vfs_fruit: add fruit:convert_adouble parameter

https://bugzilla.samba.org/show_bug.cgi?id=15378

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri May 26 00:52:29 UTC 2023 on atb-devel-224

vfs_fruit: just log failing AppleDouble conversion

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15378

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

libadouble: allow FILE_SHARE_DELETE in ad_convert_xattr()

Not specifying FILE_SHARE_DELETE wasn't done intentionally. Not setting the flag
triggers the following problem:

* client sends a CREATE with delete access

* this triggers a call to open_streams_for_delete() where we check for
conflicting opens on any of the streams of the file or directory

* if the file (or directory) has a stream like ":com.apple.quarantine" the
stream is opened with DELETE_ACCESS and kept open when the next step might:

* if the file (or directory) has a Mac specific :AFP_AfpInfo stream, the
ad_convert() routine in fruit_create_file() is triggered

* ad_convert() checks if the file (or ...) has a sidecar ._ AppleDouble file, if
it has:

* in ad_convert_xattr() we unpack any set of xattrs encoded in the AppleDouble
file and recreate them as streams with the VFS. Now, if any of these xattrs
happens to be converted to a stream that we still have open in
open_streams_for_delete() (see above) we get a NT_STATUS_SHARING_VIOLATION

This error gets passed up the stack back to open_streams_for_delete() so the
client CREATE request fails and the client is unhappy.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15378

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

vfs_fruit: never return AFP_Resource stream for directories

The macOS client creates ._ AppleDouble files for directories that do contain
an (empty) resource fork AppleDouble entry. So when going from a Samba server
config without streams module (or when migrating data from another server
without streams support), to a Samba config with a streams module and vfs_fruit,
fruit_streaminfo() will wrongly return the AFP_Resource from the AppleDouble
file as stream to the client.

To address this, just never return an AFP_Resource stream for directories when
listing streams in fruit_streaminfo(). ad_convert(), when configured with

  fruit:delete_empty_adfiles = true
  fruit:wipe_intentionally_left_blank_rfork = true

will happily discard the AFP_Resource from the AppleDouble file.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15378

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

vfs_fruit: return ENOENT instead of EISDIR when trying to open AFP_Resource for a directory

Translates to NT_STATUS_OBJECT_NAME_NOT_FOUND which is the same error macOS
returns in this case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15378

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

CI: add a test for fruit AppleDouble conversion when deletion triggers conversion

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15378

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

smbd: also reset struct stat_ex.cached_dos_attributes in SET_STAT_INVALID()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15375

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed May 24 21:42:50 UTC 2023 on atb-devel-224

smbd: zero intialize SMB_STRUCT_STAT in vfswrap_readdir()

Avoid returning an uninitialized st.cached_dos_attributes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15375

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

CI: add a test that checks the dosmode of symlinks

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15375

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

librpc/idl: Alias the DS_ constants in netlogon.idl to the NBT_SERVER equivilants

Both the NBT_SERVER versions (in python scripts) and DS_ constants are
in use in freeIPA so we can not just drop one for the other without
discussion.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 24 01:52:28 UTC 2023 on atb-devel-224

librpc/idl: Use nbt_server_type instead of netr_DsR_DcFlags netlogon.idl

We should not keep two idential bitfield tables in two nearby IDL files.

However a number of python files in Samba and in freeIPA use the nbt.NBT_SERVER_*
constants, so these are the better names to keep.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

librpc/idl: Merge missing bits into nbt_server_type in nbt.idl

These bits are defined in netr_DsR_DcFlags in netlogon.idl already.

We need these new bits to announce FL 2012R2 and 2016 support.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

s4-dsdb:large_ldap: Call setUpClass() method of base class

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pytest: dcerpc/dnsserver: Call setUpClass() method of base class

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pytest: dcerpc/dnsserver: Remove unused import

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pyldb: Fix leak

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/auth_log: Simplify isRemote()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/auth_log: Rename ‘self’ parameter to ‘cls’

This method operates on the class, not on an instance of the class.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/auth_log: Call setUpClass() method of base class

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/auth_log: Don’t silently override remoteAddress

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/auth_log_winbind: Expect an empty remote address

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/audit_log: Pre-compile GUID regex

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Move parameter comments adjacent to parameters

This is more consistent with the non-NULL parameters, and makes it
easier to swap in the real values when we get them.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

audit_tests: Check return value of json_new_array()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s3:utils: Check return value of json_new_object()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:audit_logging:tests: Check return value of json_new_{object,array}()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:audit_logging: Check return value of json_new_object()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Use talloc_steal() rather than talloc_reference()

This is consistent with the other uses in this file (in
authn_policy_ntlm_client() and authn_policy_server()).

