git.samba.org - samba.git/log

s4:kdc: hdb_samba4_audit() is only called once per request

So we need to restructure the logic a bit.

NOTE: This commit finally works again!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Tue Mar 1 23:28:22 UTC 2022 on sn-devel-184

s4-kdc: Adapt to move from HDB auditing to KDC auditing constants

This is to adapt to:

    commit 6530021f09a5cab631be19a1b5898a0ba6b32f16
    Author: Luke Howard <lukeh@padl.com>
    Date:   Thu Jan 13 14:37:29 2022 +1100

        kdc: move auth event definitions into KDC header

        Move KDC auth event macro definitions out of hdb.h and into a new KDC header,
        kdc-audit.h.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

s4:kdc: Adapt to removal of publicly accessible request structure members

We now have to use the accessor functions instead.

This is an adaptation to Heimdal:

commit ec24edf7005c340018450a202d27ca75fcf322d4
Author: Luke Howard <lukeh@padl.com>
Date:   Thu Jan 20 09:15:24 2022 +1100

    kdc: add accessor functions for KDC request structure

    Add accessor functions for use by Samba and other plugin developers.
    Documentation is in kdc/kdc-accessors.h.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Adapt to hdb_entry_ex removal

Rather than having a 'free_entry' member that can be called to free an
hdb_entry, we now implement the free function in HDB. We perform the
free only if the context pointer is non-NULL.

We also remove the ZERO_STRUCTP() in sdb_entry_to_hdb_entry(), as the
context pointer is now part of the 'hdb_entry' structure itself, and
this would undesirably zero it out.

This is an adaptation to Heimdal commits:

commit c5551775e204d00c7ee8055ab6ddbba7e0590584
Author: Luke Howard <lukeh@padl.com>
Date:   Fri Jan 7 12:15:55 2022 +1100

    hdb: decorate HDB_entry with context member

    Decorate HDB_entry with context and move free_entry callback into HDB structure
    itself. Requires updating hdb_free_entry() signature to include HDB parameter.
    A follow-up commit will consolidate hdb_entry_ex (which has a single hdb_entry
    member) into hdb_entry.

commit 0e8c4ccc6ee0123ea39e53e8917fc3f6bb74e8c8
Author: Luke Howard <lukeh@padl.com>
Date:   Fri Jan 7 12:54:40 2022 +1100

    hdb: eliminate hdb_entry_ex

    Remove hdb_entry_ex and revert to the original design of hdb_entry (except with
    an additional context member in hdb_entry which is managed by the free_entry
    method in HDB).

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Increment plugin minor version

This is an adaptation to Heimdal:

commit 40e4a4df09c2d6c3ba7bf14df1dee74a0bc18110
Author: Luke Howard <lukeh@padl.com>
Date:   Mon Jan 10 12:50:37 2022 +1100

    kdc: use astgs_request_t for client/server name (TGS)

    Store the client and server principal name from the TGT and request
    (respectively) in the astgs_request_t rather than using local variables.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

third_party/heimdal_build: Don't generate .x source files

This is an adaptation to Heimdal:

commit 9427796f1a65906f12768b28abdb5a928222f3c6
Author: Jeffrey Altman <jaltman@secure-endpoints.com>
Date:   Wed Jan 5 15:45:23 2022 -0500

    Generate .x source files as .c source files

    The generated .x source and .hx header files are plain C source files.
    Generate them as .c source files and avoid unnecessary file copying
    and special makefile rules.

    Change-Id: Ifc4bbe3c46dd357fdd642040ad964c7cfe1d395c

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Explicitly set plugin minor version

This is an adaptation to Heimdal:

commit 7cc4b7a9e624f5eecfbb38607d4cc0870a895671
Author: Luke Howard <lukeh@padl.com>
Date:   Wed Jan 5 13:08:11 2022 +1100

    kdc: KDC plugin API contract notes

    Add some notes about the KDC plugin API contract, and require plugins to
    explicitly indicate which version of the API they support (remove the macro
    alias for the current version).

