winbindd: Show warning message on tc connection errors too

Some of these conditions could never be hit.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

wafsamba: Remove unused configure check

This check would trigger compiler warnings due to the extra argument
passed to eprintf(). HAVE__VA_ARGS__MACRO isn't used anywhere, so we can
remove the check.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest: Clean up socket when finished

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest: Don't use invalid escape sequences

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Test that denied attributes are still issued in claims

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add functions to fetch the schemaIDGUID of an attribute or class

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Check that test parameters are not going unseen

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Test that claims are generated even if PAC-OPTIONS are not set

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Test that RODC-issued device groups are regenerated

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Test that RODC-issued claims are regenerated

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add tests for RODC-issued armor tickets

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add tests for constrained delegation with RODC-issued tickets

This works as long as both tickets are issued by the same RODC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add remove_client_claims_tgt_from_rodc()

This method removes the PAC_CLIENT_CLAIMS_INFO buffer *and* makes it
appear as if a ticket were issued by an RODC. Because that's more
efficient than decrypting and modifying the ticket twice.

View with 'git show -b'.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Let ticket_with_sids() create RODC-issued tickets

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add signed_by_rodc()

This can be used to modify a service ticket to appear as if it were
signed by an RODC krbtgt.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Move issued_by_rodc() to base class

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Fix additional_details account creation caching

In Python, maps are not hashable and hence cannot be used as cache keys.
To get around this, we were converting the account details map to a
tuple of (key, value) pairs with the following expression:

((k, v) for k, v in details.items())

However, this was actually creating a lazily-evaluated generator object.
The hash of this object was based on its address in memory, not on its
contents, which meant that account options with the same details could
have different hash values if the generators occupied different memory
addresses, or (less likely) that account options with different details
could hash to the same value if the second generator happened to inhabit
the same memory address as the first one. The result was that account
caching didn't work as intended.

Attempt to fix that by using a frozenset instead of a generator object,
and making sure that all our values are tuples (and thus hashable).

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add simple resource-based constrained delegation test

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Only add AES enctype bits at domain functional level 2008 and above

At lower levels we should not expect these bits to be present.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Cache drsuapi connection

We call get_keys() a lot, and it's more efficient if we aren't creating
a new connection for every new account we create.

To allow us to maintain a single cached connection, remove the samdb
parameter from get_keys() and get_secrets(). No-one was using it anyway.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Generate full ticket signatures with trailing RODC id

This matches the use of make_rodc_zeroed_checksum() in the preceeding
loop, and means that RODC-signed service tickets no longer fail to
decrypt.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python:ndr: Use f-string to format exception message

If 'object' happened to be a tuple, we would get one of the following
errors:

TypeError: not enough arguments for format string
TypeError: not all arguments converted during string formatting

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:ldb: Correctly cast pointers for assert_string_equal()

This is a change in cmocka to avoid hiding possible errors.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Mar 15 07:53:54 UTC 2023 on atb-devel-224

selftest: Use setUpClass() to reduce "make test TESTS=large_ldap" time

This reduces the elapsed time to 6m from 20m on my laptop.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15332

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Mar 14 07:16:04 UTC 2023 on atb-devel-224

lib/ldb: Avoid allocation and memcpy() for every wildcard match candidate

The value can be quite large, the allocation will take much
longer than the actual match and is repeated per candidate
record.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15331

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

python:netcmd: Decode return value of find_netbios() from bytes into string

ERROR(<class 'TypeError'>): uncaught exception - replace() argument 1 must be
str, not bytes
  File "bin/python/samba/netcmd/__init__.py", line 230, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "bin/python/samba/netcmd/ldapcmp.py", line 966, in run
    if b1.diff(b2):
       ^^^^^^^^^^^
  File "bin/python/samba/netcmd/ldapcmp.py", line 790, in diff
    if object1 == object2:
       ^^^^^^^^^^^^^^^^^^
  File "bin/python/samba/netcmd/ldapcmp.py", line 557, in __eq__
    return self.cmp_attrs(other)
           ^^^^^^^^^^^^^^^^^^^^^
  File "bin/python/samba/netcmd/ldapcmp.py", line 656, in cmp_attrs
    p = [self.fix_domain_netbios(j) for j in m]
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "bin/python/samba/netcmd/ldapcmp.py", line 656, in <listcomp>
    p = [self.fix_domain_netbios(j) for j in m]
         ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "bin/python/samba/netcmd/ldapcmp.py", line 542, in fix_domain_netbios
    res = res.replace(self.con.domain_netbios.lower(), self.con.domain_netbios.upper())
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

