auth/kerberos: add auth4_context_{for,get}_PAC_DATA_CTR() helpers

This adds a generic way to get to the raw (verified) PAC
and will be used in multiple places in future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

ctdb-tests: Add some tool unit tests to ensure that timeouts work

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Mon Feb 10 05:34:08 UTC 2020 on sn-devel-184

ctdb-tools: Allow shorter runtime limit to be specified

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-tools: When in test mode set process group in top-level ctdb tool

If ctdbd hangs when shutting down in post-test clean-up then killing
the process group can kill the test.  When in test mode, create a
process group but only in the top-level ctdb tool - the natgw and lvs
helpers also run the ctdb tool.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-tests: Use $PWD/bin/ if it exists when running in-tree

When running tests from a top-level build, a stale build in ctdb/bin/
will be preferred and may cause confusing results.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-tests: Make $ctdb_dir absolute

This is used to set several variables so it might as well be cd-proof.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-daemon: Fork when not interactive and test mode is enabled

There is no sane way of keeping stdin open when using the shell to
background ctdbd in local_daemons.sh.  Instead, have ctdbd fork when
not interactive and when test mode is enabled.  become_daemon() can't
be used for this: if it forks then it also closes stdin.

For the interactive case, become_daemon() wasn't doing anything
special, so do nothing instead.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-daemon: Make some conditions more explicit

These don't need to depend on do_fork.  Child logging should be set up
whenever the daemon is not interactive.  The stdin handler should be
setup whenever test mode is enabled.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-daemon: Pass more information to ctdb_start_daemon()

No functional changes.

This is staging for a change that makes ctdbd fork when test mode is
enabled but interactive is not set.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-tests: Don't actually close stdin in fake ssh

A subsequent file descriptor allocation may return 0 and unexpected
things may then happen.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-tests: Redirect stdin from /dev/null when running a test

Otherwise, if the test is run via ssh it will "unexpectedly" find
itself at the other end of a pipe.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

Revert "ctdb-tests: Enable job control when keeping stdin open"

This doesn't work when stdin is not a tty.

This reverts commit ea754bfdec9d537c500036d4d521bd41d34c0835.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

smbd: Remove overriding file_attributes with unix_mode in the VFS

Internally to open.c this is still used, but that can go away next.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Feb  7 22:27:48 UTC 2020 on sn-devel-184

smbd: Allow a Posix create context to override the unix mode

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Add posix create ctx to CREATE_FILE for posix operations

This will replace overloading file attributes

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Add a "done:" exit for get_posix_fsp()

We'll have another exit with the next commit

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Make unix_perms_from_wire() public

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Add make_smb2_posix_create_ctx()

Will be used internally to pass an artificial posix create context
into VFS_CREATE_FILE from the SMB1 unix extension calls

Pair programmed with: Jeremy Allison <jra@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>

smbd: Ignore incoming POSIX create context

We will use this internally and can only expose this once SMB3.11 unix
extensions are activated for the client.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libsmb: Add smb2_create_blob_remove()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libsmb: Allow passing in NULL to smb2_create_blob_find()

Will simplify callers a bit, and it does not change semantics
significantly. Zero create blobs won't find anything anyway.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libsmb: Add posix create context definition

Pair programmed with: Jeremy Allison <jra@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>

libsmb: Add required #includes to smb_util.h

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libsmb: Add required includes to smb2_create_blob.h

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libsmb: Remove "const" from smb_create_blob->tag

I want to TALLOC_FREE that soon, and we do a talloc_strdup into this anyway.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3: lib: Now remote_machine is static, we can depend on it being non-NULL.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Feb  7 18:26:15 UTC 2020 on sn-devel-184

s3:lib: Remove unneded call to set_local_machine_name()

We return the netbios name by default if not set.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3:lib: Use a static buffer for (local|remote)_machine

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libcli:smb: Don't use forward declartions for GnuTLS typedefs

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14271

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Feb  7 13:48:27 UTC 2020 on sn-devel-184

samba-tool gpo: tighter matching for ini names

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Fri Feb  7 12:03:34 UTC 2020 on sn-devel-184

python: use raw string for regex with escape

Python regards 'GPT\.INI$' as a string containing an invalid escape
sequence '\.', which is ignored (i.e. treated as the literal sequence
of those 2 characters), but only after Python has grumbled to itself,
and to you if you enabled DeprecationWarnings.

The proper thing to do here is use r-strings, like r'GPT\.INI$', which
tell Python that all backslashes are literal. Alternatively (as we do
once in this patch), the backslash can itself be escaped ('\\').

There are more problems of this nature in the build scripts.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>

pytests: heed assertEquals deprecation warning en-masse

TestCase.assertEquals() is an alias for TestCase.assertEqual() and
has been deprecated since Python 2.7.