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

third_party/heimdal_build: Add SFU source file

This is an adaptation to Heimdal:

commit 0287558838de79313e38026d2f0905ffc987d0b8
Author: Luke Howard <lukeh@padl.com>
Date:   Fri Dec 24 13:49:55 2021 +1100

    kdc: move Services for User implementation out of krb5tgs.c

    Move the Services for User (SFU/S4U) implementation -- protocol transition and
    constrained delegation -- into its own compilation unit, with an interface that
    only takes an astgs_request_t, so it can be easily factored out into a plugin
    module in the future.

    This refactoring is also careful to update all client names in the request
    structure after the SFU/S4U validation has successfully completed.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Adapt to removal of auth audit event types

This is an adaptation to Heimdal:

commit 06f8985c55fcd23e3efe0017ed2480c5b3c4524f
Author: Luke Howard <lukeh@padl.com>
Date:   Wed Jan 5 09:42:03 2022 +1100

    hdb: consolidate preauth audit event types

    Instead of having distinct preauth success/failure events for different
    mechanisms, have a single event; the mechanism can be disambiguated by querying
    the HDB_REQUEST_KV_PA_NAME key.

    Note: there is still an explicit event for long-term key-based success/failure
    in order to help the backend implement lockout.

    Audit failure (HDB_AUTH_EVENT_PREAUTH_FAILED) in the main preauth loop, rather
    than in each mechanism. Success is still audited in the mechanism to allow
    client pre-authentication success to be noted even if something subsequent
    (e.g. encoding a reply, memory allocation) fails. The generic catch-all for
    success remains.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Rename windc to kdc plugin

This is an adaptation to Heimdal:

commit fcff5933ade652343d7c169659da92fac0e6e0d4
Author: Luke Howard <lukeh@padl.com>
Date:   Mon Jan 3 11:10:18 2022 +1100

    kdc: rename windc to kdc plugin

    Rename the "windc" plugin API to the more general "kdc" plugin API, for two
    reasons: the Heimdal KDC uses the Windows PAC even when not emulating a domain
    controller, and the plugin API has accreted methods that are not specific to
    emulating a domain controller (such as referral_policy and finalize_reply).

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add referral policy callback

This is now used instead of a configuration option.

This is an adaption to Heimdal:

commit 3fa47f5a1a422e178d968a8ec0d59889eaa71548
Author: Luke Howard <lukeh@padl.com>
Date:   Sun Jan 2 21:51:43 2022 +1100

    kdc: add referral_policy callback to windc plugin

    Add a referral policy hook to the TGS as a more elegant way of resolving
    referral detection for Samba). The hook can either rewrite the server_princ in
    the request, or it can return an error to disable built-in referral processing.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add 'not authorised' auth events

This is an adaptation to Heimdal:

commit d683780b1d728bf8c5b794a1f66842e5a25bd360
Author: Luke Howard <lukeh@padl.com>
Date:   Sat Jan 1 23:44:05 2022 +1100

    kdc: separate PKINIT/GSS authorization failure

    Create a new audit event for PKINIT/GSS authorization (impersonation) failure

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Adapt to removal of auth event details

This is an adaptation to Heimdal:

commit e15e711b13e2fb33f4480a054cba60b6c4c0183b
Author: Luke Howard <lukeh@padl.com>
Date:   Sat Jan 1 18:05:51 2022 +1100

    kdc: remove auth_event_details audit key

    The auth event details audit key (formerly, parameter to auth_status)
    contained, variously, an encryption type name; a PKINIT client certificate
    name; or, a GSS initiator name. Audit these instead using individual keys that
    reflect the values' contents.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Refactor HDB API

This is an adaptation to Heimdal:

commit b1dcc1a47485165ada778ef3c3463cfc0779d183
Author: Luke Howard <lukeh@padl.com>
Date:   Fri Dec 31 17:24:58 2021 +1100

    kdc: refactor Samba-specific auditing API in terms of existing API

    Make Samba-specific HDB auth status API a wrapper on the existing auditing API,
    with a view towards unifying the two APIs in a future commit.

