build: fix disk-free quota support on Solaris 10

Samba has no code to support quota on Solaris 10 (and possibly other
os's such as AIX) using the new quota interface. The new interface
serves both disk size/free space reporting (clamping the underlying
file system numbers with quota), and direct manipulation of the user's
quota.

However, there's legacy code that supports only disk size/free space on
Solaris 10. In the waf build, this code is not compiled because there is
no test for it.

This patch adds a test to see whether the legacy code can be used.

Issue reported and fix tested by Andrew Morgan <morgan@orst.edu>.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11788

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Mar 13 01:37:58 CET 2016 on sn-devel-144

smbd: Only check dev/inode in open_directory, not the full stat()

This is needed because the smb2.create.mkdir-dup test creates a race,
and against an AD DC this can cause a flapping test if the lstat() and
stat() calls are made either side of the chown() due to creation of a
file by administrator.

Fix based on original patches by myself, by Douglas Bagnall
<douglas.bagnall@catalyst.net.nz>.  and Jeremy Allison <jra@samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11780

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Mar 12 09:43:21 CET 2016 on sn-devel-144

lib/socket/interfaces: Fix some uninitialied bytes.

Valgrind reports the following:

==26599== Syscall param ioctl(SIOCETHTOOL) points to uninitialised byte(s)
==26599==    at 0x7014707: ioctl (in /usr/lib64/libc-2.22.so)
==26599==    by 0x79D1585: query_iface_speed_from_name (interfaces.c:152)
==26599==    by 0x79D1BBA: _get_interfaces (interfaces.c:277)
==26599==    by 0x79D1E80: get_interfaces (interfaces.c:368)
==26599==    by 0x508A7E3: load_interfaces (interface.c:612)
==26599==    by 0x150B30: main (net.c:963)
==26599==  Address 0xffefff0d8 is on thread 1's stack
==26599==  in frame #1, created by query_iface_speed_from_name
(interfaces.c:130)
==26599==
==26599== Syscall param ioctl(SIOCETHTOOL) points to uninitialised byte(s)
==26599==    at 0x7014707: ioctl (in /usr/lib64/libc-2.22.so)
==26599==    by 0x79D15CC: query_iface_speed_from_name (interfaces.c:164)
==26599==    by 0x79D1BBA: _get_interfaces (interfaces.c:277)
==26599==    by 0x79D1E80: get_interfaces (interfaces.c:368)
==26599==    by 0x508A7E3: load_interfaces (interface.c:612)
==26599==    by 0x150B30: main (net.c:963)
==26599==  Address 0xffefff0d8 is on thread 1's stack
==26599==  in frame #1, created by query_iface_speed_from_name
(interfaces.c:130)

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

selftest: mark samba4.winbind.struct.domain_info.ad_member as flapping

See https://lists.samba.org/archive/samba-technical/2016-March/112861.html

  found 517 lines matching '^UNEXPECTED' in 641 files matching 'samba.stdout$'
   175 UNEXPECTED(failure): samba4.winbind.struct.domain_info(ad_member:local)
    19 UNEXPECTED(failure): samba4.winbind.struct.domain_info(s3member:local)
    12 UNEXPECTED(failure): samba4.rpc.backupkey with seal.backupkey.server_wrap_encrypt_decrypt_wrong_key(ad_dc_ntvfs)
    12 UNEXPECTED(failure): samba4.drs.delete_object.python(promoted_dc).delete_object.DrsDeleteObjectTestCase.test_ReplicateDeletedObject1(promoted_dc)
    12 UNEXPECTED(failure): samba4.rpc.backupkey with seal.backupkey.server_wrap_decrypt_wrong_r2(ad_dc_ntvfs)
    11 UNEXPECTED(failure): samba4.ldap.notification.python(ad_dc_ntvfs).__main__.LDAPNotificationTest.test_max_search(ad_dc_ntvfs)

We'll see if we also need to add
samba4.winbind.struct.domain_info.s3member
before we're able to identify and fix the problem.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Mar 12 02:14:39 CET 2016 on sn-devel-144

s4:dsdb/test/sort: avoid 'from collections import Counter'

This is only available in python 2.7 and >= 3.1

This should fix make test with python 2.6.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb/test/notification: make test_invalid_filter more resilient against ordering races

We saw a lot of flapping tests with:

    [1793(11038)/1892 at 1h55m26s]
    samba4.ldap.notification.python(ad_dc_ntvfs)(ad_dc_ntvfs)
    UNEXPECTED(failure):
    samba4.ldap.notification.python(ad_dc_ntvfs).__main__.LDAPNotificationTest.test_max_search(ad_dc_ntvfs)
    REASON: Exception: Exception: Traceback (most recent call last):
      File
    "/memdisk/autobuild/fl/b1782183/samba/source4/dsdb/tests/python/notification.py",
    line 181, in test_max_search
        self.assertEquals(num, ERR_TIME_LIMIT_EXCEEDED)
    AssertionError: 11 != 3

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth

An implementation of https://lists.samba.org/archive/samba/2012-March/166497.html (which has been discussed in 2012, but was never implemented).

