sfrench/samba-autobuild/.git
7 years ago libcli/security: add SID_NAME_LABEL to sid_type_lookup()
Stefan Metzmacher [Mon, 20 Mar 2017 12:50:59 +0000 (13:50 +0100)]
libcli/security: add SID_NAME_LABEL to sid_type_lookup()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago lsa.idl: add SID_NAME_LABEL
Stefan Metzmacher [Mon, 20 Mar 2017 12:50:36 +0000 (13:50 +0100)]
lsa.idl: add SID_NAME_LABEL

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago netlogon.idl: make netr_LogonInfoClass public
Stefan Metzmacher [Fri, 17 Mar 2017 18:28:16 +0000 (19:28 +0100)]
netlogon.idl: make netr_LogonInfoClass public

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago net: Don't crash if lsa_LookupPrivDisplayName returns NULL
Volker Lendecke [Wed, 22 Mar 2017 14:41:47 +0000 (15:41 +0100)]
net: Don't crash if lsa_LookupPrivDisplayName returns NULL

lsa_LookupPrivDisplayName on Windows 2012R2 can return success and still return
a NULL name:

rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 172.18.103.80 returned 12 bytes.
     lsa_LookupPrivDisplayName: struct lsa_LookupPrivDisplayName
        out: struct lsa_LookupPrivDisplayName
            disp_name                : *
                disp_name                : NULL
            returned_language_id     : *
                returned_language_id     : 0x0000 (0)
            result                   : NT_STATUS_OK

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 23 07:43:57 CET 2017 on sn-devel-144

7 years ago nsswtich: Add negative tests for authentication with wbinfo
Andreas Schneider [Mon, 20 Mar 2017 11:22:44 +0000 (12:22 +0100)]
nsswtich: Add negative tests for authentication with wbinfo

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Wed Mar 22 10:58:58 CET 2017 on sn-devel-144

7 years ago s3:libads: Remove obsolete smb_krb5_get_ntstatus_from_init_creds()
Andreas Schneider [Tue, 21 Mar 2017 08:57:30 +0000 (09:57 +0100)]
s3:libads: Remove obsolete smb_krb5_get_ntstatus_from_init_creds()

There is no way we can get a better error code out of this. The original
function called was krb5_get_init_creds_opt_get_error() which has been
deprecated in 2008.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
7 years ago idmap_rfc2307: Clarify the documentation a bit
Volker Lendecke [Tue, 21 Mar 2017 15:00:27 +0000 (16:00 +0100)]
idmap_rfc2307: Clarify the documentation a bit

"bind_path" is a variable name internally used inside Samba. If you
look at "man ldapsearch" from OpenLDAP for example, the more common
term for this parameter is "search base". Adapt the documentation
accordingly.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
7 years ago idmap_rfc2307: Slightly simplify idmap_rfc2307_initialize()
Volker Lendecke [Tue, 21 Mar 2017 14:52:37 +0000 (15:52 +0100)]
idmap_rfc2307: Slightly simplify idmap_rfc2307_initialize()

Replace an "else" branch with an early "goto err"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
7 years ago idmap_tdb: Avoid a few casts
Volker Lendecke [Sun, 8 Jan 2017 13:00:39 +0000 (13:00 +0000)]
idmap_tdb: Avoid a few casts

The times of attempting to be C++ compatible are gone since C compilers
can do very good warnings too.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
7 years ago s3:libsmb: Only print error message if kerberos use is forced
Andreas Schneider [Mon, 20 Mar 2017 15:08:20 +0000 (16:08 +0100)]
s3:libsmb: Only print error message if kerberos use is forced

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12704

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Mar 21 14:25:54 CET 2017 on sn-devel-144

7 years ago autobuild: Stop waf uninstall from removing test_tmpdir
Martin Schwenke [Mon, 20 Mar 2017 03:49:34 +0000 (14:49 +1100)]
autobuild: Stop waf uninstall from removing test_tmpdir

Most of the autobuild tasks run "make distcheck", which does a
recursive "waf configure make install uninstall".  "waf uninstall"
(via BuildContext.install() in Build.py) removes empty directories all
the way up the directory tree.  This means that it removes
test_tmpdir, if it is empty, and any empty directories above it.

