selftest: Fix code spelling

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

script: Fix code spelling

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

python:tests: Fix code spelling

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

libcli/smb: Remove unused fallback case for ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM

We now require a GnuTLS version that is not impacted for AES-GCM
(fixed in 3.6.11, we require 3.6.13).

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jul  4 07:42:35 UTC 2023 on atb-devel-224

build: We don't need SEEKDIR_RETURNS_VOID

We don't call seekdir() in source3 anymore

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Jul  3 20:40:05 UTC 2023 on atb-devel-224

lib: Move IO_REPARSE_TAG_NFS subtypes to toplevel

They should be generally available

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: Translate ENXIO to NT_STATUS_ILLEGAL_FUNCTION

ENXIO is returned when trying to openat() a unix domain socket or a
FIFO without anything at the other end. [MS-ERREF] has
ILLEGAL_FUNCTION as "The specified handle is not open to the server
end of the named pipe.", which comes pretty close to me.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

error_inject: Reduce indentation with an early return

Review with "git show -b"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

torture4: Fix an error message

The fsctl is called FSCTL_SET_ZERO_DATA

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

tests: Enable a few tests for FreeBSD

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Save 76 bytes of .text

Probably not really measurable, but as this is a pretty frequently
accessed table, maybe this saves us some cache misses. And it's very
cheap to get :-)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: Avoid a direct reference to smb_messages[]

That's what we have smb_fn_name() for

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbclient3: Use talloc_asprintf(), no explicit SAFE_FREE required

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

utils3: Remove the "split_tokens" utility

This is not tested as far as I can see, and as this is explicity meant
as a testing utility I think we can live without it.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

wb_dsgetdcname: don't use stack variables for async code

This is not really a problem because we call ndr_push from
with a _send() function, but still we leave dangling pointers
arround...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Autobuild-User(master): Björn Jacke <bjacke@samba.org>
Autobuild-Date(master): Sun Jul  2 17:42:56 UTC 2023 on atb-devel-224

wb_dsgetdcname: log also the domain name for failures

Signed-off-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

wb_dsgetdcname.c: move common message to higher log level

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

wb_dsgetdcname.c: don't use statis log level numbers

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tallocmsg.c: move info log message to appropriate level

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

garbage_collect_tombstone.c: use DBG* macros instead of static numeric log levels

Some log levels changed slightly because the macros don't cover all the
previously used levels.

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

garbage_collect_tombstones.c: move info log message to appropriate level

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

winbindd_cache.c: use DBG* macros instead of static log level numbers

Some log levels changed slightly because the macros don't cover all the
previously used levels.

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

winbindd_cache.c: move some some notice messages from ERR to NOTICE level

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

winbindd_cache: adjust some debug levels to more appropriate severities

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

build: Remove unused check for SHA1_Update and SHA1_RENAME_NEEDED

I can not find the code that required this, even in the history.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jun 30 14:59:46 UTC 2023 on atb-devel-224

Remove redundant check and fallback for AES CMAC 128 as we now require GnuTLS 3.6.13

This allows us to remove a lot of conditionally compiled code and so
know with more certainly that our tests are covering our code-paths.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

crypto: Remove aesni-intel accelerated AES crypto functions

These will shortly be unused as we will rely on GnuTLS for all AES cryptography
now that we require GnuTLS 3.6.13

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Remove rudundent check and fallback for AES CFB8 as we now require GnuTLS 3.6.13

This allows us to remove a lot of conditionally compiled code and so
know with more certaintly that our tests are covering our codepaths.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Remove rudundent check/workaround for buggy GnuTLS 3.5.2 as we now require GnuTLS 3.6.13

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Remove rudundent check for gnutls_pkcs7_get_embedded_data_oid as we now require GnuTLS 3.6.13

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Remove check for gnutls_set_default_priority_append as it unused

This became unused with d30865014569f4b9a1261d9f0c40bc4fc98f883e

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

crypto: Rely on GnuTLS 3.6.13 and gnutls_pbkdf2()

This removes a lot of inline #ifdef and means this feature is always tested.

We can do this as we have chosen GnuTLS 3.6.13 as the new minimum version.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

build: Set minimum required GnuTLS version to 3.6.13

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

smbd: Merge openat_pathref_fsp_nosymlink() into _internal()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Jun 30 11:43:46 UTC 2023 on atb-devel-224

smbd: Factor out create_open_symlink_err()

3 times talloc_zero() and read_symlink_reparse() makes a nice separate
function.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Remove "atname" from smbd_dirptr_get_entry()'s mode_fn

Unused.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Rewrite smbd_dirptr_get_entry()

Move filtering of entries, in particular symlinks, fully into
smbd_dirptr_get_entry(). Before, this was hidden in magic code inside
openat_pathref_fsp() and the mode_fn()s. Changing anything file open
code led to changes in very distant code paths because of unforeseen
consequences to directory listing. This change centralizes the
decision what directory entries to show into
smbd_dirptr_get_entry(). It uses openat_pathref_fsp_nosymlink()
without any symlink magic. It might need some tweaking when we also
want to show other special files, but this will hopefully be easier.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Factor out full_path_from_dirfsp_at_basename()

