sfrench/samba-autobuild/.git
Andreas Schneider [Thu, 23 Jul 2015 11:48:50 +0000 (13:48 +0200)]
wscript: Build the KDC code if we have the AD DC build enabled

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 30 Jul 2015 15:29:51 +0000 (17:29 +0200)]
mit_samba: Setup logging to stdout

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 20 May 2015 15:19:35 +0000 (17:19 +0200)]
mit_samba: Add function for handling bad password count

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 6 Aug 2014 13:41:05 +0000 (15:41 +0200)]
mit_samba: Add functions to generate random password and salt.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 30 Jul 2015 12:46:48 +0000 (14:46 +0200)]
mit_samba: Add function to change the password

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 30 Jul 2015 13:26:50 +0000 (15:26 +0200)]
mit_samba: Add ks_is_tgs_principal()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Günther Deschner [Mon, 12 May 2014 19:35:45 +0000 (21:35 +0200)]
mit_samba: Use talloc_zero in mit_samba_context_init().

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 30 Jul 2015 12:36:55 +0000 (14:36 +0200)]
mit_samba: Directly pass the principal and kflags

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 12 May 2014 08:50:33 +0000 (10:50 +0200)]
mit_samba: Make mit_samba a shim layer between Samba and KDB

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Günther Deschner [Mon, 12 May 2014 12:33:14 +0000 (14:33 +0200)]
mit_samba: Use sdb in the mit_samba plugin

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Günther Deschner [Fri, 9 May 2014 11:45:19 +0000 (13:45 +0200)]
s4-kdc: Introduce a simple sdb_kdb shim layer

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Günther Deschner [Fri, 9 May 2014 11:44:05 +0000 (13:44 +0200)]
wscript: detect if we have libkdb5 and kdb.h.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 3 Feb 2015 12:00:34 +0000 (13:00 +0100)]
krb5-wrap: Use the principal returned by the KDC to create the ccache

We request a TGT in uppercase from the KDC. We turned on
canonicalization for that so the KDC returns the principal in lowercase
because of this. As we use the uppercase principal to create the ccache we
fail to find the tickets we need later because it is stored in the
incorrect case. You have to use the principal returned by the KDC here.

Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Michael Adam [Wed, 16 Mar 2016 22:57:33 +0000 (23:57 +0100)]
smbd: fix use after free via conn->fsp_fi_cache

Some instrumentation of the durable reconnect
code uncovered a problem in the fsp_new, fsp_free pair:

vfs_default_durable_reconnect():
  fsp_new() ==> this does DLIST_ADD(fsp->conn->sconn->files, fsp)
  if (fsp->oplock_type == LEASE_OPLOCK) {
    find_fsp_lease(fsp, &key, l) ==> this fills conn->fsp_fi_cache
    if (client guids not equal) {
      fsp_free(fsp) ==> this does DLIST_REMOVE(fsp->conn->sconn->files, fsp)
    }
  }

so after this code we have the fsp_fi_cache still pointing to the
free'd memory. The next call to find_fsp_lease will use the cache
and hence access the freed memory.

The fix consists in invalidating the cache in fsp_free() instead
of just in its wrapper file_free().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11799

Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 17 04:31:10 CET 2016 on sn-devel-144

Michael Adam [Mon, 14 Mar 2016 16:07:34 +0000 (17:07 +0100)]
idmap_hash: only allow the hash module for default idmap config.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786

This module only makes sense as the default idmap config
("idmap config * : backend = hash" ...)

Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Michael Adam [Mon, 14 Mar 2016 16:06:34 +0000 (17:06 +0100)]
idmap_hash: rename be_init() --> idmap_hash_initialize()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786

Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Günther Deschner [Thu, 10 Mar 2016 11:21:52 +0000 (12:21 +0100)]
s3:winbindd:idmap: check loadparm in domain_has_idmap_config() helper as well.

Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786

Pair-Programmed-With: Michael Adam <obnox@samba.org>

Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Günther Deschner [Thu, 10 Mar 2016 09:39:15 +0000 (10:39 +0100)]
s3:winbindd:idmap_hash: skip domains that already have their own idmap configuration.

Check if the domain from the list is not already configured to use another idmap
backend. Not checking this makes the idmap_hash module map IDs for *all* domains
implicitly. This is quite dangerous in multi-idmap-config setups.

Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786

Pair-Programmed-With: Michael Adam <obnox@samba.org>

Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Michael Adam [Thu, 10 Mar 2016 09:38:29 +0000 (10:38 +0100)]
s3:winbindd:idmap: add domain_has_idmap_config() helper function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786

Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Wed, 16 Mar 2016 18:20:02 +0000 (20:20 +0200)]
build: fix build when --without-quota specified

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11798

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Sun, 13 Mar 2016 06:18:47 +0000 (08:18 +0200)]
smbd: remove quota support for some ancient OSs

Remove quota support for SunOS4 and VxFS on Solaris 2

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Robin Hack [Mon, 14 Mar 2016 13:37:10 +0000 (14:37 +0100)]
samba3.blackbox.smbclient_auth.plain: Add new regression test case.

Test case covers commit:
96a49d23a4caebefcea66cfb855fadbae12ccf7c

Test case covers segfault of smbclient binary when
client NTLMv2 auth = yes
client use spnego = no
client max protocol = NT1
options are used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11793
RH BUG: http://bugzilla.redhat.com/show_bug.cgi?id=1271763

How to test:
$ make -j test TESTS="samba3.blackbox.smbclient_auth.plain"
RESULT: Should PASS
$ git revert 96a49d23a4caebefcea66cfb855fadbae12ccf7c
$ make -j test TESTS="samba3.blackbox.smbclient_auth.plain"
RESULT: Should FAIL
(and you can see segfault in dmesg)

Signed-off-by: Robin Hack <rhack@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Mar 16 18:29:10 CET 2016 on sn-devel-144

Stefan Metzmacher [Tue, 15 Mar 2016 16:02:03 +0000 (17:02 +0100)]
ldb-samba:wscript: python_samba__ldb depends on pyauth

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11789

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Mar 16 01:34:29 CET 2016 on sn-devel-144

Stefan Metzmacher [Tue, 15 Mar 2016 15:59:51 +0000 (16:59 +0100)]
s3:wscript: pylibsmb depends on pycredentials

The need for pytalloc-util was based on the fact that
pycredentials depends on pytalloc-util.

As pylibsmb only used pycredentials and not pytalloc-util directly,
we should depend on pycredentials.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11789

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Michael Adam [Tue, 26 Jan 2016 07:16:51 +0000 (08:16 +0100)]
smbd: enable multi-channel if 'server multi channel support = yes' in the config

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Tue Mar 15 20:58:19 CET 2016 on sn-devel-144

Günther Deschner [Wed, 20 Jan 2016 16:44:45 +0000 (17:44 +0100)]
param: add parameter "server multi channel support", defaults to off.

Guenther

Pair-Programmed-With: Michael Adam <obnox@samba.org>

Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Jeremy Allison [Sat, 12 Mar 2016 00:07:20 +0000 (16:07 -0800)]
s3: vfs: vfs_xattr_tdb - cleanup. Remove unneeded variable "path".

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Tue Mar 15 11:45:19 CET 2016 on sn-devel-144

Jeremy Allison [Fri, 11 Mar 2016 23:50:57 +0000 (15:50 -0800)]
s3:vfs: Change get_acl_blob() to take a const smb_filename * parameter from const char *.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Jeremy Allison [Fri, 11 Mar 2016 23:38:28 +0000 (15:38 -0800)]
s3:smbd: Change refuse_symlink() to take a const smb_filename * parameter from const char *.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Jeremy Allison [Fri, 11 Mar 2016 23:34:58 +0000 (15:34 -0800)]
s3:smbd: Change get_ea_names_from_file() to take a const smb_filename * parameter from const char *.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Jeremy Allison [Fri, 11 Mar 2016 23:30:00 +0000 (15:30 -0800)]
s3:smbd: Change get_ea_list_from_file_path() to take a const smb_filename * parameter from const char *.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Jeremy Allison [Fri, 11 Mar 2016 23:25:54 +0000 (15:25 -0800)]
s3: smbd: Change canonicalize_ea_name() to take a const smb_filename * parameter from const char *.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Jeremy Allison [Fri, 11 Mar 2016 23:23:23 +0000 (15:23 -0800)]
s3: smbd: Reformatting - remove unneeded const char *fname variable.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Jeremy Allison [Fri, 11 Mar 2016 23:11:20 +0000 (15:11 -0800)]
s3:vfs: vfs_streams_xattr.c: Change walk_xattr_streams() to const struct smb_filename * from const char *.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Jeremy Allison [Fri, 11 Mar 2016 23:08:26 +0000 (15:08 -0800)]
s3:vfs: vfs_streams_xattr.c - Remove duplicate code. This is exactly vfs_stat_smb_basename().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Jeremy Allison [Sat, 12 Mar 2016 00:01:31 +0000 (16:01 -0800)]
s3: vfs: vfs_solarisacl. refuse_symlink() means we can always use STAT here.