While this is arguably a waf bug, the simplest solution is to make
test_tmpdir non-empty so it doesn't get removed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12703

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Mar 21 10:37:08 CET 2017 on sn-devel-144

7 years ago idmap_autorid: Use idmap_config_int
Volker Lendecke [Sat, 18 Mar 2017 18:06:49 +0000 (19:06 +0100)]
idmap_autorid: Use idmap_config_int

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Mar 20 23:28:38 CET 2017 on sn-devel-144

7 years ago idmap_rid: Use idmap_config_int
Volker Lendecke [Sat, 18 Mar 2017 18:05:10 +0000 (19:05 +0100)]
idmap_rid: Use idmap_config_int

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
7 years ago winbind: Add idmap_config_int
Volker Lendecke [Sun, 8 Jan 2017 11:52:56 +0000 (11:52 +0000)]
winbind: Add idmap_config_int

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
7 years ago idmap_autorid: Use idmap_config_bool
Volker Lendecke [Sat, 18 Mar 2017 18:01:01 +0000 (19:01 +0100)]
idmap_autorid: Use idmap_config_bool

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
7 years ago idmap_ad: Use idmap_config_bool
Volker Lendecke [Sat, 18 Mar 2017 17:59:06 +0000 (18:59 +0100)]
idmap_ad: Use idmap_config_bool

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
7 years ago idmap_rfc2307: Use idmap_config_bool
Volker Lendecke [Sat, 18 Mar 2017 17:57:03 +0000 (18:57 +0100)]
idmap_rfc2307: Use idmap_config_bool

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
7 years ago idmap: Use idmap_config_bool in idmap_init_domain
Volker Lendecke [Sat, 18 Mar 2017 17:53:58 +0000 (18:53 +0100)]
idmap: Use idmap_config_bool in idmap_init_domain

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
7 years ago winbind: Add idmap_config_bool()
Volker Lendecke [Sat, 7 Jan 2017 15:10:05 +0000 (15:10 +0000)]
winbind: Add idmap_config_bool()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
7 years ago idmap_ad: Use idmap_config_const_string
Volker Lendecke [Sat, 18 Mar 2017 17:50:38 +0000 (18:50 +0100)]
idmap_ad: Use idmap_config_const_string

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
7 years ago idmap_rfc2307: Use idmap_config_const_string
Volker Lendecke [Sat, 18 Mar 2017 17:48:46 +0000 (18:48 +0100)]
idmap_rfc2307: Use idmap_config_const_string

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
7 years ago idmap_ldap: Use idmap_config_const_string
Volker Lendecke [Sat, 18 Mar 2017 17:40:28 +0000 (18:40 +0100)]
idmap_ldap: Use idmap_config_const_string

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
7 years ago idmap_ldap: Use idmap_config_const_string
Volker Lendecke [Sat, 18 Mar 2017 17:38:10 +0000 (18:38 +0100)]
idmap_ldap: Use idmap_config_const_string

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
7 years ago winbind: Use idmap_config_const_string in idmap_init_domain
Volker Lendecke [Sat, 18 Mar 2017 17:34:07 +0000 (18:34 +0100)]
winbind: Use idmap_config_const_string in idmap_init_domain

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
7 years ago winbind: Use idmap_config_const_string in idmap_script_db_init
Volker Lendecke [Sat, 7 Jan 2017 14:55:41 +0000 (14:55 +0000)]
winbind: Use idmap_config_const_string in idmap_script_db_init

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
7 years ago winbind: Use idmap_config_const_string in idmap_tdb2_db_init
Volker Lendecke [Sat, 7 Jan 2017 14:55:41 +0000 (14:55 +0000)]
winbind: Use idmap_config_const_string in idmap_tdb2_db_init

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
7 years ago winbind: Use idmap_config_const_string in wb_xids2sids_add_dom
Volker Lendecke [Sat, 7 Jan 2017 14:55:41 +0000 (14:55 +0000)]
winbind: Use idmap_config_const_string in wb_xids2sids_add_dom

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
7 years ago winbind: Use idmap_config_const_string in idmap_init_named_domain
Volker Lendecke [Sat, 7 Jan 2017 14:55:41 +0000 (14:55 +0000)]
winbind: Use idmap_config_const_string in idmap_init_named_domain

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
7 years ago winbind: Use idmap_config_const_string in domain_has_idmap_config
Volker Lendecke [Sat, 7 Jan 2017 14:55:41 +0000 (14:55 +0000)]
winbind: Use idmap_config_const_string in domain_has_idmap_config

