attribute with principals
allowed to delegate to an account.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14954

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool delegation show: Display information for RBCD

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14954

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool delegation: Add function to display security descriptor for RBCD

We also check some features of the security descriptor, and display
warnings if they are not as expected.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14954

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:selftest: Remove ad_dc_ntvfs env from several tests

It doesn't make sense to run tests against ad_dc and ad_dc_ntvfs in
those cases.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

testprogs: A PKINIT PAC test which runs against Heimdal and MIT Kerberos

There is no need to specify the enctype and it isn't supported by MIT Kerberos
anyway.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Mar 25 21:54:11 UTC 2022 on sn-devel-184

testprogs: Manually reformat test_pkinit_pac.sh

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

testprogs: Reformat test_pkinit_pac.sh with shfmt

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

testprogs: Rename test_pkinit_pac_heimdal.sh

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

testprogs: A PKINIT test which runs against Heimdal and MIT Kerberos

There is no need to specify the enctype and it isn't supported with MIT
Kerberos.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

testprogs: Remove the usage of enctype in test_pkinit_simple.sh

This is not needed anymore and the default is AES in the meantime.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

testprogs: Change from $foo to "${foo}" variable style

This is selected from and to improve the understanding of:

    testprogs: A PKINIT test which runs against Heimdal and MIT Kerberos

    There is no need to specify the enctype and it isn't supported with MIT
    Kerberos.

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

testprogs: Manually reformat testit commands in test_pkinit_simple.sh

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

testprogs: Fix calculating failed in test_pkinit_simple.sh

We only want to increase it if a test is failing. If something is expected to
fail, we should not count that as failed.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

testprogs: Format test_pkinit_simple.sh with shfmt

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

testprogs: Rename test_pkinit_heimdal.sh

We want one common test which works against Heimdal and MIT Kerberos.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

testprogs: Fix kerberos_kinit with additional options

The additional options need to come before we specify the principal

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest: Setup PKINIT for MIT Kerberos

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add Smart Card and file based PKINIT support

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:tests: Run Heimdal PKINIT tests only against ad_dc env

There is not difference kerberos-wise between those two envs.

This reverts 661e1a229e85f566c5fc5d43ea03fbb29847439a.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: If we set the kerberos debug level to 10 write a trace file

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Remove trailing white spaces in kdc-service-mit.c

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Improve debug message of samba_kdc_fetch_server()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4: dns: Add customizable dns port option

Signed-off-by: Thomas Debesse <dev@illwieckz.net>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Mar 25 20:25:28 UTC 2022 on sn-devel-184

smbd: expand DEBUG statement in smbd_dirptr_get_entry() to include the dir and direntry name

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Mar 25 19:05:06 UTC 2022 on sn-devel-184

examples: Update winbindd.stp and its generator script

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 25 17:57:18 UTC 2022 on sn-devel-184

s3:winbind: Convert Ping parent/child call to NDR

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3:winbind: Return NTSTATUS from wbint_Ping() RPC function

There are no users of this function but the next commit will convert the
struct-based WINBINDD_PING call to a local RPC wbint_Ping() call.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3:winbind: Convert wcache_opnum_cacheable() to a whitelist

It avoids having to explicitly blacklist new DCE/RPC calls.

This is the current list of non cacheable calls:

NDR_WBINT_PING
NDR_WBINT_QUERYSEQUENCENUMBER
NDR_WBINT_ALLOCATEUID
NDR_WBINT_ALLOCATEGID
NDR_WBINT_CHECKMACHINEACCOUNT
NDR_WBINT_CHANGEMACHINEACCOUNT
NDR_WBINT_PINGDC
NDR_WBINT_LISTTRUSTEDDOMAINS

It includes the ListTrustedDomains call recently converted to a local
RPC call.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

samba-gpupdate: Implement enhanced logging

This ports the enhanced logging capabilities from
AltLinux gpupdate. It generates log messages such
as:
2022-03-02 11:28:54.872|[E40104]| Failed to set interfaces for zone | {'val': 'work'}
2022-03-02 11:28:55.017|[E40104]| Failed to set interfaces for zone | {'val': 'home'}

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 24 23:40:47 UTC 2022 on sn-devel-184

s3: smbd: smbd_smb2_setinfo_send(). All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.

If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.

This is the last SMB_VFS_FSTAT that uses fsp->fsp_name->st, so
remove knownfail.d/durable-v2-setinfo

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 24 17:21:29 UTC 2022 on sn-devel-184

s3: smbd: smbd_smb2_getinfo_send(). All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.