For a posix acl call on a symlink, we've already refused it.
For a Windows acl mapped call on a symlink, we want to follow
it.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Jeremy Allison [Fri, 11 Mar 2016 22:29:20 +0000 (14:29 -0800)]
s3: vfs: vfs_hpuxacl. refuse_symlink() means we can always use STAT here.

For a posix acl call on a symlink, we've already refused it.
For a Windows acl mapped call on a symlink, we want to follow
it.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Garming Sam [Tue, 15 Mar 2016 00:29:54 +0000 (13:29 +1300)]
build: mark explicit dependencies on pytalloc-util

All subsystems that include pytalloc.h need to link against
pytalloc-util.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11789

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Tue Mar 15 07:08:16 CET 2016 on sn-devel-144

Uri Simchoni [Sun, 13 Mar 2016 05:17:23 +0000 (07:17 +0200)]
build: improve comments in tests/oldquotas.c

Add comments to #else and #endif

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 15 02:18:15 CET 2016 on sn-devel-144

Jeremy Allison [Fri, 11 Mar 2016 00:17:32 +0000 (16:17 -0800)]
s3:vfs: Change smbacl4_GetFileOwner() to take const struct smb_filename * from const char *.

Preparing to remove vfs_stat_smb_basename() call.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <rb@sernet.de>
Jeremy Allison [Fri, 11 Mar 2016 00:05:48 +0000 (16:05 -0800)]
s3:smbd:vfs: Change posix_get_nt_acl() from const char * to const struct smb_filename *.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <rb@sernet.de>
Jeremy Allison [Thu, 10 Mar 2016 23:56:51 +0000 (15:56 -0800)]
s3:smbd:vfs: Change smb_get_nt_acl_nfs4() to take a const struct smb_filename *.

Push the struct further down closer to places that use
lp_posix_pathname() functions.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <rb@sernet.de>
Jeremy Allison [Thu, 10 Mar 2016 23:34:58 +0000 (15:34 -0800)]
s3:smbd: Fix build for vfs_aixacl2.c.

Missed conversion of get_nt_acl_fn from const char *
to const struct smb_filename *.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <rb@sernet.de>
Jeremy Allison [Thu, 10 Mar 2016 23:15:34 +0000 (15:15 -0800)]
s3: smbd: Remove the last lp_posix_pathnames() in the rename path.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <rb@sernet.de>
Michael Adam [Thu, 3 Mar 2016 15:57:45 +0000 (16:57 +0100)]
smbd:smb2: remove an unnecessary !! cast.

Casting to bool is done implicitly upon assignment.
Thanks to Ralph for pointing this out!

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Mar 14 23:01:31 CET 2016 on sn-devel-144

Günther Deschner [Fri, 11 Mar 2016 22:15:06 +0000 (23:15 +0100)]
s3:libnet:libnet_join: update msDS-SupportedEncryptionTypes (if required) with machine creds.

Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Mar 14 19:38:48 CET 2016 on sn-devel-144

Günther Deschner [Fri, 11 Mar 2016 15:05:53 +0000 (16:05 +0100)]
s3:libnet:libnet_join: fill in output enctypes and only modify when necessary.

Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Fri, 11 Mar 2016 15:04:52 +0000 (16:04 +0100)]
s3:libnet:libnet_join: define list of desired encryption types only once.

Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Fri, 11 Mar 2016 15:02:27 +0000 (16:02 +0100)]
s3:librpc:idl:libnet_join: add encryption types to libnet_JoinCtx.

Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Thu, 10 Mar 2016 17:03:47 +0000 (18:03 +0100)]
s3:libnet:libnet_join: always try to create machineaccount via LDAP first.

Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Fri, 11 Mar 2016 11:15:14 +0000 (12:15 +0100)]
s3:libads:ldap: fix ads_check_ou_dn to deal with account_ou not being initialized

Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Fri, 11 Mar 2016 11:13:24 +0000 (12:13 +0100)]
s3:libads:ndr: add ADS_AUTH_USER_CREDS to ndr_print_ads_auth_flags()

Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Fri, 4 Mar 2016 16:42:05 +0000 (17:42 +0100)]
s3:libads:ldap: print LDAP error message with log level 10.

Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Wed, 2 Mar 2016 17:07:53 +0000 (18:07 +0100)]
s3:libnet:libnet_join: prepare to allow connecting with machine creds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Fri, 11 Mar 2016 22:14:13 +0000 (23:14 +0100)]
Partly revert "s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add"

This partly reverts commit 0c74d62524db376b6a3fac00c688be0cdffcaa80.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Garming Sam [Sun, 13 Mar 2016 23:02:06 +0000 (12:02 +1300)]
tests: Allow alternative error code for backupkey test

It appears that incorrect decryption triggers a different error code,
causing a test which fails every now and again, as sometimes the invalid
data will parse as a SID, and so pass one of the checks.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Mon Mar 14 03:55:16 CET 2016 on sn-devel-144

Andrew Bartlett [Thu, 10 Mar 2016 00:43:15 +0000 (13:43 +1300)]
dsdb/repl: Ensure we use the LOCAL attid value, not the remote one

The key here is that while this never was an issue for builtin schema,
nor for objects with an msDS-IntID used outside the schema partition,
additional attributes added and used in the schema partition were
incorrectly using the wrong attributeID value in the replPropertyMetaData.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11783

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Mar 13 23:29:14 CET 2016 on sn-devel-144

Stefan Metzmacher [Thu, 10 Mar 2016 11:16:25 +0000 (12:16 +0100)]
s4:torture/lsa: improve debug message

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Thu, 10 Mar 2016 11:17:43 +0000 (12:17 +0100)]
s3:winbindd: don't include two '\0' at the end of the domain list

This avoids a scary "trustdom_list_done: Got invalid trustdom response" message.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Uri Simchoni [Wed, 3 Feb 2016 04:41:42 +0000 (06:41 +0200)]
build: fix disk-free quota support on Solaris 10

Samba has no code to support quota on Solaris 10 (and possibly other
os's such as AIX) using the new quota interface. The new interface
serves both disk size/free space reporting (clamping the underlying
file system numbers with quota), and direct manipulation of the user's
quota.

However, there's legacy code that supports only disk size/free space on
Solaris 10. In the waf build, this code is not compiled because there is
no test for it.

This patch adds a test to see whether the legacy code can be used.

Issue reported and fix tested by Andrew Morgan <morgan@orst.edu>.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11788

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Mar 13 01:37:58 CET 2016 on sn-devel-144

Andrew Bartlett [Fri, 11 Mar 2016 01:27:53 +0000 (14:27 +1300)]
smbd: Only check dev/inode in open_directory, not the full stat()

This is needed because the smb2.create.mkdir-dup test creates a race,
and against an AD DC this can cause a flapping test if the lstat() and
stat() calls are made either side of the chown() due to creation of a
file by administrator.

Fix based on original patches by myself, by Douglas Bagnall
<douglas.bagnall@catalyst.net.nz> and Jeremy Allison <jra@samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11780

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Mar 12 09:43:21 CET 2016 on sn-devel-144

Günther Deschner [Wed, 2 Mar 2016 17:32:53 +0000 (18:32 +0100)]
lib/socket/interfaces: Fix some uninitialized bytes.

Valgrind reports the following:

