smbd: Remove dptr_struct->spid

This was only set but never read

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Simplify SeekDir() with an early return

Review with git show -w

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Simplify struct dptr_struct

We can access the file name via "dir_hnd"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: Simplify ms_has_wild() with strpbrk()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Use ISDOT() in dptr_create()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

vfs_ceph: use fsp_get_pathref_fd in ceph fstatat and close vfs calls

Replace fsp_get_io_fd with fsp_get_pathref_fd as these calls do use
pathref fsps. fsp_get_io_fd asserts that the fsp is not pathref and
asserts (on a debug build) or returns -1 (non debug build).

Prior to these changes running ls on the root of the share failed.
Logging from the failure case:
```
openat_pathref_fsp: smb_fname [.]
openat_pathref_fullname: smb_fname [.]
fsp_new: allocated files structure (1 used)
file_name_hash: //. hash 0x3dfcc1c2
check_reduced_name: check_reduced_name [.] [/]
cephwrap_realpath: [CEPH] realpath(0x55604da9a030, .) = //.
check_reduced_name realpath [.] -> [//.]
check_reduced_name: . reduced to //.
cephwrap_openat: [CEPH] openat(0x55604da9a030, ., 0x55604da81f00, 133120, 0)
cephwrap_openat: [CEPH] open(...) = 10
cephwrap_fstat: fsp_get_io_fd: fsp [.] is a path referencing fsp
[CEPH] fstat(0x55604da9a030, -1)
fsp_get_io_fd: fsp [.] is a path referencing fsp
cephwrap_fstat: [CEPH] fstat(...) = -9
fd_openat: name ., flags = 04000 mode = 00, fd = 10.  NT_STATUS_INVALID_HANDLE
openat_pathref_fullname: Opening pathref for [.] failed: NT_STATUS_INVALID_HANDLE
```

This change also seems to match the recommendations in the `When to use
fsp_get_io_fd() or fsp_get_pathref_fd()` section of The_New_VFS.txt
document.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15307

Signed-off-by: John Mulligan <jmulligan@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Gunther Deschner <gdeschne@redhat.com>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Feb 13 20:04:38 UTC 2023 on atb-devel-224

Add gitleaks configuration file to avoid false positives

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Mon Feb 13 18:45:21 UTC 2023 on atb-devel-224

smbd: Remove smbXsrv_open_global0->db_rec

The only user by now was net serverid wipedbs, and there it was easy to replace

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Feb 13 10:49:43 UTC 2023 on atb-devel-224

smbd: Use dbwrap_do_locked() in smb2srv_open_recreate()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

smbd: rename 'op' into 'global' in smbXsrv_open_cleanup_fn()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

smbd: let smbXsrv_open_cleanup() delete broken records

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

smbd: Use dbwrap_do_locked() in smbXsrv_open_cleanup()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

smbd: Use dbwrap_do_locked() in smbXsrv_open_close()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

smbd: Use dbwrap_do_locked() in smbXsrv_open_update()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

smbd: Use dbwrap_do_locked() in smbXsrv_open_global_allocate()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

smbd: Make smbXsrv_open_global_allocate() store the record

Micro-step towards using dbwrap_do_locked()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

smbd: Simplify smbXsrv_open_global_store()

Avoid the dependency on global->db_rec. This makes the callers more
verbose, but it makes the data dependencies much more obvious. This
will enable removing smbXsrv_open_global0->db_rec at some point.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

smbd: Move smbXsrv_open_global_verify_record() down in smbXsrv_open.c

Avoid prototypes

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

smbd: Use generate_nonce_buffer() in smbXsrv_open_global_allocate()

We don't need anything cryptographic for persistent file handle ids

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s3: smbd: Fix log spam. Change a normal error message from DBG_ERR (level 0) to DBG_INFO (level 5).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15302

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Feb 11 08:48:05 UTC 2023 on atb-devel-224

gp: gp_sudoers_ext warn w/out visudo installed

Rather than print an ugly error message from
Popen, display a warning to the user if visudo
is missing.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): David Mulder <dmulder@samba.org>
Autobuild-Date(master): Fri Feb 10 20:31:37 UTC 2023 on atb-devel-224

gp: Log ext failure with file and line number

Rather than dumping a traceback when there is a
failure, simply log the file name, line number
and the error message instead. This is much
cleaner.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s4-auth: Free user_info_dc in KDC caller to authsam_update_user_info_dc()