    The term "auth status" is replaced with "auth event", and the HDB auth_status
    method is replaced with a more general purpose audit method which has access to
    the entire request structure.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

third_party/heimdal_build: Add source files to build

This is an adaptation to Heimdal:

commit be708ca3cf98900c61919f8ff7ced4428b5d1f32
Author: Nicolas Williams <nico@twosigma.com>
Date:   Wed Dec 22 17:01:12 2021 -0600

    gsskrb5: Add simple name attributes support

    This adds Kerberos mechanism support for:

     - composite principal name export/import
     - getting rudimentary name attributes from GSS names using
       gss_get_name_attribute():
        - all (raw) authorization data from the Ticket
        - all (raw) authorization data from the Authenticator
        - transit path
        - realm
        - component count
        - each component
     - gss_inquire_name()
     - gss_display_name_ext() (just for the hostbased service name type
                               though)

    The test exercises almost all of the functionality, except for:

     - getting the PAC
     - getting authz-data from the Authenticator
     - getting the transit path

    TBD (much) later:

     - amend test_context to do minimal name attribute checks as well
     - gss_set_name_attribute() (to request authz-data)
     - gss_delete_name_attribute()
     - getting specific authorization data elements via URN fragments (as
       opposed to all of them)
     - parsing the PAC, extracting SIDs (each one as a separate value)
     - some configurable local policy (?)
     - plugin interface for additional local policy

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

third_party/heimdal: import lorikeet-heimdal-202203010107 (commit 0e7a12404c388e831fe6933fcc3c86e7eb334825)

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

third_party/heimdal_build: Define fallthrough macro for switch statements

This is an adaptation to Heimdal:

commit ddc61136100b32346c4c4efa2bb6ddb5baedfb3e
Author: Nicolas Williams <nico@twosigma.com>
Date: Fri Jan 14 16:32:04 2022 -0600

Use fallthrough statement attribute

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

smbd: Fix a use-after-free

stat_cache_lookup() allocates its result on top of talloc_tos().
filename_convert_smb1_search_path() creates a talloc_stackframe(),
which makes the names which were supposed to be allocated on the "ctx"
parameter of filename_convert_smb1_search_path() go away too
early. Reparent the results from stat_cache_lookup() properly.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14989

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 1 20:59:55 UTC 2022 on sn-devel-184

smbd: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

vfs: Set errno in an error return

Don't leak an unrelated errno

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

vfs: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: Simplify parent_dirname() by using talloc_strndup()

Don't duplicate the talloc_strndup() functionality.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: Use cp_smb_filename_nostream() in adouble_path()

No need to TALLOC_FREE(smb_fname->stream_name) later

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

third_party/heimdal_build: Determine whether time_t is signed

Without this, Heimdal will assume time_t is unsigned, and a wrong
assumption will cause 'infinite' ticket lifetimes to be reckoned as from
the past, and thus requests will fail with KDC_ERR_NEVER_VALID.

This is an adaptation to Heimdal:

commit 9ae9902249732237aa1711591604a6adf24963fe
Author: Nicolas Williams <nico@twosigma.com>
Date:   Tue Feb 15 17:01:00 2022 -0600

    cf: Check if time_t is signed

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Mar  1 18:07:50 UTC 2022 on sn-devel-184

s4:kdc: Don't pass empty PAC buffers to krb5_pac_add_buffer()

Heimdal will no longer allow us to pass a dummy zero-length buffer to
krb5_pac_add_buffer(), so we have to pass a buffer of length 1 instead.

This is an adaption to Heimdal:

commit 190263bb7a56fc775b50a6cd0dc91820d2b2e5eb
Author: Jeffrey Altman <jaltman@secure-endpoints.com>
Date:   Wed Jan 19 22:55:33 2022 -0500

    assert non-NULL ptrs before calling mem funcs

    The definitions of memcpy(), memmove(), and memset() state that
    the behaviour is undefined if any of the pointer arguments are
    NULL, and some compilers are known to make use of this to
    optimise away existing NULL checks in the source.