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
7 years ago winbind: Add idmap_config_const_string
Volker Lendecke [Sat, 7 Jan 2017 14:53:09 +0000 (14:53 +0000)]
winbind: Add idmap_config_const_string

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
7 years ago lib: Simplify smb_nanosleep
Volker Lendecke [Sun, 8 Jan 2017 17:54:06 +0000 (17:54 +0000)]
lib: Simplify smb_nanosleep

We have the recalculation logic also in sys_poll_intr, don't duplicate it.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Mar 20 16:11:16 CET 2017 on sn-devel-144

7 years ago lib: Make sys_poll_intr available to ctdb
Volker Lendecke [Sun, 19 Mar 2017 19:10:29 +0000 (20:10 +0100)]
lib: Make sys_poll_intr available to ctdb

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago lib: Avoid an includes.h
Volker Lendecke [Sun, 8 Jan 2017 19:52:47 +0000 (19:52 +0000)]
lib: Avoid an includes.h

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago ctdb-tests: Catch cases where mktemp fails due to missing TMPDIR
Martin Schwenke [Sat, 18 Mar 2017 09:38:32 +0000 (20:38 +1100)]
ctdb-tests: Catch cases where mktemp fails due to missing TMPDIR

TMPDIR sometimes goes missing during autobuild.  When that happens the
error messages produced by CTDB tests are not very helpful.  This
should make it clear.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Mon Mar 20 08:53:02 CET 2017 on sn-devel-144

7 years ago s3:winbind: Use the correct talloc context for user information
Volker Lendecke [Fri, 17 Mar 2017 12:52:57 +0000 (13:52 +0100)]
s3:winbind: Use the correct talloc context for user information

This fixes the substitution for 'template homedir'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sat Mar 18 19:47:40 CET 2017 on sn-devel-144

7 years ago s3:winbind: Remove unused struct getpwent_user
Andreas Schneider [Fri, 17 Mar 2017 12:35:39 +0000 (13:35 +0100)]
s3:winbind: Remove unused struct getpwent_user

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Mar 18 08:59:01 CET 2017 on sn-devel-144

7 years ago s3:winbind: Use correct struct member for size calculation
Andreas Schneider [Fri, 17 Mar 2017 12:24:13 +0000 (13:24 +0100)]
s3:winbind: Use correct struct member for size calculation

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
7 years ago tldap: Allow dropping messages in tldap_search()
Volker Lendecke [Fri, 27 Jan 2017 15:03:03 +0000 (16:03 +0100)]
tldap: Allow dropping messages in tldap_search()

For probing whether a connection is alive a rootdse search might be
interesting where we don't really care for the result, only success or
failure of the operation.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago ctdb-readonly: Avoid a tight loop waiting for revoke to complete
Amitay Isaacs [Tue, 14 Mar 2017 05:12:55 +0000 (16:12 +1100)]
ctdb-readonly: Avoid a tight loop waiting for revoke to complete

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12697

During revoking readonly delegations, if one of the nodes disappears, then
there is no point re-trying revoking readonly delegation.  The database
needs to be recovered before the revoke operation can succeed.  So retry
only after a grace period.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Fri Mar 17 14:05:57 CET 2017 on sn-devel-144

7 years ago winbindd: remove trailing spaces in get_cache()
Ralph Boehme [Thu, 16 Mar 2017 16:52:50 +0000 (17:52 +0100)]
winbindd: remove trailing spaces in get_cache()

Trailing spaces are annoyingly highlighted red in my emacs setup so I'd
like to get rid of them. :)

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Mar 17 00:20:17 CET 2017 on sn-devel-144

7 years ago winbindd: README.Coding fixes for get_cache()
Ralph Boehme [Thu, 16 Mar 2017 16:51:29 +0000 (17:51 +0100)]
winbindd: README.Coding fixes for get_cache()

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago winbindd: fix long lines in get_cache()
Ralph Boehme [Thu, 16 Mar 2017 16:45:36 +0000 (17:45 +0100)]
winbindd: fix long lines in get_cache()

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago winbindd: untangle reconnect_methods vs reconnect_ads_methods
Ralph Boehme [Thu, 16 Mar 2017 09:36:14 +0000 (10:36 +0100)]
winbindd: untangle reconnect_methods vs reconnect_ads_methods

