TEST1b test_spnego_connect_bind_auth_align[4|2]

TEST1 python/samba/tests/dcerpc/raw_protocol.py selftest/knownfail.d/dcerpc-auth-pad

TEST1 python/samba/tests/dcerpc/raw_protocol.py

dcesrv_core: introduce dcesrv_connection->transport_max_recv_frag

The max fragment size depends on the transport.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>

tests/dcerpc/raw_protocol: run test_neg_xmit_ffff_ffff over tcp and smb

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>

dcesrv_core: add more verbose debugging for missing association groups

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>

DEBUG part3

BACKPORT-MARKER: v4-19-witness-backports-from-wip.txt

smb2_tcon: add "smb3 share cap:{CONTINUOUS AVAILABILITY,SCALE OUT,CLUSTER,ASYMMETRIC}" options

Signed-off-by: Stefan Metzmacher <metze@samba.org>

python:tests/rpcd_witness_samba_only: add tests for 'net witness force-response'

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:utils: add 'net witness force-response'

This allows generating any possible AsyncNotify response
for the specified selection of witness registrations
from rpcd_witness_registration.tdb.

This can be used by developers to test the (windows)
client behavior to specific AsyncNotify responses.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

python:tests/rpcd_witness_samba_only: add tests for 'net witness force-unregister'

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:utils: add 'net witness force-unregister'

This allows removing of the specified selection
of witness registrations from rpcd_witness_registration.tdb.

Any pending AsyncNotify will get WERR_NOT_FOUND.

Typically this triggers a clean re-registration on the client.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

python:tests/rpcd_witness_samba_only: add tests for 'net witness {client,share}-move'

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:utils: add 'net witness client-move' and 'net witness share-move'

These can be used to generate CLIENT_MOVE or SHARE_MOVE message
to the specified selection of witness registrations from
rpcd_witness_registration.tdb

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:rpc_server/witness: add handling of MSG_RPCD_WITNESS_REGISTRATION_UPDATE messages

This implements the server side features for the
'net witness [client-move,...]' commands in the end.

These are administrator driven notifications for the witness client.

RPCD_WITNESS_REGISTRATION_UPDATE_FORCE_RESPONSE and
RPCD_WITNESS_REGISTRATION_UPDATE_FORCE_UNREGISTER will be very useful
for later automated testing.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:rpcd_witness.idl: add rpcd_witness_registration_updateB message definitions

This will be used for rpcd_witness_registration_updateB messages
in 'net witness [client-move,...]' commands later.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

messaging.idl: add MSG_RPCD_WITNESS_REGISTRATION_UPDATE

This will be used for rpcd_witness_registration_updateB messages
in 'net witness [client-move,...]' commands later.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

python:tests/rpcd_witness_samba_only: add tests for 'net witness list'

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:utils: add 'net witness list' command

It lists the entries from the rpcd_witness_registration.tdb.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:rpc_server/witness: let Register[Ex] store rpcd_witness_registration.tdb records

This will allow 'net witness list' to be implemented in the end.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:rpcd_witness.idl: introduce definitions for rpcd_witness_registration.tdb records

A rpcd_witness_registration.tdb will be added shortly in order to
implement useful 'net witness [list,client-move,...]' commands
in the end.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

python/blackbox: add rpcd_witness_samba_only.py test

This tests the witness service and its interaction with
ctdb.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

python/tests: add TestCase.get_loadparm(s3=True) support

This will be used for tests with registry shares,
as the top level loadparm system doesn't support them.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

script/autobuild.py: also pass PYTHONPATH to make test of 'samba-ctdb'

Otherwise tests won't find the custom tdb python bindings

Signed-off-by: Stefan Metzmacher <metze@samba.org>

selftest/Samba: export CTDB_PREFIX in clusteredmember testenv

It means ctdb/tests/local_daemons.sh will be easily useable

Signed-off-by: Stefan Metzmacher <metze@samba.org>

selftest/Samba3: start samba_dcerpcd in clusteredmember

This enables the rpcd_witness to be available.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

selftest/Samba3: remove unused variable in setup_clusteredmember

Signed-off-by: Stefan Metzmacher <metze@samba.org>

selftest/Samba3: get NETBIOSNAME correct for clusteredmember

It was missed in commit
7598b9069d3b983f8eb3b89b8459ec993ee43c80

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:rpc_server/witness: add implementation based on CTDB_SRVID_IPREALLOCATED and ctdbd_all_ip_foreach()