    Change-Id: I489bc256e3eac7ff41d91becb0b43aba73dbb3f9
Link: https://www.imperialviolet.org/2016/06/26/nonnull.html
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

third_party/heimdal_build: Add KDC_LIB macro definitions

This is an adaptation to Heimdal:

commit 7bb00a40eabbed2bc1c268f5244bfb9736d9bebe
Author: Luke Howard <lukeh@padl.com>
Date: Tue Jan 4 13:08:35 2022 +1100

kdc: fix Windows build

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

auth: Cope with NULL upn_name in PAC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:sam: Don't use talloc_steal for msg attributes in authsam_make_user_info_dc()

This is most likely not a problem for the current callers,
but that it is unexpected and will likely cause problems with future
changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14993
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

vfs_shadow_copy2: remove async getxattrat

vfswrap_getxattrat_send() is handle based using smb_fname->fsp. As
the open of smb_fname->fsp was processed by this module, the handle
is already correctly opened on the file in the snapshot. In the end
this means we can just call directly call the next function here.

Note that the same reasoning might apply to other modules that use
vfs_not_implemented_getxattrat_send(), but checking and adjusting those is a job
for another day. Currently they will continue to go via the sync fallback of the
caller.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Feb 28 20:53:35 UTC 2022 on sn-devel-184

CI: add a test for async dosmode on a file in a shadow_copy2 snapshot

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

CI: enable "smbd async dosmode" on shadow_write share

Existing tests don't care, upcoming new test needs it.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: also check for NT_STATUS_NOT_SUPPORTED

If a VFS module fails SMB_VFS_GETXATTRAT_SEND/RECV with ENOSYS like currently
vfs_shadow_copy2 or any other module that uses
vfs_not_implemented_getxattrat_send() the ENOSYS error that
vfs_not_implemented_getxattrat_send() sets gets mapped to
NT_STATUS_NOT_SUPPORTED by map_nt_error_from_unix().

Unfortunately when checking whether the async SMB_VFS_GETXATTRAT_SEND() failed
and to determine if the sync fallback should be triggered, we currently only
check for NT_STATUS_NOT_IMPLEMENTED which is the error we get when "store dos
attributes" is disabled.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14957

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

CI: add test "smb2.async_dosmode"

Verifies async-dosmode sync fallback works with shadow_copy2 which returns
ENOSYS for SMB_VFS_GET_DOS_ATTRIBUTES_SEND().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14957

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: check "store dos attributes" settings in the async dosmode code

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14957

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

CI: remove shares referencing removed functionality

The whole "smbd:force sync [user|root] [path|chdir] safe threadpool" stuff was
removed long ago by 29dd6f3e59055a17fa3d6a63619773f940e63374.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14957

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

editorconfig: We always inserted a new line so keep doing that

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Feb 28 10:22:34 UTC 2022 on sn-devel-184

packaging: Reformat shell scripts

shfmt -f packaging/ | xargs shfmt -w -p -i 0 -fn

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Feb 24 10:13:36 UTC 2022 on sn-devel-184

nsswitch: Reformat shell scripts

shfmt -f nsswitch/ | xargs shfmt -w -p -i 0 -fn

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:tevent: Reformat shell scripts

shfmt -f lib/tevent/ | xargs shfmt -w -p -i 0 -fn

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:tdb: Reformat shell scripts

shfmt -f lib/tdb/ | xargs shfmt -w -p -i 0 -fn

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:replace: Reformat shell scripts

shfmt -f lib/replace/ | xargs shfmt -w -p -i 0 -fn

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:ldb: Reformat shell scripts

shfmt -f lib/ldb/ | xargs shfmt -w -p -i 0 -fn

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:fuzzing: Reformat shell scripts

shfmt -f lib/fuzzing/ | xargs shfmt -w -p -i 0 -fn

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:winbind: Use the canonical principal name to renew the credentials

