typo: componemt => component

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

tevent: typo in documentation

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

param: fix a typo emtpy -> empty

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

check_password_script: Add a DEBUG message for timeouts

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest: add check password script test

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

check-password-script: Allow AD to execute these scripts

In contrast to source3, this is run as root and without substitution.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

ctdb-tests: Link to ctdb-ipalloc instead of using ctdbd_test.c

Less code, quicker build time, smaller binary...

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Mon Jul  4 19:29:08 CEST 2016 on sn-devel-144

ctdb-ipalloc: Drop implicit dependency on ctdb-common

Use new functions from protocol API instead.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-tests: Allow takeover tests to be run under valgrind

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-tests: Drop use of CTDB context from takeover test

The ipalloc code doesn't need a CTDB context so neither should the
code that tests it.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-ipalloc: IP allocation state is now an opaque structure

It is private to the IP allocation module.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-ipalloc: ipalloc() returns public IP list

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-ipalloc: Move set_ipflags_internal() to ipalloc

Rename it ipalloc_set_node_flags().

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-ipalloc: Switch set_ipflags_internal() to use a new-style node map

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-ipalloc: Move ipalloc state initialisation to ipalloc.c

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-ipalloc: Pass extra data to IP allocation state initialisation

No longer require CTDB context but pass in number of nodes, algorithm,
no_ip_failback and force_rebalance_nodes.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-ipalloc: Make no_ip_failback a boolean

No need to expose tunable values that far down.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-ipalloc: Fix buggy short-circuit when no IPs are available

At the moment IP is short-circuited when there are no available IP
addresses.  However, if some IP addresses are already allocated then
"no available IP addresses" means that all the addresses should
(probably) be released.  The current short-circuit means that no
already hosted IP addresses will be released.

The short-circuit exists to avoid lots of messages saying that all IP
addresses can not be assigned at startup time.  So, add a check to
ipalloc_can_host_ips() so that it succeeds if IP addresses are already
allocated to nodes.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-ipalloc: New function ipalloc_can_host_ips()

Abstracts out code involving internals of IP allocation state.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-ipalloc: Drop known public IPs from IP allocation state

This is never used in the allocation algorithms.  It is only used when
building the merged IP list.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-ipalloc: Move create_merged_ip_list() into ipalloc

How the existing IP layout is constructed and how the merged IP list is
sorted are important aspects of the IP allocation algorithm.  Construct the
merged IP list when known and available IPs are assigned.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-ipalloc: New function ipalloc_set_public_ips()

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-ipalloc: Remove function ctdb_reload_remote_public_ips()

Use ctdb_fetch_remote_public_ips() inline to fetch each list.  Assign
them into the IP allocation state separately.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-ipalloc: Clean up reloading of remote public IPs

Factor out new function ctdb_fetch_remote_public_ips() to fetch known
or available public IP addresses, according to flags.

This also drops the hack where the array from a
ctdb_public_ip_list_old was assigned to a pointer in a
ctdb_public_ip_list.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-ipalloc: Don't build a global IP tree

It isn't used outside this function, so just use a local variable.

This makes create_merged_ip_list() independent of the CTDB context.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-ipalloc: Drop code to update IP assignment tree

This code is not used.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-tools: Don't bother sending CTDB_SRVID_RECD_UPDATE_IP

Nothing is listening.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-recoverd: Drop code to change the IP assignment tree

The tree is no longer used in verification.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-ipalloc: Drop remote IP verification

It is only run during a takeover run and only logs errors.  It doesn't
actually do anything to fix potential errors.  The takeover run should
fix any inconsistencies anyway.

Instead, leave a comment in the recovery daemon's monitoring loop to
add proper remote IP verification later.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-ipalloc: Drop a use of CTDB_NO_MEMORY_NULL()

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-ipalloc: Do not use node count or PNNs from CTDB context

This is unnecessary.  IP allocation state already has a node count and
"i" is already a PNN.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-ipalloc: Drop an unnecessary check

Deleted (and other inactive) nodes will have an empty list of known
IP addresses.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-ipalloc: Move if-statement with broken condition

This pointer is for an array that is always allocated.  The check is
meant to skip a node that has no IP addresses.  However, when there
are no IP addresses the loop below will not do anything anyway.

Add this as a check at the beginning of the function instead.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-tests: Drop CTDB_TEST_MAX_NODES

The node map is dynamically constructed.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-tests: Build a node map instead of a hacky node flags array

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-tests: Assign known and available arrays via pointers.