If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3: cmd_vfs: cmd_set_nt_acl(). All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.

If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3: cmd_vfs: cmd_open(). All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.

If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3: pysmbd.c: init_files_struct(). All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.

If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3: smbd: call_trans2setfilepathinfo(). All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.

If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3: smbd: call_trans2qfilepathinfo(). All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.

If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3: smbd: rename_internals_fsp(). All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.

If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3: smbd: mkdir_internal(). 2 of 2. All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.

If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3: smbd: mkdir_internal(). 1 of 2. All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.

If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3: smbd: open_file(). All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.

If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3: smbd: non_widelink_open(). All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.

If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3: smbd: open_internal_dirfsp(). All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.

If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3: smbd: open_internal_dirfsp() add missing file_free() in error path.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3: smbd: mdssvc: All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.

If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3: VFS: vxfs: All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.

If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3: smbd: In set_ea_dos_attribute(), if we've stored btime and set XATTR_DOSINFO_CREATE_TIME successfully, we need to clear ST_EX_IFLAG_CALCULATED_BTIME.

This is no longer a calculated field, every call to fdos_mode() will
set it as non-calculated.

https://bugzilla.samba.org/show_bug.cgi?id=15022

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3: smbd: In set_ea_dos_attribute() cause root fallback code to exit via the same place.

We're going to add another action on success next.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4: torture: Add regression test for re-opening a durable handle after calling SMB2 setinfo (end of file).

This is an implementation of a test written by Apple for their
client. Currently fails to reconnect due to btime being overwritten
incorrectly in the SMB2 setinfo path.

Add knownfail.d/durable-v2-setinfo

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: Expose samba_kdc_message2entry_keys()

This allows the KDC to share the supplementalCredentials parsing code
with other parts of Samba that could use it.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Mar 24 10:17:32 UTC 2022 on sn-devel-184

s4:kdc: Move supported enc-type handling out of samba_kdc_message2entry_keys()

By putting this in the caller we potentially allow samba_kdc_message2entry_keys()
to be reused by a non-KDC caller.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Pull auth_sam_trigger_repl_secret() up one layer to samba_kdc_message2entry()

This avoids making a call out in samba_kdc_message2entry_keys() and allows
for potential reuse of the key parsing code.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Add const to "msg" parameter in samba_kdc_message2entry_keys()

This will help with a future caller.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Pass supported enctypes to samba_kdc_set_random_keys()

We should not supprise the callers by returning more keys than we asked to
filter by and avoids duplicating the protected_users logic within
samba_kdc_set_fixed_keys().

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Pass supported enctypes to samba_kdc_set_fixed_keys()

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: teach samba_kdc_message2entry_keys() to handle old and older keys too

We return the requested kvno if given, otherwise we include the
old and older keys for CLIENT|FOR_AS_REQ or SDB_F_ADMIN_DATA lookups.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: add old and older keys to sdb_entry

This is the first step to return the password history
in order to avoid badPwdCount updates for failing
pre-authentication with passwords from the recent history.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: pass flags and kvno down to samba_kdc_message2entry_keys()

We need a ways to ask for a specific kvno if SDB_F_KVNO_SPECIFIED
is requested. And also include the old and older keys from
the password history in the next commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: finally remove unused 'struct sdb_entry_ex'

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: avoid using sdb_entry_ex in hdb_samba4_{first,next}key()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: avoid using sdb_entry_ex in hdb_samba4_fetch_kvno()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: avoid using sdb_entry_ex in netr_samlogon_generic_logon()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: avoid using sdb_entry_ex in mit_samba_get_{first,next}key()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: avoid using sdb_entry_ex in mit_samba_get_principal()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: avoid using sdb_entry_ex in samba_wdc_reget_pac()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:libnet: avoid using sdb_entry_ex and use sdb_entry directly

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: samba_kdc_{first,next}key() only need sdb_entry

sdb_entry_ex will be removed shortly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: samba_kdc_fetch() only needs sdb_entry

sdb_entry_ex will be removed shortly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: remove unused sdb_entry_ex_to_kdb_entry_ex()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: use sdb_entry_to_krb5_db_entry() directly

We should avoid sdb_entry_ex, as it will be removed soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: remove unused sdb_entry_ex_to_hdb_entry_ex()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: use sdb_entry_to_hdb_entry() directly

We should avoid sdb_entry_ex, as it will be removed soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: hdb_samba4_fetch_fast_cookie() don't need sdb_entry_ex

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>