The principal name stored in the winbindd ccache entry might be an
enterprise principal name if enterprise principals are enabled. Use
the canonical name to renew the credentials.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Feb 23 16:17:29 UTC 2022 on sn-devel-184

s3:winbind: Store canonical principal and realm in ccache entry

They will be used later to refresh the tickets.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:libads: Return canonical principal and realm from kerberos_return_pac()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

lib:krb5_wrap: Fix wrong debug message and use newer debug macro

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

lib:krb5_wrap: Improve debug message and use newer debug macro

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:libads: Fix memory leak in kerberos_return_pac() error path

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

autobuild: Run admem_idmap_autorid tests

They will be part of the samba-admem runners.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Feb 23 11:54:01 UTC 2022 on sn-devel-184

s3:tests: Run test_idmap_rid.sh against admem_idmap_autorid

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

selftest: Add ad member with idmap_autorid backend

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

s3:trusts_utils: use a password length of 120 for machine accounts

This is important when we change the machine password against
an RODC that proxies the request to an RWDC.

An RODC using NetrServerPasswordSet2() to proxy PasswordUpdateForward via
NetrLogonSendToSam() ignores a return of NT_STATUS_INVALID_PARAMETER
and reports NT_STATUS_OK as result of NetrServerPasswordSet2().
This hopefully found the last hole in our very robust machine account
password handling logic inside of trust_pw_change().

The lesson is: try to be as identical to how windows works as possible,
everything else may use is untested code paths on Windows.

A similar problem was fixed by this commit:

    commit 609ca657652862fd9c81fd11f818efb74f72ff55
    Author: Joseph Sutton <josephsutton@catalyst.net.nz>
    Date:   Wed Feb 24 02:03:25 2021 +1300

        provision: Decrease the length of random machine passwords

        The current length of 128-255 UTF-16 characters currently causes
        generation of crypt() passwords to typically fail. This commit
        decreases the length to 120 UTF-16 characters, which is the same as
        that used by Windows.

        BUG: https://bugzilla.samba.org/show_bug.cgi?id=14621

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Feb 23 08:49:54 UTC 2022 on sn-devel-184

upgradehelpers.py: add a comment to update_krbtgt_account_password()

The backend generates its own random krbtgt password values.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

provision: add a comment that the value of krbtgtpass is ignored in the backend

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

upgradehelpers.py: let update_machine_account_password() use 120 character passwords

We already changed provision to use 120 character passwords with commit
609ca657652862fd9c81fd11f818efb74f72ff55.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

provision: use 120 characters for the dns account password

We should use the same as for the computer account.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

samba-tool/join_member: let py_net_join_member() choose the password

It means we'll let trust_pw_new_value() generate the password.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

s3:py_net: allow machinepass=None to py_net_join_member()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

ctdb-protocol: CID 1499395: Uninitialized variables (UNINIT)

Issue is reported here:

853      case CTDB_CONTROL_DB_VACUUM: {
854      struct ctdb_db_vacuum db_vacuum;
855
>>>     CID 1499395:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "db_vacuum.full_vacuum_run" when calling "ctdb_db_vacuum_len".
856      CHECK_CONTROL_DATA_SIZE(ctdb_db_vacuum_len(&db_vacuum));
857      return ctdb_control_db_vacuum(ctdb, c, indata, async_reply);
858      }

The problem is that ctdb_bool_len() unnecessarily dereferences its
argument, which in this case is &db_vacuum.full_vacuum_run.  Not a
security issue because the value copied by dereferencing is not used.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Wed Feb 23 02:02:06 UTC 2022 on sn-devel-184

ctdb-tests: Fix missing #include for sigaction(2)

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-tests: Dump a stack trace on abort

Debugging a test failure here without GDB is not possible. Dumping a
stack trace gives a good hint.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

examples: Reformat shell scripts

shfmt -f examples/ | xargs shfmt -w -p -i 0 -fn

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Feb 22 16:20:58 UTC 2022 on sn-devel-184

docs-xml: Reformat shell scripts

shfmt -f docs-xml | xargs shfmt -w -p -i 0 -fn

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

buildtools: Reformat shell scripts

shfmt -f buildtools | xargs shfmt -w -p -i 0 -fn

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

configure: Reformat wrapper script

shfmt -w -p -i 0 -fn configure

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

editorconfig: Change shell to tabs with tab width 8

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-dcerpcd: Silence a DEBUG message