It is up to the caller to choose if it wants to clean up the user_info_dc
memory early, we do so only in the KDC as was allocated on a context
provided to samba_kdc_update_pac_blob(), whereas auth_winbind uses
a locally managed tevent state as the memory context.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Feb  8 01:05:47 UTC 2023 on atb-devel-224

auth: Free empty SID arrays

In the unlikely event that these arrays are empty, they can be freed
early.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Use consistent ordering for etypes

The 'etype' field in a Kerberos request is ordered. Make this fact
clearer by using a tuple or an array to represent etypes rather than a
set.

get_default_enctypes() now returns encryption types in order of
strength. As a consequence, the encryption type chosen by the MIT KDC
matches up with that chosen by Windows, and more tests begin to pass.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth: Discard non-base SIDs when creating SamInfo2

Our SamLogon tests are now all passing.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Test groups returned by SamLogon

Levels NetlogonValidationSamInfo2 and NetlogonValidationSamInfo4 behave
as might be expected, so we pass those tests. NetlogonValidationSamInfo
returns no resource groups and doesn't set the NETLOGON_EXTRA_SIDS flag,
and we fail its test.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Return validation structure from _test_samlogon()

This lets us check the groups that are returned.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Allow tests to set SamLogon validation level

We'll want to test various levels to ensure they all behave as expected.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Move _test_samlogon() to base class

We'll want to make use of it in the group tests.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4/dsdb/samldb: Disallow setting a domain-local group as a primary group

Windows also disallows this. Note that changing a primary group to a
domain-local group is allowed by both Windows and Samba.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest: Expect setting domain-local group as primary group to fail

This will no longer be allowed.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth: Correct primary group handling

Heretofore we have treated the primary group SID specially, storing it
in a fixed position as the second element of the user_info_dc->sids
array, and filtering out other copies in the PAC_LOGON_INFO base
structure. This filtering has made it difficult to distinguish between
the case where the primary group is a universal or global group, located
in the base RIDs, and the case where it is a domain-local group, missing
from the base RIDs; especially since the attributes of a domain-local
primary group are lost by being stored in the PAC. Domain-local primary
groups are normally disallowed by Windows, but are allowed by Samba, and
so it is reasonable to support them with at least some measure of
consistency.

The second element of user_info_dc->sids is still reserved for the
primary group's SID, but we no longer filter out any other copies in the
array. The first two elements are no more than the SIDs of the user and
the primary group respectively; and the remaining SIDs are as if taken
without modification from arrays of SIDs in the PAC. user_info_dc->sids
should therefore become a more faithful representation of the SIDs in
the PAC. After adding resource SIDs to it with
dsdb_expand_resource_groups(), we should have a result that more closely
and in more cases matches that of Windows.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4-dsdb: Use correct primary group SID in token group test

This test will thereby continue to pass when we correct the handling of
primary groups.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:torture: Remove assertion that primary group is not duplicated in user_info_dc

This assertion is one we will be breaking shortly.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add tests for the primary group

Primary groups are handled differently from normal groups of which a
user is simply a member. Of particular note is the case where a
domain-local group is made a primary group; a case normally disallowed
by Windows, but not by Samba. Therefore we want tests for it.

Our testing framework must be able to set the user's primary group, and
to clean up afterwards; to set the primary group RID of a PAC; and to
check that the primary group RID is as expected in the PAC returned to
us.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth: Align integer types

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4-dsdb: Simplify search expression

We want to find objects for which the groupType attribute has at least
one of GROUP_TYPE_ACCOUNT_GROUP and GROUP_TYPE_UNIVERSAL_GROUP set. For
this the OR comparator is perfectly suited. It produces a true result if
at least one set bit is shared between both operands.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

ldap: Make use of LDB_OID_COMPARATOR constants

These constants allow one to tell at a glance what search operation is
being performed.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

ldap: Cut down on string substitution

Constant strings can be inserted directly into format strings, reducing
the amount of string substitution to be performed.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth: Make more liberal use of SID index constants

Arrays of SIDs are handled not fully consistently throughout the
codebase. Sometimes SIDs in the first and second positions represent a
user and a primary group respectively; other times they don't mean
anything in particular. Using these index constants in situations of the
former sort can help to clarify our intent.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth: Shorten long SID flags combinations

The combination MANDATORY | ENABLED_BY_DEFAULT | ENABLED is very
commonly used, and introducing a shorter alias for it makes the code
clearer.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add resource SID compression

The domain-local groups that are added to the PAC of a service ticket
are now, if the service doesn't disclaim support for SID compression,
placed into the resource groups structure in PAC_LOGON_INFO.