BUGS: https://bugzilla.samba.org/show_bug.cgi?id=15330

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

dsdb: Avoid ERROR(ldb): uncaught exception - Deleted target CN=NTDS Settings... in join

"samba-tool domain join" uses the replication API in a strange way, perhaps no longer
required, except that we often still have folks upgrading from very old Samba versions.

When deferring the writing out to the DB of link replication to the very end, there
is a greater opportunity for the deletion of an object to have been sent with the
other objects, and have the link applied later.

This tells the repl_meta_data code to behave as if GET_TGT had been sent at the
time the link was returned, allowing a link to a deleted object to be silently
discarded.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15329

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

selftest/drs: Demonstrate ERROR(ldb): uncaught exception - Deleted target CN=NTDS Settings... in join

"samba-tool domain join" uses the replication API in a strange way, perhaps no longer
required, except that we often still have folks upgrading from very old Samba versions.

By deferring the writing out to the DB of link replication to the very end, we have a
better chance that all the objects required are present, however the situation may
have changed during the cycle, and a link could still be sent, pointing to a deleted
object.

We currently fail in this situation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15329

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

tsocket: Increase tcp_user_timeout max_loops

Often, on rackspace GitLab CI runners, we get:

UNEXPECTED(failure): samba.unittests.tsocket_tstream.test_tstream_more_tcp_user_timeout_spin(none)
REASON: Exception: Exception: 0xf == 0xf
../../lib/tsocket/tests/test_tstream.c:405: error: Failure!

This allows us more spins before we fail the test.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15328
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

idmap_hash: remember new domain sids in idmap_hash_sid_to_id()

This change means that idmap_hash_id_to_sid() can return mappings
for new domains learned in idmap_hash_sid_to_id().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 10 11:35:06 UTC 2023 on atb-devel-224

idmap_hash: don't return ID_REQUIRE_TYPE if the domain is known in the netsamlogon cache

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

idmap_hash: only return ID_REQUIRE_TYPE if we don't know about the domain yet

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

idmap_hash: return ID_REQUIRE_TYPE only if there's a chance to get a mapping later

If we are going to return ID_UNMAPPED later anyway, there's no need to
defer that decision by returning ID_REQUIRE_TYPE first.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

idmap_hash: split out a idmap_hash_sid_to_id() helper function

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

idmap_hash: split out a idmap_hash_id_to_sid() helper function

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

idmap_hash: mirror the NT_STATUS_NONE_MAPPED/STATUS_SOME_UNMAPPED logic from idmap_autorid

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

idmap_hash: we don't need to call idmap_hash_initialize() over an over again

It's always the first function that's called from idmap_methods.

This also demonstrates that we currently always return NT_STATUS_OK,
even if we haven't mapped all map entries.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

idmap_hash: remove unused error checks

id_map_ptrs_init() is used in the callers in order to
set everything up as expected.

Other backends also just trust the caller.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

idmap_hash: fix comments about the algorithm

Only support ~ 50k users per domain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

idmap_hash: provide ID_TYPE_BOTH mappings also for unixids_to_sids

While sids_to_unixids returns ID_TYPE_BOTH mappings,
unixids_to_sids() returns the callers asked for, which
fills gencache with the non ID_TYPE_BOTH mappings.
As a result also the sids_to_unixids fast path via
gencache won't return ID_TYPE_BOTH mappings.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

idmap_autorid: fix ID_REQUIRE_TYPE for more than one SID for an unknown domain

When we see a trusted domain SID for the first time,
idmap_autorid returns ID_REQUIRE_TYPE only for the first sid
and leaves the others with ID_TYPE_NOT_SPECIFIED.
It means the winbindd parent only retries the first sid.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15318

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

winbindd: don't call set_domain_online_request() in the idmap child

Most idmap backends don't need access to the domain controllers.
And the related code is not needed for the backends.

