pyglue: Fix typo

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Note correct constant

KRB5_PADATA_PW_SALT is wrong. It’s an unrelated constant that just
happens to share the same value.

Heimdal uses the correct constant, kERB_ERR_TYPE_EXTENDED.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

gp: sshd policy correctly sort policy

The sshd_config man page says that key value
pairs 'the first obtained value will be used'.
So we need to sort policies from last to first.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 19 01:23:19 UTC 2023 on atb-devel-224

tests: Replace iconv(1) UTF-16LE conversion with a python3 call

GNU libiconv and its iconv(1) do NOT define 'utf16le' as
an alias of 'UTF-16LE' encoding.

Signed-off-by: SATOH Fumiyasu <fumiyas@osstech.co.jp>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

selftest: Report "unknown environment" if setup returns "UNKNOWN"

Samba*::setup_*() may return the string "UNKNOWN".

```
$ ./configure --with-ads ...
...
$ make
...
$ make test
...
Can't use string ("UNKNOWN") as a HASH ref while "strict refs" in use at /.../samba-4.18.2/selftest/target/Samba.pm line 131.
```

Signed-off-by: SATOH Fumiyasu <fumiyas@osstech.co.jp>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

build:waf: Check value of GNU_TLS_* with detected env

Signed-off-by: SATOH Fumiyasu <fumiyas@osstech.co.jp>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

build:wafsamba: Allow lib for CHECK_VALUEOF()

Signed-off-by: SATOH Fumiyasu <fumiyas@osstech.co.jp>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

s4:kdc: Check lifetime of correct ticket

The ticket returned by kdc_request_get_ticket() is the main TGT
presented in a TGS-REQ. If we’re verifying a FAST armor ticket or a
user-to-user ticket, make sure we check the lifetime of that ticket
instead. To do this we need to pass the appropriate ticket into the
plugin function.

NOTE: This commit finally works again!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 18 05:49:31 UTC 2023 on atb-devel-224

third_party/heimdal: Import lorikeet-heimdal-202305172147 (commit dedb12e3db6e3e5b87869e77f1f1d2ee1f0d32a0)

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add tests presenting short-lived ticket in various scenarios

With the Heimdal KDC, we erroneously accept short-lived FAST and
user-to-user tickets.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Rename modify_requester_sid_time() to modify_lifetime()

...now that the requester SID parameter is optional.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Change ‘sid’ parameter into optional ‘requester_sid’ parameter

This is so callers can modify the lifetime of a ticket without
necessarily changing the requester SID.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Use consistent time between get_KerberosTime() calls

Otherwise get_KerberosTime() calls time.time() itself, the value of
which can change between calls.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Move modify_requester_sid_time() to RawKerberosTest

We shall make use of it in KdcTgsTests.

Also move add_requester_sid(), which this function depends upon.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Remove manual addition of error data

This is now handled by the hdb_samba4_set_ntstatus() call above.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add NTSTATUS e-data to KDC reply

If an NTSTATUS code has been set in the KDC request structure, encode it
as KERB-ERROR-DATA and add it to the KDC reply.

hdb_samba4_set_ntstatus() adds the NTSTATUS code to the request
structure.

hdb_samba4_get_ntstatus() gets that status code back from the request
structure.

hdb_samba4_set_edata_from_ntstatus() encodes the status code and adds it
to the reply.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

third_party/heimdal: Import lorikeet-heimdal-202305170245 (commit 9c903d03c31ec96af79e2723e3ae41890dd83122)

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add function to attach an NTSTATUS code to a Kerberos request structure

Our KDC plugin can use this to store NTSTATUS codes that can be added to
the final KDC reply later.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Use more suitable type for final_ret

This now matches the return type of the function.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Set expected_status even if expect_status is not true

We might get an NTSTATUS code even if we aren’t explicitly saying that
we expect one.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Be less particular about getting NTSTATUS codes for KDC TGS tests

Samba currently doesn’t return a status code in these error cases.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Be less particular about expected status codes for S4U tests

Samba doesn’t return a status code for these error cases, so lower our
expectations of getting them.

We don’t have to add ‘'expect_status': None’ to all these test cases,
but this makes it clear at a glance that ‘expected_status’ isn’t
actually being checked, and gives us the opportunity to change this
aspect of each individual test in the future.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Use talloc_get_type_abort()

We dereference this pointer immediately after this call, so we should be
sure it is not NULL.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add support for constructed claims (for authentication silos)

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 18 01:58:24 UTC 2023 on atb-devel-224

s4:kdc: Make use of dsdb_search_one()

Ensure we get exactly one object back, or an error.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Don’t perform unnecessary search to get account objectClass

We now have this information in the ldb_message.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Have get_claims_for_principal() take the entire principal

The ldb_message contains more information than just the DN, such as
which authentication policy or silo is assigned.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Enforce TGT lifetime authentication policy

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Look up authentication policies for Kerberos clients and servers

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Make maximum lifetime and renew time signed

This is now consistent with Heimdal, and with our usage of time_t
elsewhere.

NOTE: This commit finally works again!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add SDB_F_ARMOR_PRINCIPAL flag

This corresponds with the HDB_F_ARMOR_PRINCIPAL flag in Heimdal, and
indicates a lookup of an armor ticket client principal, rather than the
principal of the main TGT. This helps us to determine whether an
authentication policy will apply to a principal acting as a client, and
hence whether we have to look up the policy in the database.

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

third_party/heimdal: Import lorikeet-heimdal-202305160500 (commit 8836d64dee78a74aa740e31b7ad406b8a8cfdad0)

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add helper functions for authentication policies

These functions are not yet used.

