samba.git
Stefan Metzmacher [Fri, 11 Feb 2022 20:04:44 +0000 (21:04 +0100)]
s4:kdc: rename free_sdb_key() as public sdb_key_free() function

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 11 Feb 2022 19:58:03 +0000 (20:58 +0100)]
s4:kdc: make free_sdb_entry() static

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 11 Feb 2022 19:55:25 +0000 (20:55 +0100)]
s4:kdc: let samba_kdc_entry_destructor() call sdb_free_entry()

It's basically the same as free_sdb_entry(), but the next
step will make free_sdb_entry() private.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 11 Feb 2022 20:13:24 +0000 (21:13 +0100)]
s4:kdc: don't leak salt in free_sdb_key()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 11 Feb 2022 19:56:17 +0000 (20:56 +0100)]
s4:kdc: call krb5_free_keyblock_contents() in free_sdb_key()

This is much clearer than doing it in sdb_free_entry() already.
It also simplifies the next cleanups.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 22 Mar 2022 12:59:58 +0000 (13:59 +0100)]
s4:kdc: remove unused sdb_entry_ex->free_entry()

It seems we need to take a closer look at the
memory hierarchy of the sdb_entry related code.

I'll check that during the next commits,
but for now just remove the unused hook.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 01:14:46 +0000 (02:14 +0100)]
s4:libnet: ask for SDB_F_ADMIN_DATA in order to create a keytab entry

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 21 Feb 2022 22:39:14 +0000 (23:39 +0100)]
s4:libnet: sdb_free_entry() already clears everything

There's no need to know about '.free_entry'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 22 Mar 2022 12:31:31 +0000 (13:31 +0100)]
s4:kdc: let sdb_free_entry clear sdb_entry_ex at the end

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 17 Feb 2022 09:59:45 +0000 (10:59 +0100)]
s4:kdc: let sdb_entry_ex_to_krb5_db_entry() initialize 'k' at the beginning

This is clearer and makes further changes easier.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 17 Feb 2022 09:59:45 +0000 (10:59 +0100)]
s4:kdc: let sdb_entry_to_hdb_entry() initialize *h at the beginning

This is clearer and makes further changes easier.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 11 Feb 2022 20:04:57 +0000 (21:04 +0100)]
s4:kdc: remove unused mkvno from sdb_key

This is not related to the kvno of the key,
the mkvno tells the HDB layer that the keys need to
be decrypted with a master key (with the given [m]kvno).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 16 Feb 2022 13:11:10 +0000 (14:11 +0100)]
s4:kdc: strictly have 2 16-bit parts in krbtgt kvnos

Even if the msDS-KeyVersionNumber of the main krbtgt
account is larger than 65535, we need to have
the 16 upper bits all zero in order to avoid
mixing the keys with an RODC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14951

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
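To make the "two 16-bit parts" layout concrete, here is an added Python model of the kvno packing the commit above describes. It is an illustration written for this page, not Samba's code: the layout (RODC id in the upper 16 bits, msDS-KeyVersionNumber truncated to the lower 16 bits, upper half forced to zero for the main krbtgt account) follows the commit message, while the function names, the constructed inputs and the 65537 example are this example's own.

```python
"""Model of krbtgt key version numbers packed into two 16-bit halves.

Added illustration, not Samba's own code.  Assumed here: the upper half of
a 32-bit kvno identifies the RODC krbtgt_<id> account (zero for the main
krbtgt account) and the lower half is msDS-KeyVersionNumber modulo 2^16.
"""

KVNO_MASK = 0xFFFF


def krbtgt_kvno(msds_key_version_number, rodc_id=0):
    """Return the 32-bit kvno for a krbtgt key.

    rodc_id == 0 means the main (writable DC) krbtgt account.  Its kvno is
    msDS-KeyVersionNumber truncated to 16 bits, so the upper half stays zero
    even once the attribute has grown past 65535.  For an RODC's krbtgt_<id>
    account the upper half carries the RODC id.
    """
    if not 0 <= rodc_id <= KVNO_MASK:
        raise ValueError("rodc_id must fit in 16 bits")
    return (rodc_id << 16) | (msds_key_version_number & KVNO_MASK)


def split_kvno(kvno):
    """Split a kvno taken from a ticket into (rodc_id, key_version)."""
    return (kvno >> 16) & KVNO_MASK, kvno & KVNO_MASK


def key_owner(kvno):
    """Name of the account whose keys a ticket with this kvno refers to."""
    rodc_id, _ = split_kvno(kvno)
    return "krbtgt" if rodc_id == 0 else "krbtgt_%d" % rodc_id


if __name__ == "__main__":
    # Constructed inputs: a main krbtgt whose msDS-KeyVersionNumber has
    # reached 65537 (0x10001), and an RODC with id 4521.
    print(hex(krbtgt_kvno(65537)))              # 0x1: upper half forced to zero
    print(key_owner(65537))                     # what an unmasked 65537 would look like
    print(key_owner(krbtgt_kvno(3, rodc_id=4521)))
```

The last two prints show the bug the commit closes: an unmasked msDS-KeyVersionNumber of 65537 has bit 16 set, so a ticket carrying it would be read as belonging to an RODC with id 1, and the main DC's key would be looked up (or refused) under the wrong account.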
Volker Lendecke [Sat, 12 Mar 2022 11:47:03 +0000 (12:47 +0100)]
smbd: Make an if-statement in ReadDirName() a bit more readable

Align to make the () structure more obvious

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar 23 17:53:09 UTC 2022 on sn-devel-184

Volker Lendecke [Sat, 12 Mar 2022 11:40:29 +0000 (12:40 +0100)]
smbclient: strequal() -> ISDOT/ISDOTDOT

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 12 Mar 2022 11:47:54 +0000 (12:47 +0100)]
smbd: Use ISDOT/ISDOTDOT in ReadDirName()

With those macros, we check n[0] twice now, but I think the compiler
should either optimize that out or if it can't this will be in the CPU
cache, so the second check should be practically free. I can't imagine
this makes any difference other than the better readability.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 13 Mar 2022 14:22:50 +0000 (15:22 +0100)]
smbd: Fix a misleading comment

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 13 Mar 2022 14:58:03 +0000 (15:58 +0100)]
smbd: Avoid an "else"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 21 Mar 2022 08:13:09 +0000 (09:13 +0100)]
lib: Use talloc_zero, save a ZERO_STRUCT

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 21 Mar 2022 08:12:44 +0000 (09:12 +0100)]
lib: Add a pair of {}

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 21 Mar 2022 08:12:02 +0000 (09:12 +0100)]
lib: Slightly simplify add_interface()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 9 Mar 2022 11:58:40 +0000 (12:58 +0100)]
smbd: Make non_widelink_open() robust for non-cwd dirfsp

If you pass in dirfsp!=conn->cwd_fsp and a stream fsp, we don't chdir
to the parent pathname, and thus we also don't overwrite
fsp->base_fsp.

fsp->base_fsp!=NULL is thus the wrong condition to restore the
original base fsp name: If we open a stream with a non-cwd_fsp dirfsp,
we would overwrite fsp->base_fsp->fsp_name with NULL.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Tue, 15 Feb 2022 14:09:08 +0000 (15:09 +0100)]
replace: add explicit function pointer casting from dlsym() to avoid warnings

This avoids a lot of warnings on AIX.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Mar 23 13:27:45 UTC 2022 on sn-devel-184

Andrew Bartlett [Tue, 22 Mar 2022 03:12:00 +0000 (16:12 +1300)]
lib/replace: Do not typedef int bool

We need a genuine boolean type, as otherwise expressions like

bool foo = (4 & 4);
if (foo == true) {
	exit(1);
} else {
	exit(2);
}

could evaluate differently on non-modern platforms, and
that would be a real pain to debug.

_Bool and bool are in C99

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15028

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Mar 23 12:31:47 UTC 2022 on sn-devel-184

Andreas Schneider [Fri, 18 Mar 2022 15:31:54 +0000 (16:31 +0100)]
gitlab-ci: Drop Debian 10

It should be enough to build on the latest Debian version. We have older
Ubuntu versions already.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Fri, 18 Mar 2022 15:29:43 +0000 (16:29 +0100)]
gitlab-ci: Update to openSUSE 15.3

This drops openSUSE 15.1 and 15.2 to save some CI resources.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Fri, 18 Mar 2022 15:24:01 +0000 (16:24 +0100)]
gitlab-ci: Drop Fedora 34

It should be enough to run on the latest Fedora version. This should save us
some CI minutes. We have CentOS runners and I would prefer to add CentOS9
Stream.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Fri, 18 Mar 2022 15:22:39 +0000 (16:22 +0100)]
gitlab-ci: Use Ubuntu 20.04 for Coverity

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Fri, 18 Mar 2022 15:33:00 +0000 (16:33 +0100)]
gitlab-ci: Remove unused variable for ubuntu1604

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Jeremy Allison [Mon, 21 Mar 2022 20:50:56 +0000 (13:50 -0700)]
s3: smbd: Don't allow setting the delete on close bit on a directory if it contains non-visible files and "delete veto files = no".

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15023

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 22 17:48:25 UTC 2022 on sn-devel-184

Jeremy Allison [Mon, 21 Mar 2022 20:45:25 +0000 (13:45 -0700)]
s3: torture: Add 2 new tests SMB2-DEL-ON-CLOSE-NONWRITE-DELETE-NO, SMB2-DEL-ON-CLOSE-NONWRITE-DELETE-YES.

We currently allow setting the delete on close bit for
a directory containing only explicitly hidden/vetoed files
in the case where "delete veto files = yes" *and*
"delete veto files = no". For the "delete veto files = no"
case we should be denying setting the delete on close bit
when the client tries to set it (that's the only time Windows
looks at the bit and returns an error to the user). We
already do this in the dangling symlink case, we just
missed it in the !is_visible_fsp() case.

Mark SMB2-DEL-ON-CLOSE-NONWRITE-DELETE-NO as knownfail
for now.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15023

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
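The two smbd commits above describe a decision rule rather than show it, so here is an added Python model of it (not Samba's code). It assumes an smb.conf-style "veto files" value split on '/' and matched with fnmatch, a constructed directory listing, and that smbd answers a refused delete-on-close request with NT_STATUS_DIRECTORY_NOT_EMPTY; it models vetoed files only, whereas smbd's !is_visible_fsp() check also covers "hide files" patterns.

```python
"""Model of when smbd may accept the delete-on-close bit on a directory.

Added illustration for this page, not Samba's code.  Assumptions: 'veto
files' patterns are '/'-separated shell globs, the listing is a plain list
of names, and the status strings are what smbd would return.
"""
import fnmatch


def veto_patterns(veto_files):
    """Split an smb.conf 'veto files' value such as '/*.bak/Thumbs.db/'."""
    return [p for p in veto_files.split("/") if p]


def is_vetoed(name, patterns):
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def can_set_delete_on_close(entries, veto_files, delete_veto_files):
    """Decide whether a client may set delete-on-close on a directory.

    entries is the directory listing (may include '.' and '..').
    Returns (allowed, status).

    - any visible, i.e. non-vetoed, entry: deny, the directory is not empty
    - only vetoed entries and "delete veto files = yes": allow, smbd will
      remove them when the last handle is closed
    - only vetoed entries and "delete veto files = no": deny now, instead
      of accepting the bit and failing the delete at close time, which is
      the case the fix above adds
    """
    patterns = veto_patterns(veto_files)
    names = [e for e in entries if e not in (".", "..")]
    visible = [n for n in names if not is_vetoed(n, patterns)]
    if visible:
        return False, "NT_STATUS_DIRECTORY_NOT_EMPTY"
    if names and not delete_veto_files:
        return False, "NT_STATUS_DIRECTORY_NOT_EMPTY"
    return True, "NT_STATUS_OK"


if __name__ == "__main__":
    # Constructed listing: only a vetoed file remains in the directory.
    listing = [".", "..", "old.bak"]
    for setting in (True, False):
        print("delete veto files = %s:" % ("yes" if setting else "no"),
              can_set_delete_on_close(listing, "/*.bak/", setting))
```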
Andrew Bartlett [Thu, 17 Mar 2022 05:47:48 +0000 (18:47 +1300)]
WHATSNEW: Mention our matrix room as well

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Jule Anger <janger@samba.org>
Autobuild-Date(master): Mon Mar 21 13:52:06 UTC 2022 on sn-devel-184

Thomas Debesse [Tue, 15 Feb 2022 13:11:45 +0000 (14:11 +0100)]
WHATSNEW: IRC is irc.libera.chat according to https://samba.org/samba/irc.html

Signed-off-by: Thomas Debesse <dev@illwieckz.net>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 3 Mar 2022 01:54:00 +0000 (14:54 +1300)]
s4:rpc_server/samr: Use extended DN when searching for user

Switch to dsdb_search() for looking up the user for changing the
password, and specify that we want extended DNs. Using the SID or GUID
avoids a race condition if the DN of the user changes.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 18 12:45:17 UTC 2022 on sn-devel-184

Joseph Sutton [Thu, 10 Feb 2022 04:14:56 +0000 (17:14 +1300)]
samba-tool group: Add --special parameter to add predefined special group

This allows default security groups that have been added since Windows
Server 2008 R2, such as Protected Users, to be created in pre-existing
domains. An error message is generated if a group already exists with
the same name, DN, or SID.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Thu, 3 Mar 2022 07:59:48 +0000 (20:59 +1300)]
functionalprep.sh: Add test for samba-tool add group --special

Test that we can add the special Protected Users group, and that we get
an appropriate error message when attempting to add it a second time.

We add these tests here so that we can make use of an old provision that
does not already have the Protected Users group added.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Wed, 2 Feb 2022 02:47:05 +0000 (15:47 +1300)]
tests/sam: Ensure that Protected Users group cannot be deleted

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Thu, 3 Feb 2022 02:17:40 +0000 (15:17 +1300)]
s4:rpc_server/samr: Simplify lp_ctx expression

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 1 Feb 2022 08:08:44 +0000 (21:08 +1300)]
s4:auth: Disable NTLM authentication for Protected Users

We also move the authentication to after checking whether the user is
protected, so that if a user in the Protected Users group tries to
authenticate with a wrong password, the bad password count is not
incremented and the account is not locked out. This does not match
MS-APDS, but matches the behaviour of Windows.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Wed, 2 Feb 2022 04:08:41 +0000 (17:08 +1300)]
s4:kdc: Add KDC support for Protected Users group

Accounts in the Protected Users group acting as clients lack support for
the RC4 encryption type. TGTs issued to such accounts have a lifetime
restricted to four hours, and are unable to be proxied or forwarded.

To determine at lookup time whether a client account is a member of
Protected Users, we now also create an auth_user_info_dc structure when
creating the database entry for an AS-REQ, rather than only when
creating a PAC for a TGT, or when recreating the PAC from an RODC-issued
TGT.

This means that the user's groups are now expanded even for AS-REQs that
result in an error (such as a PREAUTH_REQUIRED error), but this is
required to be able to correctly determine the account's available
encryption types, which are needed soon after fetching the user account.

Currently, the TGT lifetime may exceed four hours (for Heimdal
specifically). This may happen if PKINIT is used, and either the
pkinit_max_life_from_cert_extension option is TRUE and
pkinit_max_life_bound is greater than four hours, or
pkinit_max_life_from_cert is greater than four hours.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
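The two Protected Users commits above (the s4:auth one disabling NTLM without counting bad passwords, and this s4:kdc one restricting the TGT) describe a policy that is easier to see in code, so here is an added Python model of both (not Samba's code). Assumed here: a constructed Account stand-in for the SAM entry, the standard Kerberos enctype numbers, the four-hour cap as a constant, and NT_STATUS_ACCOUNT_RESTRICTION as the status for a refused NTLM logon; the PKINIT exception to the four-hour limit noted in the commit is not modelled.

```python
"""Model of the Protected Users restrictions: no RC4, four-hour TGT, not
forwardable/proxiable, and NTLM refused before the password is examined.

Added illustration for this page, not Samba's code.  Account, the status
strings and the helper names are this example's assumptions.
"""
from dataclasses import dataclass, field

# Standard Kerberos encryption type numbers (RFC 3961, RFC 4757).
AES256_CTS_HMAC_SHA1_96 = 18
AES128_CTS_HMAC_SHA1_96 = 17
ARCFOUR_HMAC_MD5 = 23          # "RC4" in the commit message

PROTECTED_USERS_GROUP = "Protected Users"
PROTECTED_USERS_MAX_TGT_LIFE = 4 * 60 * 60   # four hours, in seconds


@dataclass
class Account:
    """Constructed stand-in for the SAM entry, not Samba's structure."""
    name: str
    password: str
    groups: set = field(default_factory=set)
    bad_password_count: int = 0


def is_protected_user(account):
    # Samba expands the account's groups (the user_info_dc of the commit
    # above) to answer this; here membership is a constructed set.
    return PROTECTED_USERS_GROUP in account.groups


def tgt_policy(account, requested_enctypes, requested_life, forwardable, proxiable):
    """Decide what an AS-REQ for this client may be granted.

    Returns (enctypes, lifetime_seconds, forwardable, proxiable).  For a
    Protected User, RC4 is dropped from the usable enctypes, the lifetime
    is capped at four hours and the ticket is neither forwardable nor
    proxiable.  Other accounts get what they asked for.
    """
    if not is_protected_user(account):
        return list(requested_enctypes), requested_life, forwardable, proxiable
    enctypes = [e for e in requested_enctypes if e != ARCFOUR_HMAC_MD5]
    if not enctypes:
        # Only RC4 was offered: there is no key this client may use.
        raise ValueError("KDC_ERR_ETYPE_NOSUPP")
    lifetime = min(requested_life, PROTECTED_USERS_MAX_TGT_LIFE)
    return enctypes, lifetime, False, False


def ntlm_authenticate(account, password):
    """NTLM password check in the order the s4:auth commit describes.

    The Protected Users check runs first, so a wrong password for a
    protected account is never counted and cannot lock the account out.
    """
    if is_protected_user(account):
        return "NT_STATUS_ACCOUNT_RESTRICTION"
    if password != account.password:
        account.bad_password_count += 1
        return "NT_STATUS_WRONG_PASSWORD"
    return "NT_STATUS_OK"


if __name__ == "__main__":
    # Constructed accounts: alice is protected, bob is not.
    alice = Account("alice", "s3cret", {PROTECTED_USERS_GROUP})
    bob = Account("bob", "hunter2")
    print(tgt_policy(alice, [18, 17, 23], 10 * 3600, True, True))
    print(tgt_policy(bob, [18, 17, 23], 10 * 3600, True, True))
    print(ntlm_authenticate(alice, "wrong"), alice.bad_password_count)
    print(ntlm_authenticate(bob, "wrong"), bob.bad_password_count)
```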
Joseph Sutton [Thu, 17 Mar 2022 22:13:40 +0000 (11:13 +1300)]
s4:kdc: Add function to get user_info_dc from database

The resulting user_info_dc is kept in the 'samba_kdc_entry' structure,
so it can be reused between calls.

This allows us to simplify samba_kdc_get_pac_blobs(), as it no longer
needs to return a user_info_dc structure.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 8 Feb 2022 15:49:35 +0000 (16:49 +0100)]
s4:kdc: simplify samba_kdc_message2entry by using data_blob_string_const("computer")

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Joseph Sutton [Wed, 2 Feb 2022 22:11:56 +0000 (11:11 +1300)]
dsdb/common: Add helper function for determining if account is in Protected Users group

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 1 Feb 2022 08:04:40 +0000 (21:04 +1300)]
s4:provision_users.ldif: Add Protected Users group

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Wed, 9 Feb 2022 00:57:47 +0000 (13:57 +1300)]
tests/passwords: Test that LDAP password changes work for Protected Users

We want to disable SAMR password changes for Protected Users, but need
to ensure that other methods of changing the password still work.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Wed, 9 Feb 2022 00:50:10 +0000 (13:50 +1300)]
tests/password_lockout: Test NTLM and SAMR password changes with Protected Users

Test that NTLM and SAMR password changes cannot be used for Protected
Users, and that lockouts are not triggered for attempting to use them.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 1 Feb 2022 08:00:16 +0000 (21:00 +1300)]
tests/krb5: Add tests for the Protected Users group

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Wed, 23 Feb 2022 07:57:44 +0000 (20:57 +1300)]
auth/credentials: Add encrypt_samr_password()

This method encrypts a samr_Password structure with the current session
key, which allows for interactive SamLogon from Python.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Fri, 11 Feb 2022 03:30:13 +0000 (16:30 +1300)]
selftest/dbcheck: Fix up msDS-RevealedUsers links with deleted target DN

Replicating test accounts to the RODC and then deleting them caused
stale msDS-RevealedUsers links to remain in the database.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Mon, 7 Feb 2022 23:15:36 +0000 (12:15 +1300)]
tests/krb5: Add helper function to modify ticket flags

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 1 Feb 2022 07:59:15 +0000 (20:59 +1300)]
tests/krb5: Remove unused import

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 1 Feb 2022 07:57:22 +0000 (20:57 +1300)]
tests/krb5: Add account to cleanup list before adding it to database

This ensures accounts are still cleaned up if a test fails before adding
it to the cleanup list.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 1 Feb 2022 07:55:56 +0000 (20:55 +1300)]
tests/krb5: Add more encryption type constants

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 1 Feb 2022 07:54:39 +0000 (20:54 +1300)]
tests/krb5: Remove accounts in reverse order of addition

This prevents problems if accounts are added as children of other
accounts.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 1 Feb 2022 07:52:16 +0000 (20:52 +1300)]
s4:kdc: Fix copy-paste typo

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Mon, 7 Mar 2022 04:07:48 +0000 (17:07 +1300)]
tests/krb5: Simplify logic

This code can be made part of the previous 'else' branch.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Fri Mar 18 00:11:25 UTC 2022 on sn-devel-184

Joseph Sutton [Mon, 7 Mar 2022 04:01:40 +0000 (17:01 +1300)]
tests/krb5: Improve mock RODC creation

Use a unique name for the mock RODC. Don't assign to _rodc_ctx until the
RODC has been created, so we don't try to use a mock RODC that failed to
create.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Fri, 4 Mar 2022 03:57:27 +0000 (16:57 +1300)]
selftest: Simplify krb5 test environments

It's not necessary to repeat the required environment variables for
every test.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Mon, 14 Mar 2022 21:20:59 +0000 (10:20 +1300)]
python: Restore SDDL abbreviations for SIDs

This time we use the correct values.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Mon, 14 Mar 2022 05:18:39 +0000 (18:18 +1300)]
sddl: Remove SDDL SID strings unsupported by Windows

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Mon, 14 Mar 2022 05:18:09 +0000 (18:18 +1300)]
sddl: Add new SDDL SID strings

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Mon, 14 Mar 2022 05:14:15 +0000 (18:14 +1300)]
sddl: Fix incorrect SDDL SID strings

Change the values to match those used by Windows.

Verified with PowerShell commands of the form:
New-Object Security.Principal.SecurityIdentifier ER

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Mon, 14 Mar 2022 06:40:45 +0000 (19:40 +1300)]
s4:rpc_server/lsa: Use explicit SID instead of SDDL abbreviation

This is to prepare for the SDDL string being removed.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Mon, 14 Mar 2022 06:40:16 +0000 (19:40 +1300)]
python: Use explicit SIDs instead of SDDL abbreviations

This is to prepare for changing the SDDL string values.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Tue, 15 Mar 2022 06:24:38 +0000 (19:24 +1300)]
python:tests: Add tests for SDDL SID strings

We get the server to decode the SDDL by putting the SID strings in the
defaultSecurityDescriptor of a new class and making an object of that
class. We then check that the resulting SID is what we expect.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Mon, 28 Feb 2022 00:24:31 +0000 (13:24 +1300)]
torture: Allow Samba as an AD DC to use zeros for LM key

This is simple, explainable and secure.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 17 02:47:13 UTC 2022 on sn-devel-184

Andrew Bartlett [Mon, 28 Feb 2022 00:19:58 +0000 (13:19 +1300)]
torture: Do not expect LM passwords to be accepted except by samba3

This allows Samba as an AD DC (compared with the fileserver/NT4-like DC mode) to match
Windows and refuse all LM passwords, no matter what.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Sun, 27 Feb 2022 21:07:35 +0000 (10:07 +1300)]
torture: Update rpc.samlogon to match Win19 and newer Samba behaviour for LM key

Not all cases are covered, but this much covers the areas that Samba and Win19
will agree on.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Thu, 17 Feb 2022 23:55:57 +0000 (12:55 +1300)]
selftest: Remove auth_log test for RAP password change

RAP is SMB1, the password change routine requires LM hashes and so everything
here is going away or has now gone, so remove the test.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Thu, 17 Feb 2022 04:50:43 +0000 (17:50 +1300)]
ntlm_auth: Adapt --diagnostics mode to expect that the DC does not support LANMAN by default

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Wed, 16 Feb 2022 21:48:54 +0000 (10:48 +1300)]
s3-ntlm_auth: Convert table of tests in --diagnostics to designated initialisers

This makes it easier to set some as "LM auth".

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Wed, 16 Feb 2022 18:35:54 +0000 (07:35 +1300)]
dsdb: Remove LM hash parameter from samdb_set_password() and callers

This fixes the rpc.samr test because we no longer specify an LM hash
to the DSDB layer only to have it rejected by password_hash.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Wed, 16 Feb 2022 04:24:19 +0000 (17:24 +1300)]
selftest: Allow RPC-SAMR to cope with OemChangePasswordUser2 being un-implemented

This is important to allow, after other changes, for the Samba AD DC to again
pass rpc.samr after the removal of LM hash support from the DC.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Tue, 15 Feb 2022 23:56:41 +0000 (12:56 +1300)]
selftest: Cope with LM hash not being stored in the tombstone_reanimation test

The removal of LM hash storage changes the expected metadata.

We do not need to track these values exactly to prove the
behaviour here.

This is not due to the changes in password_hash directly, which in
update_final_msg() sets DSDB_FLAG_INTERNAL_FORCE_META_DATA to force
a push out of the removed attribute to the replication state.

However at the stage of a subsequent LDAP Delete there is no longer
a lmPwdHistory nor dBCSPwd attribute, in the directory, so there is
no subsequent version bump to remove them when building a tombstone.

Samba's behaviour is different to that seen by Metze on Windows 2022,
where he sees dBCSPwd removed (for the no LM store case) but
lmPwdHistory kept.  We in Samba choose to differ, not storing an
ambiguous LM history (of "" values likely), so allowing any version
for these two attributes is the sensible choice.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Thu, 10 Feb 2022 05:58:52 +0000 (18:58 +1300)]
dsdb: Remove parsing of LM password hash from "dBCSPwd" attribute

This means Samba will essentially ignore this attribute, not even attempting
to read it from the AD DC sam.ldb.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Thu, 10 Feb 2022 05:40:31 +0000 (18:40 +1300)]
s4-rpc_server: Do not use LM hash in password changes

We now only change passwords based on the NT hash.

This means we no longer support samr_OemChangePasswordUser2()
and we do not check the LM verifier in samr_ChangePasswordUser3()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Thu, 10 Feb 2022 05:19:50 +0000 (18:19 +1300)]
s4-auth: Do not supply the LM hash to the AD DC authentication code

This still passes in the value in the LM field for checking
in case it is an NT response or LMv2.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago s4-auth: Disable LM authentication in the AD DC despite "lanman auth = yes"
Andrew Bartlett [Thu, 10 Feb 2022 05:15:58 +0000 (18:15 +1300)]
s4-auth: Disable LM authentication in the AD DC despite "lanman auth = yes"

LM authentication is very weak and a very bad idea, so has been deprecated since
Samba 4.11.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago s4/dsdb: Remove LM password generation and storage from password_hash
Andrew Bartlett [Thu, 10 Feb 2022 04:40:29 +0000 (17:40 +1300)]
s4/dsdb: Remove LM password generation and storage from password_hash

We no longer generate nor store the LM hash in the Samba AD DC.

This adds much to the knownfail; some future commits will trim this
back down by making the tests understand that the server will not
support or store the LM hash.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago s4-rpc_server: Remove pre-check for existing NT and LM hash from netlogon
Andrew Bartlett [Mon, 14 Mar 2022 03:06:36 +0000 (16:06 +1300)]
s4-rpc_server: Remove pre-check for existing NT and LM hash from netlogon

We no longer use the old NT and LM hash as proof of performing a
password change, and this removes the privileged status of these
attributes.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago kdc: Remove pre-check for existing NT and LM hash from kpasswd
Andrew Bartlett [Thu, 10 Feb 2022 01:11:03 +0000 (14:11 +1300)]
kdc: Remove pre-check for existing NT and LM hash from kpasswd

We no longer use the old NT and LM hash as proof of performing a
password change, and this removes the privileged status of these
attributes.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago dsdb: Return dsdb_password_change control name to DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW...
Andrew Bartlett [Wed, 9 Feb 2022 03:53:08 +0000 (16:53 +1300)]
dsdb: Return dsdb_password_change control name to DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID

This makes it clearer that the purpose of this control is to indicate that the password
was already checked (by an out-of-band mechanism, eg kpasswd) and so can safely be changed
subject to ACLs etc.

This essentially reverts bbb9dc806e4399c65dee9b5dc2cde0bfaa9609bd

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago dsdb: No longer supply exact password hashes in a control to indicate password changes
Andrew Bartlett [Wed, 9 Feb 2022 03:33:23 +0000 (16:33 +1300)]
dsdb: No longer supply exact password hashes in a control to indicate password changes

This returns the API for password changes via (eg) kpasswd to the
previous design as at 7eebcebbab8f62935bd1d5460e58b0a8f2cc30e8
where a control but no particular values were specified.

This avoids the issues that were attempted to be addressed between
7eebcebbab8f62935bd1d5460e58b0a8f2cc30e8 and 786c41b0954b541518d1096019e1ce7ca11e5e98
by still keeping the ACL check from 23bd3a74176be4a1f8d6d70b148ababee397cf8c.

The purpose of this change is to move away from the NT hash (unicodePwd) being
the primary password in Samba, to allow installations to operate without this
unsalted hash.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago selftest: run s4member tests less
Andrew Bartlett [Fri, 11 Feb 2022 22:26:37 +0000 (11:26 +1300)]
selftest: run s4member tests less

The s4member test environment is a historical artifact, provisioned like an
AD DC using sam.ldb and joined using the historical S4 join code.

Once running, however, it is nothing particularly special in winbindd, so
there is no need to run the tests against ad_member and s4member.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago selftest: Remove duplicate run of rpc.lsa tests against ad_dc as "samba3"
Andrew Bartlett [Sat, 12 Feb 2022 01:09:34 +0000 (14:09 +1300)]
selftest: Remove duplicate run of rpc.lsa tests against ad_dc as "samba3"

Running these tests twice is a waste (sorry, that was my choice when
merging s3 and s4 to just run all the tests against the AD DC) and
more importantly means that tests are run in "samba3" mode against
the AD DC, making it difficult to change the tests to expect a different
behaviour against the AD DC compared to the NT4 DC.

To assure that we have not lost tests, I ran:
grep command st/subunit | grep ad_dc| cut -f 2 -d\" | cut -f 2- -d. | sort | uniq -c

The two blocks (for rpc.lsa and rpc.lsa.*) are because the rpc.lsa.*
subtests were not previously run under ncacn_ip_tcp: and this is the
minimal change.

The output is:
--- /tmp/3 2022-02-12 14:01:50.435761067 +1300
+++ /tmp/now 2022-02-12 14:01:37.427595351 +1300
@@ -13,9 +13,8 @@
       2 rpc.lsa-getuser on ncalrpc with validate.
       2 rpc.lsa-getuser with bigendian.
       2 rpc.lsa-getuser with seal,padcheck.
       2 rpc.lsa-getuser with validate.
-      2 rpc.lsa.lookupnames.
       2 rpc.lsa.lookupnames with .
       2 rpc.lsa.lookupnames with bigendian.
       2 rpc.lsa.lookupnames with validate.
       2 rpc.lsalookup on ncacn_ip_tcp with bigendian.
@@ -26,9 +25,8 @@
       2 rpc.lsalookup on ncacn_np with validate.
       2 rpc.lsalookup on ncalrpc with bigendian.
       2 rpc.lsalookup on ncalrpc with seal,padcheck.
       2 rpc.lsalookup on ncalrpc with validate.
-      2 rpc.lsa.lookupsids.
       2 rpc.lsa.lookupsids with .
       2 rpc.lsa.lookupsids with bigendian.
       2 rpc.lsa.lookupsids with validate.
       2 rpc.lsalookup with bigendian.
@@ -42,15 +40,11 @@
       2 rpc.lsa on ncacn_np with validate.
       2 rpc.lsa on ncalrpc with bigendian.
       2 rpc.lsa on ncalrpc with seal,padcheck.
       2 rpc.lsa on ncalrpc with validate.
-      2 rpc.lsa over ncacn_ip_tcp .
-      2 rpc.lsa over ncacn_np .
-      2 rpc.lsa.privileges.
       2 rpc.lsa.privileges with .
       2 rpc.lsa.privileges with bigendian.
       2 rpc.lsa.privileges with validate.
-      2 rpc.lsa.secrets.
       2 rpc.lsa.secrets on ncacn_np with with -k no --option=clientusespnego=no.
       2 rpc.lsa.secrets on ncacn_np with with -k no --option=clientusespnego=no --option=clientntlmv2auth=yes.
       2 rpc.lsa.secrets on ncacn_np with with -k no --option=clientusespnego=yes.
       2 rpc.lsa.secrets on ncacn_np with with -k no --option=clientusespnego=yes --option=clientntlmv2auth=yes.
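Review bot: the removed lines "2 rpc.lsa over ncacn_ip_tcp ." and "2 rpc.lsa over ncacn_np ." are the only entries in this hunk that name a transport for the bare rpc.lsa suite; the surviving context still shows rpc.lsa on ncacn_np (for example "2 rpc.lsa on ncacn_np with validate."), but no rpc.lsa run on ncacn_ip_tcp is visible here. The message would be clearer with a closing sentence stating which remaining run covers rpc.lsa over ncacn_ip_tcp, as the sibling rpc.samr commit does with its "still being run at least once" line.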

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago selftest: Remove duplicate run of rpc.samr tests against ad_dc as "samba3"
Andrew Bartlett [Fri, 11 Feb 2022 08:05:38 +0000 (21:05 +1300)]
selftest: Remove duplicate run of rpc.samr tests against ad_dc as "samba3"

Running these tests twice is a waste (sorry, that was my choice when
merging s3 and s4 to just run all the tests against the AD DC) and
more importantly means that tests are run in "samba3" mode against
the AD DC, making it difficult to change the tests to expect a different
behaviour against the AD DC compared to the NT4 DC.

To assure that we have not lost tests, I ran:
grep command st/subunit | grep ad_dc| cut -f 2 -d\" | cut -f 2- -d. | sort | uniq -c

The output is:
--- /tmp/2 2022-02-11 21:00:54.033610748 +1300
+++ /tmp/now 2022-02-11 21:01:13.849823721 +1300
@@ -1,32 +1,21 @@
-      2 rpc.samr.
-      2 rpc.samr.handletype.
       2 rpc.samr.handletype with .
       2 rpc.samr.handletype with bigendian.
       2 rpc.samr.handletype with validate.
-      2 rpc.samr.large-dc.
       2 rpc.samr.large-dc on ncacn_np with .
-      2 rpc.samr.machine.auth.
       2 rpc.samr.machine.auth with .
       2 rpc.samr.machine.auth with bigendian.
       2 rpc.samr.machine.auth with validate.
       2 rpc.samr on ncacn_np with .
-      2 rpc.samr.passwords.
-      2 rpc.samr.passwords.badpwdcount.
       2 rpc.samr.passwords.badpwdcount on ncacn_np with .
       2 rpc.samr.passwords.lockout on ncacn_np with .
       2 rpc.samr.passwords on ncacn_np with .
-      2 rpc.samr.passwords.pwdlastset.
       2 rpc.samr.passwords.pwdlastset on ncacn_np with .
       2 rpc.samr.passwords.validate on ncacn_ip_tcp with bigendian.
       2 rpc.samr.passwords.validate on ncacn_ip_tcp with seal,padcheck.
       2 rpc.samr.passwords.validate on ncacn_ip_tcp with validate.
-      2 rpc.samr.passwords.validate over ncacn_ip_tcp .
-      2 rpc.samr.priv.
       2 rpc.samr.priv with .
       2 rpc.samr.priv with bigendian.
       2 rpc.samr.priv with validate.
-      2 rpc.samr.users.
       2 rpc.samr.users on ncacn_np with .
-      2 rpc.samr.users.privileges.
       2 rpc.samr.users.privileges on ncacn_np with .
       4 tests.dcerpc.samr_change_password.

It is clear that the tests are all still being run at least once against the AD DC.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago selftest: Allow samba.tests.ntlm_auth to fail rather than error checking --diagnostics
Andrew Bartlett [Sat, 12 Feb 2022 01:52:44 +0000 (14:52 +1300)]
selftest: Allow samba.tests.ntlm_auth to fail rather than error checking --diagnostics

This allows a knownfail entry to be written for this test.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago selftest: Use more torture_assert_goto() et al in rpc.samlogon test
Andrew Bartlett [Tue, 15 Feb 2022 07:21:00 +0000 (20:21 +1300)]
selftest: Use more torture_assert_goto() et al in rpc.samlogon test

This testsuite can otherwise fail with an error, which cannot be covered with
a knownfail.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years ago wafsamba: Fix call to sorted()
Joseph Sutton [Tue, 15 Feb 2022 07:05:55 +0000 (20:05 +1300)]
wafsamba: Fix call to sorted()

In Python 3, sorted() does not take a 'cmp' parameter, so we need to use
the 'key' parameter instead.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 17 01:36:59 UTC 2022 on sn-devel-184

2 years ago s4-smbtorture: Fix typo in assertion message
Joseph Sutton [Mon, 14 Feb 2022 20:25:38 +0000 (09:25 +1300)]
s4-smbtorture: Fix typo in assertion message

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago python/ntacls.py: Fix ACE type comparison
Joseph Sutton [Fri, 4 Mar 2022 03:11:42 +0000 (16:11 +1300)]
python/ntacls.py: Fix ACE type comparison

SEC_ACE_TYPE_ values are not flags, so this comparison does not behave
as intended. Modify the check to more closely match the one in
gp_create_gpt_security_descriptor().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago s4:policy: Fix ACE type comparison
Joseph Sutton [Wed, 2 Mar 2022 04:14:42 +0000 (17:14 +1300)]
s4:policy: Fix ACE type comparison

SEC_ACE_TYPE_ values are not flags, so this comparison does not behave
as intended. Modify the check to more closely match the comment.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago dsdb audit tests: Use assert_in_range() for comparing timestamps
Joseph Sutton [Wed, 16 Mar 2022 22:20:45 +0000 (11:20 +1300)]
dsdb audit tests: Use assert_in_range() for comparing timestamps

This can make the code clearer. assert_in_range() takes only integer
parameters, but POSIX allows us to assume that time_t is an integer.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago dsdb audit tests: Fix flapping test
Joseph Sutton [Tue, 28 Sep 2021 07:42:36 +0000 (20:42 +1300)]
dsdb audit tests: Fix flapping test

Use gettimeofday() to obtain the current time for comparison, to be
consistent with audit_logging.c. On Linux, time() may occasionally
return a smaller value than gettimeofday(), despite being called later.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago samba-tool: Fix typo
Joseph Sutton [Thu, 18 Mar 2021 06:22:52 +0000 (19:22 +1300)]
samba-tool: Fix typo

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years ago s4:kdc: Use samba_kdc_update_pac() in Heimdal DB plugin
Andreas Schneider [Mon, 7 Mar 2022 09:41:41 +0000 (10:41 +0100)]
s4:kdc: Use samba_kdc_update_pac() in Heimdal DB plugin

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2 years ago s4:kdc: Remove trailing whitespace in wdc-samba4.c
Andreas Schneider [Mon, 7 Mar 2022 12:15:08 +0000 (13:15 +0100)]
s4:kdc: Remove trailing whitespace in wdc-samba4.c

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2 years ago s4:kdc: Remove ks_is_tgs_principal()
Andreas Schneider [Tue, 15 Mar 2022 06:33:57 +0000 (07:33 +0100)]
s4:kdc: Remove ks_is_tgs_principal()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2 years ago s4:kdc: Use samba_kdc_update_pac() in mit_samba_update_pac()
Andreas Schneider [Tue, 8 Mar 2022 06:34:16 +0000 (07:34 +0100)]
s4:kdc: Use samba_kdc_update_pac() in mit_samba_update_pac()

This is for MIT Kerberos >= 1.20.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2 years ago s4:kdc: Use samba_kdc_update_pac() in mit_samba_reget_pac()
Andreas Schneider [Thu, 10 Mar 2022 16:20:46 +0000 (17:20 +0100)]
s4:kdc: Use samba_kdc_update_pac() in mit_samba_reget_pac()

This is for MIT Kerberos <= 1.19.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>