This is not worth a debuglevel 1 message

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Feb 22 10:16:44 UTC 2022 on sn-devel-184

smbd: We have the fsp available, use fsp_is_alternate_stream()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Convert get_real_filename_full_scan() to OpenDir_ntstatus()

Get us a better error message without going through the lossy errno.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Initialize a pointer

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

vfs: walk_streams() returns NTSTATUS

Don't go via errno

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: can_delete_directory_fsp() returns NTSTATUS

Don't go via errno

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Factor out OpenDir_ntstatus()

We might have callers interested in the exact NTSTATUS error code.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Make OpenDir_fsp() return NTSTATUS

Preparation for making OpenDir return NTSTATUS

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Initialize a pointer

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

util: CID 1499409:  Memory - corruptions  (OVERLAPPING_COPY)

This is quite bizarre:

*** CID 1499409:  Memory - corruptions  (OVERLAPPING_COPY)
/lib/util/debug.c: 1742 in dbghdrclass()
1736      sizeof(tvbuf.buf),
1737      "%ld seconds since the Epoch", (long)t);
1738      }
1739      }
1740
1741      ensure_hostname();
>>>     CID 1499409:  Memory - corruptions  (OVERLAPPING_COPY)
>>>     In the call to function "snprintf", the object pointed to by argument "state.hostname" may overlap with the object pointed to by argument "state.header_str".
1742      state.hs_len = snprintf(state.header_str,
1743      sizeof(state.header_str),
1744      "%s %s %s[%u]: ",
1745      tvbuf.buf,
1746      state.hostname,
1747      state.prog_name,

Coverity doesn't explicitly say so but the only way this can happen is
if state.hostname is not NUL-terminated within its declared length.
ensure_hostname() and debug_set_hostname() ensure NUL-termination, but
the caching effect of ensure_hostname() probably stops Coverity from
being certain about anything.

Try making Coverity happy by using a precision to limit the number of
characters from hostname that can be used.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Feb 22 00:17:12 UTC 2022 on sn-devel-184

autobuild: Rewrite the symbol checking

This should be less error prone.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Feb 21 19:36:45 UTC 2022 on sn-devel-184

s3:utils: Fix missing space in testparm output

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Feb 21 15:03:24 UTC 2022 on sn-devel-184

third_party: Update waf to verison 2.0.23

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Feb 21 10:06:27 UTC 2022 on sn-devel-184

third_party:waf: Print the version of waf at the end of the update script

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

editorconfig: Final newlines are pycodestyle

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

waf: re-add missing readlink test

this was another portability regression that came with the moving to waf

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13631

Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Feb 18 23:12:51 UTC 2022 on sn-devel-184

readlink test: inverse return code

We need to return 0 in case readlink is *broken* here - this is because our waf
CHECK_CODE function does only allow generating defines in case the test succeeds

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13631

Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Jeremy Allison <jra@samba.org>

wscript: s/default/required/ _static_modules for the acl modules

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14974

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

vfs_aixacl: add proper header file

BUG: https://bugzilla.samba.org/show_bug.cgi?id=7239

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

acl: fix function arguments for AIX' and Solaris' sys_acl_get_fd()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14974

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

s3: smbd: Fix our leases code to return the correct error in the non-dynamic share case.

We now return INVALID_PARAMETER when trying to open a
different file with a duplicate lease key on the same
(non-dynamic) share. This will enable us to pass another
Windows test suite leases test.

We now behave the same as Windows10.

Remove knownfail.d/smb2-lease-duplicateopen

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14737

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Feb 18 20:12:12 UTC 2022 on sn-devel-184

s4: torture: Add new SMB2 lease test test_lease_duplicate_open().

Checks we return INVALID_PARAMETER when trying to open a
different file with a duplicate lease key on the same share.