They are arranged into two libraries: ‘authn_policy’, containing the
core functions, and ‘authn_policy_util’, containing utility functions
that can access the database. This separation is so that libraries
depended upon by ‘samdb’ or ‘dsdb-module’ can use the core functions
without introducing a dependency cycle.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Make a proper shallow copy of the auth_user_info_dc structure

Just copying the structure fields is prone to lead to use-after-frees if
we access them after the original structure and its fields are freed.

Instead, call authsam_shallow_copy_user_info_dc() to make the copy. This
properly references the fields in the original structure so that they
will not be freed until we are sure we have finished with them.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:auth: Add function to make a shallow copy of an auth_user_info_dc structure

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add NTSTATUS strings to log messages

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:audit_logging: Fix typo in log message

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:audit_logging: Add function to add a formatted time value to a JSON message

json_add_timestamp() is limited to adding a ‘timestamp’ field with the
current time. The new function can add an arbitrary timestamp with an
arbitrary field name.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:audit_logging: Add function to add an optional boolean value to a JSON message

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:audit_logging: Add function to add flags to a JSON message

This replaces a couple of calls to snprintf() in
log_authentication_event_json() and log_successful_authz_event_json()
respectively.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:auth: Remove superfluous semicolon

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:auth: Fix leak

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth: Fix leaks

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth: Correct parameter order in header

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Fix diagnostic messages

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Fix error messages

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Check ldb_dn_new() return value

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Remove double-free

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Remove double-free

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Fix leaks

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Make use of auth_generate_security_token()

We don’t need the whole session info structure to perform an access
check.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:auth: Fix typos

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:auth: Split out new function to generate a security token

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth: Remove unnecessary return statements

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:utils: Fix typo

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Fix debugging strings

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Fix typos

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Factor out PAC blob functions into new source file

pac-glue.c has become rather large, and can do without these PAC
blob–handling functions.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add missing includes and declarations

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

libcli: Add missing include

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Include missing headers

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Make use of KDC_REQUEST_KV_PA_NAME constant

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add tests for authentication policies

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Allow specifying whether PA-DATA types are to be checked

Not all tests are intended to test that the correct PA-DATA types are
returned. This parameter allows us to skip checking for cases where we
don’t care.

View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Allow server and workstation accounts to perform a SamLogon

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Allow specifying machine credentials to _test_samlogon()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Rename ‘server’ to ‘dc_server’

This makes it more clear that this is in fact the DC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netlogon:schannel: Fix NULL pointer dereference

We should not pass a NULL pointer into netlogon_creds_client_init().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Test that NT_STATUS_ACCOUNT_LOCKED_OUT is returned in KDC reply e-data

Certain clients rely on this behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Improve edata checking

Instead of guessing based on a heuristic whether we have KERB_ERROR_DATA
or METHOD_DATA in the ‘e-data’ field, decode it first as KERB_ERROR_DATA
and fall back to METHOD_DATA if that fails.

The environment variable EXPECT_NT_STATUS indicates that the KDC
supports returning a status code in the e-data field.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Remove unused import

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool domain: Clean up code

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool domain: Remove unused variables

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

librpc/rpc: allow smb3_sid_parse() to accept modern encryption algorithms

We should not limit the possible encryption algorithms to the currently
known ones.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15374

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed May 17 07:34:28 UTC 2023 on atb-devel-224

s4:torture: Replace calls to deprecated function

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 17 00:24:38 UTC 2023 on atb-devel-224

s4:dsdb: Check return value of allocation functions

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb: Fix leaks

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb: Check ldb_binary_encode_string() return value

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:auth: Check ldb_binary_encode_string() return value

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4-auth: Log correct function name

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

netlogon:schannel: Fix typo

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool domain: Run in interactive mode if no args are supplied

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15363

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python: Safely clear structure members

Using Py_CLEAR() ensures that these structures are observed in a
consistent state by any Python code that may run during deconstruction.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python:tests: Remove unused variables

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth: Return status code if configuration prohibits NTLM

Currently, we rely on ‘stored_nt’ being NULL to give an
NT_STATUS_WRONG_PASSWORD error.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4-dsdb:large_ldap: Remove unused variables

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4-dsdb:large_ldap: Remove unused imports

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pytest/password_lockout: Remove unused variables

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pytest/password_lockout: Use correct variable

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pytest/password_lockout: Use more specific assertion methods

These methods produce better error messages if an assertion fails.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pytest/password_lockout: Remove unused imports

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool domain: Remove unnecessary variable

It is conciser to use ‘r’ to refer to update_forest_info.entries[i].

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

samba-tool domain: Use result of setup_local_server() instead of object field

The code is clearer if we consistently refer to the same variables.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb:tests: Refactor security descriptor test

Use more specific unittest methods.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb:tests: Refactor confidential attributes test

Use more specific unittest methods, and remove unused code.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb:tests: Refactor ACL test

Use more specific unittest methods; remove some unused variables.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pyglue: use Py_ssize_t in random data generation functions

Prefer 'Py_ssize_t' over 'int' in random data generation functions
to match both Python and (internally used through the library layer)
GnuTLS APIs, and use PyUnicode_FromStringAndSize() where the data
size is known.

Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org Fixed comments to correctly match the
 new check for just negative numbers]

lib:util: prefer size_t for random data generation functions

Prefer 'size_t' over 'int' in generate_random_buffer(),
generate_secret_buffer() and generate_nonce_buffer() to
match an underlying gnutls_rnd() calls.

Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest: Change ad_dc environment to be 2016 functional level

This is not yet supported in full, but this makes ad_dc match our full set of available features.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

selftest: Allow provision_ad_dc() to take functional_level as an argument

The $$$$$$$ is removed as it does not do what you think it does.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>