==26599== Syscall param ioctl(SIOCETHTOOL) points to uninitialised byte(s)
==26599==    at 0x7014707: ioctl (in /usr/lib64/libc-2.22.so)
==26599==    by 0x79D1585: query_iface_speed_from_name (interfaces.c:152)
==26599==    by 0x79D1BBA: _get_interfaces (interfaces.c:277)
==26599==    by 0x79D1E80: get_interfaces (interfaces.c:368)
==26599==    by 0x508A7E3: load_interfaces (interface.c:612)
==26599==    by 0x150B30: main (net.c:963)
==26599==  Address 0xffefff0d8 is on thread 1's stack
==26599==  in frame #1, created by query_iface_speed_from_name
(interfaces.c:130)
==26599==
==26599== Syscall param ioctl(SIOCETHTOOL) points to uninitialised byte(s)
==26599==    at 0x7014707: ioctl (in /usr/lib64/libc-2.22.so)
==26599==    by 0x79D15CC: query_iface_speed_from_name (interfaces.c:164)
==26599==    by 0x79D1BBA: _get_interfaces (interfaces.c:277)
==26599==    by 0x79D1E80: get_interfaces (interfaces.c:368)
==26599==    by 0x508A7E3: load_interfaces (interface.c:612)
==26599==    by 0x150B30: main (net.c:963)
==26599==  Address 0xffefff0d8 is on thread 1's stack
==26599==  in frame #1, created by query_iface_speed_from_name
(interfaces.c:130)

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Fri, 11 Mar 2016 09:49:21 +0000 (10:49 +0100)]
selftest: mark samba4.winbind.struct.domain_info.ad_member as flapping

See https://lists.samba.org/archive/samba-technical/2016-March/112861.html

  found 517 lines matching '^UNEXPECTED' in 641 files matching 'samba.stdout$'
   175 UNEXPECTED(failure): samba4.winbind.struct.domain_info(ad_member:local)
    19 UNEXPECTED(failure): samba4.winbind.struct.domain_info(s3member:local)
    12 UNEXPECTED(failure): samba4.rpc.backupkey with seal.backupkey.server_wrap_encrypt_decrypt_wrong_key(ad_dc_ntvfs)
    12 UNEXPECTED(failure): samba4.drs.delete_object.python(promoted_dc).delete_object.DrsDeleteObjectTestCase.test_ReplicateDeletedObject1(promoted_dc)
    12 UNEXPECTED(failure): samba4.rpc.backupkey with seal.backupkey.server_wrap_decrypt_wrong_r2(ad_dc_ntvfs)
    11 UNEXPECTED(failure): samba4.ldap.notification.python(ad_dc_ntvfs).__main__.LDAPNotificationTest.test_max_search(ad_dc_ntvfs)

We'll see if we also need to add
samba4.winbind.struct.domain_info.s3member
before we're able to identify and fix the problem.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Mar 12 02:14:39 CET 2016 on sn-devel-144

Stefan Metzmacher [Fri, 11 Mar 2016 09:39:13 +0000 (10:39 +0100)]
s4:dsdb/test/sort: avoid 'from collections import Counter'

This is only available in python 2.7 and >= 3.1

This should fix make test with python 2.6.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 11 Mar 2016 09:16:27 +0000 (10:16 +0100)]
s4:dsdb/test/notification: make test_invalid_filter more resilient against ordering races

We saw a lot of flapping tests with:

    [1793(11038)/1892 at 1h55m26s]
    samba4.ldap.notification.python(ad_dc_ntvfs)(ad_dc_ntvfs)
    UNEXPECTED(failure):
    samba4.ldap.notification.python(ad_dc_ntvfs).__main__.LDAPNotificationTest.test_max_search(ad_dc_ntvfs)
    REASON: Exception: Exception: Traceback (most recent call last):
      File
    "/memdisk/autobuild/fl/b1782183/samba/source4/dsdb/tests/python/notification.py",
    line 181, in test_max_search
        self.assertEquals(num, ERR_TIME_LIMIT_EXCEEDED)
    AssertionError: 11 != 3

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8 years agoAdded MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth
Herwin Weststrate [Wed, 9 Dec 2015 17:47:47 +0000 (18:47 +0100)]
Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth

An implementation of https://lists.samba.org/archive/samba/2012-March/166497.html (which was discussed in 2012, but was never implemented).

It has been tested on a Debian Jessie system with this patch added to the Debian package (which is currently 4.1.17). Even though this is Samba 4, the ntlm_auth installed is the one from Samba 3 (yes, it surprised me too). The backend was a machine with Windows 2012R2.

It was first tested with the local security policy 'Network Security: LAN Manager authentication level' setting changed to 'Send NTLMv2 Response Only' (allow ntlm v1). This way we are able to authenticate with and without the MSV1_0_ALLOW_MSVCHAPV2 flag (as expected).