When we run our tests with in python developer mode (`PYTHONDEVMODE=1
make test`) we get 580 DeprecationWarnings about this.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>

nmblib: avoid undefined behaviour in handle_name_ptrs()

If *offset is length - 1, we would read ubuf[(*offset)+1] as the lower
bits of the new *offset. This value is undefined, but because it is
checked against the valid range, there is no way to read further
beyond that one byte.

Credit to oss-fuzz.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14242
OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20193

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Feb  7 10:19:39 UTC 2020 on sn-devel-184

librpc ndr: Change loop index to size_t

Change the loop index in ndr_check_padding to size_t.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libprc ndr tests: Fix ndrdump test ntlmssp_CHALLENGE_MESSAGE

Fix the expected data in fuzzed_ntlmssp-CHALLENGE_MESSAGE.txt, as it
contained source code line numbers.

Andrew this test needs to be altered to us a regular expression and
remove the dependency on source line numbers.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

librpc ndr: ndr_pull_advance check for unsigned overflow.

Handle uint32 overflow in ndr_pull_advance

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

librpc ndr tests: Unsigned overflow in ndr_pull_advance

Check that uint32 overflow is handled correctly by ndr_pull_advance.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

librpc ndr: NDR_PULL_ALIGN check for unsigned overflow

Handle uint32 overflow in NDR_PULL_ALIGN

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

librpc ndr tests: uint32 overflow in NDR_PULL_ALIGN

Check that uint32 overflow is handled correctly by NDR_NEED_BYTES.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

librpc ndr: Heap-buffer-overflow in lzxpress_decompress

Reproducer for oss-fuzz Issue 20083

Project: samba
Fuzzing Engine: libFuzzer
Fuzz Target: fuzz_ndr_drsuapi_TYPE_OUT
Job Type: libfuzzer_asan_samba
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x6040000002fd
Crash State:
  lzxpress_decompress
    ndr_pull_compression_xpress_chunk
      ndr_pull_compression_start

Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest: Test behaviour of DNS scavenge with an existing dNSTombstoned value

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14258

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Feb  6 16:24:25 UTC 2020 on sn-devel-184

dsdb: Correctly handle memory in objectclass_attrs

el->values is caller-provided memory that should be thought of as constant,
it should not be assumed to be a talloc context.

Otherwise, if the caller gives constant memory or a stack
pointer we will get an abort() in talloc when it expects
a talloc magic in the memory preceeding the el->values.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14258

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

source4/scripting/bin: Swap machine account password scripts

I regularly get requests for my simple script to print the
password from the secrets.tdb (or secrets.ldb on the AD DC).

This removes the old script that only reads the secrets.ldb.

Neither new nor old script has tests, however it seems
better to have it in the tree where it can be found rather
that me digging it out of my outbound e-mail.

Originally posted here:
 https://lists.samba.org/archive/samba/2017-November/212362.html

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

smb2_server: use sendmsg/recvmsg instead of writev/readv

This avoids a few function calls inside the kernel
in order to reach sock_sendmsg() quicker:

    entry_SYSCALL_64_after_hwframe
       do_syscall_64
          __x64_sys_writev
             do_writev
                vfs_writev
                   do_iter_write
                      do_iter_readv_writev
                         sock_write_iter
                            sock_sendmsg

    entry_SYSCALL_64_after_hwframe
       do_syscall_64
          __x64_sys_sendmsg
             __sys_sendmsg
                ___sys_sendmsg
                   sock_sendmsg

As a side effect it will be useful for SMB-Direct invalidation
messages via msg->msg_control and CMSG_*.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

selftest: create a pcap file for the environment setup

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

selftest: create pcap files for invidual env services

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

selftest: move {setup,cleanup}_pcap() to selftest/target/Samba.pm

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

selftest: force LC_ALL=en_US.utf8 LANG=en_US.utf8

That makes sure we have the same as on gitlab runners
(see bootstrap/config.py).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:rpclient: simplify rpc_tstream_next_vector()

We always now how many bytes our caller requires,
so there's no need to use tstream_pending_bytes().

This makes it possible to read socket_wrapper generated
captures again, as wireshark requires the fixed (16 bytes) DCERPC
header to be in one TCP packet.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s4:torture: make rpc.handles.random-assoc test even more robust

This improves commit bebee47e6386476e9948089484f89d213fcc2660 a bit
further.