Commit 17c86a2c5a5a5e2b194362e5f36f0f99910222c5 changed
the logic of set_domain_online_request() completely!
Instead of triggering a dc probe in the background,
it is now doing a blocking connection.
And doing this in the idmap child is completely useless.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15317

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

audit_logging: Use `json_int_t` instead of `int` for `json_add_int` value type

Functions like `add_lock_to_json` and `add_profile_item_to_json` pass
some values to `json_add_int` with `intmax_t` types. This may cause
arithmetic overflow when the value grows very fast, such as the
read_bytes profiling data.
Use `json_add_int` instead of `int` to avoid the overflow.

RN: Make json output show intmax_t value properly

Signed-off-by: Li Yuxuan <liyuxuan.darfux@bytedance.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar  9 21:33:43 UTC 2023 on atb-devel-224

audit_logging:tests: Add big_int test for `json_add_int`

Show that `json_add_int` can't handle value larger than int32 due to
overflow.

Add knownfail.

Signed-off-by: Li Yuxuan <liyuxuan.darfux@bytedance.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:util: prefer mallinfo2() over mallinfo() if available

Prefer mallinfo2() with 'size_t' fields over deprecated
mallinfo() (with 'int' fields which may wrap around zero
and so be inaccurate on a 64-bit system) and move relevant
checks to lib/util/wscript_configure because mallinfo()
is not used beyond 'samba-util'.

Suggested-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

dsgetdcname: do not assume local system uses IPv4

Return the first IPv4 and the first IPv6 address found for each DC.
This is slightly inelegant, but resolves an issue where IPv6-only
systems were unable to run "net ads join" against domain controllers
that have both A and AAAA records in DNS.

While this impacts performance due to the additional LDAP ping attempts,
in practice an attempt to connect to an IPv6 address on an IPv4-only
system (or vice versa) will fail immediately with
NT_STATUS_NETWORK_UNREACHABLE, and thus the performance impact should be
negligible.

The alternative approach, using an smb.conf setting to control whether
the logic prefers a single address of one family or the other ends up
being a bit awkward, as it pushes the problem onto admins and tools such
as "realm join" that want to dynamically synthesize an smb.conf on the
fly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15325

Signed-off-by: Nathaniel W. Turner <nturner@exagrid.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar  9 19:12:15 UTC 2023 on atb-devel-224

libsmb: Convert cli_posix_stat_send/recv() to modern conventions

It's unusual these days to pass output arguments in the _send
function, instead save the result in the _state struct

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

librpc: Simplify dcerpc_default_transport_endpoint()

We don't need strcmp for just 1 byte

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libcli: Shrink .data segment by 43264 bytes

A case statement only references const strings, pointers in an array
need to be relocated at exec() time.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libcli: Shrink .data segment by 43264 bytes

A case statement only references const strings, pointers in an array
need to be relocated at exec() time.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

build: Fix a long line

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpcd: Use size_t for walking an array

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Directly initialize a "fsp1"

Don't leave it dangling

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: DBG_DEBUG raw create contexts received from the client

Got

smbd_smb2_request_process_create: Got 2 create blobs
[0]
[0000] 93 AD 25 50 9C B4 11 E7   B4 23 83 DE 96 8B CD 7C   ..%P.... .#.....|
[0000] 05 00 00 00                                         ....
[1]
[0000] 51 46 69 64                                         QFid

from cifs.ko, trying to find out where the "05 00 00 00" comes from..