The design is relatively simple in the end:

- We use ctdbd_all_ip_foreach() in order to build an
  in memory list of interfaces(ip addresses) and
  record if:
  - they are currently available or not
  - if they node local or not

- The current list is would we use for the
  GetInterfaceList() call.

- Register[Ex] will create an in memory structure
  holding a queue for pending AsyncNotify requests.

- Unregister() will cancel pending AsyncNotify requests and
  let them return NOT_FOUND.

- CTDB_SRVID_IPREALLOCATED messages will cause we refresh
  with ctdbd_all_ip_foreach():
  - this will detect changes in the interface state
    and remove stale interfaces.
  - for each change the list of registrations is checked
    for a matching ip address and a RESOURCE_CHANGE
    will be scheduled in the queue of the registration,
    the started queue will trigger AsyncNotify responses

- We also register the connections with ctdb in order
  to give other nodes a chance to generate tickle-acks
  for the witness tcp connections.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:rpc_server: add basic rpcd_witness template

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:ctdbd_conn: add ctdbd_all_ip_foreach() helper

This can we used to traverse through all ip addresses ctdb knows
about.

The caller can select node ips and/or public ips.

This will we useful to monitor the addresses from a witness
service...

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:ctdbd_conn: split out ctdbd_control_get_nodemap()

This will simplify future changes...

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:ctdbd_conn: pass vnn to ctdbd_control_get_public_ips()

In future we also want to ask other nodes for their public_ips.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

witness.idl: make witness_interfaceList public to that ndr_print works in python

Signed-off-by: Stefan Metzmacher <metze@samba.org>

smbstatus: let --json include session.{creation,expiration,auth}_time

This is very useful in order to predict NETWORK_SESSION_EXPIRED
messages...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

selftest: make get_loadparm a classmethod

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 18fd2e4ff35e4ec3491a1836c1896c1417126b08)

BACKPORT-MARKER: v4-19-witness-backports-from-txt

dcesrv_reply: just drop responses if the connection is already terminating

There's no reason to waste resources...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jan  9 11:26:55 UTC 2024 on atb-devel-224

(cherry picked from commit 1b6ef968d8370757cb472a1e3bfe030f8066c50d)

dcesrv_core: add dcesrv_call_state->subreq in order to allow tevent_req_cancel() on termination

Requests might be cancelled if the connection got disconnected,
we got an ORPHANED or CO_CANCEL pdu.

But this is all opt-in for the backends to choose.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit e829f5d8ec3a77acb52a22d45e61dcce03762a10)

witness.idl: add flag(NDR_PAHEX) to some hex based enums

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 87e37e73a9ba13ed92a33a385a387b225b2b9190)

witness.idl: make some types public in order to be used elsewhere

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 290b0b04ae41b835f864bba02b1320693ef199d3)

witness.idl: Set cifs as auth service name for the witness interface

Windows clients use the 'cifs' service name to bind to the witness interface.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 5beef87816d103a729508ce88368c30c87b1fa4e)

tdb: fix python/tdbdump.py example

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 78ec47a6674db65d738305cf00861aa711886a43)

examples/scripts: add smbXsrvdump

A simple python tool to dump smbXsrv TDB databases.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 3c73d201d454a88135757065a2b238e6d94a1ac9)

smbXsrv.idl: add python bindings

This is useful for some scripting examples and debugging...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 8e850685a1052a16bea402df3e8057218080c373)

smbstatus: let --json dump also session channels

This makes if easier to see how tcp connections belong
to a session or client_guid.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit b96ce32f826ba03384e6a7535200d7e18354fc4b)