I just got this:

  connect samr pipe1
  use assoc_group_id[0x00000001] for new connections
  connect lsa pipe2
  got assoc_group_id[0x00000001] for p2
  samr_Connect to open a policy handle on samr p1
  use policy handle on lsa p2 - should fail
  closing policy handle on samr p1
  connect samr pipe3 - should fail
  Failed to bind to uuid 12345778-1234-abcd-ef00-0123456789ac for ncacn_np:localdc[\pipe\samr,validate,assoc_group_id=0x00000001,abstract_syntax=12345778-1234-abcd-ef00-0123456789ac/0x00000001] NT_STATUS_UNSUCCESSFUL
  connect lsa pipe4 - should fail
  Failed to bind to uuid 12345778-1234-abcd-ef00-0123456789ab for ncacn_np:localdc[\pipe\lsarpc,validate,assoc_group_id=0x00000001,abstract_syntax=12345778-1234-abcd-ef00-0123456789ab/0x00000000] NT_STATUS_UNSUCCESSFUL
  connect samr pipe5 with assoc_group_id[0xFFFFFFFF]- should fail
  Failed to bind to uuid 12345778-1234-abcd-ef00-0123456789ac for ncacn_np:localdc[\pipe\samr,validate,assoc_group_id=0xffffffff,abstract_syntax=12345778-1234-abcd-ef00-0123456789ac/0x00000001] NT_STATUS_UNSUCCESSFUL
  connect lsa pipe6 with assoc_group_id[0x00000000]- should fail
  UNEXPECTED(failure): samba4.rpc.handles on ncacn_np with validate.mixed-shared(ad_dc_ntvfs)
  REASON: Exception: Exception: ../../source4/torture/rpc/handles.c:500: status was NT_STATUS_OK, expected NT_STATUS_UNSUCCESSFUL: opening lsa pipe6
  FAILED (1 failures, 0 errors and 0 unexpected successes in 0 testsuites)
  A summary with detailed information can be found in:

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

smbd: avoid double chdir() in chdir_current_service()

Since 8e81090789e4cc3ba9e5aa792d4e52971909c894 we're doing chdir() twice, first
into conn->connectpath, then into conn->origpath.

Before commit 8e81090789e4cc3ba9e5aa792d4e52971909c894 if
chdir(conn->connectpath) succeeded, we wouldn't do the second chdir().

While at it, simplify the logging logic: if chdir() fails in this core function,
just always log is as error including the unix token.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14256
RN: smbd does a chdir() twice per request

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Feb  6 11:44:07 UTC 2020 on sn-devel-184

s3/lib: RIP smb_user_name

This has been replaced in previous commits by consistently using
current_user_info.smb_name.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3/auth: use set_current_user_info() in auth3_check_password_send()

This delays reloading config slightly, but I don't see how could affect
observable behaviour other then log messages coming from the functions in
between the different locations for lp_load_with_shares() like
make_user_info_map() are sent to a different logfile if "log file" uses %U.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3/auth: use set_current_user_info() in auth3_generate_session_info_pac()

This delays reloading config slightly, but I don't see how could affect
observable behaviour other then log messages coming from the functions in
between the different locations for lp_load_with_shares() like
make_session_info_krb5() are sent to a different logfile if "log file" uses %U.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3/rpc_server/netlogon: use set_current_user_info() in _netr_LogonSamLogon_base()

Note that we're now sanitizing the username we got from the client, as we do
everywhere else.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

smbd: remove sub_set_smb_name()/reload_services()

This means switching auth backend based on %U include, ie

  passdb backend = tdbsam
  include = smb.conf.%U

and smb.conf.SOMEUSER contains

  passdb backend = smbpasswd

won't work anymore.

We're still calling set_current_user_info() and reload_services() later on
in this function, so everything else still works as before.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s4/auth: use talloc_alpha_strcpy() in auth_session_info_fill_unix()

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3/rpc_server: use talloc_alpha_strcpy() in _winreg_InitiateSystemShutdownEx()

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3/lib: use talloc_alpha_strcpy() in sub_set_smb_name()

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3/lib: use talloc_alpha_strcpy() in set_remote_machine_name()

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3/lib: use talloc_alpha_strcpy() in set_local_machine_name()

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:auth: use talloc_alpha_strcpy() in auth3_session_info_create()

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3/auth: use talloc_alpha_strcpy() in create_local_token()

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

lib/util: add talloc_alpha_strcpy()

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

smbd: setting current_user stuff here is redundant

This is already handled by set_sec_ctx() below, we just have to pass in the
values instead of setting it here in this function before calling set_sec_ctx().

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

wafsamba: Do not use 'rU' as the 'U' is deprecated in Python 3.9

See https://docs.python.org/3.9/whatsnew/3.9.html#changes-in-the-python-api

"open(), io.open(), codecs.open() and fileinput.FileInput no longer accept 'U'
(“universal newline”) in the file mode. This flag was deprecated since Python
3.3. In Python 3, the “universal newline” is used by default when a file is
open in text mode. The newline parameter of open() controls how universal
newlines works."