Will use this logic in the next patch

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Introduce dir_fname helper var in smbd_dirptr_get_entry()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Modernize two DEBUG statements

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Pass name and stat_ex to dos_mode_msdfs()

We'll use it in a place without a smb_fname soon.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Pass "char*" to dos_mode_from_name()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Pass stat_ex and files_struct to dos_mode_from_sbuf()

Will enable simplification of dos_mode_msdfs()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Extend openat_pathref_dirfsp_nosymlink()

Turn it into openat_pathref_fsp_nosymlink() which opens not only
directories but normal files and symlinks too. If it finds a symlink,
return NT_STATUS_STOPPED_ON_SYMLINK and all the metadata we can find:
struct stat_ex plus the symlink target.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

test: skip the open-eintr test

With 7bb8af3f74c we already had to tune the error_inject VFS object to filter
out the openat-calls coming from filename_convert_dirfsp&friends. With
the next patch openat() will be called from even more places, and I
don't really see a good way to properly deal with EINTR in all the
places where it can happen. The real case where EINTR is something we
need to handle properly I guess is with kernel oplocks active: open()
waits for another process to give up its kernel oplock, which opens
the window for EINTR to become a valid case to properly take care
of. For all other opens I would be willing to live with the fact that
we just return an error message that might be different from Windows.

To detect that kernel oplock case properly, with O_PATH we have to
look at the /proc/self/fd/<n> reopen or the O_EMPTY_PATH FreeBSD
flavor from inside the error_inject module I guess. But then, the
second time we come around the corner we have to let it pass.

Difficult to properly test, disable the test for now.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Fully fill in fsp in openat_pathref_fsp_nosymlink_internal()

Prepare for allowing openat_pathref_fsp_nosymlink() to open real files
in the next patches.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Lift up conn->cwd from openat_pathref_dirfsp_nosymlink()

The goal of this patch is to make the next patches smaller. Next
patches will also make openat_pathref_dirfsp_nosymlink() open real
files, not only directories.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Factor out full_path_extend()

This logic will be used in another place in the next commit

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Add read_symlink_reparse()

Fake up a symlink reparse point structure from an on-disk reparse
point.

Turn in-share absolute symlinks into relative ones for the client to
properly follow symlinks. Pass on everything else as-is. In particular
clients follow symlinks pointing at \\server\share\...

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Apply some README.Coding to dos_mode_from_sbuf()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Simplify dos_mode_msdfs()

This is exactly what dos_mode_from_name() does.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Move dos_mode_from_name() up in dosmode.c

Is useful in dos_mode_msdfs() as well.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

smbd: Slightly simplify smbd_dirptr_get_entry()

Implementing virtually empty directories for "dont descend" looks
easier to me this way. It should also be an optimization, because now
we don't walk the whole directory anymore after . and .., which always
come first anyway.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

.gitlab-ci:bootstrap: remove ubuntu1804*, add debian12, upgrade opensuse 15.5

Signed-off-by: Stefan Metzmacher <metze@samba.org>
[abartlet@samba.org Use Debian 11 for the 32 bit host as the compile
 currently fails - just exits without information - mid-way on Debian 12]

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jun 30 08:51:17 UTC 2023 on atb-devel-224

third_party: Update socket_wrapper to version 1.4.2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jun 29 16:06:11 UTC 2023 on atb-devel-224

s3:utils: smbget fix a memory leak

Using smbget to download files recursively (-R).

If smbget found that a file is already existed in the destination,
smbget would said 'File exists', return early, and 'newname' allocated
memory is never freed, this is found by valgrind.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15403

Signed-off-by: Jones Syue <jonessyue@qnap.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jun 28 07:02:34 UTC 2023 on atb-devel-224

s4:kdc: don't log an error if msDS-AllowedToActOnBehalfOfOtherIdentity is missing

We log a warnings if access is not granted from a security descriptor in
msDS-AllowedToActOnBehalfOfOtherIdentity, so we should use the same log
level if msDS-AllowedToActOnBehalfOfOtherIdentity is not available at
all.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jun 27 06:39:08 UTC 2023 on atb-devel-224

s4:kdc: Include default groups in security token

This is consistent with the behaviour of the existing function
_authn_policy_access_check() and of Windows.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Implement Heimdal hook for resource-based constrained delegation

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

tests/krb5: Adjust authentication policy RBCD tests to expect appropriate failure statuses

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

tests/krb5: Be less strict regarding acceptable delegation error codes

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Remove useless sdb → hdb error code translation

samba_kdc_check_s4u2proxy() is never going to return an SDB_* error
code, so these conditions can never be hit.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Initialize pointers with NULL

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

third_party/heimdal: Import lorikeet-heimdal-202306200407 (commit fc2894beeaa71897753975154a5f7fd80b923325)