smbstatus: let --json report the client_guid a session belongs to

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 3f92a684abb577b84d01b8f9124a7a459635d851)

smbXsrv_session: store session_global->client_guid

This is very useful for debugging...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit c1c326ebccb272acc918a97aff5b659cc299c9e5)

s3:sessionid: export smbXsrv_session_global via sessionid->global

This will allow smbstatus --json to dump more details.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 88b1c8723b30930585514dacd472e4941c69220c)

lib/util: let is_zero_addr() return true for AF_UNSPEC

It means the completely zero'ed structure is detected
as zero address, as AF_UNSPEC is 0.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit d52f7279063817055b6816d9f8372e374c90f75f)

s3:smbd multichannel: improve smbXsrv_connection_dbg()

client_guid as well as local and remote address help a lot
for debugging...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 10b084f824f839497405665b904cd54f8f5ff703)

s3:smbd multichannel: let a cross-node session binding NT_STATUS_REQUEST_NOT_ACCEPTED

This is better than NT_STATUS_USER_SESSION_DELETED, as it means the
client can keep it's session alive. Otherwise a windows client believes
the whole session is gone and all other channels are invalid.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 475784d63e9381e8a76cd666842686c1b8d2d0b4)

s3:smbd multichannel: always allow multichannel to the ip of the queried connection

We can announce the ip of the current connection even if it's
a moveable cluster address... as the client is already connected to it.

This change means in a typical ctdb cluster, where we only have public
addresses, the client can at least have more than one multichannel'ed
connection to the public ip.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 8a3707e3ed96df43c8f825527deb7d27fe0c6be8)

libcli/security: remove PRIMARY_{USER,GROUP}_SID_INDEX defines from security.h

These and more are also defined in security_token.h, which is later included
from security.h anyway.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit f94d2ed13e6aa54e7e4e4cc292c565de1711a2a9)

libcli/smb: add new SMB2_SHAREFLAG_ defines in smb2_constants.h

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 6331d33ae498e03368422e585c3e47cfc73dfdb2)

ctdb: add comments to "addip"/"delip" when CTDB_{CONTROL,EVENT,SRVID}_IPREALLOCATED happens

"addip"/"delip" are different from "moveip" so they don't need to
call ipreallocate() nor send_ipreallocated_control_to_nodes().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 62654f0aeb1909129e87df061186509560859bed)

ctdb: let "moveip" end with CTDB_CONTROL_IPREALLOCATED to all connected nodes

This matches the behavior of takeover_send/recv() from
ctdb_takeover_helper.c.

It means we consistently call the ipreallocated event scripts
and also send CTDB_SRVID_IPREALLOCATED after moving ips.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 589ebabc95eef0c301a47696e82c0ac341027597)

ctdb: remove unused ctdb_message_disable_ip_check()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 2c6b455bd7656b4e43d1f4ea488f06cd7918586b)

ctdb: let "moveip" also use disable_takeover_runs()

That makes the behavior more consistent compared to a takeover run
started from the within ctdbd.

The behavior is the same but ctdb_message_disable_ip_check() used
a legacy code path and the next commits will also touch some
of the moveip logic...

The logic and comments are copied from control_reloadips().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit cad1969b171766a5264973e7bfb5f9f7295421b6)

ctdb: send a CTDB_SRVID_IPREALLOCATED message after CTDB_EVENT_IPREALLOCATED

Event scripts run the "ipreallocated" hook in order to notice that some ip addresses
in the cluster potentially changed.

