sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00
Code
97dc127b81
samba-mirror/auth/ntlmssp/gensec_ntlmssp_server.c

221 lines
7.0 KiB
C
Raw Normal View History

auth: Move the rest of the source4 gensec_ntlmssp code to the top level The ntlmssp_server code will be in common shortly, and aside from a symbol name or two, moving the client code causes no harm and makes less mess. We will also get the client code in common very soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-30 15:42:39 +04:00
/*
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
Unix SMB/Netbios implementation.
Version 3.0
handle NLTMSSP, client server side parsing
Copyright (C) Andrew Tridgell 2001
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005
Copyright (C) Stefan Metzmacher 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-07-10 06:07:03 +04:00
the Free Software Foundation; either version 3 of the License, or
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
(at your option) any later version.
auth: Move the rest of the source4 gensec_ntlmssp code to the top level The ntlmssp_server code will be in common shortly, and aside from a symbol name or two, moving the client code causes no harm and makes less mess. We will also get the client code in common very soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-30 15:42:39 +04:00
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
auth: Move the rest of the source4 gensec_ntlmssp code to the top level The ntlmssp_server code will be in common shortly, and aside from a symbol name or two, moving the client code causes no harm and makes less mess. We will also get the client code in common very soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-30 15:42:39 +04:00
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
You should have received a copy of the GNU General Public License
r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-07-10 06:07:03 +04:00
along with this program. If not, see <http://www.gnu.org/licenses/>.
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
*/
#include "includes.h"
s4:auth: try to fix the build on Solaris MAXHOSTNAMELEN comes in via system/network.h now. metze
2009-01-31 13:34:12 +03:00
#include "system/network.h"
s4-gensec: Replace gensec_get_peer_addr with new tsocket based fn.
2009-12-16 18:41:21 +03:00
#include "lib/tsocket/tsocket.h"
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
#include "auth/ntlmssp/ntlmssp.h"
Add in support for the NTLMSSP version reply. Jeremy.
2010-05-24 22:03:42 +04:00
#include "../librpc/gen_ndr/ndr_ntlmssp.h"
ntlmssp: Move ntlmssp code to auth/ntlmssp This brings in the code from both libcli/auth and source4/auth/ntlmssp. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-07-25 10:04:38 +04:00
#include "auth/ntlmssp/ntlmssp_ndr.h"
#include "auth/ntlmssp/ntlmssp_private.h"
Fix Samba4 build errors with common libcli/samsync
2009-04-16 04:17:17 +04:00
#include "../libcli/auth/libcli_auth.h"
Move source4/lib/crypto to lib/crypto.
2008-09-24 17:30:23 +04:00
#include "../lib/crypto/crypto.h"
r19598: Ahead of a merge to current lorikeet-heimdal: Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
2006-11-07 03:48:36 +03:00
#include "auth/gensec/gensec.h"
auth/gensec: introduce gensec_internal.h We should treat most gensec related structures private. It's a long way, but this is a start. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-05 09:12:01 +04:00
#include "auth/gensec/gensec_internal.h"
auth: Move the rest of the source4 gensec_ntlmssp code to the top level The ntlmssp_server code will be in common shortly, and aside from a symbol name or two, moving the client code causes no harm and makes less mess. We will also get the client code in common very soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-30 15:42:39 +04:00
#include "auth/common_auth.h"
r25026: Move param/param.h out of includes.h (This used to be commit abe8349f9b4387961ff3665d8c589d61cd2edf31)
2007-09-08 16:42:09 +04:00
#include "param/param.h"
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
s4:ntlmssp Re-add gensec_ntlmssp wrapper to allow merge with source3/ By re-adding this wrapper, the actual guts of these functions are now very similar to that found in source3/libsmb/ntlmssp.c This should make it easier to merge the implementations. Andrew Bartlett
2010-08-06 11:53:44 +04:00
auth: Move the rest of the source4 gensec_ntlmssp code to the top level The ntlmssp_server code will be in common shortly, and aside from a symbol name or two, moving the client code causes no harm and makes less mess. We will also get the client code in common very soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-30 15:42:39 +04:00
/**
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
* Return the credentials of a logged on user, including session keys
* etc.
*
* Only valid after a successful authentication
*
* May only be called once per authentication.