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

smbd: Don't mask open error if fstatat() fails

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15402
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Jun 26 16:53:21 UTC 2023 on atb-devel-224

tests: Show smbd returns wrong error code when creating on r/o fs

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15402
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

error_inject: Enable returning EROFS for O_CREAT

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15402
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

error_inject: map EROFS

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15402
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s4:kdc: Don’t overwrite error code

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jun 26 12:11:30 UTC 2023 on atb-devel-224

s4:kdc: Add comment to clarify that we fetch the client claims

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: clear client and device claims from trusts

As we don't support the Claims Transformation Algorithm [MS-CTA]
we better clear claims as they have no valid meaning in our domain.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Make [client,device]_claims_blob const pointers

This is so that we can have them point to ‘null_data’ if we so choose.

We can’t assign the result of data_blob_talloc() to a const pointer, so
we go through an intermediary non-const pointer for the
device_claims_blob case.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Remove unnecessary NULL check

pac_blobs_add_blob() already checks whether the blob argument is NULL,
and skips adding the blob if so.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: pass krbtgt skdc_entries to samba_kdc_update_pac()

For now we only pass in the krbtgt that verified the client pac
and optionally the krbtgt that verified the device pac.

These can be different depending on the domain of the related
principals.

If we want to apply SID filtering in future we may also need
to pass in the krbtgt that verified the delegated_proxy_pac,
but that needs more research and if not required for the
following changes.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: adjust formatting of samba_kdc_update_pac() documentation

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Enforce authentication policy service restrictions when getting a PAC

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Check authentication policy server restrictions

For a constrained delegation request, we need to pass ‘delegated_proxy’
(and the delegated proxy PAC, if one was provided) into
samba_kdc_update_pac() so that we can verify that the delegating server
is allowed to authenticate to the target server.

The ‘const’ is entirely unnecessary in a function declaration, but we
add it just to be consistent.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Check authentication policy device restrictions

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Add comment stating that policies aren’t looked up for S4U clients

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

tests/krb5: Test that client policies are not enforced with S4U

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

tests/krb5: Fix RBCD comments

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

tests/krb5: Don’t unnecessarily specify ‘id’

In tests where we have multiple accounts of the same type, we use the
‘id’ parameter to ensure that these accounts are all different, as some
restrictions are bypassed if an account authenticates to the selfsame
account. However, this is unnecessary if we already specify (with
‘use_cache=False’) that the cache is not to be used.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Remove unused ‘server’ parameter in pac_verify()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Handle new KDC_AUTH_EVENT_CLIENT_FOUND audit event

NOTE: This commit finally works again!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Ensure that we don’t log PREAUTH_REQUIRED errors

Such errors were not logged in the past, either, but that was accidental
— a result of failing too early for an authentication event to be set —
rather than the auditing being deliberately designed that way.

Now that we have added the KDC_AUTH_EVENT_CLIENT_FOUND event, we want to
ensure that PREAUTH_REQUIRED errors continue to go unlogged.

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

s4:kdc: Update Samba KDC plugin to match new Heimdal version

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

third_party/heimdal: Import lorikeet-heimdal-202306192129 (commit 0096f9c1dc105d8ac9f7dd96d653b05228f7d280)

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

tests/krb5: Add test for authenticating with disabled account and wrong password

This shows us that the client’s access is checked prior to passwords
being checked.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

tests/auth_log_pass_change: Fix flapping test

It appears that discardMessages() is still not entirely reliable. Ensure
that we filter out any messages from the Administrator’s authentication.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

netcmd: domain: Fix typo

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Align samba_kdc_update_pac() prototype in pac-glue.h with the implementation in pac-glue.c

Commit 6bd3b4528d4b33c8f7ae6341d166bea3a06cd971 diverged the const
declarations in the header, this brings them back in alignnment as
is Samba's normal practice.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jun 26 00:26:37 UTC 2023 on atb-devel-224

s4:kdc: Use talloc_get_type_abort()

We subsequently dereference the result without performing a NULL check.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Create a temporary talloc context on which to allocate

‘client->context’ is too long-lived to use for allocating short-term
data.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Return NTSTATUS and auditing information from samba_kdc_update_pac() to be logged

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Flip sense of condition

A negative condition incurs more cognitive load.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Unify common code paths

Perhaps view with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Use samba_kdc_obtain_user_info_dc() for !client_pac_is_trusted case

This will help to reduce code duplication and the number of branching
code paths.

View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Move adding compounded authentication SID out of samba_kdc_obtain_user_info_dc()

We may not always want this SID to be present. For example, to enforce
authentication policies as Windows does, we’ll want the client’s
security token without this SID.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Have samba_kdc_update_pac_blob() do less

Previously this function obtained the auth_user_info_dc structure, then
used it to update the PAC blob. Now it does only one thing: fetch the
auth_user_info_dc info and return it to the caller, who can then call
samba_get_logon_info_pac_blob().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>