CTDB_SRVID_IPREALLOCATED gives C code a chance to get notified as well once the event
scripts are finished.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit b1d0d5d51422f377c2e989ea6dacb2aa5794082b)

s4:rpc_server/epmapper: use ndr_syntax_id_equal() in dcesrv_epm_Map() to match the request

This matches it much easier to understand.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5ec5496df40e6015ec8de6133a406bb50efebe35)

s4:rpc_server/epmapper: check dcerpc_floor_get_uuid_full() result in dcesrv_epm_Map()

This already checks for EPM_PROTOCOL_UUID and simplifies the logic.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 53e4fe647ec3f840836340cf9eac4f79b8794aad)

s4:rpc_server: simplify logic in dcesrv_epm_Map matching

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit dfdb8736c750079bc42d274a416c9f7ea3f820dc)

librpc/rpc: also get the 2nd half of the ndr_syntax_id from a floor

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7a7a38b870dd8f0b384e290b8e9e18305bf54f90)

librpc/rpc: add dcerpc_floor_pack_uuid_full() helper function

This handles the full syntax with split major and minor version,
from lhs and rhs.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 1058382d048bc368a3825cb295d9aeabf0ef9b10)

s3:rpc_server: let create_policy_hnd() return a pointer

This allows a TALLOC_FREE() on it to unregister and destroy the
handle easily.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit ac392c35e4993e1f4bd25519c607a00508e57de4)

s4:rpc_server/remote: make use of dcesrv_async_reply()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 403bceef914d6793a7f5ec4432445f043919c277)

s4:rpc_server/netlogon: make use of dcesrv_async_reply()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 06c12033b355d234d561ad11b5f4b1bad1c79417)

s4:rpc_server/lsa: make use of dcesrv_async_reply()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d880999480ed62cd0249f3bd67d5f7830d396b57)

s4:rpc_server/common: make use of dcesrv_async_reply()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit eaf3654dd1e6f8d0557148e673a574e57ce7a71c)

s4:rpc_server/echo: make use of dcesrv_async_reply()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 27d11803a45d7cb7c2d4b422cc2ec6a02fb04616)

librpc/rpc: add dcesrv_async_reply() helper that disconnects as needed

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b8eae782251d89b11e86c19f3cd8dbd58fa506ca)

librpc/rpc: allow dcesrv_context to propose the preferred ndr syntax

This allows specific services to use ndr64.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5a6978205edc2217006762bfe540e8f62caad74b)

s3:rpc_server: distribute clients based on available association group slots

The important factor to distribute connection to workers
should be the number of used association group slots instead
of the raw number of connections. If one worker has a lot of
association groups with just one connection each, but another
with few association groups, but multiple connections per
association group. The one with less association groups should
get the connection. Note each worker is only able to allocate
UINT16_MAX allocation groups, but the number of connections
is only limited by RAM.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f8b76235fe0fda5a58fed8a527bbeba196560ca1)

dcesrv_core: maintain the number of allocated association groups per dce_ctx

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 40e780ad162c8c561822d6284f8e6227fca69c8a)

s3:rpc_server: improve debugging in rpc_host_distribute_clients()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2c2c2f43688748de4687c12bef46a4c2c3fd140d)

s3:rpc_server: simplify rpc_host_find_worker()

This will help me in the next commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit cd2cb49179cebb63ca04bd35670d10af9ed55f67)

s3:rpc_server: correctly allow up to 65536 workers processes

We already limit the per worker portion of the association
group id to UINT16_MAX, so we can also use 16-bit instead
of just 8-bit to encode the worker index.

While there we should actually ensure that the max worker
index is UINT16_MAX.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit eb8cf371b8dc9575e2b838ac8e4f03518eb092da)

rpc_host.idl: change server_index from uint8 to uint32

This reflects what we're using in the C code already...

Note this is an incompatible change, but we also changed
from named_pipe_auth_req_info7 to named_pipe_auth_req_info8
in master...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e4bdab659bbe88f8687cefea9ef80850b585a37d)

s3:rpc_server: make use of dcesrv_register_default_auth_types[_machine_principal]()