*
*/
NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security,
gensec: clarify memory ownership for gensec_session_info() and gensec_session_key() This is slightly less efficient, because we no longer keep a cache on the gensec structures, but much clearer in terms of memory ownership. Both gensec_session_info() and gensec_session_key() now take a mem_ctx and put the result only on that context. Some duplication of memory in the callers (who were rightly uncertain about who was the rightful owner of the returned memory) has been removed to compensate for the internal copy. Andrew Bartlett
2011-08-01 09:39:01 +04:00
TALLOC_CTX *mem_ctx,
auth: Move the rest of the source4 gensec_ntlmssp code to the top level The ntlmssp_server code will be in common shortly, and aside from a symbol name or two, moving the client code causes no harm and makes less mess. We will also get the client code in common very soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-30 15:42:39 +04:00
struct auth_session_info **session_info)
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
{
NTSTATUS nt_status;
s4:ntlmssp: remove backend specifix stuff from (gensec_)ntlmssp_state Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2009-12-29 19:56:56 +03:00
struct gensec_ntlmssp_context *gensec_ntlmssp =
s4:ntlmssp: keep struct gensec_ntlmssp_context in gensec_security->private_data Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2009-12-30 10:23:13 +03:00
talloc_get_type_abort(gensec_security->private_data,
s4:ntlmssp: remove backend specifix stuff from (gensec_)ntlmssp_state Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2009-12-29 19:56:56 +03:00
struct gensec_ntlmssp_context);
gensec: inline gensec_generate_session_info() into only caller This avoids casting to and from the struct auth_user_info_dc *user_info_dc to to this, the if (user_info_dc->info->authenticated) is moved into auth_generate_session_info_wrapper(), which is the function that gensec_security->auth_context->generate_session_info points to. Andrew Bartlett
2012-01-30 04:53:04 +04:00
uint32_t session_info_flags = 0;
if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
}
session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info) {
auth: Reorder arguments to generate_session_info This matches check_ntlm_password() and generate_session_info_pac() Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Sat Feb 18 02:19:35 CET 2012 on sn-devel-104
2012-02-04 10:49:49 +04:00
nt_status = gensec_security->auth_context->generate_session_info(gensec_security->auth_context, mem_ctx,
gensec: inline gensec_generate_session_info() into only caller This avoids casting to and from the struct auth_user_info_dc *user_info_dc to to this, the if (user_info_dc->info->authenticated) is moved into auth_generate_session_info_wrapper(), which is the function that gensec_security->auth_context->generate_session_info points to. Andrew Bartlett
2012-01-30 04:53:04 +04:00
gensec_ntlmssp->server_returned_info,
auth: Pass in the SMB username (for %U) into generate_session_info This matches what Samba3 does. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Mon Feb 13 01:25:59 CET 2012 on sn-devel-104
2012-01-30 14:49:33 +04:00
gensec_ntlmssp->ntlmssp_state->user,
gensec: inline gensec_generate_session_info() into only caller This avoids casting to and from the struct auth_user_info_dc *user_info_dc to to this, the if (user_info_dc->info->authenticated) is moved into auth_generate_session_info_wrapper(), which is the function that gensec_security->auth_context->generate_session_info points to. Andrew Bartlett
2012-01-30 04:53:04 +04:00
session_info_flags,
session_info);
} else {
DEBUG(0, ("Cannot generate a session_info without the auth_context\n"));
return NT_STATUS_INTERNAL_ERROR;
}
auth: Move the rest of the source4 gensec_ntlmssp code to the top level The ntlmssp_server code will be in common shortly, and aside from a symbol name or two, moving the client code causes no harm and makes less mess. We will also get the client code in common very soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-30 15:42:39 +04:00
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
NT_STATUS_NOT_OK_RETURN(nt_status);
auth: Cope with NO_USER_SESSION_KEY from security=server Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-31 11:14:19 +04:00
nt_status = gensec_ntlmssp_session_key(gensec_security, *session_info,
&(*session_info)->session_key);
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_USER_SESSION_KEY)) {
(*session_info)->session_key = data_blob_null;
nt_status = NT_STATUS_OK;
}
return nt_status;
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
}
/**
auth: Move the rest of the source4 gensec_ntlmssp code to the top level The ntlmssp_server code will be in common shortly, and aside from a symbol name or two, moving the client code causes no harm and makes less mess. We will also get the client code in common very soon. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-30 15:42:39 +04:00
* Start NTLMSSP on the server side
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
*
*/
NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
{
NTSTATUS nt_status;
s4:ntlmssp: rename gensec_ntlmssp_state => ntlmssp_state Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2009-12-30 19:57:54 +03:00
struct ntlmssp_state *ntlmssp_state;
s4:ntlmssp: remove backend specifix stuff from (gensec_)ntlmssp_state Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2009-12-29 19:56:56 +03:00
struct gensec_ntlmssp_context *gensec_ntlmssp;
auth: Provide a way to specify the NTLMSSP server name to GENSEC This avoids us needing to assume lp_netbios_name().lp_dnsdomain() if the caller knows better. This will allow preservation of current s3 behaviour. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-31 09:17:04 +04:00
const char *netbios_name;
const char *netbios_domain;
const char *dns_name;
const char *dns_domain;
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
nt_status = gensec_ntlmssp_start(gensec_security);
NT_STATUS_NOT_OK_RETURN(nt_status);
ntlmssp: Prepare gensec_ntlmssp_start() for broader use This moves the allocation of the ntlmssp pointer back to the callers. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-07-26 06:32:08 +04:00
gensec_ntlmssp =
talloc_get_type_abort(gensec_security->private_data,
struct gensec_ntlmssp_context);
ntlmssp_state = talloc_zero(gensec_ntlmssp,
struct ntlmssp_state);
if (!ntlmssp_state) {
return NT_STATUS_NO_MEMORY;
}
gensec_ntlmssp->ntlmssp_state = ntlmssp_state;
s4:ntlmssp: rename gensec_ntlmssp_state => ntlmssp_state Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2009-12-30 19:57:54 +03:00
ntlmssp_state->role = NTLMSSP_SERVER;
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
s4:ntlmssp: rename gensec_ntlmssp_state => ntlmssp_state Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2009-12-30 19:57:54 +03:00
ntlmssp_state->expected_state = NTLMSSP_NEGOTIATE;
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
auth: Rearrange ntlmssp code for clarity Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-31 08:57:06 +04:00
if (lpcfg_lanman_auth(gensec_security->settings->lp_ctx) &&
gensec_setting_bool(gensec_security->settings,
"ntlmssp_server", "allow_lm_key", false))
{
ntlmssp_state->allow_lm_key = true;
}
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
s4:ntlmssp: rename gensec_ntlmssp_state => ntlmssp_state Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2009-12-30 19:57:54 +03:00
ntlmssp_state->neg_flags =
s4-ntlmssp: use NTLMSSP headers from IDL and remove duplicate constants. Guenther
2009-08-25 14:12:59 +04:00
NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_VERSION;
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
Add gensec_settings structure. This wraps loadparm_context for now, but should in the future only contain some settings required for gensec.
2008-11-02 04:05:48 +03:00
if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "128bit", true)) {
s4:ntlmssp: rename gensec_ntlmssp_state => ntlmssp_state Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2009-12-30 19:57:54 +03:00
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128;
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
}
Add gensec_settings structure. This wraps loadparm_context for now, but should in the future only contain some settings required for gensec.
2008-11-02 04:05:48 +03:00
if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "56bit", true)) {
s4:ntlmssp: rename gensec_ntlmssp_state => ntlmssp_state Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2009-12-30 19:57:54 +03:00
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56;
r16961: Merge 'seperate policy from logic' changes from Samba3. The 56-bit flag is handled just like all the others. Also negotiate the unknown 0x02000000 flag, to match windows. Andrew Bartlett (This used to be commit 1d0befdb681ed9974d1bdff46ce56353552ee0e0)
2006-07-12 04:02:50 +04:00
}
Add gensec_settings structure. This wraps loadparm_context for now, but should in the future only contain some settings required for gensec.
2008-11-02 04:05:48 +03:00
if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "keyexchange", true)) {
s4:ntlmssp: rename gensec_ntlmssp_state => ntlmssp_state Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2009-12-30 19:57:54 +03:00
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH;
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
}
Add gensec_settings structure. This wraps loadparm_context for now, but should in the future only contain some settings required for gensec.
2008-11-02 04:05:48 +03:00
if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "alwayssign", true)) {
s4:ntlmssp: rename gensec_ntlmssp_state => ntlmssp_state Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2009-12-30 19:57:54 +03:00
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
r19805: Add the (harmless, but apparently default) NTLMSSP_NEGOTIATE_ALWAYS_SIGN flags into the default set. Andrew Bartlett (This used to be commit 04709c75afda0234c7236fba674bf53a265f8dbb)
2006-11-20 23:58:00 +03:00
}
Add gensec_settings structure. This wraps loadparm_context for now, but should in the future only contain some settings required for gensec.