It has been tested on a Debian Jessie system with this patch added to the Debian package (which is currently 4.1.17). Even though this is Samba 4, the ntlm_auth installed is the one from Samba 3 (yes, it surprised me too). The backend was a machine with Windows 2012R2.

It was first tested with the local security policy 'Network Security: LAN Manager authentication level' setting changed to 'Send NTLMv2 Response Only' (allow ntlm v1). This way we are able to authenticate with and without the MSV1_0_ALLOW_MSVCHAPV2 flag (as expected).

After the basic step has been verified, the local security policy 'Network Security: LAN Manager authentication level' setting was changed to 'Send NTLMv2 Response Only. Refuse LM & NTLM' (only allow ntlm v2). The behaviour now changed according to the MSV1_0_ALLOW_MSVCHAPV2 flag (again: as expected).

  $ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain=
  Logon failure (0xc000006d)
  $ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain= --allow-mschapv2
  NT_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

The changes in `wbclient.h` are intended for programs that use libwinbind directly instead of authenticating via `ntlm_auth`. I intend to use that within FreeRADIUS (see https://bugzilla.samba.org/show_bug.cgi?id=11149).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11694
Signed-off-by: Herwin Weststrate <herwin@quarantainenet.nl>
Reviewed-by: Kai Blin <kai@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

ctdb-client: Increase the timeout for TRANS3_COMMIT control

On a busy system, TRANS3_COMMIT control can take upto or longer than
3 seconds.  On timeout, there are few possible outcomes.

1. The transaction has completed on all nodes and TRANS3_COMMIT control
   has returned.  In such a case, there is no problem.

2. The transaction has completed on the local node, but TRANS3_COMMIT
   control is still active.  In such a case, ctdb_transaction_commit()
   can return successfully.  If this is being called from ctdb, then
   ctdb will exit.  This will cause ctdb daemon to trigger recovery
   since the client exited while transaction is active.  This will cause
   unnecessary recovery.

3. Database recovery was started and ctdb_transaction_commit() will
   retry till the recovery completes the transaction.

Increasing the timeout to 30 seconds will avoid the spurious database
recoveries when TRANS3_COMMIT control takes longer to finish.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Mar 11 19:59:53 CET 2016 on sn-devel-144

smbd: Prevent a crash

smb2srv_session_close_previous_check crashes if
ndr_pull_smbXsrv_session_globalB fails for some reason. It depends on "is_free"
to be correctly set. All we can do for an invalid database is to discard the
record and set it free.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Mar 11 00:12:18 CET 2016 on sn-devel-144

s3: smbd: Simplify logic inside rename_internals_fsp() part 2

Removes the use of an extraneous 'struct smb_filename *'
which wasn't being created correctly, only as a place
holder for two char * pointers.

Use split_stream_filename() to create the char * pointers
directly and make it clearer what we're up to here.

The logic here is still complex, but I'm satified
it does the correct thing.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>

s3: smbd: Simplify logic inside rename_internals_fsp() part 1.

Use standard parent_dirname() function instead of hand-hacking
using strrchr_m(xxx, '/'). Next commit should enable removal
of synthetic_smb_fname_split().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>

s3:lib: Move internal lp_posix_pathnames() call out of utility function synthetic_smb_fname_split().

Make it a passed in parameter instead.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>

s3:lib: Remove the const SMB_STRUCT_STAT * parameter from synthetic_smb_fname_split().

Only one caller uses this, and this can be handled externally.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>

s3:lib: Rewrite synthetic_smb_fname_split() to use split_stream_filename().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>

s3:lib. Add split_stream_filename() Not yet used.

Will replace internals of synthetic_smb_fname_split().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>

selftest: add some test cases to net ads join

Perform a testjoin between steps to verify join status
Perform most testjoins with machine account because that's
the more common case.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Thu Mar 10 14:41:13 CET 2016 on sn-devel-144

selftest: run net ads join test in a private client env

net ads join command changes machine password, thus affecting
the test environment beyond the thing we want to test.