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: Add dump_data_addbuf()

Helper function to build up debug strings

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: Move the dump_data_pw() prototype to the other dump_data_* ones

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: Remove a talloc_stackframe()

This made sense before we used dom_sid_str_buf() in the DEBUG
statements.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libcli/util: Avoid an includes.h

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libcli/security: Avoid includes.h

Don't rebuild libcli/security when not necessary

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: librpc/gen_ndr/security.h needs DATA_BLOB

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: Fix whitespace

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Remove a variable only ever set to NULL

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

vfs: Replace a "== false" with a "!"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libsmb: Avoid a duplicate memset(.., 0, ..);

tevent_req_create() does a talloc_zero() on "state" already

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

samba-tool: Ensure modifying GPO increments GPT.INI vers

When we modify a GPO, we must increment the
version number in the GPT.INI, otherwise client
machines won't process the update.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15327

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

samba-tool: Test that modifying GPO increments GPT.INI vers

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15327

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

samba-tool: Subclass GPOCommand for calling samdb_connect

These sub commands will need to call samdb_connect in an upcoming
commit. Subclass from GPOCommand to make this possible.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15327

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

s4-dsdb:tests: Correctly handle LdbError

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar  8 05:37:08 UTC 2023 on atb-devel-224

s4-dsdb:tests: Fix AD DC performance tests

Calling cmd._run() directly would fail due to the 'command_name'
attribute being absent, so these tests would fail to run. Fix this by
using the samba.netcmd.main.samba_tool helper function.

Check the return code as well for good measure.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

ldb: Make ldb_msg_remove_attr O(n)

Previously it was O(n²).

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Remove old device info and device claims tests

They have been made superfluous by newer declarative tests in
claims_tests.py and device_tests.py.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add tests for device claims

These test the interaction between claims and groups in the PAC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add tests for device info

These tests verify that the groups in the device info structure in the
PAC are exactly as expected under various scenarios.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Overhaul check_device_info()

With expected_device_groups, tests can now specify particular group
arrangements they expect to see.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Allow creating a target server account with or without compound ID support

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Don't specify extra enctypes for the krbtgt

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Allow adding members to a group and changing its type in a single operation

This is needed in order to get some specific group setups for tests.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add test for compressed claim

Create a claim large enough to cause it to be compressed.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Test we get correct values for integer syntax claims

Windows erroneously shifts integer syntax claim values four bytes to the
right, resulting in incorrect values (if only one claim is present) or
corrupt claims data that cannot be unpacked (if other claims are
present). There's no reason to emulate such broken behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Require domain_sid to be non-None when passing a RID to map_to_sid()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Allow group_setup to be None in setup_groups()

'git show -b' shows that not much actually changes.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Test more descriptive security descriptor

This one has more flags set, so we can test whether we're getting our
string representation right.

Samba prints the flags in a different order from Windows, but fixing
that now would be too risky and involve far too much churn for minimal
benefit. (Consider how many tests verify security descriptors against
string constants...) Instead, allow one of two possible security
descriptors.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Document and tidy up existing claims tests

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Allow creating accounts supporting claims or compound identity separately

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Make arguments to get_target() keyword arguments

This avoids mistakes by ensuring that passed-in arguments go to their
intended destinations.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Split out device info checking into new method

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Fix typo

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Move some claims tests around

It's helpful to have the test declarations be together for better
locality and ease of reading.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add type to expect a value is one of a set of possible types

This is useful for cases where we differ from Windows in some minor
detail, and where the effort required to reach parity is unjustifiably
high.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Allow comparing UnorderedLists only with one another

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Unconditionally check compressed claims

not only if STRICT_CHECKING=1.

This also fixes a bug where the call to huffman_decompress() was
indented incorrectly.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Remove unused import

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

rpcd: With npa->need_idle_server we can have more than 256 servers

Before this patch the worker-status cut the worker index such that
samba-dcerpcd could not properly update status of the surplus rpc
daemons. This could lead to those daemons to stay around forever,
samba-dcerpcd will never notice they are idle and can exit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15310

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Mar  6 22:35:00 UTC 2023 on atb-devel-224

rpcd: Do blocking connects to local pipes

We don't have real async callers yet, and this is the simplest way to
fix our missing light-weight deterministic async fallback mechanism.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15310

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

rpcd: Increase listening queue

Allow more waiters under load.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15310

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

torture3: test rpc scalability

With

smbtorture3 //127.0.0.1/ipc\$ rpc-scale -N 50 -o 1000

I am able to immediately trigger bug 15130.

Not running by default, this is a pure load test.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15310

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

librpc: Remove unused sync rpc_transport_np_init()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>