2008-11-02 04:05:48 +03:00
if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "ntlm2", true)) {
s4:ntlmssp: rename gensec_ntlmssp_state => ntlmssp_state Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2009-12-30 19:57:54 +03:00
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
}
auth: Set NTLMSSP_NEGOTIATE_SIGN when session key support is required This matches the s3 NTLMSSP server. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-31 08:40:53 +04:00
if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
s4:ntlmssp: rename gensec_ntlmssp_state => ntlmssp_state Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2009-12-30 19:57:54 +03:00
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
}
if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
s4-auth: match the new s3 gensec client and always negotiate SIGN with SEAL Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-15 06:19:41 +04:00
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
s4:ntlmssp: rename gensec_ntlmssp_state => ntlmssp_state Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2009-12-30 19:57:54 +03:00
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
r6464: Remove the last of the Samba3 NTLMSSP API. This removes the rudundent struct ntlmssp_state, and pushes all the member elements into struct gensec_ntlmssp_state. This also removes the 2-layer start function, caused by the previous double abstraction layer. Andrew Bartlett (This used to be commit eebbb4205b335214d24974f3be825846f6227f0c)
2005-04-25 14:33:00 +04:00
}
s4-loadparm: 2nd half of lp_ to lpcfg_ conversion this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-16 08:32:42 +04:00
if (lpcfg_server_role(gensec_security->settings->lp_ctx) == ROLE_STANDALONE) {
s4:ntlmssp: rename gensec_ntlmssp_state => ntlmssp_state Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2009-12-30 19:57:54 +03:00
ntlmssp_state->server.is_standalone = true;
s4:ntlmssp: replace server_role by a server.is_standalone in (gensec_)ntlmssp_state Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2009-12-30 12:14:07 +03:00
} else {
s4:ntlmssp: rename gensec_ntlmssp_state => ntlmssp_state Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2009-12-30 19:57:54 +03:00
ntlmssp_state->server.is_standalone = false;
s4:ntlmssp: replace server_role by a server.is_standalone in (gensec_)ntlmssp_state Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2009-12-30 12:14:07 +03:00
}
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
auth: Allow the netbios name and domain to be set from winbindd in ntlm_auth3 Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Fri Feb 17 12:18:51 CET 2012 on sn-devel-104
2012-02-06 11:02:11 +04:00
if (gensec_security->settings->server_netbios_name) {
netbios_name = gensec_security->settings->server_netbios_name;
} else {
netbios_name = lpcfg_netbios_name(gensec_security->settings->lp_ctx);
}
if (gensec_security->settings->server_netbios_domain) {
netbios_domain = gensec_security->settings->server_netbios_domain;
} else {
netbios_domain = lpcfg_workgroup(gensec_security->settings->lp_ctx);
}
s4:ntlmssp: calculate server names at startup and store them in (gensec_)ntlmssp_state->server.* Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2009-12-30 17:14:38 +03:00
auth: Provide a way to specify the NTLMSSP server name to GENSEC This avoids us needing to assume lp_netbios_name().lp_dnsdomain() if the caller knows better. This will allow preservation of current s3 behaviour. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-31 09:17:04 +04:00
if (gensec_security->settings->server_dns_name) {
dns_name = gensec_security->settings->server_dns_name;
} else {
s4:auth/ntlmssp/ntlmssp_server.c - add "const" in front of "dnsdomain" Signed-off-by: Metze
2011-05-07 12:37:24 +04:00
const char *dnsdomain = lpcfg_dnsdomain(gensec_security->settings->lp_ctx);
auth: Provide a way to specify the NTLMSSP server name to GENSEC This avoids us needing to assume lp_netbios_name().lp_dnsdomain() if the caller knows better. This will allow preservation of current s3 behaviour. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-31 09:17:04 +04:00
char *lower_netbiosname;
lower_netbiosname = strlower_talloc(ntlmssp_state, netbios_name);
NT_STATUS_HAVE_NO_MEMORY(lower_netbiosname);
s4:ntlmssp: calculate server names at startup and store them in (gensec_)ntlmssp_state->server.* Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2009-12-30 17:14:38 +03:00
/* Find out the DNS host name */
Remove strlower_m() and strupper_m() from source4 and common code. This function is problematic because a string may expand in size when changed into upper or lower case. This will then push characters off the end of the string in the s3 implementation, or panic in the former s4 implementation. Andrew Bartlett
