auth: Fix leaks

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth: Correct parameter order in header

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Fix diagnostic messages

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Fix error messages

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Check ldb_dn_new() return value

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Remove double-free

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Remove double-free

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Fix leaks

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Make use of auth_generate_security_token()

We don’t need the whole session info structure to perform an access
check.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:auth: Fix typos

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:auth: Split out new function to generate a security token

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth: Remove unnecessary return statements

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:utils: Fix typo

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Fix debugging strings

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Fix typos

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Factor out PAC blob functions into new source file

pac-glue.c has become rather large, and can do without these PAC
blob–handling functions.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add missing includes and declarations

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli: Add missing include

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Include missing headers

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Make use of KDC_REQUEST_KV_PA_NAME constant

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add tests for authentication policies

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Allow specifying whether PA-DATA types are to be checked

Not all tests are intended to test that the correct PA-DATA types are
returned. This parameter allows us to skip checking for cases where we
don’t care.

View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Allow server and workstation accounts to perform a SamLogon

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Allow specifying machine credentials to _test_samlogon()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Rename ‘server’ to ‘dc_server’

This makes it more clear that this is in fact the DC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netlogon:schannel: Fix NULL pointer dereference

We should not pass a NULL pointer into netlogon_creds_client_init().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Test that NT_STATUS_ACCOUNT_LOCKED_OUT is returned in KDC reply e-data

Certain clients rely on this behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Improve edata checking

Instead of guessing based on a heuristic whether we have KERB_ERROR_DATA
or METHOD_DATA in the ‘e-data’ field, decode it first as KERB_ERROR_DATA
and fall back to METHOD_DATA if that fails.

The environment variable EXPECT_NT_STATUS indicates that the KDC
supports returning a status code in the e-data field.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Remove unused import

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool domain: Clean up code

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool domain: Remove unused variables

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

librpc/rpc: allow smb3_sid_parse() to accept modern encryption algorithms

We should not limit the possible encryption algorithms to the currently
known ones.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15374

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed May 17 07:34:28 UTC 2023 on atb-devel-224

s4:torture: Replace calls to deprecated function

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 17 00:24:38 UTC 2023 on atb-devel-224

s4:dsdb: Check return value of allocation functions

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb: Fix leaks

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb: Check ldb_binary_encode_string() return value

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:auth: Check ldb_binary_encode_string() return value

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4-auth: Log correct function name

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netlogon:schannel: Fix typo

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool domain: Run in interactive mode if no args are supplied

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15363

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python: Safely clear structure members

Using Py_CLEAR() ensures that these structures are observed in a
consistent state by any Python code that may run during deconstruction.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python:tests: Remove unused variables

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth: Return status code if configuration prohibits NTLM

Currently, we rely on ‘stored_nt’ being NULL to give an
NT_STATUS_WRONG_PASSWORD error.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4-dsdb:large_ldap: Remove unused variables

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4-dsdb:large_ldap: Remove unused imports

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pytest/password_lockout: Remove unused variables

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pytest/password_lockout: Use correct variable

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pytest/password_lockout: Use more specific assertion methods

These methods produce better error messages if an assertion fails.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pytest/password_lockout: Remove unused imports

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool domain: Remove unnecessary variable

It is conciser to use ‘r’ to refer to update_forest_info.entries[i].

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool domain: Use result of setup_local_server() instead of object field

The code is clearer if we consistently refer to the same variables.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb:tests: Refactor security descriptor test

Use more specific unittest methods.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb:tests: Refactor confidential attributes test

Use more specific unittest methods, and remove unused code.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb:tests: Refactor ACL test

Use more specific unittest methods; remove some unused variables.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pyglue: use Py_ssize_t in random data generation functions

Prefer 'Py_ssize_t' over 'int' in random data generation functions
to match both Python and (internally used through the library layer)
GnuTLS APIs, and use PyUnicode_FromStringAndSize() where the data
size is known.

Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org Fixed comments to correctly match the
 new check for just negative numbers]

lib:util: prefer size_t for random data generation functions

Prefer 'size_t' over 'int' in generate_random_buffer(),
generate_secret_buffer() and generate_nonce_buffer() to
match an underlying gnutls_rnd() calls.

Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest: Change ad_dc environment to be 2016 functional level

This is not yet supported in full, but this makes ad_dc match our full set of available features.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

selftest: Allow provision_ad_dc() to take functional_level as an argument

The $$$$$$$ is removed as it does not do what you think it does.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

selftest: Return fl2008dc to being an alias for ad_dc_ntvfs

The change to make this independent in fc9845da69cabcc1bf046d7899b2c4aeae743170
was incorrect, as no distinct name was specified so this would conflict with
the ad_dc_ntvfs environment over the IP and name "localdc".

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Use --base-schema=2008_R2 on ad_dc_ntvfs, which opeates at FL2008

This will allow fl008dc to become an alias of ad_dc_ntvfs again.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

selftest: Move linked_attributes test to ad_dc selftest environment

The ad_dc_ntvfs environment will be set to use a 2008 schema
(matching the 2008 FL it runs at) and this test needs a 2016 schema.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

samba-tool domain join: Allow "ad dc functional level" to change which
level we claim to be during an AD join

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

samba-tool domain provision: Use "ad dc functional level" to control max functional level

This allows the DC to self-declare a higher level and so allow a 2016
domain to be created, for testing and controlled implementation purposes.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

python: Add function to get the functional level as a python intger from smb.conf

The lp.get() returns the normalised string from the enum handler

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

param: Add new parameter "ad dc functional level"

This allows the new unsupported functional levels to be unlocked, but with an smb.conf
option that is easily seen.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

samba-tool domain provision: Use common functional_level.string_to_level()

This is instead of manually parsing the functional level strings.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

python: Move helper functions for functional levels into a new file

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

rpc_server3: Pass winbind_env_set() state through to rpcd_*

Winbind can ask rpcd_lsad for LookupNames etc. This can recurse back
into winbind for getpwnam. We have the "_NO_WINBINDD" environment
variable set in winbind itself for this case, but this is lost on the
way into rpcd_lsad. Use a flag in global_sid_Samba_NPA_Flags to pass
this information to dcerpc_core, where it sets the variable on every
call if requested.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue May 16 11:54:32 UTC 2023 on atb-devel-224

lib: Add security_token_del_npa_flags() helper function

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

rpc: Remove named_pipe_auth_req_info6->need_idle_server

Involves bumping up the version number

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

rpc_server3: Use global_sid_Samba_NPA_Flags to pass "need_idle"

More code, but will be more flexible in the future.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

rpc: Add global_sid_Samba_NPA_Flags SID

This will be used as a flexible way to pass per-RPC-connection flags
over ncalrpc to the RPC server without having to modify
named_pipe_auth_req_info6 every time something new needs to be
passed. It's modeled after global_sid_Samba_SMB3.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

librpc: Simplify dcerpc_is_transport_encrypted()

Simplify logic by using security_token_count_flag_sids()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

smbd: Use security_token_count_flag_sids() in open_np_file()

Simpler logic in the caller

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

libcli: Add security_token_count_flag_sids()

To be used in a few places when checking special-case Samba SIDs.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

winbind: Fix "wbinfo -u" on a Samba AD DC with >1000 users

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15366

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue May  9 02:58:45 UTC 2023 on atb-devel-224

winbind: Test wbinfo -u with more than 1000 users

winbind asks dcerpc_samr_LookupRids in one batch, where samr.idl has

NTSTATUS samr_LookupRids(
[in,ref]      policy_handle *domain_handle,
[in,range(0,1000)] uint32 num_rids,
[in,size_is(1000),length_is(num_rids)] uint32 rids[],
[out,ref]     lsa_Strings *names,
[out,ref]     samr_Ids *types
);

limiting num_rids to 1000 entries. Test this.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15366

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

build:wafsamba: Fix TypeError in read_submodule_status()

    parts = l.split(" ")
            ^^^^^^^^^^^^
TypeError: a bytes-like object is required, not 'str'

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

gp: get_gpo() should re-raise the Exception, not return

If we return from this failure, then `new_gpo` is
set to `None` and we will fail in some obscure
way within a CSE later (since we append `None` to
the GPO list). Instead, re-raise the Exception so
we see that an error happened when fetching the
GPO.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:ntvfs:posix: avoid parsing empty blob in posix_eadb_add_list()