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Make parameters const

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Make functions static

These functions are used only internally.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:auth: Allocate user_info_dc->sids on correct talloc context

‘user_info_dc->sids’ must live for at least as long as ‘user_info_dc’,
or a use-after-free may result.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Allocate user_info_dc->sids on correct talloc context

‘user_info_dc->sids’ must live for at least as long as ‘user_info_dc’,
or a use-after-free may result.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest: Report better error message if environment is unknown

Now we get the error “environment [...] is unknown” rather than “samba
can't start up known environment”.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4/messaging/py: Fix typo

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4/messaging/py: Fix leaks

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4/messaging/py: Fix leak of p_server_id

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4/messaging/py: Check py_return_ndr_struct() return value

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4/messaging/py: Fix callback return value leak

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4/messaging/py: Fix leak

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4/messaging/py: Fix leaks

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4/messaging: Return the number of previously-registered functions that are removed

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4/messaging/py: Fix typo

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4/messaging/py: Add more helpful error message for a wrongly-sized tuple

>>> m = Messaging((1,2,3,4,5))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
TypeError: function takes exactly 1 argument (5 given)

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4/messaging/py: Document lp_ctx parameter of messaging.Messaging()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4/messaging/py: Remove incorrect function names in messaging.Messaging()

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pyglue: Raise an exception on error

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pyglue: Check generate_random_str() return value

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

pyglue: Fix typo

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Note correct constant

KRB5_PADATA_PW_SALT is wrong. It’s an unrelated constant that just
happens to share the same value.

Heimdal uses the correct constant, kERB_ERR_TYPE_EXTENDED.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

gp: sshd policy correctly sort policy

The sshd_config man page says that key value
pairs 'the first obtained value will be used'.
So we need to sort policies from last to first.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 19 01:23:19 UTC 2023 on atb-devel-224

tests: Replace iconv(1) UTF-16LE conversion with a python3 call

GNU libiconv and its iconv(1) do NOT define 'utf16le' as
an alias of 'UTF-16LE' encoding.

Signed-off-by: SATOH Fumiyasu <fumiyas@osstech.co.jp>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

selftest: Report "unknown environment" if setup returns "UNKNOWN"

Samba*::setup_*() may return the string "UNKNOWN".

```
$ ./configure --with-ads ...
...
$ make
...
$ make test
...
Can't use string ("UNKNOWN") as a HASH ref while "strict refs" in use at /.../samba-4.18.2/selftest/target/Samba.pm line 131.
```

Signed-off-by: SATOH Fumiyasu <fumiyas@osstech.co.jp>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

build:waf: Check value of GNU_TLS_* with detected env

Signed-off-by: SATOH Fumiyasu <fumiyas@osstech.co.jp>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

build:wafsamba: Allow lib for CHECK_VALUEOF()

Signed-off-by: SATOH Fumiyasu <fumiyas@osstech.co.jp>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

s4:kdc: Check lifetime of correct ticket

The ticket returned by kdc_request_get_ticket() is the main TGT
presented in a TGS-REQ. If we’re verifying a FAST armor ticket or a
user-to-user ticket, make sure we check the lifetime of that ticket
instead. To do this we need to pass the appropriate ticket into the
plugin function.

NOTE: This commit finally works again!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 18 05:49:31 UTC 2023 on atb-devel-224

third_party/heimdal: Import lorikeet-heimdal-202305172147 (commit dedb12e3db6e3e5b87869e77f1f1d2ee1f0d32a0)

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Add tests presenting short-lived ticket in various scenarios

With the Heimdal KDC, we erroneously accept short-lived FAST and
user-to-user tickets.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Rename modify_requester_sid_time() to modify_lifetime()

...now that the requester SID parameter is optional.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Change ‘sid’ parameter into optional ‘requester_sid’ parameter

This is so callers can modify the lifetime of a ticket without
necessarily changing the requester SID.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Use consistent time between get_KerberosTime() calls

Otherwise get_KerberosTime() calls time.time() itself, the value of
which can change between calls.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Move modify_requester_sid_time() to RawKerberosTest

We shall make use of it in KdcTgsTests.