No need to allocate these and iterate as
read_ctdb_public_ip_info_node() now returns a usable array.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-tests: read_ctdb_public_ip_info() reads all test input

If there is per-node data then each chunk is read in a separate call
and is cherry-picked out into known_public_ips[] for each node.  This
is confusing.

Instead, a single call now reads all data for multiple nodes and
returns complete arrays of known and available IP addresses.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-tests: Drop CTDB_TEST_MAX_IPS

Arrays are now dynamically reallocated.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-tests: Drop all_ips argument from read_ctdb_public_ip_info()

Nothing uses the result.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-tests: Don't bother setting all_ips

It isn't used outside this function.  Instead, update k directly.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-tests: Simplify read_ctdb_public_ip_info() using new function add_ip()

Known public IPs array is now dynamically allocated instead of
allocated once with artificial size limit.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

ctdb-tests: Remove unused tests from IP takeover test harness

These tests aren't run anywhere.  They were used to test internal
functions during development.

The aim is to simplify this test program so that it can be linked with
the ipalloc subsystem, allowing removal of ctdbd_test.c and all of its
complications.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>

tdb: avoid many fcntl calls when incrementing seqnum

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Jul  3 18:11:30 CEST 2016 on sn-devel-144

lib: talloc: Add check for destructor protection.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: talloc: As we have a struct talloc_chunk * in _talloc_free_children_internal(), use it to call _tc_free_internal() directly.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: talloc: As _tc_free_internal() takes a struct talloc_chunk *, add an extra paranoia check against destructor overwrite.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: talloc: Rename the internals of _talloc_free_internal() to _tc_free_internal().

Make it use a struct talloc_chunk *tc parameter. Define _talloc_free_internal()
in terms of _tc_free_internal().

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: talloc: Call talloc_chunk_from_ptr() less often in __talloc_with_prefix()

Rename 'ptc' pointer to parent as it's re-used as
that name later in the function.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: talloc: Rename talloc_set_name_v() to tc_set_name_v(). Make it take a struct talloc_chunk *tc as the first argument.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: talloc: Add _vasprintf_tc() which returns the struct talloc_chunk *, not the talloc'ed pointer.

Define talloc_vasprintf() in terms of _vasprintf_tc().
We will use _vasprintf_tc() internally later.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: talloc: Change _talloc_set_name_const() to _tc_set_name_const()

First argument is now struct talloc_chunk *tc.
Ensure all callers pass correct talloc chunk from given pointer.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: talloc: Change __talloc() to return a struct talloc_chunk *.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: talloc: Change __talloc_with_prefix() to return a struct talloc_chunk *.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

lib: talloc: Rename talloc_XXX() internal functions that take a 'struct talloc_chunk *' to tc_XXX().

We will be adding more and it ensures a consistent naming scheme.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

testprogs/blackbox: Improve the net ads dns register tests.

More tests are added that add an unprivileged user, enable their
account, and then test that they can add IP addressed but that they
cannot modify other user's IP addresses.

Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Richard Sharpe <sharpe@samba.org>
Autobuild-Date(master): Sun Jul  3 14:24:59 CEST 2016 on sn-devel-144

selftest: Add test for domain join + kerberos-only auth

Add "net ads join/leave -k" tests to the net_ads test suite.

Shift the test suite from ad_member env to ad_dc env, because:
1. Seems more appropriate (the member server plays no role in this
   test)
2. The -k test breaks against the ntvfs file server for some reason,
   when trying to open the netlogon named pipe after having established
   the session with Kerberos (the create fails).

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jul  1 15:36:37 CEST 2016 on sn-devel-144

s3/winbindd: use == -1 instead of < 0 for error checking uid_t

The sign of the uid_t type is left unspecified by POSIX. It's defined as
an unsigned 32b int on Linux, therefore the < 0 check is always
false.

For unsigned version of uid_t, "uid == -1" will implicitely cast -1 to
unsigned making it a valid test for both signed and unsigned version of
uid_t.