No change in behaviour. The previous logic just seemed a bit clumsy
because of the ifdefs.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
7 years ago winbindd: use NULL for pointer check in get_cache()
Ralph Boehme [Thu, 16 Mar 2017 08:32:55 +0000 (09:32 +0100)]
winbindd: use NULL for pointer check in get_cache()

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
7 years ago lib/util: Fix initializer
Amitay Isaacs [Thu, 16 Mar 2017 02:29:18 +0000 (13:29 +1100)]
lib/util: Fix initializer

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago replace: Fix compiler warning flag
Amitay Isaacs [Thu, 16 Mar 2017 02:28:57 +0000 (13:28 +1100)]
replace: Fix compiler warning flag

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago docs: Deprecate "auth methods"
Volker Lendecke [Thu, 16 Mar 2017 10:58:02 +0000 (11:58 +0100)]
docs: Deprecate "auth methods"

Keeping this parameter prevents fixing bug 2976

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago docs: Deprecate "map untrusted to domain"
Volker Lendecke [Thu, 16 Mar 2017 08:31:10 +0000 (09:31 +0100)]
docs: Deprecate "map untrusted to domain"

The implementation of this parameter depends on Samba to enumerate
trusted domains. In an active directory environment, we don't know of
a good way to enumerate all domains that we have to accept as trusted,
in particular with multiple forests, one-way and external trusts. We
hope to replace this parameter in the future with something that matches
Windows behaviour better, after the deprecation phase of this parameter
is over and we can remove it.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago Changes to make the Solaris C compiler happy.
Jeremy Allison [Thu, 16 Mar 2017 16:17:51 +0000 (09:17 -0700)]
Changes to make the Solaris C compiler happy.

Fix Bug 12693 dbwrap_watch.c syntax error before or at: }

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12693

Signed-off-by: Tom schulz <schulz@adi.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes.
Jeremy Allison [Wed, 15 Mar 2017 20:52:05 +0000 (13:52 -0700)]
s3: libgpo: Allow skipping GPO objects that don't have the expected LDAP attributes.

We expect the following attributes to be present in an LDAP GPO object:

displayName
flags
gPCFileSysPath
name
ntSecurityDescriptor
versionNumber

and fail if a result is returned without them. Change this
to skip results that don't contain these attributes instead.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12695

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
7 years ago Fix for Solaris C compiler.
Jeremy Allison [Thu, 16 Mar 2017 16:10:52 +0000 (09:10 -0700)]
Fix for Solaris C compiler.

Inspired by comment 4 in bug 12559.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12559

Signed-off-by: Tom Schulz <schulz@adi.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
7 years ago s3:smbd: exit early if srv_send_smb fails
Aurelien Aptel [Wed, 15 Mar 2017 10:34:20 +0000 (11:34 +0100)]
s3:smbd: exit early if srv_send_smb fails

coverity fix.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
7 years ago s3: locking: Update oplock optimization for the leases era !
Jeremy Allison [Tue, 14 Mar 2017 20:34:07 +0000 (13:34 -0700)]
s3: locking: Update oplock optimization for the leases era !

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12628

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Mar 15 20:04:32 CET 2017 on sn-devel-144

7 years ago s3: locking: Move two leases functions into a new file.
Jeremy Allison [Tue, 14 Mar 2017 20:23:13 +0000 (13:23 -0700)]
s3: locking: Move two leases functions into a new file.

map_oplock_to_lease_type(), fsp_lease_type().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12628

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
7 years ago lib: Fix an uninitialized variable warning
Volker Lendecke [Sat, 11 Mar 2017 09:16:03 +0000 (10:16 +0100)]
lib: Fix an uninitialized variable warning

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Mar 15 14:21:43 CET 2017 on sn-devel-144

7 years ago passdb: Remove pdb_ipa
Volker Lendecke [Wed, 25 Jan 2017 16:44:38 +0000 (17:44 +0100)]
passdb: Remove pdb_ipa

The version used these days can be found under

https://pagure.io/freeipa/blob/master/f/daemons/ipa-sam

Having a stale copy in Samba only confuses things.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar 15 09:18:21 CET 2017 on sn-devel-144

7 years ago testprogs: Correctly expand shell parameters
Andreas Schneider [Mon, 13 Mar 2017 16:30:37 +0000 (17:30 +0100)]
testprogs: Correctly expand shell parameters