In a TGS exchange directed to a KDC, rather than to a service, the
resource groups structure is simply copied into the updated PAC without
any processing being done.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth: Pass through entire PAC flags value in auth_user_info

Besides the NETLOGON_GUEST bit indicating whether the user has been
authenticated, we now carry all of the other bits as well. This lets us
match Windows' behaviour of simply passing these bits through to an
updated PAC when processing a TGS-REQ.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

named_pipe_auth: Bump info5 to info6

In the next commit, we shall replace the 'authenticated' field of
named_pipe_auth_req_info.info5.session_info.session_info.info with a
more general 'user_flags' field.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:torture: Make use of torture_assert_sid_equal()

This macro produces a slightly more useful message if the assertion
fails.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add tests of NETLOGON_RESOURCE_GROUPS flag handling

This lets us test what happens in TGS-REQ exchanges to the KDC, when the
flags and resource groups are simply passed through into the new PAC,
regardless of what value the flags hold.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Allow setting or resetting PAC flags

This lets us test what happens when the flags in the PAC, such as
NETLOGON_RESOURCE_GROUPS, are given "interesting" values.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add group tests simulating PACs from a trusted domain

Crucially, in these tests the user's domain and its SID are different
from our domain and its SID. These tests will assert that in such a case
resource groups are added to the PAC and handled correctly.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Allow changing the SID of a user's PAC

This lets us simulate a ticket of a user from another domain.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add some more test cases for PAC group handling

Change some of the attributes in TGS-REQ PACs to ensure they are handled
correctly.

Add a test of a PAC containing resource SIDs for a service without
resource SID compression support, ensuring the SIDs are correctly
removed.

Add a Samba 4.17 compatibility test for a service with resource SID
compression support.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Improve assertion failure message

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Remove tests of KDCs without resource SID compression support

As part of mitigations of CVE-2022-37966, we no longer regard the
msDS-SupportedEncryptionTypes attribute of the KDC when determining its
supported encryption types. Thus, these tests that try to disable SID
compression support by setting this attribute run to no purpose.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4: Add 'const' to some parameters

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4-dsdb: Make sid_list_match() static

It's not used anywhere other than this file.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4-dsdb: Check for talloc failure in dsdb_expand_nested_groups()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth: Only process resource groups if NETLOGON_RESOURCE_GROUPS flag is set

MS-PAC section 2.5 states that if the resource_groups member is
non-NULL, or resource_groups.groups.count is not zero, the
NETLOGON_RESOURCE_GROUPS flag MUST be set. Thus, there's no need to
process resource groups if the flag is not set.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth: Remove early return from make_user_info_dc_pac()

'rg' is never NULL, so this codepath is never taken. But if it were, we
would return early and entirely neglect filling in the UPN_DNS_INFO from
the 'pac_upn_dns_info' parameter. So remove the early return.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth: Exclude resource groups from a TGT

Resource group SIDs should only be placed into a service ticket, but we
were including them in all tickets. Now that we have access to the group
attributes, we'll filter out any groups with SE_GROUP_RESOURCE set if
we're creating a TGT.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:torture: Assert that group attributes match

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth: Store group attributes in auth_user_info_dc

Group expansion, performed in dsdb_expand_nested_groups(), now
incorporates a check of the type of each group. Those that are resource
groups receive the SE_GROUP_RESOURCE bit in the attributes which are now
carried alongside each group SID.

Whereas before, in auth_convert_user_info_dc_sambaseinfo() and
auth_convert_user_info_dc_saminfo6(), we invariantly used the flag
combination SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT |
SE_GROUP_ENABLED to set attributes in the PAC, we now take the correct
attributes from user_info_dc.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4-dsdb: Add samdb_result_dom_sid_attrs()

This function is modelled on samdb_result_dom_sid(). It allocates,
rather than a dom_sid, an auth_SidAttr object, which we can pass to
other functions accepting an auth_SidAttr.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli/security: Add auth_SidAttr utility functions

These functions are modelled on add_sid_to_array() and
add_sid_to_array_unique(). They differ in that they operate not on an
array of dom_sid, but of auth_SidAttr, and take an additional 'attrs'
parameter of type uint32_t.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth.idl: Add auth_SidAttr type