This cange runs the test in a private client env, with its
own hostname, newly-generated machine SID, and a separate
secrets.tdb, thus not affecting the running AD member server,

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s4:rpc_server: dcesrv_generic_session_key should only work on local transports

This matches modern Windows servers.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Mar 10 10:15:21 CET 2016 on sn-devel-144

s4:rpc_server/samr: hide a possible NO_USER_SESSION_KEY error

Windows servers doesn't return the raw NT_STATUS_NO_USER_SESSION_KEY
error, but return WRONG_PASSWORD or even hide the error by using a random
session key, that results in an invalid, unknown, random NTHASH.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:torture:samba3rpc: use an authenticated SMB connection and an anonymous DCERPC connection on top

This is the only way to get a reliable transport session key.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp

It requires a transport session key, which is only reliable available
over SMB.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:torture: the backupkey tests need to use ncacn_np: for LSA calls

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:torture/rpc: do testjoin only via ncalrpc or ncacn_np

ncacn_ip_tcp doesn't have the required session key.
It used to be the wellknown "SystemLibraryDTC" constant,
but that's not available in modern systems anymore.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:libsmb: remove unused functions in clispnego.c

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:libsmb: remove unused cli_session_setup_kerberos*() functions

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:libsmb: make use of cli_session_setup_gensec*() for Kerberos

This pares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:libsmb: call cli_state_remote_realm() within cli_session_setup_spnego_send()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:libsmb: provide generic cli_session_setup_gensec_send/recv() pair

It will be possible to use this for more than just NTLMSSP in future.

This prepares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:libsmb: let cli_session_setup_ntlmssp*() use gensec_update_send/recv()

This pares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:libsmb: unused ntlmssp.c

Everything uses the top level ntlmssp code via gensec now.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:libsmb: make use gensec based SPNEGO/NTLMSSP

This pares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:libads: keep service and hostname separately in ads_service_principal

Caller will use them instead of the full principal in future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:libads: don't pass given_principal to ads_generate_service_principal() anymore.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:libads: provide a generic ads_sasl_spnego_gensec_bind() function

It will be possible to use this for more than just NTLMSSP in future.

Similar to https://bugzilla.samba.org/show_bug.cgi?id=10288

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:libads: make use of GENSEC_OID_SPNEGO in ads_sasl_spnego_ntlmssp_bind()

This avoids using the hand made spnego code, that
doesn't support the GENSEC_FEATURE_NEW_SPNEGO protection.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

s3:libads: make use of GENSEC_FEATURE_LDAP_STYLE

This is more generic and will handle the
ntlmssp_[un]wrap() behaviour at the right level.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:libads: add missing TALLOC_FREE(frame) in error path

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:ldap_server: make use of GENSEC_FEATURE_LDAP_STYLE

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

s4:selftest: simplify the loops over samba4.ldb.ldap

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

s4:selftest: we don't need to run ldap test with --option=socket:testnonblock=true

The LDAP client library uses tstream and that handles non blocking
sockets natively.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

s4:libcli/ldap: fix retry authentication after a bad password

We need to start with an empty input buffer.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

s4:libcli/ldap: make use of GENSEC_FEATURE_LDAP_STYLE

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

auth/ntlmssp: remove ntlmssp_unwrap() fallback for LDAP

This is now handled by GENSEC_FEATURE_LDAP_STYLE.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth/ntlmssp: add more compat for GENSEC_FEATURE_LDAP_STYLE

We want also work against old Samba servers which didn't had
GENSEC_FEATURE_LDAP_STYLE we negotiate SEAL too. We may remove this in a few
years. As all servers should support GENSEC_FEATURE_LDAP_STYLE by then.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

auth/ntlmssp: implement GENSEC_FEATURE_LDAP_STYLE

We need to handle NTLMSSP_NEGOTIATE_SIGN as
NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
is requested.

This works arround a bug in Windows, which allow signed only
messages using NTLMSSP and LDAP.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

auth/gensec: add GENSEC_FEATURE_LDAP_STYLE define

This will be used for LDAP connections and may trigger
backend specific behaviour.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

auth/ntlmssp: use ndr_push_AV_PAIR_LIST in gensec_ntlmssp_server_negotiate().

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Günther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

librpc/ndr: add ndr_ntlmssp_find_av() helper function

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

ntlmssp.idl: make AV_PAIR_LIST public

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

ntlmssp.idl: MsAvRestrictions is MsvAvSingleHost now

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

security.idl: add LSAP_TOKEN_INFO_INTEGRITY

This is used in [MS-KILE] and implicit in [MS-NLMP].

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

auth/ntlmssp: use ntlmssp_version_blob() in the server

We already set NTLMSSP_NEGOTIATE_VERSION in
gensec_ntlmssp_server_start(), so it's always
set in chal_flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

auth/ntlmssp: let the client always include NTLMSSP_NEGOTIATE_VERSION

This matches a modern Windows client.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

auth/ntlmssp: add ntlmssp_version_blob()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

auth/ntlmssp: don't send domain and workstation in the NEGOTIATE_MESSAGE

We don't set NTLMSSP_NEGOTIATE_OEM_{DOMAIN,WORKSTATION}_SUPPLIED anyway.