The old behaviour is:

  for var in $*
  do
    echo "$var"
  done

And you get this:

$ sh test.sh 1 2 '3 4'
1
2
3
4

Changing it to:

  for var in "$@"
  do
    echo "$var"
  done

will correctly expand to:

$ sh test.sh 1 2 '3 4'
1
2
3 4

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Mar 15 05:26:17 CET 2017 on sn-devel-144

7 years ago s3:vfs_expand_msdfs: Do not open the remote address as a file
Andreas Schneider [Tue, 14 Mar 2017 15:12:20 +0000 (16:12 +0100)]
s3:vfs_expand_msdfs: Do not open the remote address as a file

The arguments get passed in the wrong order to read_target_host().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687

Signed-off-by: Andreas Schneider <asn@samba.org>
7 years ago lib/crypto: implement samba.crypto Python module for RC4
Alexander Bokovoy [Fri, 10 Mar 2017 14:20:06 +0000 (16:20 +0200)]
lib/crypto: implement samba.crypto Python module for RC4

Implement a small Python module that exposes arcfour_crypt_blob()
function widely used in Samba C code.

When Samba Python bindings are used to call LSA CreateTrustedDomainEx2,
there is a need to encrypt trusted credentials with RC4 cipher.

Current Samba Python code relies on Python runtime to provide RC4
cipher. However, in FIPS 140-2 mode system crypto libraries do not
provide access to RC4 cipher at all. According to Microsoft dochelp team,
Windows is treating AuthenticationInformation blob encryption as 'plain
text' in terms of FIPS 140-2, thus doing application-level encryption.

Replace samba.arcfour_encrypt() implementation with a call to
samba.crypto.arcfour_crypt_blob().

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Mar 15 01:30:24 CET 2017 on sn-devel-144

7 years ago examples:clifuse: Add a stub for getattr
Volker Lendecke [Mon, 13 Mar 2017 18:09:27 +0000 (19:09 +0100)]
examples:clifuse: Add a stub for getattr

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Mar 14 19:15:03 CET 2017 on sn-devel-144

7 years ago examples: Add '-p', '--port' to smb2mount
Volker Lendecke [Mon, 13 Mar 2017 16:48:56 +0000 (17:48 +0100)]
examples: Add '-p', '--port' to smb2mount

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago libsmb: Slightly simplify trustdom_cache_fetch
Volker Lendecke [Tue, 24 Jan 2017 20:42:51 +0000 (21:42 +0100)]
libsmb: Slightly simplify trustdom_cache_fetch

Also adapt to modern coding standards

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago libsmb: Use talloc in trustdom_cache_key
Volker Lendecke [Tue, 24 Jan 2017 20:40:42 +0000 (21:40 +0100)]
libsmb: Use talloc in trustdom_cache_key

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago libsmb: Simplify trustdom_cache_store
Volker Lendecke [Tue, 24 Jan 2017 20:35:16 +0000 (21:35 +0100)]
libsmb: Simplify trustdom_cache_store

The additional arguments were never used

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago libsmb: Make a few functions static
Volker Lendecke [Tue, 24 Jan 2017 20:30:40 +0000 (21:30 +0100)]
libsmb: Make a few functions static

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago libsmb: Remove some stale code
Volker Lendecke [Fri, 20 Jan 2017 12:40:23 +0000 (13:40 +0100)]
libsmb: Remove some stale code

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago krb5_wrap: Fix smb_gss_krb5_import_cred() picky-developer build
Andreas Schneider [Mon, 13 Mar 2017 14:34:20 +0000 (15:34 +0100)]
krb5_wrap: Fix smb_gss_krb5_import_cred() picky-developer build

This does not build on Fedora 25 with picky-developer turned on.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
7 years ago testprogs: Test 'net ads join' with a dedicated keytab
Andreas Schneider [Mon, 13 Mar 2017 15:34:05 +0000 (16:34 +0100)]
testprogs: Test 'net ads join' with a dedicated keytab

This checks that a 'net ads join' can create the keytab and make sure we
will not regress in future.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
7 years ago param: Allow to specify kerberos method on the commandline
Andreas Schneider [Mon, 13 Mar 2017 16:28:58 +0000 (17:28 +0100)]
param: Allow to specify kerberos method on the commandline