After the basic step has been verified, the local security policy 'Network Security: LAN Manager authentication level' setting was changed to 'Send NTLMv2 Response Only. Refuse LM & NTLM' (only allow ntlm v2). The behaviour now changed according to the MSV1_0_ALLOW_MSVCHAPV2 flag (again: as expected).

  $ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain=
  Logon failure (0xc000006d)
  $ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain= --allow-mschapv2
  NT_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

The changes in `wbclient.h` are intended for programs that use libwinbind directly instead of authenticating via `ntlm_auth`. I intend to use that within FreeRADIUS (see https://bugzilla.samba.org/show_bug.cgi?id=11149).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11694
Signed-off-by: Herwin Weststrate <herwin@quarantainenet.nl>
Reviewed-by: Kai Blin <kai@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8 years agoctdb-client: Increase the timeout for TRANS3_COMMIT control
Amitay Isaacs [Thu, 10 Mar 2016 07:01:31 +0000 (18:01 +1100)]
ctdb-client: Increase the timeout for TRANS3_COMMIT control

On a busy system, TRANS3_COMMIT control can take up to or longer than
3 seconds.  On timeout, there are a few possible outcomes.

1. The transaction has completed on all nodes and TRANS3_COMMIT control
   has returned.  In such a case, there is no problem.

2. The transaction has completed on the local node, but TRANS3_COMMIT
   control is still active.  In such a case, ctdb_transaction_commit()
   can return successfully.  If this is being called from ctdb, then
   ctdb will exit.  This will cause ctdb daemon to trigger recovery
   since the client exited while transaction is active.  This will cause
   unnecessary recovery.

3. Database recovery was started and ctdb_transaction_commit() will
   retry till the recovery completes the transaction.

Increasing the timeout to 30 seconds will avoid the spurious database
recoveries when TRANS3_COMMIT control takes longer to finish.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Mar 11 19:59:53 CET 2016 on sn-devel-144

8 years agosmbd: Prevent a crash
Volker Lendecke [Thu, 10 Mar 2016 07:54:54 +0000 (08:54 +0100)]
smbd: Prevent a crash

smb2srv_session_close_previous_check crashes if
ndr_pull_smbXsrv_session_globalB fails for some reason. It depends on "is_free"
to be correctly set. All we can do for an invalid database is to discard the
record and set it free.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Mar 11 00:12:18 CET 2016 on sn-devel-144

8 years agos3: smbd: Simplify logic inside rename_internals_fsp() part 2
Jeremy Allison [Thu, 10 Mar 2016 00:12:00 +0000 (16:12 -0800)]
s3: smbd: Simplify logic inside rename_internals_fsp() part 2

Removes the use of an extraneous 'struct smb_filename *'
which wasn't being created correctly, only as a place
holder for two char * pointers.

Use split_stream_filename() to create the char * pointers
directly and make it clearer what we're up to here.

The logic here is still complex, but I'm satisfied
it does the correct thing.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
8 years agos3: smbd: Simplify logic inside rename_internals_fsp() part 1.
Jeremy Allison [Thu, 10 Mar 2016 00:01:52 +0000 (16:01 -0800)]
s3: smbd: Simplify logic inside rename_internals_fsp() part 1.

Use standard parent_dirname() function instead of hand-hacking
using strrchr_m(xxx, '/'). Next commit should enable removal
of synthetic_smb_fname_split().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
8 years agos3:lib: Move internal lp_posix_pathnames() call out of utility function synthetic_smb...
Jeremy Allison [Thu, 10 Mar 2016 00:00:47 +0000 (16:00 -0800)]
s3:lib: Move internal lp_posix_pathnames() call out of utility function synthetic_smb_fname_split().

Make it a passed in parameter instead.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
8 years agos3:lib: Remove the const SMB_STRUCT_STAT * parameter from synthetic_smb_fname_split().
Jeremy Allison [Wed, 9 Mar 2016 23:50:02 +0000 (15:50 -0800)]
s3:lib: Remove the const SMB_STRUCT_STAT * parameter from synthetic_smb_fname_split().

Only one caller uses this, and this can be handled externally.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
8 years agos3:lib: Rewrite synthetic_smb_fname_split() to use split_stream_filename().
Jeremy Allison [Wed, 9 Mar 2016 23:45:55 +0000 (15:45 -0800)]
s3:lib: Rewrite synthetic_smb_fname_split() to use split_stream_filename().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
8 years agos3:lib. Add split_stream_filename() Not yet used.
Jeremy Allison [Wed, 9 Mar 2016 22:56:49 +0000 (14:56 -0800)]
s3:lib. Add split_stream_filename() Not yet used.