2011-05-03 06:16:16 +04:00
if (dnsdomain && dnsdomain[0] != '\0') {
auth: Provide a way to specify the NTLMSSP server name to GENSEC This avoids us needing to assume lp_netbios_name().lp_dnsdomain() if the caller knows better. This will allow preservation of current s3 behaviour. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-31 09:17:04 +04:00
dns_name = talloc_asprintf(ntlmssp_state, "%s.%s",
lower_netbiosname,
dnsdomain);
Remove strlower_m() and strupper_m() from source4 and common code. This function is problematic because a string may expand in size when changed into upper or lower case. This will then push characters off the end of the string in the s3 implementation, or panic in the former s4 implementation. Andrew Bartlett
2011-05-03 06:16:16 +04:00
talloc_free(lower_netbiosname);
auth: Provide a way to specify the NTLMSSP server name to GENSEC This avoids us needing to assume lp_netbios_name().lp_dnsdomain() if the caller knows better. This will allow preservation of current s3 behaviour. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-31 09:17:04 +04:00
NT_STATUS_HAVE_NO_MEMORY(dns_name);
Remove strlower_m() and strupper_m() from source4 and common code. This function is problematic because a string may expand in size when changed into upper or lower case. This will then push characters off the end of the string in the s3 implementation, or panic in the former s4 implementation. Andrew Bartlett
2011-05-03 06:16:16 +04:00
} else {
auth: Provide a way to specify the NTLMSSP server name to GENSEC This avoids us needing to assume lp_netbios_name().lp_dnsdomain() if the caller knows better. This will allow preservation of current s3 behaviour. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-31 09:17:04 +04:00
dns_name = lower_netbiosname;
s4:ntlmssp: calculate server names at startup and store them in (gensec_)ntlmssp_state->server.* Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2009-12-30 17:14:38 +03:00
}
auth: Provide a way to specify the NTLMSSP server name to GENSEC This avoids us needing to assume lp_netbios_name().lp_dnsdomain() if the caller knows better. This will allow preservation of current s3 behaviour. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-31 09:17:04 +04:00
}
s4:ntlmssp: calculate server names at startup and store them in (gensec_)ntlmssp_state->server.* Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2009-12-30 17:14:38 +03:00
auth: Provide a way to specify the NTLMSSP server name to GENSEC This avoids us needing to assume lp_netbios_name().lp_dnsdomain() if the caller knows better. This will allow preservation of current s3 behaviour. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-31 09:17:04 +04:00
if (gensec_security->settings->server_dns_domain) {
dns_domain = gensec_security->settings->server_dns_domain;
} else {
dns_domain = lpcfg_dnsdomain(gensec_security->settings->lp_ctx);
s4:ntlmssp: calculate server names at startup and store them in (gensec_)ntlmssp_state->server.* Inspired by the NTLMSSP merge work by Andrew Bartlett. metze Signed-off-by: Günther Deschner <gd@samba.org>
2009-12-30 17:14:38 +03:00
}
auth: Provide a way to specify the NTLMSSP server name to GENSEC This avoids us needing to assume lp_netbios_name().lp_dnsdomain() if the caller knows better. This will allow preservation of current s3 behaviour. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-31 09:17:04 +04:00
ntlmssp_state->server.netbios_name = talloc_strdup(ntlmssp_state, netbios_name);
NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->server.netbios_name);
ntlmssp_state->server.netbios_domain = talloc_strdup(ntlmssp_state, netbios_domain);
NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->server.netbios_domain);
ntlmssp_state->server.dns_name = talloc_strdup(ntlmssp_state, dns_name);
NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->server.dns_name);
ntlmssp_state->server.dns_domain = talloc_strdup(ntlmssp_state, dns_domain);
NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->server.dns_domain);
r6458: Split up NTLMSSP into a new directory, and into seperate files for the client and server logic code. In future, this may allow us to build only the NTLMSSP client, and not the server, but in the short-term, it allows me greater sainity in moving around these files. Andrew Bartlett (This used to be commit 2f22841c6753e3d5816c12bd463b71f74e1d8796)
2005-04-25 09:03:50 +04:00
return NT_STATUS_OK;
}
auth: Provide a way to specify the NTLMSSP server name to GENSEC This avoids us needing to assume lp_netbios_name().lp_dnsdomain() if the caller knows better. This will allow preservation of current s3 behaviour. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-31 09:17:04 +04:00
Copy Permalink