We support --option for our tools but you cannot set an option where the
value of the option includes a space.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
7 years ago s3:libads: Correctly handle the keytab kerberos methods
Andreas Schneider [Mon, 13 Mar 2017 15:24:52 +0000 (16:24 +0100)]
s3:libads: Correctly handle the keytab kerberos methods

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
7 years ago krb5_wrap: Print a warning for an invalid keytab name
Andreas Schneider [Mon, 13 Mar 2017 15:11:39 +0000 (16:11 +0100)]
krb5_wrap: Print a warning for an invalid keytab name

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
7 years ago remove historic source3/change-log
Stefan Metzmacher [Mon, 13 Mar 2017 14:59:54 +0000 (15:59 +0100)]
remove historic source3/change-log

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Mar 13 19:45:31 CET 2017 on sn-devel-144

7 years ago getncchanges: Remove O(n) loop in link parsing
Garming Sam [Sun, 12 Mar 2017 23:18:00 +0000 (12:18 +1300)]
getncchanges: Remove O(n) loop in link parsing

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar 13 08:57:24 CET 2017 on sn-devel-144

7 years ago dsdb: Allow parsed_dn_find to have a prefixed blob match
Garming Sam [Sun, 12 Mar 2017 23:16:13 +0000 (12:16 +1300)]
dsdb: Allow parsed_dn_find to have a prefixed blob match

This allows us to search against binary DN using only the attributeID in
the case of msDS-RevealedUsers (as it appears right at the beginning).

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago dsdb: Move parsed_dn_find into a common location
Garming Sam [Sun, 12 Mar 2017 23:14:23 +0000 (12:14 +1300)]
dsdb: Move parsed_dn_find into a common location

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago tests/dbcheck-links: remove spurious sleeping
Garming Sam [Tue, 7 Mar 2017 02:42:59 +0000 (15:42 +1300)]
tests/dbcheck-links: remove spurious sleeping

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago getncchanges: generalize samdb_result_sid_array_ndr a little
Garming Sam [Fri, 10 Mar 2017 01:25:21 +0000 (14:25 +1300)]
getncchanges: generalize samdb_result_sid_array_ndr a little

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago getncchanges: Add a comment regarding sIDHistory for allow/deny in repl_secret
Garming Sam [Fri, 10 Mar 2017 01:31:10 +0000 (14:31 +1300)]
getncchanges: Add a comment regarding sIDHistory for allow/deny in repl_secret

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago objectclass_attrs: Restrict systemOnly attributes
Garming Sam [Mon, 6 Mar 2017 23:30:09 +0000 (12:30 +1300)]
objectclass_attrs: Restrict systemOnly attributes

This allows restriction of auditing attributes from being wiped.
Modifications of the RID Set must be done as SYSTEM.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago tests/match_rules: Use system privilege for msDS-RevealedUsers
Garming Sam [Wed, 8 Mar 2017 02:16:49 +0000 (15:16 +1300)]
tests/match_rules: Use system privilege for msDS-RevealedUsers

Must be done before the systemOnly attribute is enforced.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago dbcheck: Improve dbcheck to find (and may fix) dangling msDS-RevealedUsers
Garming Sam [Fri, 3 Mar 2017 04:31:46 +0000 (17:31 +1300)]
dbcheck: Improve dbcheck to find (and may fix) dangling msDS-RevealedUsers

We cannot add missing backlinks because of the duplicate checking. There
seems to be no trivial way to add the bypass.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago getncchanges: include object SID in tokenGroups calculation for repl secret
Garming Sam [Fri, 3 Mar 2017 03:02:40 +0000 (16:02 +1300)]
getncchanges: include object SID in tokenGroups calculation for repl secret

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago tests/repl_rodc: Test the direct allow/deny attribute works
Garming Sam [Fri, 3 Mar 2017 03:05:25 +0000 (16:05 +1300)]
tests/repl_rodc: Test the direct allow/deny attribute works

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago getncchanges: Reorder and comment code for clarity
Garming Sam [Thu, 2 Mar 2017 22:18:33 +0000 (11:18 +1300)]
getncchanges: Reorder and comment code for clarity

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago getncchanges: Prevent a small, but possible race condition in build_object
Garming Sam [Thu, 2 Mar 2017 22:14:24 +0000 (11:14 +1300)]
getncchanges: Prevent a small, but possible race condition in build_object

