sharpe/samba-autobuild/.git
7 years ago lib: talloc: Rename talloc_set_name_v() to tc_set_name_v(). Make it take a struct...
Andrew Bartlett [Fri, 24 Jun 2016 00:17:20 +0000 (17:17 -0700)]
lib: talloc: Rename talloc_set_name_v() to tc_set_name_v(). Make it take a struct talloc_chunk *tc as the first argument.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago lib: talloc: Add _vasprintf_tc() which returns the struct talloc_chunk *, not the...
Andrew Bartlett [Sat, 18 Jun 2016 03:49:24 +0000 (20:49 -0700)]
lib: talloc: Add _vasprintf_tc() which returns the struct talloc_chunk *, not the talloc'ed pointer.

Define talloc_vasprintf() in terms of _vasprintf_tc().
We will use _vasprintf_tc() internally later.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago lib: talloc: Change _talloc_set_name_const() to _tc_set_name_const()
Andrew Bartlett [Sat, 18 Jun 2016 03:40:56 +0000 (20:40 -0700)]
lib: talloc: Change _talloc_set_name_const() to _tc_set_name_const()

First argument is now struct talloc_chunk *tc.
Ensure all callers pass correct talloc chunk from given pointer.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago lib: talloc: Change __talloc() to return a struct talloc_chunk *.
Andrew Bartlett [Sat, 18 Jun 2016 00:06:52 +0000 (17:06 -0700)]
lib: talloc: Change __talloc() to return a struct talloc_chunk *.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago lib: talloc: Change __talloc_with_prefix() to return a struct talloc_chunk *.
Andrew Bartlett [Fri, 17 Jun 2016 23:58:34 +0000 (16:58 -0700)]
lib: talloc: Change __talloc_with_prefix() to return a struct talloc_chunk *.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago lib: talloc: Rename talloc_XXX() internal functions that take a 'struct talloc_chunk...
Jeremy Allison [Wed, 29 Jun 2016 23:25:30 +0000 (16:25 -0700)]
lib: talloc: Rename talloc_XXX() internal functions that take a 'struct talloc_chunk *' to tc_XXX().

We will be adding more and it ensures a consistent naming scheme.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago testprogs/blackbox: Improve the net ads dns register tests.
Richard Sharpe [Fri, 1 Jul 2016 04:07:19 +0000 (21:07 -0700)]
testprogs/blackbox: Improve the net ads dns register tests.

More tests are added that add an unprivileged user, enable their
account, and then test that they can add IP addresses but that they
cannot modify other users' IP addresses.

Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Richard Sharpe <sharpe@samba.org>
Autobuild-Date(master): Sun Jul  3 14:24:59 CEST 2016 on sn-devel-144

7 years ago selftest: Add test for domain join + kerberos-only auth
Uri Simchoni [Thu, 30 Jun 2016 08:55:20 +0000 (11:55 +0300)]
selftest: Add test for domain join + kerberos-only auth

Add "net ads join/leave -k" tests to the net_ads test suite.

Shift the test suite from ad_member env to ad_dc env, because:
1. Seems more appropriate (the member server plays no role in this
   test)
2. The -k test breaks against the ntvfs file server for some reason,
   when trying to open the netlogon named pipe after having established
   the session with Kerberos (the create fails).

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jul  1 15:36:37 CEST 2016 on sn-devel-144

7 years ago s3/winbindd: use == -1 instead of < 0 for error checking uid_t
Aurelien Aptel [Wed, 9 Mar 2016 12:43:09 +0000 (13:43 +0100)]
s3/winbindd: use == -1 instead of < 0 for error checking uid_t

The sign of the uid_t type is left unspecified by POSIX. It's defined as
an unsigned 32b int on Linux, therefore the < 0 check is always
false.

For unsigned version of uid_t, "uid == -1" will implicitly cast -1 to
unsigned making it a valid test for both signed and unsigned version of
uid_t.

This commit makes the cast to (uid_t) explicit anyway.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Jul  1 05:22:36 CEST 2016 on sn-devel-144

7 years ago librpc: add decode_netlogon_samlogon_response_packet for mailslot debugging.
Günther Deschner [Tue, 28 Jun 2016 16:40:25 +0000 (18:40 +0200)]
librpc: add decode_netlogon_samlogon_response_packet for mailslot debugging.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jul  1 01:29:42 CEST 2016 on sn-devel-144

7 years ago krb5pac.idl: introduce PAC_DOMAIN_GROUP_MEMBERSHIP to handle the resource groups
Stefan Metzmacher [Fri, 20 May 2016 12:16:35 +0000 (14:16 +0200)]
krb5pac.idl: introduce PAC_DOMAIN_GROUP_MEMBERSHIP to handle the resource groups

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 30 07:16:45 CEST 2016 on sn-devel-144

7 years ago netlogon.idl: make netr_SidAttr public
Stefan Metzmacher [Fri, 20 May 2016 12:18:35 +0000 (14:18 +0200)]
netlogon.idl: make netr_SidAttr public

It will be used in krb5pac.idl soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago auth/auth_sam_reply: make auth_convert_user_info_dc_sambaseinfo() a private helper
Stefan Metzmacher [Thu, 7 Jan 2016 15:06:25 +0000 (16:06 +0100)]
auth/auth_sam_reply: make auth_convert_user_info_dc_sambaseinfo() a private helper

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:rpc_server/netlogon: make use of auth_convert_user_info_dc_saminfo{2,6}()
Stefan Metzmacher [Thu, 7 Jan 2016 14:59:49 +0000 (15:59 +0100)]
s4:rpc_server/netlogon: make use of auth_convert_user_info_dc_saminfo{2,6}()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:rpc_server/netlogon: initialize pointer to NULL in dcesrv_netr_LogonSamLogon_base()
Stefan Metzmacher [Thu, 7 Jan 2016 14:59:03 +0000 (15:59 +0100)]
s4:rpc_server/netlogon: initialize pointer to NULL in dcesrv_netr_LogonSamLogon_base()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago auth/auth_sam_reply: do a real copy of strings in auth_convert_user_info_dc_sambaseinfo()
Stefan Metzmacher [Thu, 7 Jan 2016 14:46:10 +0000 (15:46 +0100)]
auth/auth_sam_reply: do a real copy of strings in auth_convert_user_info_dc_sambaseinfo()

That's much more expected by callers.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago auth/auth_sam_reply: add auth_convert_user_info_dc_saminfo2() helper function
Stefan Metzmacher [Thu, 7 Jan 2016 14:23:56 +0000 (15:23 +0100)]
auth/auth_sam_reply: add auth_convert_user_info_dc_saminfo2() helper function

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago auth/auth_sam_reply: add auth_convert_user_info_dc_saminfo6() and implement level...
Stefan Metzmacher [Thu, 7 Jan 2016 14:15:14 +0000 (15:15 +0100)]
auth/auth_sam_reply: add auth_convert_user_info_dc_saminfo6() and implement level 3 as wrapper

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago auth/wbc_auth_util: change wbcAuthUserInfo_to_netr_SamInfo* from level 3 to 6
Stefan Metzmacher [Thu, 7 Jan 2016 14:10:26 +0000 (15:10 +0100)]
auth/wbc_auth_util: change wbcAuthUserInfo_to_netr_SamInfo* from level 3 to 6

This includes user_principal_name and dns_domain_name.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago auth/wbc_auth_util: fill in base.logon_domain in wbcAuthUserInfo_to_netr_SamInfo3()
Stefan Metzmacher [Thu, 7 Jan 2016 14:13:09 +0000 (15:13 +0100)]
auth/wbc_auth_util: fill in base.logon_domain in wbcAuthUserInfo_to_netr_SamInfo3()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago auth/auth_sam_reply: let make_user_info_dc_netlogon_validation() correctly handle...
Stefan Metzmacher [Thu, 7 Jan 2016 14:06:46 +0000 (15:06 +0100)]
auth/auth_sam_reply: let make_user_info_dc_netlogon_validation() correctly handle level 6

We need to take care of extra sids in level 3 and 6!
And level 6 also includes user_principal_name and dns_domain_name.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:auth/kerberos: improve error message in kerberos_pac_to_user_info_dc()
Stefan Metzmacher [Thu, 7 Jan 2016 14:01:16 +0000 (15:01 +0100)]
s4:auth/kerberos: improve error message in kerberos_pac_to_user_info_dc()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:auth: fill user_principal_* and dns_domain_name in authsam_make_user_info_dc()
Stefan Metzmacher [Thu, 7 Jan 2016 13:55:07 +0000 (14:55 +0100)]
s4:auth: fill user_principal_* and dns_domain_name in authsam_make_user_info_dc()

This is required in order to support netr_SamInfo6 and PAC_UPN_DNS_INFO
correctly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:auth: make use of lpcfg_sam_name() in authsam_get_user_info_dc_principal()
Stefan Metzmacher [Thu, 7 Jan 2016 13:52:25 +0000 (14:52 +0100)]
s4:auth: make use of lpcfg_sam_name() in authsam_get_user_info_dc_principal()

This is more generic and matches all other places.

As this is only used in the KDC it's not a real logic change.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago auth.idl: add user_principal_* and dns_domain_name to auth_user_info
Stefan Metzmacher [Thu, 7 Jan 2016 13:46:24 +0000 (14:46 +0100)]
auth.idl: add user_principal_* and dns_domain_name to auth_user_info

This is required in order to support netr_SamInfo6 and PAC_UPN_DNS_INFO
correctly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago lib/param: add lpcfg_sam_dnsname() helper function
Stefan Metzmacher [Thu, 7 Jan 2016 13:40:02 +0000 (14:40 +0100)]
lib/param: add lpcfg_sam_dnsname() helper function

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/tests: let password_lockout.py verify the logonCount values
Stefan Metzmacher [Fri, 5 Feb 2016 07:37:53 +0000 (08:37 +0100)]
s4:dsdb/tests: let password_lockout.py verify the logonCount values

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/tests: let password_lockout.py validate the lastLogon and lastLogonTimestamp...
Stefan Metzmacher [Fri, 5 Feb 2016 07:37:53 +0000 (08:37 +0100)]
s4:dsdb/tests: let password_lockout.py validate the lastLogon and lastLogonTimestamp interaction

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/tests: let password_lockout.py test with all combinations of krb5, ntlmssp...
Stefan Metzmacher [Fri, 5 Feb 2016 07:37:53 +0000 (08:37 +0100)]
s4:dsdb/tests: let password_lockout.py test with all combinations of krb5, ntlmssp and lockOutObservationWindow

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/tests: let password_lockout.py verify more fields in _readd_user()
Stefan Metzmacher [Fri, 5 Feb 2016 07:37:53 +0000 (08:37 +0100)]
s4:dsdb/tests: let password_lockout.py verify more fields in _readd_user()

The results differ depending on Kerberos or NTLMSSP usage
and the lockOutObservationWindow.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/tests: let password_lockout.py copy user{name,pass} from the template in...
Stefan Metzmacher [Fri, 5 Feb 2016 07:37:53 +0000 (08:37 +0100)]
s4:dsdb/tests: let password_lockout.py copy user{name,pass} from the template in insta_creds()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/tests: let password_lockout.py use creds and other_ldb as function arguments
Stefan Metzmacher [Fri, 5 Feb 2016 07:37:53 +0000 (08:37 +0100)]
s4:dsdb/tests: let password_lockout.py use creds and other_ldb as function arguments

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/tests: let password_lockout.py use userpass variables in all functions
Stefan Metzmacher [Fri, 5 Feb 2016 07:37:53 +0000 (08:37 +0100)]
s4:dsdb/tests: let password_lockout.py use userpass variables in all functions

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/tests: let password_lockout.py use other_ldb variables instead of self.ldb3
Stefan Metzmacher [Fri, 5 Feb 2016 07:37:53 +0000 (08:37 +0100)]
s4:dsdb/tests: let password_lockout.py use other_ldb variables instead of self.ldb3

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/tests: let password_lockout.py use userdn variables in all functions
Stefan Metzmacher [Fri, 5 Feb 2016 07:37:53 +0000 (08:37 +0100)]
s4:dsdb/tests: let password_lockout.py use userdn variables in all functions

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/tests: let password_lockout.py make use of self.addCleanup() to cleanup objects
Stefan Metzmacher [Fri, 5 Feb 2016 07:37:53 +0000 (08:37 +0100)]
s4:dsdb/tests: let password_lockout.py make use of self.addCleanup() to cleanup objects

This is easier than doing it by hand...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/tests: let password_lockout.py use _readd_user() for testuser3 too
Stefan Metzmacher [Fri, 5 Feb 2016 07:37:53 +0000 (08:37 +0100)]
s4:dsdb/tests: let password_lockout.py use _readd_user() for testuser3 too

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/tests: let password_lockout.py pass creds as argument to _readd_user()
Stefan Metzmacher [Fri, 5 Feb 2016 07:37:53 +0000 (08:37 +0100)]
s4:dsdb/tests: let password_lockout.py pass creds as argument to _readd_user()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/tests: let password_lockout.py use user{name,pass,dn} variables in _readd_user()
Stefan Metzmacher [Fri, 5 Feb 2016 07:37:53 +0000 (08:37 +0100)]
s4:dsdb/tests: let password_lockout.py use user{name,pass,dn} variables in _readd_user()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/tests: let password_lockout.py pass username,userpass optionally to insta_creds()
Stefan Metzmacher [Fri, 5 Feb 2016 07:37:53 +0000 (08:37 +0100)]
s4:dsdb/tests: let password_lockout.py pass username,userpass optionally to insta_creds()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/tests: let password_lockout.py let _readd_user() return the ldb connection...
Stefan Metzmacher [Fri, 5 Feb 2016 07:37:53 +0000 (08:37 +0100)]
s4:dsdb/tests: let password_lockout.py let _readd_user() return the ldb connection as user

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/tests: let password_lockout.py make use of the _readd_user() helper function
Stefan Metzmacher [Fri, 5 Feb 2016 07:37:53 +0000 (08:37 +0100)]
s4:dsdb/tests: let password_lockout.py make use of the _readd_user() helper function

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/tests: let password_lockout.py add a _readd_user() helper function
Stefan Metzmacher [Fri, 5 Feb 2016 07:37:53 +0000 (08:37 +0100)]
s4:dsdb/tests: let password_lockout.py add a _readd_user() helper function

This is a complete copy of the code that's currently inline.
I'm doing this in multiple steps in order to keep the diff
in a reviewable state.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/tests: let password_lockout.py make the LDAP error string checks more useful
Stefan Metzmacher [Fri, 5 Feb 2016 07:37:53 +0000 (08:37 +0100)]
s4:dsdb/tests: let password_lockout.py make the LDAP error string checks more useful

We should first check if the error number is as expected and
then check for a specific WERROR in the error string.

We also add the full error string as msg to assertTrue(),
so we'll actually see it if the assertion is wrong.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/tests: let password_lockout.py cross-check the lastLogon value with samr
Stefan Metzmacher [Fri, 5 Feb 2016 07:37:53 +0000 (08:37 +0100)]
s4:dsdb/tests: let password_lockout.py cross-check the lastLogon value with samr

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/tests: let password_lockout.py reduce the values for lockoutDuration and...
Stefan Metzmacher [Fri, 5 Feb 2016 07:37:53 +0000 (08:37 +0100)]
s4:dsdb/tests: let password_lockout.py reduce the values for lockoutDuration and lockOutObservationWindow

This reduces the runtime of the test while still producing reliable results.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:auth/sam: update the logonCount for interactive logons
Stefan Metzmacher [Wed, 3 Feb 2016 18:33:51 +0000 (19:33 +0100)]
s4:auth/sam: update the logonCount for interactive logons

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:auth/sam: don't update lastLogon just because it's 0 currently
Stefan Metzmacher [Wed, 3 Feb 2016 18:33:51 +0000 (19:33 +0100)]
s4:auth/sam: don't update lastLogon just because it's 0 currently

Non-interactive logons don't trigger an update
unless the (effective) badPwdCount is not 0 and lockoutTime is 0.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:auth/sam: only reset badPwdCount when the effective value is not 0 already
Stefan Metzmacher [Wed, 3 Feb 2016 18:33:51 +0000 (19:33 +0100)]
s4:auth/sam: only reset badPwdCount when the effective value is not 0 already

Non-interactive logons don't reset badPwdCount to 0
when the effective badPwdCount is already 0
(with (badPasswordTime + lockOutObservationWindows) < now).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb: add some const to {samdb_result,dsdb}_effective_badPwdCount()
Stefan Metzmacher [Fri, 29 Apr 2016 11:20:12 +0000 (13:20 +0200)]
s4:dsdb: add some const to {samdb_result,dsdb}_effective_badPwdCount()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago test_pkinit_heimdal.sh: add a FILE: prefix to the KRB5CCNAME variable
Stefan Metzmacher [Fri, 3 Jun 2016 16:19:40 +0000 (18:19 +0200)]
test_pkinit_heimdal.sh: add a FILE: prefix to the KRB5CCNAME variable

This makes the tests more robust.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago test_pkinit_heimdal.sh: add a helper VARIABLE to store the certificate paths
Stefan Metzmacher [Thu, 2 Jun 2016 17:23:27 +0000 (19:23 +0200)]
test_pkinit_heimdal.sh: add a helper VARIABLE to store the certificate paths

We also don't need the separation of admincert.pem and admincertupn.pem
anymore.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago samba-tool: add 'samba-tool user setpassword --smartcard-required/--clear-smartcard...
Stefan Metzmacher [Thu, 2 Jun 2016 13:15:15 +0000 (15:15 +0200)]
samba-tool: add 'samba-tool user setpassword --smartcard-required/--clear-smartcard-required'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago samba-tool: do a password retype validation check for 'samba-tool user setpassword'
Stefan Metzmacher [Thu, 2 Jun 2016 12:25:12 +0000 (14:25 +0200)]
samba-tool: do a password retype validation check for 'samba-tool user setpassword'

This matches the behavior of 'samba-tool user create' and 'samba-tool user password'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago samba-tool: add --smartcard-required option to 'samba-tool user create'
Stefan Metzmacher [Thu, 2 Jun 2016 12:19:37 +0000 (14:19 +0200)]
samba-tool: add --smartcard-required option to 'samba-tool user create'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago samdb.py: add smartcard_required option to newuser()
Stefan Metzmacher [Thu, 2 Jun 2016 12:17:17 +0000 (14:17 +0200)]
samdb.py: add smartcard_required option to newuser()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:kdc: don't allow interactive password logons with UF_SMARTCARD_REQUIRED
Stefan Metzmacher [Thu, 2 Jun 2016 15:47:12 +0000 (17:47 +0200)]
s4:kdc: don't allow interactive password logons with UF_SMARTCARD_REQUIRED

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:auth_sam: don't allow interactive logons with UF_SMARTCARD_REQUIRED
Stefan Metzmacher [Thu, 2 Jun 2016 12:14:06 +0000 (14:14 +0200)]
s4:auth_sam: don't allow interactive logons with UF_SMARTCARD_REQUIRED

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s3:winbindd: pass 'interactive' down through winbindd_dual_auth_passdb()
Stefan Metzmacher [Thu, 2 Jun 2016 16:13:40 +0000 (18:13 +0200)]
s3:winbindd: pass 'interactive' down through winbindd_dual_auth_passdb()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/common: remove unused samdb_result_force_password_change()
Stefan Metzmacher [Fri, 3 Jun 2016 22:53:45 +0000 (00:53 +0200)]
s4:dsdb/common: remove unused samdb_result_force_password_change()

The logic is incomplete and the correct logic is already available
via the constructed "msDS-UserPasswordExpiryTimeComputed" attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:kdc: use "msDS-UserPasswordExpiryTimeComputed" instead of samdb_result_force_passw...
Stefan Metzmacher [Fri, 3 Jun 2016 22:48:56 +0000 (00:48 +0200)]
s4:kdc: use "msDS-UserPasswordExpiryTimeComputed" instead of samdb_result_force_password_change()

The logic in samdb_result_force_password_change() is incomplete
and the correct logic is already available via the constructed
"msDS-UserPasswordExpiryTimeComputed" attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:rpc_server/samr: use "msDS-UserPasswordExpiryTimeComputed" instead of samdb_result...
Stefan Metzmacher [Fri, 3 Jun 2016 22:48:56 +0000 (00:48 +0200)]
s4:rpc_server/samr: use "msDS-UserPasswordExpiryTimeComputed" instead of samdb_result_force_password_change()

The logic in samdb_result_force_password_change() is incomplete
and the correct logic is already available via the constructed
"msDS-UserPasswordExpiryTimeComputed" attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:auth/sam: use "msDS-UserPasswordExpiryTimeComputed" instead of samdb_result_force_...
Stefan Metzmacher [Fri, 3 Jun 2016 22:48:56 +0000 (00:48 +0200)]
s4:auth/sam: use "msDS-UserPasswordExpiryTimeComputed" instead of samdb_result_force_password_change()

The logic in samdb_result_force_password_change() is incomplete
and the correct logic is already available via the constructed
"msDS-UserPasswordExpiryTimeComputed" attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago krb5pac.idl: add PAC_CREDENTIAL related structures
Stefan Metzmacher [Mon, 2 May 2016 06:36:39 +0000 (08:36 +0200)]
krb5pac.idl: add PAC_CREDENTIAL related structures

See [MS-PAC] 2.6 PAC Credentials.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:kdc: add some const to samba_get_logon_info_pac_blob()
Stefan Metzmacher [Fri, 13 May 2016 12:20:07 +0000 (14:20 +0200)]
s4:kdc: add some const to samba_get_logon_info_pac_blob()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago auth/auth_sam_reply: add some const to input parameters
Stefan Metzmacher [Thu, 7 Jan 2016 13:50:27 +0000 (14:50 +0100)]
auth/auth_sam_reply: add some const to input parameters

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago tsocket: Do not dereference a NULL pointer
Andreas Schneider [Wed, 22 Jun 2016 13:36:59 +0000 (15:36 +0200)]
tsocket: Do not dereference a NULL pointer

Make sure the lrbsda pointer is not allocated and we will
not end up dereferencing a NULL pointer. In practice this
can't happen, but this change links the pointer with the
code that uses it.

Found by Coverity.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jun 30 02:53:02 CEST 2016 on sn-devel-144

7 years ago s4: ldb: Ignore case of "range" in sscanf as we've already checked for its presence.
Jeremy Allison [Tue, 28 Jun 2016 22:38:22 +0000 (15:38 -0700)]
s4: ldb: Ignore case of "range" in sscanf as we've already checked for its presence.

https://bugzilla.samba.org/show_bug.cgi?id=11838

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s3-winbind: Fix memory leak with each cached credential login
Andreas Schneider [Wed, 29 Jun 2016 11:38:19 +0000 (13:38 +0200)]
s3-winbind: Fix memory leak with each cached credential login

When we allow offline logon and have a lot of logins, winbind will leak
4k of memory with each login. On systems with heavy load this can grow
quickly and the OOM killer will kill Winbind.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11999

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jun 29 19:03:53 CEST 2016 on sn-devel-144

7 years ago selftest: Skip the samba4.raw.eas tests
Andreas Schneider [Mon, 27 Jun 2016 09:04:48 +0000 (11:04 +0200)]
selftest: Skip the samba4.raw.eas tests

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago selftest: Skip also s4 base.createx_sharemodes_dir
Andreas Schneider [Mon, 27 Jun 2016 08:14:03 +0000 (10:14 +0200)]
selftest: Skip also s4 base.createx_sharemodes_dir

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago selftest: Remove samba4.smb2.compound tests we skip
Andreas Schneider [Mon, 27 Jun 2016 07:45:19 +0000 (09:45 +0200)]
selftest: Remove samba4.smb2.compound tests we skip

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago selftest: Remove samba4 delaywrite tests we skip
Andreas Schneider [Mon, 27 Jun 2016 07:36:24 +0000 (09:36 +0200)]
selftest: Remove samba4 delaywrite tests we skip

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago selftest: Skip s4 smb2 rename tests
Andreas Schneider [Mon, 27 Jun 2016 07:08:02 +0000 (09:08 +0200)]
selftest: Skip s4 smb2 rename tests

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago selftest: Skip the Samba4 rap tests
Andreas Schneider [Mon, 27 Jun 2016 06:49:24 +0000 (08:49 +0200)]
selftest: Skip the Samba4 rap tests

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago selftest: Skip smbtorture_s3 tests against ntvfs
Andreas Schneider [Mon, 27 Jun 2016 06:45:15 +0000 (08:45 +0200)]
selftest: Skip smbtorture_s3 tests against ntvfs

This reduces the time our testsuite is running. We are not going to
implement these features so it doesn't make sense to run the test at
all. More will follow.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago s3: tdb: On some platforms pthread_mutex_trylock() returns EBUSY not EDEADLK.
Jeremy Allison [Tue, 28 Jun 2016 19:26:40 +0000 (12:26 -0700)]
s3: tdb: On some platforms pthread_mutex_trylock() returns EBUSY not EDEADLK.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jun 29 15:14:44 CEST 2016 on sn-devel-144

7 years ago s4/selftests: test net ads dns register/unregister.
Richard Sharpe [Sun, 19 Jun 2016 04:51:26 +0000 (21:51 -0700)]
s4/selftests: test net ads dns register/unregister.

Add a new test for the net ads dns commands and the needed self test
setup. Currently tests that we can register a name and that it
turns up. Also, tests that we can register with -P.

Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Jun 28 22:35:35 CEST 2016 on sn-devel-144

7 years ago ldb: Fix CID 1362935: CHECKED_RETURN
Volker Lendecke [Tue, 28 Jun 2016 12:41:19 +0000 (14:41 +0200)]
ldb: Fix CID 1362935: CHECKED_RETURN

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
7 years ago libnet: Fix CID 1362934: CHECKED_RETURN
Volker Lendecke [Tue, 28 Jun 2016 12:38:57 +0000 (14:38 +0200)]
libnet: Fix CID 1362934: CHECKED_RETURN

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
7 years ago s3: tldap: Make tldap_gensec_bind_send()/tldap_gensec_bind_recv() static.
Jeremy Allison [Mon, 27 Jun 2016 17:39:02 +0000 (10:39 -0700)]
s3: tldap: Make tldap_gensec_bind_send()/tldap_gensec_bind_recv() static.

Only expose a synchronous tldap_gensec_bind() call, as it can't
really be async anyway.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Jun 28 11:19:33 CEST 2016 on sn-devel-144

7 years ago s3: tldap: Remove asynchronous calls to gensec_update_send()/_recv() as for the spneg...
Jeremy Allison [Fri, 24 Jun 2016 18:40:10 +0000 (11:40 -0700)]
s3: tldap: Remove asynchronous calls to gensec_update_send()/_recv() as for the spnego backend they're synchronous anyway.

This should prevent nested event loops, and won't make the
code performance worse anyway.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
7 years ago selftest: test idmap backend id allocation for unknown SIDS
Ralph Boehme [Sun, 12 Jun 2016 17:03:11 +0000 (19:03 +0200)]
selftest: test idmap backend id allocation for unknown SIDS

If an SID is not found because the RID doesn't exist in a domain and
the domain is configured to use a non-allocating idmap backend like
idmap_ad or idmap_rfc2307, winbindd must not return a mapping for the
SID.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
7 years ago selftest: make autorid the default idmap backend in admember_rfc2307
Ralph Boehme [Fri, 24 Jun 2016 16:33:01 +0000 (18:33 +0200)]
selftest: make autorid the default idmap backend in admember_rfc2307

This is needed for a new test in the next commit. Existing tests aren't
affected by this, at least a private autobuild passed with this
change.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
7 years ago winbindd: in wb_lookupsids return domain name if we have it
Ralph Boehme [Fri, 24 Jun 2016 13:16:42 +0000 (15:16 +0200)]
winbindd: in wb_lookupsids return domain name if we have it

When doing a SID to xid mapping for an unknown SID, the idmap child gets
passed a lsa_RefDomainList with an empty domain name (i.e. ""). This is
coming from LsaLookupSids() and causes the mapping request to end up in
the default idmap domain.

Example request with domain name "":

  wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
     in: struct wbint_Sids2UnixIDs
         domains                  : *
             domains: struct lsa_RefDomainList
                 count                    : 0x00000001 (1)
                 domains                  : *
                     domains: ARRAY(1)
                         domains: struct lsa_DomainInfo
                             name: struct lsa_StringLarge
                                 length                   : 0x0000 (0)
                                 size                     : 0x0002 (2)
                                 string                   : *
                                     string                   : ''
                             sid                      : *
                                 sid                      : S-1-5-21-3152989960-574718769-2188965058
                 max_size                 : 0x00000020 (32)
         ids                      : *
             ids: struct wbint_TransIDArray
                 num_ids                  : 0x00000001 (1)
                 ids: ARRAY(1)
                     ids: struct wbint_TransID
                         type                     : ID_TYPE_NOT_SPECIFIED (0)
                         domain_index             : 0x00000000 (0)
                         rid                      : 0x000029aa (66666)
                         xid: struct unixid
                             id                       : 0xffffffff (4294967295)
                             type                     : ID_TYPE_NOT_SPECIFIED (0)

In _wbint_Sids2UnixIDs() we call idmap_find_domain_with_sid() with the
domain name "" and this triggers use of the default idmap domain which
in case of idmap_autorid will allocate an id from an idmap_autorid range.

If we know the domain, ensure we return it for SIDs where the SID was not
found but the domain of the SID was found. Callers like sids2xids depend
on the domain name and returning an empty string "" for a valid domain can
trigger unwanted idmap range allocations.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
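
The domain selection this commit message describes, as an added example that is not part of the commit or of Samba's code: a simplified C model showing why an empty domain name ends up allocating an id from the default domain. `ADDOM`, the id range starting at 100000 and every function name are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not Samba code: all names and values are hypothetical. */
struct idmap_dom {
	const char *name;   /* "*" marks the default idmap domain */
	bool allocating;    /* autorid-style backend: hands out new ids */
	uint32_t next_id;
};
static struct idmap_dom doms[] = {
	{ "ADDOM", false, 0 },   /* rfc2307/ad-style backend: never allocates */
	{ "*", true, 100000 },   /* default domain, kept as the last entry */
};

/* Select by name; an empty or unknown name falls through to the default. */
static struct idmap_dom *find_domain(const char *name)
{
	size_t n = sizeof(doms) / sizeof(doms[0]);
	for (size_t i = 0; i + 1 < n; i++)
		if (strcmp(doms[i].name, name) == 0)
			return &doms[i];
	return &doms[n - 1];
}

/* Map a SID whose RID does not exist: succeeds only if the backend allocates. */
static bool map_unknown_rid(const char *dom_name, uint32_t *xid)
{
	struct idmap_dom *d = find_domain(dom_name);
	if (!d->allocating)
		return false;    /* correct outcome: no mapping is returned */
	*xid = d->next_id++;     /* unwanted outcome: an id is allocated */
	return true;
}

/* Lookup result for a not-found SID: "" before the fix, the domain name after. */
static const char *lookup_domain_name(bool domain_known, bool fixed)
{
	return (domain_known && fixed) ? "ADDOM" : "";
}

int main(void)
{
	uint32_t a = 0, b = 0;
	printf("old: mapped=%d\n", map_unknown_rid(lookup_domain_name(true, false), &a));
	printf("new: mapped=%d\n", map_unknown_rid(lookup_domain_name(true, true), &b));
	return 0;
}
```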
7 years ago winbindd/idmap_rfc2307: fix a crash
Ralph Boehme [Fri, 24 Jun 2016 16:31:45 +0000 (18:31 +0200)]
winbindd/idmap_rfc2307: fix a crash

map->map is NULL if lookupsid failed.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
7 years ago s3:utils/net: Add new option 'unregister' in 'net ads dns' command.
Shyamsunder Rathi [Sun, 26 Jun 2016 23:26:53 +0000 (16:26 -0700)]
s3:utils/net: Add new option 'unregister' in 'net ads dns' command.

This new option allows DNS names to be unregistered and removes all
IP entries for a given name in the specified AD server.

Signed-off-by: Shyamsunder Rathi <shyam.rathi@nutanic.com>
Reviewed-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Richard Sharpe <sharpe@samba.org>
Autobuild-Date(master): Mon Jun 27 20:43:26 CEST 2016 on sn-devel-144

7 years ago s4:dsdb/tests: add pwdLastSet tests
Stefan Metzmacher [Fri, 27 May 2016 14:52:00 +0000 (16:52 +0200)]
s4:dsdb/tests: add pwdLastSet tests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jun 27 08:52:48 CEST 2016 on sn-devel-144

7 years ago s4:dsdb/samldb: pwdLastSet = -1 requires Unexpire-Password right
Stefan Metzmacher [Wed, 1 Jun 2016 09:13:47 +0000 (11:13 +0200)]
s4:dsdb/samldb: pwdLastSet = -1 requires Unexpire-Password right

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/samldb: fix comment "lockoutTime" reset as per MS-SAMR 3.1.1.8.10
Stefan Metzmacher [Fri, 27 May 2016 14:54:40 +0000 (16:54 +0200)]
s4:dsdb/samldb: fix comment "lockoutTime" reset as per MS-SAMR 3.1.1.8.10

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/password_hash: only allow pwdLastSet as "0" or "-1"
Stefan Metzmacher [Tue, 31 May 2016 13:21:58 +0000 (15:21 +0200)]
s4:dsdb/password_hash: only allow pwdLastSet as "0" or "-1"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:rpc_server/samr: only set pwdLastSet to "0" or "-1"
Stefan Metzmacher [Tue, 24 May 2016 06:51:45 +0000 (08:51 +0200)]
s4:rpc_server/samr: only set pwdLastSet to "0" or "-1"

The password_hash module will take care of translating "-1"
to the current time.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/password_hash: allow pwdLastSet only changes
Stefan Metzmacher [Thu, 11 Feb 2016 19:07:18 +0000 (20:07 +0100)]
s4:dsdb/password_hash: allow pwdLastSet only changes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/password_hash: make it possible to specify pwdLastSet together with a passwor...
Stefan Metzmacher [Tue, 31 May 2016 13:21:58 +0000 (15:21 +0200)]
s4:dsdb/password_hash: make it possible to specify pwdLastSet together with a password change

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/password_hash: handle the DSDB_CONTROL_PASSWORD_DEFAULT_LAST_SET control
Stefan Metzmacher [Tue, 31 May 2016 13:21:58 +0000 (15:21 +0200)]
s4:dsdb/password_hash: handle the DSDB_CONTROL_PASSWORD_DEFAULT_LAST_SET control

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/password_hash: make the DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET code path more...
Stefan Metzmacher [Mon, 30 May 2016 15:12:51 +0000 (17:12 +0200)]
s4:dsdb/password_hash: make the DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET code path more robust

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/password_hash: only set pwdLastSet if required
Stefan Metzmacher [Tue, 31 May 2016 09:44:43 +0000 (11:44 +0200)]
s4:dsdb/password_hash: only set pwdLastSet if required

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/password_hash: create a shallow copy of the client message for the final...
Stefan Metzmacher [Tue, 31 May 2016 08:53:57 +0000 (10:53 +0200)]
s4:dsdb/password_hash: create a shallow copy of the client message for the final update

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/password_hash: move ldb_msg_add_empty() calls to update_final_msg()
Stefan Metzmacher [Tue, 31 May 2016 08:39:23 +0000 (10:39 +0200)]
s4:dsdb/password_hash: move ldb_msg_add_empty() calls to update_final_msg()

We should only replace attributes when we're asked to do so.
Currently that's always the case, but that will change soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago s4:dsdb/password_hash: remember if we need to update the passwords and/or pwdLastSet
Stefan Metzmacher [Tue, 31 May 2016 08:09:58 +0000 (10:09 +0200)]
s4:dsdb/password_hash: remember if we need to update the passwords and/or pwdLastSet

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>