Will replace internals of synthetic_smb_fname_split().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
8 years agoselftest: add some test cases to net ads join
Uri Simchoni [Wed, 4 Nov 2015 05:32:57 +0000 (07:32 +0200)]
selftest: add some test cases to net ads join

Perform a testjoin between steps to verify join status
Perform most testjoins with machine account because that's
the more common case.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Thu Mar 10 14:41:13 CET 2016 on sn-devel-144

8 years agoselftest: run net ads join test in a private client env
Uri Simchoni [Wed, 4 Nov 2015 05:31:47 +0000 (07:31 +0200)]
selftest: run net ads join test in a private client env

net ads join command changes machine password, thus affecting
the test environment beyond the thing we want to test.

This change runs the test in a private client env, with its
own hostname, newly-generated machine SID, and a separate
secrets.tdb, thus not affecting the running AD member server.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
8 years agos4:rpc_server: dcesrv_generic_session_key should only work on local transports
Stefan Metzmacher [Tue, 10 Nov 2015 09:25:10 +0000 (10:25 +0100)]
s4:rpc_server: dcesrv_generic_session_key should only work on local transports

This matches modern Windows servers.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Mar 10 10:15:21 CET 2016 on sn-devel-144

8 years agos4:rpc_server/samr: hide a possible NO_USER_SESSION_KEY error
Stefan Metzmacher [Fri, 26 Feb 2016 15:41:10 +0000 (16:41 +0100)]
s4:rpc_server/samr: hide a possible NO_USER_SESSION_KEY error

Windows servers don't return the raw NT_STATUS_NO_USER_SESSION_KEY
error, but return WRONG_PASSWORD or even hide the error by using a random
session key, that results in an invalid, unknown, random NTHASH.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8 years agos4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports
Stefan Metzmacher [Tue, 10 Nov 2015 09:25:10 +0000 (10:25 +0100)]
s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8 years agos4:torture:samba3rpc: use an authenticated SMB connection and an anonymous DCERPC...
Stefan Metzmacher [Tue, 15 Dec 2015 21:44:24 +0000 (22:44 +0100)]
s4:torture:samba3rpc: use an authenticated SMB connection and an anonymous DCERPC connection on top

This is the only way to get a reliable transport session key.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8 years agos4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp
Stefan Metzmacher [Fri, 18 Dec 2015 19:18:42 +0000 (20:18 +0100)]
s4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp

It requires a transport session key, which is only reliably available
over SMB.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8 years agos4:torture: the backupkey tests need to use ncacn_np: for LSA calls
Stefan Metzmacher [Mon, 29 Feb 2016 06:47:39 +0000 (07:47 +0100)]
s4:torture: the backupkey tests need to use ncacn_np: for LSA calls

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8 years agos4:torture/rpc: do testjoin only via ncalrpc or ncacn_np
Stefan Metzmacher [Thu, 17 Dec 2015 07:55:03 +0000 (08:55 +0100)]
s4:torture/rpc: do testjoin only via ncalrpc or ncacn_np

ncacn_ip_tcp doesn't have the required session key.
It used to be the well-known "SystemLibraryDTC" constant,
but that's not available in modern systems anymore.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8 years agos3:libsmb: remove unused functions in clispnego.c
Stefan Metzmacher [Wed, 2 Mar 2016 06:27:41 +0000 (07:27 +0100)]
s3:libsmb: remove unused functions in clispnego.c

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8 years agos3:libsmb: remove unused cli_session_setup_kerberos*() functions
Stefan Metzmacher [Wed, 2 Mar 2016 06:27:16 +0000 (07:27 +0100)]
s3:libsmb: remove unused cli_session_setup_kerberos*() functions

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8 years agos3:libsmb: make use of cli_session_setup_gensec*() for Kerberos
Stefan Metzmacher [Wed, 2 Mar 2016 13:58:30 +0000 (14:58 +0100)]
s3:libsmb: make use of cli_session_setup_gensec*() for Kerberos

This prepares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8 years agos3:libsmb: call cli_state_remote_realm() within cli_session_setup_spnego_send()
Stefan Metzmacher [Wed, 2 Mar 2016 13:35:21 +0000 (14:35 +0100)]
s3:libsmb: call cli_state_remote_realm() within cli_session_setup_spnego_send()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8 years agos3:libsmb: provide generic cli_session_setup_gensec_send/recv() pair
Stefan Metzmacher [Tue, 1 Mar 2016 14:47:11 +0000 (15:47 +0100)]
s3:libsmb: provide generic cli_session_setup_gensec_send/recv() pair

It will be possible to use this for more than just NTLMSSP in future.