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago getncchanges: Refactor filter_attrs from build_object
Garming Sam [Thu, 2 Mar 2017 22:01:36 +0000 (11:01 +1300)]
getncchanges: Refactor filter_attrs from build_object

This makes it easier to have a transaction around it.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago getncchanges: Tie destination DSA GUID to authenticating RODC for REPL_SECRET
Garming Sam [Tue, 28 Feb 2017 03:21:25 +0000 (16:21 +1300)]
getncchanges: Tie destination DSA GUID to authenticating RODC for REPL_SECRET

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago tests/repl_rodc: Ensure that the machine account is tied to the destination DSA
Garming Sam [Fri, 3 Mar 2017 01:00:39 +0000 (14:00 +1300)]
tests/repl_rodc: Ensure that the machine account is tied to the destination DSA

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

7 years ago getncchanges: Implement functionality for msDS-RevealedUsers
Garming Sam [Fri, 3 Mar 2017 03:21:12 +0000 (16:21 +1300)]
getncchanges: Implement functionality for msDS-RevealedUsers

This multi-valued DN+Binary linked attribute is present on the server object
for an RODC. A link to an object is added to it whenever secret
attributes from that object are replicated to an RODC to serve as an
audit trail.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>

7 years ago getncchanges: Do not filter secrets by PAS in EXOP_REPL_SECRET
Bob Campbell [Fri, 17 Feb 2017 02:51:36 +0000 (15:51 +1300)]
getncchanges: Do not filter secrets by PAS in EXOP_REPL_SECRET

This conforms with Windows' behaviour.

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>

7 years ago replmd: Include extra data on DN in search if it exists
Garming Sam [Wed, 8 Mar 2017 04:12:32 +0000 (17:12 +1300)]
replmd: Include extra data on DN in search if it exists

This is important for multi-valued DN+Binary (or DN+String) attributes,
as otherwise they will be considered duplicates.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>

7 years ago replmd: Ensure that binary blobs in links are ordered in the database
Garming Sam [Fri, 10 Mar 2017 04:29:53 +0000 (17:29 +1300)]
replmd: Ensure that binary blobs in links are ordered in the database

This is required if we are to search them with a binsearch.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

7 years ago getncchanges: Let security of RWDC+ manually replicate secrets to RODCs
Garming Sam [Wed, 8 Mar 2017 04:12:27 +0000 (17:12 +1300)]
getncchanges: Let security of RWDC+ manually replicate secrets to RODCs

This correctly passes has_get_all_changes through to repl_secrets.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>

7 years ago drsblobs: Add decode for replPropertyMetaData1
Bob Campbell [Wed, 15 Feb 2017 21:03:29 +0000 (10:03 +1300)]
drsblobs: Add decode for replPropertyMetaData1

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>

7 years ago tests/repl_rodc: Duplicate msDS-RevealedUsers test for RODC machine acct
Garming Sam [Fri, 3 Mar 2017 00:33:04 +0000 (13:33 +1300)]
tests/repl_rodc: Duplicate msDS-RevealedUsers test for RODC machine acct

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

7 years ago python/tests: Add repl_rodc test
Bob Campbell [Mon, 13 Feb 2017 02:46:37 +0000 (15:46 +1300)]
python/tests: Add repl_rodc test

Currently, this tests the msDS-RevealedUsers feature, which we don't
support at the moment.

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>

7 years ago getncchanges: Return correct denied REPL_SECRET error code
Garming Sam [Mon, 27 Feb 2017 01:40:40 +0000 (14:40 +1300)]
getncchanges: Return correct denied REPL_SECRET error code

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

7 years ago drsbase: use credentials if supplied
Garming Sam [Wed, 8 Mar 2017 04:13:40 +0000 (17:13 +1300)]
drsbase: use credentials if supplied

Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

7 years ago python/dsdb_dn: Add a generic get_bytes method on DNs
Garming Sam [Wed, 8 Mar 2017 04:17:27 +0000 (17:17 +1300)]
python/dsdb_dn: Add a generic get_bytes method on DNs

Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

7 years ago ldb_tdb: Add better comments for duplicate attr values
Garming Sam [Thu, 9 Mar 2017 03:10:16 +0000 (16:10 +1300)]
ldb_tdb: Add better comments for duplicate attr values

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>