This mostly matches windows now...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f35baa4eb2e68a4253f90f85052306471d61bd04)

s3:rpc_server: let get_servers() callback of rpc_worker_main() return NTSTATUS

This means the rpc_worker_main() logic is the only layer that
needs to call exit() and its able to do some cleanup before.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit ae38cfe6da728ea565d02e010d77360447b6007f)

s3:rpc_server: let register_ep_server() errors result in DBG_ERR()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2d73b1e06188f3570bf88598a3b01f09f6ff633c)

librpc/rpc: add dcesrv_register_default_auth_types[_machine_principal]() helpers

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2ba5016e4b496a8f123fe91403cf178f7930d43e)

librpc/rpc: implement dcesrv_mgmt_inq_princ_name infrastructure

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 1d0a5b3ac751d4162b8414453303e28cc1b87c21)

librpc/rpc: let dcesrv_mgmt_inq_if_ids() filter out the mgmt syntax_id

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9f51379dd731f5c5b19a41ced4fd4ef1e2f4d2aa)

librpc/rpc: apply some code cleanup and error checks to dcesrv_mgmt.c

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 6cb12d3955d3c7f216c79b081f5431ec9f4c14ce)

s4:torture/rpc: let test_inq_princ_name_size also test for princ_name_size = 0 and BAD_STUB_DATA

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a38f58ac85fbba7a6f1076516117acc6eae44358)

s3:selftest: also run rpc.mgmt against the nt4_dc (and ad_dc)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2a290dcb9456ce1b855fe426e197f0edad27a747)

libcli/util: let win_errstr() fallback to hresult_errstr()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 09daeba6962d9f2534762250eb3b172154aa4aaf)

BACKPORT-MARKER: v4-19-test-witness-backports.txt

auth/credentials_krb5: make use of smb_gss_krb5_prepare_acceptor_cred()

We should check all keys in our in memory keytab
and skip the transited checks unless we're
in standalone/MIT-realm mode.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125

Signed-off-by: Stefan Metzmacher <metze@samba.org>

auth/credentials_krb5: let cli_credentials_get_server_gss_creds() use an early return

This will simplify the next commits.

Check with: git show -w

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s3:gse: let gse_init_server() use smb_gss_krb5_prepare_acceptor_cred()

We should check all keys in our in memory keytab
and skip the transited checks unless we're in
standalone/MIT-realm mode.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125

Signed-off-by: Stefan Metzmacher <metze@samba.org>

krb5_wrap: add smb_gss_krb5_prepare_acceptor_cred()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125

Signed-off-by: Stefan Metzmacher <metze@samba.org>

configure_mitkrb5: check for GSS_KRB5_CRED_SKIP_TRANSIT_CHECK_X

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907

Signed-off-by: Stefan Metzmacher <metze@samba.org>

s4:heimdal_build: define HAVE_GSS_KRB5_CRED_{SKIP_TRANSIT_CHECK,ITERATE_ACCEPTOR_KEYTAB}_X

We can only do that for our own copy of heimdal, see
https://github.com/heimdal/heimdal/pull/656

In future we may want to use
source4/heimdal_build/wscript_configure only for
our in tree copy of heimdal and do real configure
checks for the system heimdal build.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125

Signed-off-by: Stefan Metzmacher <metze@samba.org>

HEIMDAL:lib/gssapi/krb5: add GSS_KRB5_CRED_ITERATE_ACCEPTOR_KEYTAB_X

This allows krb5_rd_req_in_set_iterate_keytab() to be used via the
gssapi layer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125

Signed-off-by: Stefan Metzmacher <metze@samba.org>

HEIMDAL:lib/krb5: add krb5_rd_req_in_set_iterate_keytab()

A caller might not know the kvno maintained by the KDC.
And most often there's need to know it.

So this function makes it possible to force the keytab
iteration in order to get a consistent behavior.
Otherwise it's possible to get a different behavior
if the guessed kvno in the keytab accidentally matches
the kvno of the ticket and we'll give up if the
key is not able to decrypt the ticket.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125

Signed-off-by: Stefan Metzmacher <metze@samba.org>

HEIMDAL:lib/krb5: let krb5_rd_req_ctx() fallback only on KRB5KRB_AP_ERR_BAD_INTEGRITY

This avoids hidding a real error like KRB5KRB_AP_ERR_ILL_CR_TKT.

We only want to retry with the next key if the decryption
failed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125

Signed-off-by: Stefan Metzmacher <metze@samba.org>