Checked against Windows10. Currently fails against smbd
so add knownfail.d/smb2-lease-duplicateopen

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14737

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>

s4: torture: Add new SMB2 lease test test_lease_duplicate_create().

Checks we return INVALID_PARAMETER when trying to create a
new file with a duplicate lease key on the same share.

Checked against Windows10. Samba already passes this
but we didn't have a test before.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14737

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>

source4/torture: Drop unused variable attribute

clang complains:

../../source4/client/client.c:1569:11: error: variable 'attribute' set but not used [-Werror,-Wunused-but-set-variable]
uint16_t attribute = FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN;
^

That is, the variable is initialised and updated but the value is
never used.

Commit 2f377d5101783ed4d8c96a46aaec61895cc7b6ad from 2004 dropped the
use of this variable.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Feb 17 19:06:25 UTC 2022 on sn-devel-184

source4/torture: Drop unused variable mask

clang complains:

../../source4/torture/smb2/notify.c:871:11: error: variable 'mask' set but not used [-Werror,-Wunused-but-set-variable]
        uint32_t mask;
                 ^

That is, the variable is initialised and updated but the value is
never used.

Looks to have been this way since commit
15d93a5d8e21893e1cca5c989dbf97010aae1622 from 2009.  Just drop it.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>

source4/torture: Drop unused variable tdif

clang complains:

../../source4/torture/basic/denytest.c:1805:11: error: variable 'tdif' set but not used [-Werror,-Wunused-but-set-variable]
                int64_t tdif;
                        ^

That is, the variable is initialised and updated but the value is
never used.

Perhaps it is meant to be used in the nearby torture_comment() call,
but it has been this was since commit
cb1cff90f165d82cbbf1dd87e475a1b13984d45e from 2004.  Just drop it.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>

source4/torture: Avoid unused variable

clang complains:

../../source4/torture/basic/delete.c:2342:7: error: variable 'correct' set but not used [-Werror,-Wunused-but-set-variable]
        bool correct = true;
             ^

That is, the variable is initialised and updated but the value is
never used.  Similar functions return this variable, so try that.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>

vfs_not_implemented: do not mark structs with _PUBLIC_

Commit 5d295e41af4e9316aee1b4cf1c3087663b7c06a4 accidentally marked
some structs with _PUBLIC_, which causes clang to complain:

../../source3/modules/vfs_not_implemented.c:594:1: error: attribute 'visibility' is ignored, place it after "struct" to apply attribute to type declaration [-Werror,-Wignored-attributes]
_PUBLIC_
^
../../lib/replace/replace.h:917:33: note: expanded from macro '_PUBLIC_'
^
../../source3/modules/vfs_not_implemented.c:642:1: error: attribute 'visibility' is ignored, place it after "struct" to apply attribute to type declaration [-Werror,-Wignored-attributes]
_PUBLIC_
^
../../lib/replace/replace.h:917:33: note: expanded from macro '_PUBLIC_'
^

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>

util: Drop unused variable mask_perms

clang complains:

../../source3/smbd/posix_acls.c:2783:9: error: variable 'mask_perms' set but not used [-Werror,-Wunused-but-set-variable]
mode_t mask_perms = 0;
^

That is, the variable is initialised and updated but the value is
never used.

This potentially points to a bug in commit
f735551b9edef66b152261cf6eb2f29b7b69d65b from 2002.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>

util: Drop unused variable num_received

clang complains:

../../source4/libcli/clilist.c:111:6: error: variable 'num_received' set but not used [-Werror,-Wunused-but-set-variable]
        int num_received = 0;
            ^
../../source4/libcli/clilist.c:268:6: error: variable 'num_received' set but not used [-Werror,-Wunused-but-set-variable]
        int num_received = 0;
            ^

That is, the variable is initialised and updated but the value is
never used.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>

util: Drop unused variable num_chars

clang complains:

../../lib/util/genrand_util.c:99:9: error: variable 'num_chars' set but not used [-Werror,-Wunused-but-set-variable]
size_t num_chars = 0;
^

That is, the variable is initialised and incremented but the value is
never used.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>