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14266

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Feb  6 07:30:13 UTC 2020 on sn-devel-184

winbindd: handling missing idmap in getgrgid()

A similar hunk was added via commit
89f753c1fc824fef29aebb7d783ab7e09cd1f04e ("winbind: Use xids2sids in getpwuid"),
but it was missing in commit
e2dda192e7f8b65a5f02120be56cf0f07d03679f ("winbind: Use xids2sids in getgrgid")

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14265

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Feb  5 17:56:58 UTC 2020 on sn-devel-184

s3:auth_sam: map an empty domain or '.' to the local SAM name

When a domain member gets an empty domain name or '.', it should
not forward the authentication to domain controllers of
the primary domain.

But we need to keep passing UPN account names with
an empty domain to the DCs as a domain member.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:selftest: test authentication with an empty userdomain and upn names

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:auth_sam: introduce effective_domain helper variables

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:auth_sam: make sure we never handle empty usernames

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:auth_sam: unify the debug messages of all auth_sam*_auth() functions

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:auth_sam: replace confusing FALL_THROUGH; with break;

There's no real logic change here, but is makes it easier to
understand.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14247

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

bootstrap: Remove un-used dependency python3-crypto

This became unused in bbeef554f2c15e739f6095fcb57d9ef6646b411c
(except for repl_cleartext_pwd.py, a development script) and we now use
GnuTLS via a Samba wrapper.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14255

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s4:param: make sure secrets_db_connect() no longer creates on empty secrets.ldb

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Feb  5 10:13:02 UTC 2020 on sn-devel-184

s4:param: make use of secrets_db_create() in provision_store_self_join()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s4:param: add secrets_db_create() helper function

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

libcli/nbt: avoid talloc_reference() in nbt_name_*_send()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s4:rpc_server/lsa: remove some useless talloc_reference() calls

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

libcli:smb: Improve check for gnutls_aead_cipher_(en|de)cryptv2

This is available since version 3.6.10, but 3.6.10 has a bug which got fixed
in 3.6.11, see:

    https://gitlab.com/gnutls/gnutls/-/merge_requests/1085

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14250

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Feb  4 06:44:00 UTC 2020 on sn-devel-184

selftest: simplify logic in setup_env

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest: avoid comparison against undefined value

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest/target/samba: do not look for undef environment

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest/target/samba: add missing methods

These methods are being called but have not been provided.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest/s3: prefer empty string over undef to add nothing to config

To fix a warning.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest/s3: actually close parent copy of smbd's STDIN

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest/s4: remove illegal function signature

The character ':' has no meaning in function signatures. Perhaps ';' was
intended, which would have marked the later arguments as optional --
which is the default with no signature. All callers always provide all
the arguments anyway.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest/s4: don't put pcap file in / by default

If the SOCKET_WRAPPER_PCAP_DIR is not defined, let's assume it wasn't
wanted rather than choosing /.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest/s4: properly initialise an empty hash

The '%ret = {}' construction was bad because '{}' is a hash-ref, which
counts as a single scalar value, but a true hash like '%ret' must be
initialised with an even number of scalar values (usually in pairs, like
'($a => $b, $c => $d)').

I think this meant %ret was initialised as something harmless like
'(<HASH(0x55ce39781278)> => undef)'.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest: avoid redeclaring perl variables

None of these ones are doing any harm, we just want to silence these
warnings.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest/target/samba: avoid overwriting $pkinitdir

We were declaring the same variable twice with two different paths,
"$cadir/Users/$pkinitprincipalname" here and
"$ctx->{prefix_abs}/pkinit" about 5 lines down.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest: enable perl warnings

After this we will see more noise with each test run, and these
warnings will be addressed in following commits.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

build: Do not check if system perl modules should be bundled

We do not ship any perl modules in third_party at this time, so
this check is pointless and breaks the build for --bundled-libraries=ALL.

As reported by aaptel on https://gitlab.com/samba-team/samba/-/merge_requests/1104#note_281050331

This changes our autobuild script to cover this case in the
samba-static job.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

vfs_gpfs: Remove discard_const_p() from gpfswrap_quotactl() calls

Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Reviewed-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Mon Feb  3 21:53:05 UTC 2020 on sn-devel-184

vfs_gpfs: Remove discard_const_p() from gpfs_putacl() calls

Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Reviewed-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

vfs_gpfs: Remove discard_const_p() from gpfswrap_quotactl() calls

Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Reviewed-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

gpfswrap: Make pathname "const char *" in gpfswrap_quotactl()

Update wrapper function to match the definition in gpfs.h.

Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Reviewed-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

gpfswrap: Make pathname "const char *" in gpfswrap_get_winattrs_path()

Update wrapper function to match the definition in gpfs.h.

Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Reviewed-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

gpfswrap: Make pathname "const char *" in gpfswrap_set_winattrs_path()

Update wrapper function to match the definition in gpfs.h.

Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Reviewed-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

gpfswrap: Make pathname "const char *" in gpfswrap_get_realfilename_path()

Update wrapper function to match the definition in gpfs.h.

Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Reviewed-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>