This type incorporates, alongside a SID, a group attributes member,
through which attributes from a PAC or the AD database can be conveyed
into the completed PAC. A useful benefit this provides is the ability to
distinguish and exclude domain-local groups, which only belong in
service tickets, from the PAC of a TGT.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:torture: Skip over asserted identity SIDs when comparing groups

We've already tested for the existence of these SIDs, and the assumption
that they are always the last element in a PAC is false. We must check
all the SIDs in each array, skipping over ones that were found to be
asserted identity SIDS.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:torture: Zero-initialise netr_NetworkInfo structure

This ensures that no members contain garbage data.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Declare supported encryption types of service account

If SID compression support is disabled for a created account,
msDS-SupportedEncryptionTypes will be set to a value that includes the
RESOURCE_SID_COMPRESSION_DISABLED bit, but no actual encryption type
bits. Since stricter encryption type handling was introduced to address
CVE-2022-37966, this combination has been interpreted as an expression
of no encryption type support, and trying to make a Kerberos request to
a service with such a combination of bits will fail with
ERR_ETYPE_NOSUPP.

To allow us to make Kerberos requests to test service accounts again, we
must set some actual encryption type bits.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

waf: Add support for MemorySanitizer

This currently only works with binaries. As there is no shared library for
MSAN it only is statically linked against binaries. This means if we have e.g.
a python script trying to load ldb, it will fail with undefined symbols.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Feb  6 23:49:04 UTC 2023 on atb-devel-224

s3:torture: Remove unused variable

source3/torture/test_smb1_dfs.c:3264:11: error: variable 'accessmode' set but
not used [-Werror,-Wunused-but-set-variable]
        uint16_t accessmode = 0;
                 ^

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3:utils: Remove unused variable

source3/utils/log2pcaphex.c:138:13: error: variable 'i' set but not used
[-Werror,-Wunused-but-set-variable]
        static int i = 0;
                   ^

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3:netapi: Remove unused variables

source3/lib/netapi/tests/netfile.c:40:22: error: variable 'i2' set but not used
[-Werror,-Wunused-but-set-variable]
  struct FILE_INFO_2 *i2 = NULL;
                      ^
source3/lib/netapi/tests/netfile.c:41:22: error: variable 'i3' set but not used
[-Werror,-Wunused-but-set-variable]
  struct FILE_INFO_3 *i3 = NULL;
                      ^

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3:modules: Initialize pointer with NULL

source3/modules/vfs_glusterfs.c:827:6: error: variable 'glfd' is used
uninitialized whenever 'if' condition is false
[-Werror,-Wsometimes-uninitialized]
  if (pglfd == NULL) {
      ^~~~~~~~~~~~~
source3/modules/vfs_glusterfs.c:853:6: note: uninitialized use occurs here
  if (glfd == NULL) {
      ^~~~
source3/modules/vfs_glusterfs.c:827:2: note: remove the 'if' if its condition is
always true
  if (pglfd == NULL) {
  ^~~~~~~~~~~~~~~~~~~
source3/modules/vfs_glusterfs.c:763:17: note: initialize the variable 'glfd' to
silence this warning
  glfs_fd_t *glfd;
                 ^
                  = NULL

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s4:modules: Move structs with dynamic arrays to end of struct

source3/modules/vfs_io_uring.c:70:22: error: field 'cqe' with variable sized
    type 'struct io_uring_cqe' not at the end of a struct or class is a GNU
    extension [-Werror,-Wgnu-variable-sized-type-not-at-end]
        struct io_uring_cqe cqe;
                            ^

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3:modules: Ignore -Wunused-but-set-variable for autogenerated code

source3/modules/getdate.c:1192:9: error: variable 'yynerrs' set but not used
    [-Werror,-Wunused-but-set-variable]
    int yynerrs;
        ^

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3:printing: Remove unused variable

source3/printing/tests/vlp.c:144:19: error: variable 'job_count' set but not
    used [-Werror,-Wunused-but-set-variable]
        int i, num_jobs, job_count = 0;
                         ^

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3:printing: Remove trailing whitespaces in vlp.c

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib:ldb-samba: Correctly handle search scope

lib/ldb-samba/ldb_ildap.c:482:47: error: implicit conversion from enumeration
    type 'enum ldb_scope' to different enumeration type 'enum ldap_scope'
    [-Werror,-Wenum-conversion]
                msg->r.SearchRequest.scope = req->op.search.scope;
                                           ~ ~~~~~~~~~~~~~~~^~~~~