This commit makes the cast to (uid_t) explicit anyway.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Jul  1 05:22:36 CEST 2016 on sn-devel-144

librpc: add decode_netlogon_samlogon_response_packet for mailslot debugging.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jul  1 01:29:42 CEST 2016 on sn-devel-144

krb5pac.idl: introduce PAC_DOMAIN_GROUP_MEMBERSHIP to handle the resource groups

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 30 07:16:45 CEST 2016 on sn-devel-144

netlogon.idl: make netr_SidAttr public

It will be used in krb5pac.idl soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth/auth_sam_reply: make auth_convert_user_info_dc_sambaseinfo() a private helper

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:rpc_server/netlogon: make use of auth_convert_user_info_dc_saminfo{2,6}()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:rpc_server/netlogon: initialize pointer to NULL in dcesrv_netr_LogonSamLogon_base()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth/auth_sam_reply: do a real copy of strings in auth_convert_user_info_dc_sambaseinfo()

That's much more expected by callers.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth/auth_sam_reply: add auth_convert_user_info_dc_saminfo2() helper function

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth/auth_sam_reply: add auth_convert_user_info_dc_saminfo6() and implement level 3 as wrapper

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth/wbc_auth_util: change wbcAuthUserInfo_to_netr_SamInfo* from level 3 to 6

This includes user_principal_name and dns_domain_name.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth/wbc_auth_util: fill in base.logon_domain in wbcAuthUserInfo_to_netr_SamInfo3()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth/auth_sam_reply: let make_user_info_dc_netlogon_validation() correctly handle level 6

We need to take care of extra sids in level 3 and 6!
And level 6 also includes user_principal_name and dns_domain_name.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:auth/kerberos: improve error message in kerberos_pac_to_user_info_dc()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:auth: fill user_principal_* and dns_domain_name in authsam_make_user_info_dc()

This is required in order to support netr_SamInfo6 and PAC_UPN_DNS_INFO
correctly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:auth: make use of lpcfg_sam_name() in authsam_get_user_info_dc_principal()

This is more generic and matches all other places.

As this is only used in the KDC it's not a real logic change.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth.idl: add user_principal_* and dns_domain_name to auth_user_info

This is required in order to support netr_SamInfo6 and PAC_UPN_DNS_INFO
correctly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

lib/param: add lpcfg_sam_dnsname() helper function

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb/tests: let password_lockout.py verify the logonCount values

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb/tests: let password_lockout.py validate the lastLogon and lastLogonTimestamp interaction

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb/tests: let password_lockout.py test with all combinations of krb5, ntlmssp and lockOutObservationWindow

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb/tests: let password_lockout.py verify more fields in _readd_user()

The results differ depending on Kerberos or NTLMSSP usage
and the lockOutObservationWindow.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb/tests: let password_lockout.py copy user{name,pass} from the template in insta_creds()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb/tests: let password_lockout.py use creds and other_ldb as function arguments

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb/tests: let password_lockout.py use userpass variables in all functions

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb/tests: let password_lockout.py use other_ldb variables instead of self.ldb3

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb/tests: let password_lockout.py use userdn variables in all functions

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb/tests: let password_lockout.py make use of self.addCleanup() to cleanup objects

This is easier than doing it by hand...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb/tests: let password_lockout.py use _readd_user() for testuser3 too

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb/tests: let password_lockout.py pass creds as argument to _readd_user()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb/tests: let password_lockout.py use user{name,pass,dn} variables in _readd_user()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb/tests: let password_lockout.py pass username,userpass optionally to insta_creds()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb/tests: let password_lockout.py let _readd_user() return the ldb connection as user

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb/tests: let password_lockout.py make use of the _readd_user() helper function

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb/tests: let password_lockout.py add a _readd_user() helper function

This is a complete copy of the code that's currently inline.
I'm doing this in multiple steps in order to keep the diff
in a reviewable state.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb/tests: let password_lockout.py make the LDAP error string checks more useful

We should first check if the error number is as expected and
then check for a specific WERROR in the error string.

We also add the full error string as msg to assertTrue(),
so we'll actually see it if the assertion is wrong.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb/tests: let password_lockout.py cross-check the lastLogon value with samr

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb/tests: let password_lockout.py reduce the values for lockoutDuration and lockOutObservationWindow

This reduces the runtime of the test while still producing reliable results.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:auth/sam: update the logonCount for interactive logons

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:auth/sam: don't update lastLogon just because it's 0 currently

Non interactive logons doesn't trigger an update
unless the (effective) badPwdCount is not 0 and lockoutTime is 0.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:auth/sam: only reset badPwdCount when the effetive value is not 0 already

Non interactive logons doesn't reset badPwdCount to 0
when the effective badPwdCount is already 0
(with (badPasswordTime + lockOutObservationWindows) < now).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

s4:dsdb: add some const to {samdb_result,dsdb}_effective_badPwdCount()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

test_pkinit_heimdal.sh: add a FILE: prefix to the KRB5CCNAME variable

This makes the tests more robust.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

test_pkinit_heimdal.sh: add a helper VARIABLE to store the certificate paths

We also don't need the separation of admincert.pem and admincertupn.pem
anymore.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>