metze/samba/wip.git
5 months ago dcesrv_core: alter_context logon failures should result in DCERPC_FAULT_ACCESS_DENIED
Stefan Metzmacher [Thu, 12 Nov 2020 15:41:21 +0000 (16:41 +0100)]
dcesrv_core: alter_context logon failures should result in DCERPC_FAULT_ACCESS_DENIED

We should use DCERPC_FAULT_ACCESS_DENIED as default for
gensec status results of e.g. NT_STATUS_LOGON_FAILURE or
NT_STATUS_INVALID_PARAMETER.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 months ago dcesrv_core: a failure from gensec_update results in NAK_REASON_INVALID_CHECKSUM...
Stefan Metzmacher [Thu, 12 Nov 2020 15:41:05 +0000 (16:41 +0100)]
dcesrv_core: a failure from gensec_update results in NAK_REASON_INVALID_CHECKSUM selftest/knownfail.d/dcerpc-auth-pad

5 months ago dcesrv_core: a failure from gensec_update results in NAK_REASON_INVALID_CHECKSUM
Stefan Metzmacher [Thu, 12 Nov 2020 15:41:05 +0000 (16:41 +0100)]
dcesrv_core: a failure from gensec_update results in NAK_REASON_INVALID_CHECKSUM

We already report that for gensec_start_mech_by_authtype() failures,
but we also need to do that for any invalid authentication.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 months ago dcerpc_util: let dcerpc_pull_auth_trailer() ignore data_and_pad for bind, alter,...
Stefan Metzmacher [Wed, 11 Nov 2020 16:07:54 +0000 (17:07 +0100)]
dcerpc_util: let dcerpc_pull_auth_trailer() ignore data_and_pad for bind, alter, auth3 selftest/knownfail.d/dcerpc-auth-pad

5 months ago dcerpc_util: let dcerpc_pull_auth_trailer() ignore data_and_pad for bind, alter,...
Stefan Metzmacher [Wed, 11 Nov 2020 16:07:54 +0000 (17:07 +0100)]
dcerpc_util: let dcerpc_pull_auth_trailer() ignore data_and_pad for bind, alter, auth3

Sometimes Windows sends 3 presentation contexts (NDR32, NDR64,
BindTimeFeatureNegotiation) in the first BIND of an association.

Binding an additional connection to the association seems to
reuse the BIND buffer and just changes the num_contexts field from
3 to 2 and leaves the BindTimeFeatureNegotiation context as padding
in places.

Note, the auth_pad_length field is sent as 0 in that case,
which means we need to ignore it completely, as well as any
padding before the auth header.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 months ago dcerpc_util: let dcerpc_pull_auth_trailer() expose the reject reason selftest/knownfa...
Stefan Metzmacher [Wed, 11 Nov 2020 16:59:45 +0000 (17:59 +0100)]
dcerpc_util: let dcerpc_pull_auth_trailer() expose the reject reason selftest/knownfail.d/dcerpc-auth-pad

5 months ago dcerpc_util: let dcerpc_pull_auth_trailer() expose the reject reason
Stefan Metzmacher [Wed, 11 Nov 2020 16:59:45 +0000 (17:59 +0100)]
dcerpc_util: let dcerpc_pull_auth_trailer() expose the reject reason

If dcerpc_pull_auth_trailer() returns NT_STATUS_RPC_PROTOCOL_ERROR
it will return the BIND reject code in auth->auth_context_id.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 months ago dcerpc_util: let dcerpc_pull_auth_trailer() check that auth_offset is 4 bytes aligned...
Stefan Metzmacher [Wed, 11 Nov 2020 16:05:21 +0000 (17:05 +0100)]
dcerpc_util: let dcerpc_pull_auth_trailer() check that auth_offset is 4 bytes aligned selftest/knownfail.d/dcerpc-auth-pad

5 months ago dcerpc_util: let dcerpc_pull_auth_trailer() check that auth_offset is 4 bytes aligned
Stefan Metzmacher [Wed, 11 Nov 2020 16:05:21 +0000 (17:05 +0100)]
dcerpc_util: let dcerpc_pull_auth_trailer() check that auth_offset is 4 bytes aligned

That's what Windows (at least 2012_R2) also asserts.

It also makes sure that ndr_pull_dcerpc_auth() will
start with ndr->offset = 0 and doesn't try to eat
possible padding.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 months ago TEST2 TODO test_schannel_invalid_bind selftest/knownfail.d/dcerpc-auth-pad
Stefan Metzmacher [Thu, 12 Nov 2020 10:10:46 +0000 (11:10 +0100)]
TEST2 TODO test_schannel_invalid_bind selftest/knownfail.d/dcerpc-auth-pad

5 months ago TEST2 TODO test_schannel_invalid_bind
Stefan Metzmacher [Thu, 12 Nov 2020 10:10:46 +0000 (11:10 +0100)]
TEST2 TODO test_schannel_invalid_bind

5 months ago TEST1b test_spnego_connect_bind_auth_align[4|2] selftest/knownfail.d/dcerpc-auth-pad
Stefan Metzmacher [Thu, 12 Nov 2020 16:22:19 +0000 (17:22 +0100)]
TEST1b test_spnego_connect_bind_auth_align[4|2] selftest/knownfail.d/dcerpc-auth-pad

5 months ago TEST1b test_spnego_connect_bind_auth_align[4|2]
Stefan Metzmacher [Thu, 12 Nov 2020 16:22:19 +0000 (17:22 +0100)]
TEST1b test_spnego_connect_bind_auth_align[4|2]

5 months ago TEST1 python/samba/tests/dcerpc/raw_protocol.py selftest/knownfail.d/dcerpc-auth-pad
Stefan Metzmacher [Wed, 11 Nov 2020 00:19:23 +0000 (01:19 +0100)]
TEST1 python/samba/tests/dcerpc/raw_protocol.py selftest/knownfail.d/dcerpc-auth-pad

5 months ago TEST1 python/samba/tests/dcerpc/raw_protocol.py
Stefan Metzmacher [Wed, 11 Nov 2020 00:19:23 +0000 (01:19 +0100)]
TEST1 python/samba/tests/dcerpc/raw_protocol.py

5 months ago dcesrv_core: introduce dcesrv_connection->transport_max_recv_frag
Stefan Metzmacher [Thu, 12 Nov 2020 15:38:32 +0000 (16:38 +0100)]
dcesrv_core: introduce dcesrv_connection->transport_max_recv_frag

The max fragment size depends on the transport.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 months ago tests/dcerpc/raw_protocol: run test_neg_xmit_ffff_ffff over tcp and smb
Stefan Metzmacher [Mon, 16 Nov 2020 14:01:49 +0000 (15:01 +0100)]
tests/dcerpc/raw_protocol: run test_neg_xmit_ffff_ffff over tcp and smb

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 months ago dcesrv_core: add more verbose debugging for missing association groups
Stefan Metzmacher [Mon, 16 Nov 2020 15:58:35 +0000 (16:58 +0100)]
dcesrv_core: add more verbose debugging for missing association groups

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 months ago RawDCERPCTest: add some more auth_length related asserts
Stefan Metzmacher [Wed, 11 Nov 2020 15:49:25 +0000 (16:49 +0100)]
RawDCERPCTest: add some more auth_length related asserts

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 months ago RawDCERPCTest: split prepare_pdu() and send_pdu_blob() out of send_pdu()
Stefan Metzmacher [Mon, 9 Nov 2020 13:00:43 +0000 (14:00 +0100)]
RawDCERPCTest: split prepare_pdu() and send_pdu_blob() out of send_pdu()

This will make it possible to alter pdus before sending them to the
server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 months ago s4:librpc: provide py_schannel bindings
Stefan Metzmacher [Thu, 12 Nov 2020 09:34:38 +0000 (10:34 +0100)]
s4:librpc: provide py_schannel bindings

This will be used in the dcerpc.raw_protocol test.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 months ago debug fault
Stefan Metzmacher [Wed, 20 Oct 2021 18:27:12 +0000 (20:27 +0200)]
debug fault

5 months ago Revert "debug fault"
Stefan Metzmacher [Wed, 20 Oct 2021 19:10:28 +0000 (21:10 +0200)]
Revert "debug fault"

This reverts commit b9cc9004f5d95ac29504b1e4dafe01c6be7c56ee.

5 months ago debug fault
Stefan Metzmacher [Wed, 20 Oct 2021 18:27:12 +0000 (20:27 +0200)]
debug fault

5 months ago Revert "Revert "s3:rpc_client: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS""
Stefan Metzmacher [Tue, 23 Apr 2024 16:16:43 +0000 (18:16 +0200)]
Revert "Revert "s3:rpc_client: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS""

This reverts commit 679fd3c8e2f26cf961e01ca56a39a373b6cf9b30.

5 months ago Revert "Revert "s4:librpc/rpc: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS""
Stefan Metzmacher [Tue, 23 Apr 2024 16:16:43 +0000 (18:16 +0200)]
Revert "Revert "s4:librpc/rpc: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS""

This reverts commit 71b7c6a941c978a6aafe2e52da0d2258788a77c2.

5 months ago Revert "Revert "s3:rpc_client: implement preauth hashing support""
Stefan Metzmacher [Tue, 23 Apr 2024 16:16:43 +0000 (18:16 +0200)]
Revert "Revert "s3:rpc_client: implement preauth hashing support""

This reverts commit 75fd726e66ebbd1f73992ecd89d5f976374b3c96.

5 months ago Revert "Revert "s4:librpc/rpc: implement preauth hashing support""
Stefan Metzmacher [Tue, 23 Apr 2024 16:16:43 +0000 (18:16 +0200)]
Revert "Revert "s4:librpc/rpc: implement preauth hashing support""

This reverts commit 84e4745174378259d9778a113e1ca81ff01db346.

5 months ago Revert "Revert "Revert "s4:librpc/rpc: implement preauth hashing support"""
Stefan Metzmacher [Tue, 23 Apr 2024 16:16:42 +0000 (18:16 +0200)]
Revert "Revert "Revert "s4:librpc/rpc: implement preauth hashing support"""

This reverts commit 97516adf4b0d5b68c00a53895e8c304cbca66f8b.

5 months ago Revert "Revert "Revert "s3:rpc_client: implement preauth hashing support"""
Stefan Metzmacher [Tue, 23 Apr 2024 16:16:42 +0000 (18:16 +0200)]
Revert "Revert "Revert "s3:rpc_client: implement preauth hashing support"""

This reverts commit dc82612774508354d0b51b239c161840dbba61ef.

5 months ago Revert "Revert "Revert "s4:librpc/rpc: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS"""
Stefan Metzmacher [Tue, 23 Apr 2024 16:16:42 +0000 (18:16 +0200)]
Revert "Revert "Revert "s4:librpc/rpc: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS"""

This reverts commit 721a318edd39838c6f2318df15ce6f24c57fb69b.

5 months ago Revert "Revert "Revert "s3:rpc_client: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS"""
Stefan Metzmacher [Tue, 23 Apr 2024 16:16:42 +0000 (18:16 +0200)]
Revert "Revert "Revert "s3:rpc_client: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS"""

This reverts commit 6c0eb5463c735a6d99e3f33b36d7f1069480889c.

5 months ago Revert "Revert "dcesrv_core: add support for DCERPC_BIND_TIME_PROTECT_ALL_PDUS""
Stefan Metzmacher [Tue, 23 Apr 2024 16:16:42 +0000 (18:16 +0200)]
Revert "Revert "dcesrv_core: add support for DCERPC_BIND_TIME_PROTECT_ALL_PDUS""

This reverts commit f174934098422e5d04b3b5e47ee9384e51405f11.

5 months ago Revert "Revert "dcesrv_core: implement preauth hashing support""
Stefan Metzmacher [Tue, 23 Apr 2024 16:16:42 +0000 (18:16 +0200)]
Revert "Revert "dcesrv_core: implement preauth hashing support""

This reverts commit 1d112459c0cfdc2d8343954be023fcce46dbc3ee.

5 months ago Revert "dcesrv_core: implement preauth hashing support"
Stefan Metzmacher [Fri, 19 Apr 2024 14:14:33 +0000 (16:14 +0200)]
Revert "dcesrv_core: implement preauth hashing support"

This reverts commit a1982c8c10591e05374eed06388054baa20bc331.

5 months ago Revert "dcesrv_core: add support for DCERPC_BIND_TIME_PROTECT_ALL_PDUS"
Stefan Metzmacher [Fri, 19 Apr 2024 14:14:33 +0000 (16:14 +0200)]
Revert "dcesrv_core: add support for DCERPC_BIND_TIME_PROTECT_ALL_PDUS"

This reverts commit 075b12cf688df215ca212dd5251d4fa61ea57eb3.

5 months ago Revert "Revert "s3:rpc_client: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS""
Stefan Metzmacher [Fri, 19 Apr 2024 14:14:16 +0000 (16:14 +0200)]
Revert "Revert "s3:rpc_client: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS""

This reverts commit 679fd3c8e2f26cf961e01ca56a39a373b6cf9b30.

5 months ago Revert "Revert "s4:librpc/rpc: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS""
Stefan Metzmacher [Fri, 19 Apr 2024 14:14:16 +0000 (16:14 +0200)]
Revert "Revert "s4:librpc/rpc: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS""

This reverts commit 71b7c6a941c978a6aafe2e52da0d2258788a77c2.

5 months ago Revert "Revert "s3:rpc_client: implement preauth hashing support""
Stefan Metzmacher [Fri, 19 Apr 2024 14:14:16 +0000 (16:14 +0200)]
Revert "Revert "s3:rpc_client: implement preauth hashing support""

This reverts commit 75fd726e66ebbd1f73992ecd89d5f976374b3c96.

5 months ago Revert "Revert "s4:librpc/rpc: implement preauth hashing support""
Stefan Metzmacher [Fri, 19 Apr 2024 14:14:16 +0000 (16:14 +0200)]
Revert "Revert "s4:librpc/rpc: implement preauth hashing support""

This reverts commit 84e4745174378259d9778a113e1ca81ff01db346.

5 months ago Revert "s4:librpc/rpc: implement preauth hashing support"
Stefan Metzmacher [Fri, 19 Apr 2024 14:13:24 +0000 (16:13 +0200)]
Revert "s4:librpc/rpc: implement preauth hashing support"

This reverts commit bf0bde8fc88782ca1dd82d7397f2ba74c16c155b.

5 months ago Revert "s3:rpc_client: implement preauth hashing support"
Stefan Metzmacher [Fri, 19 Apr 2024 14:13:24 +0000 (16:13 +0200)]
Revert "s3:rpc_client: implement preauth hashing support"

This reverts commit 1063313bec66f1475ed8d8396398cd50f559b59a.

5 months ago Revert "s4:librpc/rpc: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS"
Stefan Metzmacher [Fri, 19 Apr 2024 14:13:24 +0000 (16:13 +0200)]
Revert "s4:librpc/rpc: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS"

This reverts commit fc83ab921b1f6048bafa2f67940fc28166ce88b9.

5 months ago Revert "s3:rpc_client: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS"
Stefan Metzmacher [Fri, 19 Apr 2024 14:13:24 +0000 (16:13 +0200)]
Revert "s3:rpc_client: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS"

This reverts commit 3047fa7dc31f9df0c9d46c5006e145aa30d28daf.

5 months ago dcesrv_core: add support for DCERPC_BIND_TIME_PROTECT_ALL_PDUS
Stefan Metzmacher [Tue, 13 Oct 2015 13:43:05 +0000 (15:43 +0200)]
dcesrv_core: add support for DCERPC_BIND_TIME_PROTECT_ALL_PDUS

This only works if the client supports header signing.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 months ago s3:rpc_client: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS
Stefan Metzmacher [Thu, 18 Apr 2024 23:38:23 +0000 (01:38 +0200)]
s3:rpc_client: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS

We decrypt/verify DCERPC_PKT_FAULT pdus now.

We don't send any DCERPC_PKT_CO_CANCEL nor DCERPC_PKT_ORPHANED
pdus yet...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 months ago s4:librpc/rpc: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS
Stefan Metzmacher [Tue, 13 Oct 2015 13:42:32 +0000 (15:42 +0200)]
s4:librpc/rpc: implement DCERPC_BIND_TIME_PROTECT_ALL_PDUS

We decrypt/verify DCERPC_PKT_FAULT pdus now.

We don't send any DCERPC_PKT_CO_CANCEL nor DCERPC_PKT_ORPHANED
pdus yet...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 months ago DISCUSS: dcerpc.idl: add DCERPC_BIND_TIME_PROTECT_ALL_PDUS
Stefan Metzmacher [Tue, 6 Oct 2015 12:21:57 +0000 (14:21 +0200)]
DISCUSS: dcerpc.idl: add DCERPC_BIND_TIME_PROTECT_ALL_PDUS

This applies to all connection oriented dcerpc, which is
all Samba implements and cares about.

The following pdus are usable for connection oriented dcerpc:

   DCERPC_PKT_REQUEST
   DCERPC_PKT_RESPONSE
   DCERPC_PKT_FAULT
   DCERPC_PKT_BIND
   DCERPC_PKT_BIND_ACK
   DCERPC_PKT_BIND_NAK
   DCERPC_PKT_ALTER
   DCERPC_PKT_ALTER_RESP
   DCERPC_PKT_SHUTDOWN
   DCERPC_PKT_CO_CANCEL
   DCERPC_PKT_ORPHANED
   DCERPC_PKT_AUTH3

DCERPC_PKT_REQUEST and DCERPC_PKT_RESPONSE are already
protected by encryption or signing (including header signing).

The following of them are now implicitly protected
by DCERPC_BIND_TIME_SUPPORT_PREAUTH and
DCERPC_SEC_VT_COMMAND_PREAUTH:

   DCERPC_PKT_BIND
   DCERPC_PKT_BIND_ACK
   DCERPC_PKT_BIND_NAK
   DCERPC_PKT_ALTER
   DCERPC_PKT_ALTER_RESP
   DCERPC_PKT_AUTH3

This assumes that the client starts with a protected
DCERPC_PKT_REQUEST, which includes a dcerpc_sec_verification_trailer.

DCERPC_PKT_SHUTDOWN is not supported by Samba and is
also marked as not used in [MS-RPCE].

Currently DCERPC_PKT_FAULT pdus from the server to the client
are not protected by encryption or signing, which
requires application level protocols to invent custom
downgrade detection, for things like DCERPC_NCA_S_OP_RNG_ERROR
or DCERPC_NCA_S_FAULT_INVALID_TAG, when running over unprotected
transports.

DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED from the client
to the server are also not protected by encryption or signing.

The DCERPC_BIND_TIME_PROTECT_ALL_PDUS feature tells client
and server to also encrypt or sign DCERPC_PKT_FAULT,
DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED pdus.

DCERPC_BIND_TIME_PROTECT_ALL_PDUS is only available together
with DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN being negotiated
at the same time, but that's the case with all recent
Windows and Samba releases.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 months ago dcesrv_core: implement preauth hashing support
Stefan Metzmacher [Tue, 6 Oct 2015 12:20:38 +0000 (14:20 +0200)]
dcesrv_core: implement preauth hashing support

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 months ago s3:rpc_client: implement preauth hashing support
Stefan Metzmacher [Thu, 18 Apr 2024 23:23:14 +0000 (01:23 +0200)]
s3:rpc_client: implement preauth hashing support

For now we just need to send DCERPC_SEC_VT_COMMAND_PREAUTH
as we only support one security and one presentation context.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 months ago s4:librpc/rpc: implement preauth hashing support
Stefan Metzmacher [Tue, 6 Oct 2015 12:10:36 +0000 (14:10 +0200)]
s4:librpc/rpc: implement preauth hashing support

For now we just need to send DCERPC_SEC_VT_COMMAND_PREAUTH
once per presentation context, as we only support one security context yet.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 months ago librpc/rpc: pass struct dcerpc_sec_vt_preauth to dcerpc_sec_verification_trailer_check()
Stefan Metzmacher [Tue, 6 Oct 2015 09:50:49 +0000 (11:50 +0200)]
librpc/rpc: pass struct dcerpc_sec_vt_preauth to dcerpc_sec_verification_trailer_check()

This is optional and all callers pass NULL until they implement this correctly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 months ago librpc/rpc: implement dcerpc_sec_vt_preauth_{check,update}()
Stefan Metzmacher [Tue, 6 Oct 2015 08:25:28 +0000 (10:25 +0200)]
librpc/rpc: implement dcerpc_sec_vt_preauth_{check,update}()

This verifies the client given dcerpc_sec_vt_preauth structure
against the current server preauth hash based on the client given
salt.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 months ago DISCUSS: dcerpc.idl: add DCERPC_BIND_TIME_SUPPORT_PREAUTH and DCERPC_SEC_VT_COMMAND_P...
Stefan Metzmacher [Tue, 6 Oct 2015 08:25:28 +0000 (10:25 +0200)]
DISCUSS: dcerpc.idl: add DCERPC_BIND_TIME_SUPPORT_PREAUTH and DCERPC_SEC_VT_COMMAND_PREAUTH

DCERPC_BIND_TIME_SUPPORT_PREAUTH will ask the server to fill the uuid part
of the transfer syntax of the DCERPC_BIND_ACK_RESULT_NEGOTIATE_ACK
dcerpc_ack_ctx, with a random value.

DCERPC_SEC_VT_COMMAND_PREAUTH makes it possible to detect downgrade attacks.

Client and server calculate a rolling sha512 hash
over all incoming and outgoing BIND,BIND_ACK,ALTER,ALTER_RESP,AUTH3 PDUs.
This is similar to the SMB3 preauth protection.

Both start with an array of SHA512_DIGEST_LENGTH (64) zero bytes
for CONNECTION->PREAUTH_SHA512.

Each PDU updates the hash in the following way.

CONNECTION->PREAUTH_SHA512 = SHA512(CONNECTION->PREAUTH_SHA512 + PDU_BYTES)

Each dcerpc_sec_vt_preauth structure contains a random SALT
and sha512 hash, which is calculated as SHA512(CONNECTION->PREAUTH_SHA512 + SALT).

The server also calculates SHA512(CONNECTION->PREAUTH_SHA512 + SALT) and
compares the result with the client specified value.

The dcerpc_sec_vt_preauth is included once per combination
of presentation context and security context. It contains
16 random bytes from the server (via the uuid part of
DCERPC_BIND_ACK_RESULT_NEGOTIATE_ACK) and 16 random bytes
from the client (within the dcerpc_sec_vt_preauth structure itself).

The dcerpc_sec_vt_preauth is included in
dcerpc_sec_verification_trailer, which is added as padding
to the end of the DCERPC_PKT_REQUEST payload, so it's encrypted or signed.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
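
The rolling preauth hash and salted check described in the commit message above, as an added Python example that is not Samba's code. The PDU byte strings are constructed placeholders rather than real wire encodings, and treating the 16 client random bytes as the SALT is an assumption.

```python
import hashlib
import hmac
import os

SHA512_DIGEST_LENGTH = 64


class PreauthHash:
    """Rolling SHA-512 kept per connection (CONNECTION->PREAUTH_SHA512)."""

    def __init__(self):
        # Client and server both start from 64 zero bytes.
        self.value = bytes(SHA512_DIGEST_LENGTH)

    def update(self, pdu_bytes):
        # PREAUTH_SHA512 = SHA512(PREAUTH_SHA512 + PDU_BYTES), applied to every
        # BIND, BIND_ACK, ALTER, ALTER_RESP and AUTH3 PDU sent or received.
        self.value = hashlib.sha512(self.value + pdu_bytes).digest()

    def salted(self, salt):
        # Value carried in dcerpc_sec_vt_preauth: SHA512(PREAUTH_SHA512 + SALT).
        return hashlib.sha512(self.value + salt).digest()

    def check(self, salt, claimed):
        # Server side: recompute from its own view, compare in constant time.
        return hmac.compare_digest(self.salted(salt), claimed)


def transcript_hash(pdus):
    """Final rolling hash after feeding the PDUs in order."""
    state = PreauthHash()
    for pdu in pdus:
        state.update(pdu)
    return state.value


def run_exchange(tamper):
    """Simulate one BIND/BIND_ACK, then the check on the first REQUEST.

    tamper=True models the BIND being rewritten in transit, so the server
    hashes different bytes than the client sent. All PDU contents here are
    constructed placeholders.
    """
    client, server = PreauthHash(), PreauthHash()

    bind_sent = b"BIND ctx=NDR32,NDR64,BindTimeFeatureNegotiation(PREAUTH)"
    bind_seen = bind_sent.replace(b"(PREAUTH)", b"()") if tamper else bind_sent
    client.update(bind_sent)   # client hashes what it sent
    server.update(bind_seen)   # server hashes what it received

    # The server's 16 random bytes travel in the uuid part of the
    # DCERPC_BIND_ACK_RESULT_NEGOTIATE_ACK entry, so they enter both hashes.
    bind_ack = b"BIND_ACK negotiate_ack uuid=" + os.urandom(16)
    server.update(bind_ack)
    client.update(bind_ack)

    # Assumption: SALT is the 16 client random bytes in the structure.
    salt = os.urandom(16)
    claimed = client.salted(salt)   # sent inside the signed/sealed REQUEST
    return server.check(salt, claimed)


if __name__ == "__main__":
    print("untampered exchange verifies:", run_exchange(tamper=False))
    print("modified BIND verifies:      ", run_exchange(tamper=True))
```

Because each update folds the previous digest into the next one, any change to an earlier negotiation PDU, or to the order of PDUs, changes every later value and the salted comparison fails.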
5 months ago s3:rpc_client: implement bind time feature negotiation
Stefan Metzmacher [Thu, 18 Apr 2024 23:22:17 +0000 (01:22 +0200)]
s3:rpc_client: implement bind time feature negotiation

This is not strictly needed as we don't use any of the
optional features yet.

But it will make it easier to add bind time features we'll
actually use later.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 months ago s3:rpc_client: require DCERPC_BIND_ACK_RESULT_ACCEPTANCE for the negotiated presentat...
Stefan Metzmacher [Thu, 18 Apr 2024 23:17:46 +0000 (01:17 +0200)]
s3:rpc_client: require DCERPC_BIND_ACK_RESULT_ACCEPTANCE for the negotiated presentation context

We should fail if we didn't get DCERPC_BIND_ACK_RESULT_ACCEPTANCE.

It's also not needed to require a single array element.

We already checked above that we have at least one.

The next patch will add bind time feature negotiation
and that means we'll have 2 array elements...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 months ago s3:rpc_client: pass struct rpc_pipe_client to check_bind_response()
Stefan Metzmacher [Thu, 18 Apr 2024 23:15:52 +0000 (01:15 +0200)]
s3:rpc_client: pass struct rpc_pipe_client to check_bind_response()

This prepares adding bind time feature negotiation in the next commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 months ago dcesrv_reply: we don't need to call dcerpc_set_frag_length() in dcesrv_fault_with_flags()
Stefan Metzmacher [Tue, 13 Oct 2015 13:43:05 +0000 (15:43 +0200)]
dcesrv_reply: we don't need to call dcerpc_set_frag_length() in dcesrv_fault_with_flags()

dcerpc_ncacn_push_auth() already calls dcerpc_set_frag_length().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
5 months ago ctdb-scripts: Do not de-duplicate the interfaces list
Martin Schwenke [Thu, 18 Apr 2024 04:13:11 +0000 (14:13 +1000)]
ctdb-scripts: Do not de-duplicate the interfaces list

Using xargs with sort -u to de-duplicate this list was my idea and
causes a couple of things to go wrong.  The use of xargs causes
double-quotes to be lost.  The resulting $public_ifaces value also
contains newlines.  The newlines could be removed with an additional
xargs at the end of the pipeline... but that would add an extra level
of quote stripping.

I have unsuccessfully tried to find an alternative, but still elegant,
command pipeline that de-duplicates the list, while maintaining
quoting.

So, just drop the de-duplication.

This might make interface_ifindex_exists_with_options() slightly less
efficient.  However, that function walks the whole list, only
terminating early when a match is found on both interface and options,
so at least it will be correct.

Include an extra testcase.

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Thu Apr 18 09:08:34 UTC 2024 on atb-devel-224

5 months ago python: Fix NtVer check for site_dn_for_machine()
Andreas Schneider [Mon, 15 Apr 2024 05:32:02 +0000 (07:32 +0200)]
python: Fix NtVer check for site_dn_for_machine()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15633

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Apr 17 19:32:11 UTC 2024 on atb-devel-224

5 months ago lib: Remove an obsolete comment
Volker Lendecke [Tue, 12 Mar 2024 14:06:33 +0000 (15:06 +0100)]
lib: Remove an obsolete comment

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Apr 17 09:01:34 UTC 2024 on atb-devel-224

5 months ago smbd: Remove sconn->using_smb2
Volker Lendecke [Tue, 13 Feb 2024 12:05:42 +0000 (13:05 +0100)]
smbd: Remove sconn->using_smb2

We have the same information available via conn_using_smb2()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
5 months ago smbd: Add conn_using_smb2()
Volker Lendecke [Tue, 13 Feb 2024 11:28:06 +0000 (12:28 +0100)]
smbd: Add conn_using_smb2()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
5 months ago smbd: Change protocol selection to not use "sconn->using_smb2"
Volker Lendecke [Tue, 13 Feb 2024 11:56:17 +0000 (12:56 +0100)]
smbd: Change protocol selection to not use "sconn->using_smb2"

To me this is pretty confusing, it seems to overload this struct
element.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
5 months ago ctdb: Modernize a few DEBUGs
Volker Lendecke [Thu, 29 Feb 2024 15:11:16 +0000 (16:11 +0100)]
ctdb: Modernize a few DEBUGs

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Apr 17 00:54:55 UTC 2024 on atb-devel-224

5 months ago ctdb: Remove common/line.[ch]
Volker Lendecke [Fri, 1 Mar 2024 20:19:51 +0000 (21:19 +0100)]
ctdb: Remove common/line.[ch]

This was an implementation of getline(3), use that instead.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
5 months ago ctdb: Use stdio's getline() in ctdb_connection_list_read()
Volker Lendecke [Fri, 1 Mar 2024 20:16:57 +0000 (21:16 +0100)]
ctdb: Use stdio's getline() in ctdb_connection_list_read()

This is the only user of common/line.[ch], which can go next.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
5 months ago lib: Use fdopen_keepfd()
Volker Lendecke [Wed, 10 Apr 2024 11:11:11 +0000 (13:11 +0200)]
lib: Use fdopen_keepfd()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
5 months ago rpc_server3: Use fdopen_keepfd()
Volker Lendecke [Wed, 10 Apr 2024 11:08:06 +0000 (13:08 +0200)]
rpc_server3: Use fdopen_keepfd()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
5 months ago lib: Add fdopen_keepfd()
Volker Lendecke [Wed, 10 Apr 2024 11:07:56 +0000 (13:07 +0200)]
lib: Add fdopen_keepfd()

Capture the dup/fdopen pattern

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
5 months ago lib: Give lib/util/util_file.c its own header file
Volker Lendecke [Wed, 10 Apr 2024 11:02:39 +0000 (13:02 +0200)]
lib: Give lib/util/util_file.c its own header file

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
5 months ago ctdb-scripts: Add options to generate smb.conf interfaces include file
Vinit Agnihotri [Tue, 30 Jan 2024 09:50:20 +0000 (01:50 -0800)]
ctdb-scripts: Add options to generate smb.conf interfaces include file

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 months ago ctdb-scripts: Rename and relocate function get_all_interfaces()
Vinit Agnihotri [Tue, 30 Jan 2024 09:25:37 +0000 (01:25 -0800)]
ctdb-scripts: Rename and relocate function get_all_interfaces()

The get_all_interfaces() function gets all names for all public interfaces.
However, the name is misleading. Thus it is renamed to get_public_ifaces() and
moved under functions.

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 months ago smbd-server: Process ip add/drop events for options:dynamic only
Vinit Agnihotri [Tue, 5 Mar 2024 11:03:25 +0000 (03:03 -0800)]
smbd-server: Process ip add/drop events for options:dynamic only

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 months ago lib-interface: Change API for interface 'options'
Vinit Agnihotri [Tue, 5 Mar 2024 10:32:23 +0000 (02:32 -0800)]
lib-interface: Change API for interface 'options'

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 months ago lib-interface: Add parsing for interface 'options'
Vinit Agnihotri [Tue, 5 Mar 2024 10:15:11 +0000 (02:15 -0800)]
lib-interface: Add parsing for interface 'options'

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 months ago lib-interface: Add extra parameter 'options' to interface definition
Vinit Agnihotri [Tue, 5 Mar 2024 10:27:04 +0000 (02:27 -0800)]
lib-interface: Add extra parameter 'options' to interface definition

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 months ago param: Add additional key 'options' for interfaces
Vinit Agnihotri [Tue, 5 Mar 2024 11:16:49 +0000 (03:16 -0800)]
param: Add additional key 'options' for interfaces

The key 'options' specifies if the server should spawn/kill listening sockets
in the event of added/dropped ip addresses on the specified interface.

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 months ago smbd-server: Use MSG_SMB_IP_DROPPED
Vinit Agnihotri [Thu, 29 Feb 2024 08:52:08 +0000 (00:52 -0800)]
smbd-server: Use MSG_SMB_IP_DROPPED

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 months ago messaging: Add new SMBD message
Vinit Agnihotri [Thu, 29 Feb 2024 06:22:38 +0000 (22:22 -0800)]
messaging: Add new SMBD message

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 months ago smbd-server: Handle ip drop event and close listening socket
Vinit Agnihotri [Wed, 28 Feb 2024 11:56:23 +0000 (03:56 -0800)]
smbd-server: Handle ip drop event and close listening socket

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 months ago smbd-server: Open socket for additional ip address
Vinit Agnihotri [Wed, 21 Feb 2024 05:49:34 +0000 (21:49 -0800)]
smbd-server: Open socket for additional ip address

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 months ago lib-interface: Add new API to validate interface info for given interface index
Vinit Agnihotri [Tue, 20 Feb 2024 10:40:13 +0000 (02:40 -0800)]
lib-interface: Add new API to validate interface info for given interface index

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 months ago lib-addrchange: Change API to fill up if_index value from netlink msg
Vinit Agnihotri [Thu, 15 Feb 2024 13:23:37 +0000 (05:23 -0800)]
lib-addrchange: Change API to fill up if_index value from netlink msg

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 months ago smbd-server: Set event callback for interface change notification
Vinit Agnihotri [Tue, 13 Feb 2024 11:30:50 +0000 (03:30 -0800)]
smbd-server: Set event callback for interface change notification

Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 months ago docs: Document new tdbdump -x option
Christof Schmitt [Thu, 7 Mar 2024 23:41:11 +0000 (16:41 -0700)]
docs: Document new tdbdump -x option

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Tue Apr 16 18:37:17 UTC 2024 on atb-devel-224

5 months ago tdb: Add test for tdbdump -x
Christof Schmitt [Fri, 12 Apr 2024 22:48:02 +0000 (15:48 -0700)]
tdb: Add test for tdbdump -x

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 months ago tdb: Add tdbdump option to output all data as hex values
Christof Schmitt [Thu, 7 Mar 2024 23:38:53 +0000 (16:38 -0700)]
tdb: Add tdbdump option to output all data as hex values

This can be useful for debugging tdb databases; the hex output of the
key can be used for "net tdb" or ctdb commands.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 months ago tdb: Add test for tdbdump command
Christof Schmitt [Fri, 12 Apr 2024 22:44:38 +0000 (15:44 -0700)]
tdb: Add test for tdbdump command

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 months ago tdb: Return failure as exit status from test_tdbbackup.sh
Christof Schmitt [Fri, 12 Apr 2024 22:22:06 +0000 (15:22 -0700)]
tdb: Return failure as exit status from test_tdbbackup.sh

When this test is called from wscript, only the exit code is checked.
Track failures and return as non-zero exit code.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 months ago s3: winbindd: winbindd_pam: fix leak in extract_pac_vrfy_sigs
Shaleen Bathla [Wed, 10 Apr 2024 13:01:39 +0000 (18:31 +0530)]
s3: winbindd: winbindd_pam: fix leak in extract_pac_vrfy_sigs

Add missing free for entry variable and its members: key and principal.
Found definite memory leaks via valgrind as shown below.

Leak 1:
==1686== 76,800 bytes in 2,400 blocks are definitely lost in loss record 432 of 433
==1686==    at 0x4C38185: malloc (vg_replace_malloc.c:431)
==1686==    by 0x79CBFED: krb5int_c_copy_keyblock_contents (keyblocks.c:101)
==1686==    by 0x621CFA3: krb5_mkt_get_next (kt_memory.c:500)
==1686==    by 0x141186: extract_pac_vrfy_sigs (winbindd_pam.c:3384)
==1686==    by 0x141186: winbindd_pam_auth_pac_verify (winbindd_pam.c:3434)
==1686==    by 0x17ED21: winbindd_pam_auth_crap_send (winbindd_pam_auth_crap.c:68)
==1686==    by 0x127F45: process_request_send (winbindd.c:502)
==1686==    by 0x127F45: winbind_client_request_read (winbindd.c:749)
==1686==    by 0x124AAF: wb_req_read_done (wb_reqtrans.c:126)
==1686==    by 0x66D4706: tevent_common_invoke_fd_handler (tevent_fd.c:142)
==1686==    by 0x66DAF4E: epoll_event_loop (tevent_epoll.c:737)
==1686==    by 0x66DAF4E: epoll_event_loop_once (tevent_epoll.c:938)
==1686==    by 0x66D8F5A: std_event_loop_once (tevent_standard.c:110)
==1686==    by 0x66D39B4: _tevent_loop_once (tevent.c:823)
==1686==    by 0x1232F3: main (winbindd.c:1718)

Leak 2:
==1686==    at 0x4C38185: malloc (vg_replace_malloc.c:431)
==1686==    by 0x62255E4: krb5_copy_principal (copy_princ.c:38)
==1686==    by 0x621D003: krb5_mkt_get_next (kt_memory.c:503)
==1686==    by 0x141186: extract_pac_vrfy_sigs (winbindd_pam.c:3384)
==1686==    by 0x141186: winbindd_pam_auth_pac_verify (winbindd_pam.c:3434)
==1686==    by 0x17ED21: winbindd_pam_auth_crap_send (winbindd_pam_auth_crap.c:68)
==1686==    by 0x127F45: process_request_send (winbindd.c:502)
==1686==    by 0x127F45: winbind_client_request_read (winbindd.c:749)
==1686==    by 0x124AAF: wb_req_read_done (wb_reqtrans.c:126)
==1686==    by 0x66D4706: tevent_common_invoke_fd_handler (tevent_fd.c:142)
==1686==    by 0x66DAF4E: epoll_event_loop (tevent_epoll.c:737)
==1686==    by 0x66DAF4E: epoll_event_loop_once (tevent_epoll.c:938)
==1686==    by 0x66D8F5A: std_event_loop_once (tevent_standard.c:110)
==1686==    by 0x66D39B4: _tevent_loop_once (tevent.c:823)
==1686==    by 0x1232F3: main (winbindd.c:1718)

Signed-off-by: Shaleen Bathla <shaleen.bathla@oracle.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Apr 16 10:22:51 UTC 2024 on atb-devel-224

5 months ago s4:dsdb: Implement msDS-ManagedPassword attribute
Jo Sutton [Tue, 13 Feb 2024 02:45:21 +0000 (15:45 +1300)]
s4:dsdb: Implement msDS-ManagedPassword attribute

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Apr 16 05:02:30 UTC 2024 on atb-devel-224

5 months ago s4:dsdb: Add extra attrs to search request even if replacement attribute is NULL
Jo Sutton [Tue, 9 Apr 2024 04:15:48 +0000 (16:15 +1200)]
s4:dsdb: Add extra attrs to search request even if replacement attribute is NULL

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 months ago python:tests: Catch failures to authenticate with gMSA managed passwords
Jo Sutton [Tue, 9 Apr 2024 02:09:17 +0000 (14:09 +1200)]
python:tests: Catch failures to authenticate with gMSA managed passwords

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 months ago selftest: Expand out knownfails for gMSA getpassword tests
Jo Sutton [Tue, 9 Apr 2024 01:55:58 +0000 (13:55 +1200)]
selftest: Expand out knownfails for gMSA getpassword tests

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 months ago s4:dsdb: Set up passwords and password IDs of new gMSAs
Jo Sutton [Fri, 5 Apr 2024 00:23:18 +0000 (13:23 +1300)]
s4:dsdb: Set up passwords and password IDs of new gMSAs

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 months ago s4:dsdb: Add functions for Group Managed Service Accounts implementation
Jo Sutton [Tue, 13 Feb 2024 03:09:57 +0000 (16:09 +1300)]
s4:dsdb: Add functions for Group Managed Service Accounts implementation

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 months ago s4:dsdb: Factor out a function to remove all password related attributes
Jo Sutton [Tue, 9 Apr 2024 00:15:00 +0000 (12:15 +1200)]
s4:dsdb: Factor out a function to remove all password related attributes

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 months ago lib:crypto: Reformat source code
Jo Sutton [Mon, 1 Apr 2024 21:33:27 +0000 (10:33 +1300)]
lib:crypto: Reformat source code

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
5 months ago tests/krb5: Add tests for gMSAs
Jo Sutton [Fri, 5 Apr 2024 00:44:08 +0000 (13:44 +1300)]
tests/krb5: Add tests for gMSAs

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>