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

nsswitch: Fix getting data out of pam_get_data()

nsswitch/pam_winbind.c:3360:24: error: cast from 'time_t **' (aka 'long **') to
    'const void **' must have all intermediate pointers const qualified to be safe
    [-Werror,-Wcast-qual]
                             (const void **)&pwdlastset_update);
                                            ^

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s4:samdb: Remove unused variable

source4/dsdb/samdb/ldb_modules/acl.c:1646:49: error: variable 'rep_val_cnt' set
    but not used [-Werror,-Wunused-but-set-variable]
        unsigned int del_val_cnt = 0, add_val_cnt = 0, rep_val_cnt = 0;
                                                       ^

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s4:samdb: Remove trailing whitespaces

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3:winbind: Remove unused variable

source3/winbindd/winbindd_ads.c:1399:6: error: variable 'ret_count' set but not
    used [-Werror,-Wunused-but-set-variable]
        int ret_count;
            ^

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3:rpcsrv:eventlog: Remove unused variable

source3/rpc_server/eventlog/srv_eventlog_nt.c:634:11: error: variable
  'num_records_read' set but not used [-Werror,-Wunused-but-set-variable]
        uint32_t num_records_read = 0;

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3:smbd: Don't assign variable to itself

source3/smbd/msdfs.c:367:14: error: explicitly assigning value of variable of
    type 'char *' to itself [-Werror,-Wself-assign]
        servicename = servicename;
        ~~~~~~~~~~~ ^ ~~~~~~~~~~~

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3:libsmb: Remove unused variable 'i'

namecache.c:129:9: error: variable 'i' set but not used
  [-Werror,-Wunused-but-set-variable]
        size_t i, count;
               ^

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

auth/credentials: Fix unitialized data

Fixing Red Hat internal covscan report:
Field "salt_data.magic" is uninitialized when calling "smb_krb5_create_key_from_string".

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

auth/credentials: Fix trailing whitespaces

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

pidl: avoid py compile issues with --pidl-developer

We get these warnings-as-errors:

librpc/gen_ndr/py_netlogon.c:61903:53: error: stray ‘\’ in program
61903 |    PyErr_Format(PyExc_TypeError, "Expected type %s",\  //<PIDL> Parse::Pidl::Samba4::Python::ConvertObjectFromPythonData  lib/Parse/Pidl/Samba4/Python.pm:2005

but the '\' is unnecessary and unconventional anyway, since we're in a
function argument list.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Feb  3 03:27:54 UTC 2023 on atb-devel-224

tevent/pytevent: remove no-op define

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tevent/pytevent: remove py2 ifdefs

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tdb/pytdb: remove useless HAVE_ITER non-flag

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tdb/pytdb: remove py ifdefs

This already would not compile with Python 2, because Py_TPFLAGS_HAVE_ITER
is not defined

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4/ndr/py_security: remove python 2 ifdefs

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4/ndr/py_misc: remove python 2 ifdefs

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

ldb/pyldb: remove py2 ifdefs

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

gp: Test samba-tool gpo cse register/unregister/list

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

gp: samba-tool gpo cse register/unregister/list

Add samba-tool commands for managing registration
of Client Side Extensions.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Python: remove pydoctor

Removes:

* waf pydoctor
* waf wafdocs
* make pydoctor

There is no "make wafdocs" it only appears to be in wscript.

The reasoning being is these are broken and appear to not have been run for some time.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Feb  2 21:15:54 UTC 2023 on atb-devel-224

mdssvc: fix kMDScopeArray parsing

In macOS Ventura marshalling of kMDScopeArray in the "openQueryWithParams"
request has changed from

  string: kMDScopeArray
  sl_array_t(#1): {
    string: /foo/bar
  }

to:

  string: kMDScopeArray
  sl_array_t(#1): {
    sl_array_t(#1): {
      string: /foo/bar
    }
  }

With this patch we check both encodings. Bug fixed according to user feedback.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15299
RN: Spotlight doesn't work with latest macOS Ventura

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

tevent: version 0.14.1

- Build fix for GNU/Hurd
- Build fix for Solaris, after removal
  of ports backend (bug #15298)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Feb  2 18:27:08 UTC 2023 on atb-devel-224