This prepares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8 years agos3:libsmb: let cli_session_setup_ntlmssp*() use gensec_update_send/recv()
Stefan Metzmacher [Tue, 1 Mar 2016 17:31:50 +0000 (18:31 +0100)]
s3:libsmb: let cli_session_setup_ntlmssp*() use gensec_update_send/recv()

This prepares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8 years agos3:libsmb: unused ntlmssp.c
Stefan Metzmacher [Wed, 9 Dec 2015 10:49:37 +0000 (11:49 +0100)]
s3:libsmb: unused ntlmssp.c

Everything uses the top level ntlmssp code via gensec now.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8 years agos3:libsmb: make use gensec based SPNEGO/NTLMSSP
Stefan Metzmacher [Thu, 26 Nov 2015 13:34:46 +0000 (14:34 +0100)]
s3:libsmb: make use gensec based SPNEGO/NTLMSSP

This prepares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8 years agos3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos
Stefan Metzmacher [Wed, 2 Mar 2016 10:42:51 +0000 (11:42 +0100)]
s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8 years agos3:libads: keep service and hostname separately in ads_service_principal
Stefan Metzmacher [Wed, 2 Mar 2016 10:33:04 +0000 (11:33 +0100)]
s3:libads: keep service and hostname separately in ads_service_principal

Caller will use them instead of the full principal in future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8 years agos3:libads: don't pass given_principal to ads_generate_service_principal() anymore.
Stefan Metzmacher [Wed, 2 Mar 2016 10:31:01 +0000 (11:31 +0100)]
s3:libads: don't pass given_principal to ads_generate_service_principal() anymore.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8 years agos3:libads: provide a generic ads_sasl_spnego_gensec_bind() function
Stefan Metzmacher [Wed, 9 Dec 2015 12:14:05 +0000 (13:14 +0100)]
s3:libads: provide a generic ads_sasl_spnego_gensec_bind() function

It will be possible to use this for more than just NTLMSSP in future.

Similar to https://bugzilla.samba.org/show_bug.cgi?id=10288

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8 years agos3:libads: make use of GENSEC_OID_SPNEGO in ads_sasl_spnego_ntlmssp_bind()
Stefan Metzmacher [Wed, 9 Dec 2015 14:02:29 +0000 (15:02 +0100)]
s3:libads: make use of GENSEC_OID_SPNEGO in ads_sasl_spnego_ntlmssp_bind()

This avoids using the hand made spnego code, that
doesn't support the GENSEC_FEATURE_NEW_SPNEGO protection.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
8 years agos3:libads: make use of GENSEC_FEATURE_LDAP_STYLE
Stefan Metzmacher [Wed, 9 Dec 2015 14:04:02 +0000 (15:04 +0100)]
s3:libads: make use of GENSEC_FEATURE_LDAP_STYLE

This is more generic and will handle the
ntlmssp_[un]wrap() behaviour at the right level.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8 years agos3:libads: add missing TALLOC_FREE(frame) in error path
Stefan Metzmacher [Sat, 5 Mar 2016 01:53:45 +0000 (02:53 +0100)]
s3:libads: add missing TALLOC_FREE(frame) in error path

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
8 years agos4:ldap_server: make use of GENSEC_FEATURE_LDAP_STYLE
Stefan Metzmacher [Wed, 9 Dec 2015 13:51:57 +0000 (14:51 +0100)]
s4:ldap_server: make use of GENSEC_FEATURE_LDAP_STYLE

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
8 years agos4:selftest: simplify the loops over samba4.ldb.ldap
Stefan Metzmacher [Fri, 18 Dec 2015 10:46:22 +0000 (11:46 +0100)]
s4:selftest: simplify the loops over samba4.ldb.ldap

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>