Strictly speaking, this is not a bug because parsing loop will just skip
an empty ({NULL}, 0) blob. But it's better to avoid this case because
UBSan (as of clang-17 at least) may complain on such a parsing attempt:

source4/ntvfs/posix/posix_eadb.c:56:62: runtime error: applying zero offset to null pointer
    #0 0x7f9d71ce7b2a in posix_eadb_add_list source4/ntvfs/posix/posix_eadb.c:56
    #1 0x7f9d71ce7b2a in push_xattr_blob_tdb_raw source4/ntvfs/posix/posix_eadb.c:178
    #2 0x7f9d71cec1f5 in py_wrap_setxattr source4/ntvfs/posix/python/pyposix_eadb.c:64
    #3 0x7f9d88bd4507 in cfunction_call (/lib64/libpython3.11.so.1.0+0x1d4507)
    [... a lot of Python calls skipped...]

Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:ldb: do not offset against NULL pointer in ldb_ldif_read()

Fix the following error observed running samba.test.registry
compiled with clang-17 and UBsan:

lib/ldb/common/ldb_ldif.c:881:9: runtime error: applying non-zero offset 137438953440 to null pointer
    #0 0x7faa0eb3932f in ldb_ldif_read lib/ldb/common/ldb_ldif.c:881
    #1 0x7faa0eb3aec6 in ldb_ldif_read_string lib/ldb/common/ldb_ldif.c:1004
    #2 0x7faa077ed759 in dsdb_set_schema_from_ldif source4/dsdb/schema/schema_set.c:1113
    #3 0x7faa068fcbbf in py_dsdb_set_schema_from_ldif source4/dsdb/pydsdb.c:929
    #4 0x7faa1d1d4507 in cfunction_call (/lib64/libpython3.11.so.1.0+0x1d4507)
    [... a lot of Python calls skipped...]

I.e. number of elements should be checked against zero
before making an attempt to access an element by index.

Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4/scripting: fix % len(res) was in the wrong place

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May  5 05:54:11 UTC 2023 on atb-devel-224

s4/dsdb: fix unnecessary backslash

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4/scripting: fix a few trailing semicolons in gen_{hresult,ntstatus,werror}.py

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4/scripting: fix a few invalid docstring args

One arg "dn" was removed, the others just had a typo.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

dsdb/tests: fix assignment to for loop variable

because the loop variables are all called 'k' and the inner and outer loop both use 'k'.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Don’t call memcpy() with a NULL pointer

Doing so is undefined behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May  5 03:52:30 UTC 2023 on atb-devel-224

lib:addns: Don’t call memcpy() with a NULL pointer

Doing so is undefined behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Improve _test_samr_change_password() method

Instead of using anonymous credentials, we now connect using the
passed-in credentials.

We now correctly construct nt_password and nt_verifier so as to
successfully change the password, instead of having to distinguish
between a WRONG_PASSWORD error and an error caused by the password
change being disallowed.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Don’t delete silo until all tests have finished

It’s possible that we reuse the same silo across multiple tests. In that
case, we should not delete it until we are sure we have finished with
it.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add remove_attribute() helper function

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Have set_forced_key() also set the NT hash

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth/credentials: Add set_nt_hash()

This method allows setting the NT hash directly. This is useful in cases
where we don’t know the password, such as with a computer or server
account.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:lib: Fix typos

These typos were also spotted by a mailing list user:

https://lists.samba.org/archive/samba-technical/2023-April/138190.html

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Remove unused parameter

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Make _tgs_req() more configurable

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Make use of check_tgs_reply()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Allow specifying an encoded security descriptor

If we get a string, we’ll still assume it’s a DN and create a security
descriptor using it.

This is useful in cases where we don’t have a DN (e.g., the account is
not created yet).

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Rename ‘objectclass’ to use correct case

This means that tests can now specify values for ‘objectClass’ in
additional_details which override the default value.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Rename ‘auth_silo’ to ‘authn_silo’

Make it clear that this relates to authentication, not authorization.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>