This matches modern Windows clients.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

auth/ntlmssp: set NTLMSSP_ANONYMOUS for anonymous authentication

This matches a modern Windows client.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

auth/ntlmssp: define all client neg_flags in gensec_ntlmssp_client_start()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

auth/ntlmssp: NTLMSSP_NEGOTIATE_VERSION is not a negotiated option

NTLMSSP_NEGOTIATE_VERSION only indicates the existence of the version
information in the packet.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

auth/ntlmssp: split out a debug_ntlmssp_flags_raw() that's more complete

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

s3:ntlm_auth: also use gensec for "ntlmssp-client-1" and "gss-spnego-client"

This implicitly fixes bug #10708.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10708

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

winbindd: make use of ntlmssp_resume_ccache backend for WINBINDD_CCACHE_NTLMAUTH

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

s3:auth_generic: add "ntlmssp_resume_ccache" backend in auth_generic_client_prepare()

This will be used by winbindd in order to correctly implement WINBINDD_CCACHE_NTLMAUTH.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

auth/ntlmssp: implement GENSEC_FEATURE_NTLM_CCACHE

This can used in order to use the WINBINDD_CCACHE_NTLMAUTH
code of winbindd to do NTLMSSP authentication with a cached
password.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

auth/gensec: add GENSEC_FEATURE_NTLM_CCACHE define

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend

These can be used to implement the winbindd side of
the WINBINDD_CCACHE_NTLMAUTH call.

It can properly get the initial NEGOTIATE messages
injected if available.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

s3:ntlmssp: remove unused libsmb/ntlmssp_wrap.c

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

s3:auth_generic: make use of the top level NTLMSSP client code

There's no reason to use gensec_ntlmssp3_client_ops, the
WINBINDD_CCACHE_NTLMAUTH isn't available via gensec anyway.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

winbindd: pass an memory context to do_ntlm_auth_with_stored_pw()

We should avoid using NULL.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

s3:tests/test_ntlm_auth_s3: test ntlmssp-client-1 with cached credentials

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11776

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

s3:torture/test_ntlm_auth.py: add --client-use-cached-creds option

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11776

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

s3:torture/test_ntlm_auth.py: replace tabs with whitespaces

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

s3:ntlm_auth: fix --use-cached-creds with ntlmssp-client-1

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11776

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

auth/ntlmssp: add gensec_ntlmssp_server_domain()

This is a hack in order to temporary export the server domain
from NTLMSSP through the gensec stack.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth/ntlmssp: keep ntlmssp_state->server.netbios_domain on the correct talloc context

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:auth_generic: add auth_generic_client_start_by_sasl()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:auth_generic: add auth_generic_client_start_by_name()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

auth/gensec: make gensec_security_by_name() public

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

auth/gensec: handle gensec_security_by_sasl_name(NULL, ...)

We do that for all other gensec_security_by_*() functions already.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth/gensec: keep a pointer to a possible child/sub gensec_security context

This is a hack in order to temporary implement something like:
gensec_ntlmssp_server_domain(), which may be used within spnego.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:pygensec: make sig_size() and sign/check_packet() available

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:librpc/gse: implement gensec_gse_max_{input,wrapped}_size()

This is important in order to support gensec_[un]wrap() with GENSEC_SEAL.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:librpc/gse: don't log gss_acquire_creds failed at level 0

Some callers just retry after a kinit.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:librpc/gse: correctly support GENSEC_FEATURE_SESSION_KEY

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:librpc/gse: set GSS_KRB5_CRED_NO_CI_FLAGS_X in gse_init_client() if available

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:librpc/gse: fix debug message in gse_init_client()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:librpc/gse: make use of GSS_C_EMPTY_BUFFER in gse_init_client

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

wscript_configure_system_mitkrb5: add configure checks for GSS_KRB5_CRED_NO_CI_FLAGS_X

Newer MIT versions (maybe krb5-1.14) will also support this.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:libads: remove unused ads_connect_gc()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:librpc/rpc: map alter context SEC_PKG_ERROR to NT_STATUS_LOGON_FAILURE

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

librpc/rpc: add error mappings for NO_CALL_ACTIVE, OUT_OF_RESOURCES and BAD_STUB_DATA

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

dcerpc.idl: make WERROR RPC faults available in ndr_print output

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

epmapper.idl: make epm_twr_t available in python bindings

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:selftest: run samba3.blackbox.smbclient_auth.plain also with $SERVER_IPV6

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:test_smbclient_auth.sh: test using the ip address in the unc path (incl. ipv6-literal.net)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib/util_net: add support for .ipv6-literal.net

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib/util_net: move ipv6 linklocal handling into interpret_string_addr_internal()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4-selftest: Make export keytab test heimdal specific

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4-libnet: Implement export_keytab without HDB

This is used by 'samba-tool domain exportkeytab'. This loads the HDB
Samba backend thus needs access to samdb. To avoid using heimdal
specific code here, we could talk to samdb directly and write a
keytab file.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>