Also move add_requester_sid(), which this function depends upon.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Remove manual addition of error data

This is now handled by the hdb_samba4_set_ntstatus() call above.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add NTSTATUS e-data to KDC reply

If an NTSTATUS code has been set in the KDC request structure, encode it
as KERB-ERROR-DATA and add it to the KDC reply.

hdb_samba4_set_ntstatus() adds the NTSTATUS code to the request
structure.

hdb_samba4_get_ntstatus() gets that status code back from the request
structure.

hdb_samba4_set_edata_from_ntstatus() encodes the status code and adds it
to the reply.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

third_party/heimdal: Import lorikeet-heimdal-202305170245 (commit 9c903d03c31ec96af79e2723e3ae41890dd83122)

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add function to attach an NTSTATUS code to a Kerberos request structure

Our KDC plugin can use this to store NTSTATUS codes that can be added to
the final KDC reply later.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Use more suitable type for final_ret

This now matches the return type of the function.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Set expected_status even if expect_status is not true

We might get an NTSTATUS code even if we aren’t explicitly saying that
we expect one.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Be less particular about getting NTSTATUS codes for KDC TGS tests

Samba currently doesn’t return a status code in these error cases.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tests/krb5: Be less particular about expected status codes for S4U tests

Samba doesn’t return a status code for these error cases, so lower our
expectations of getting them.

We don’t have to add ‘'expect_status': None’ to all these test cases,
but this makes it clear at a glance that ‘expected_status’ isn’t
actually being checked, and gives us the opportunity to change this
aspect of each individual test in the future.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Use talloc_get_type_abort()

We dereference this pointer immediately after this call, so we should be
sure it is not NULL.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add support for constructed claims (for authentication silos)

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 18 01:58:24 UTC 2023 on atb-devel-224

s4:kdc: Make use of dsdb_search_one()

Ensure we get exactly one object back, or an error.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Don’t perform unnecessary search to get account objectClass

We now have this information in the ldb_message.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Have get_claims_for_principal() take the entire principal

The ldb_message contains more information than just the DN, such as
which authentication policy or silo is assigned.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Enforce TGT lifetime authentication policy

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Look up authentication policies for Kerberos clients and servers

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Make maximum lifetime and renew time signed

This is now consistent with Heimdal, and with our usage of time_t
elsewhere.

NOTE: This commit finally works again!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add SDB_F_ARMOR_PRINCIPAL flag

This corresponds with the HDB_F_ARMOR_PRINCIPAL flag in Heimdal, and
indicates a lookup of an armor ticket client principal, rather than the
principal of the main TGT. This helps us to determine whether an
authentication policy will apply to a principal acting as a client, and
hence whether we have to look up the policy in the database.

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

third_party/heimdal: Import lorikeet-heimdal-202305160500 (commit 8836d64dee78a74aa740e31b7ad406b8a8cfdad0)

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add helper functions for authentication policies

These functions are not yet used.

They are arranged into two libraries: ‘authn_policy’, containing the
core functions, and ‘authn_policy_util’, containing utility functions
that can access the database. This separation is so that libraries
depended upon by ‘samdb’ or ‘dsdb-module’ can use the core functions
without introducing a dependency cycle.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Make a proper shallow copy of the auth_user_info_dc structure

Just copying the structure fields is prone to lead to use-after-frees if
we access them after the original structure and its fields are freed.

Instead, call authsam_shallow_copy_user_info_dc() to make the copy. This
properly references the fields in the original structure so that they
will not be freed until we are sure we have finished with them.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:auth: Add function to make a shallow copy of an auth_user_info_dc structure

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Add NTSTATUS strings to log messages

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:audit_logging: Fix typo in log message

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:audit_logging: Add function to add a formatted time value to a JSON message

json_add_timestamp() is limited to adding a ‘timestamp’ field with the
current time. The new function can add an arbitrary timestamp with an
arbitrary field name.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:audit_logging: Add function to add an optional boolean value to a JSON message

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib:audit_logging: Add function to add flags to a JSON message

This replaces a couple of calls to snprintf() in
log_authentication_event_json() and log_successful_authz_event_json()
respectively.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:auth: Remove superfluous semicolon

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:auth: Fix leak

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth: Fix leaks

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth: Correct parameter order in header

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Fix diagnostic messages

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Fix error messages

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Check ldb_dn_new() return value

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Remove double-free

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Remove double-free

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Fix leaks

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:kdc: Make use of auth_generate_security_token()

We don’t need the whole session info structure to perform an access
check.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:auth: Fix typos

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:auth: Split out new function to generate a security token

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>