IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
We now only build it by default with --enable-sefltest, or otherwise
if requested.
The NTVFS file server still has features not present in the smbd file
server, such as a CIFS/SMB proxy, and a radically different design,
but it is also not undergoing any ongoing development so this keeps it
in a safe state for care and maintaince, with less of a security risk
if such an issue were to come up.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11991
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 71dcc76b70d8e249624f9bf057fc4fd3a44125e1)
This patch changes the encoding/decoding of kvno (key version number)
in blobs and packets to signed integer, for compatibility with Windows.
Reportedly, MIT Kerberos does the same.
This patch effectively reverts commit 1124c4872dfb81bec9c4b527b8927ca35e39a599
in the heimdal tree.
According to the Kerberos spec (RFC 4120 5.2.9), the kvno field
in encrypted data object is an unsigned integer that fits in
32 bits. The Heimdal Kerberos component bundled with Samba
conforms to this. However, Windows deviates from the standard
and encodes kvno as a signed integer, and this creates
interoperability issues.
ASN.1 DER has no special encoding for unsigned integer. A 32-bit
unsigned integer is encoded as a signed integer, so while a signed
32-bit integer (covering the range of -0x80000000..0x7fffffff) is
encoded using up to 4 bytes, an unsigned integer (covering
0..0xffffffff) could require 5 bytes.
Normally, kvno for a given account starts at 1 and increments on
password changes. Kerberos defined this as unsigned because there's
no meaning for negative version numbers, so the standard writers figured
4 billion versions is better than 2 billion. It was not
expected for a kvno to really go past 0x7fffffff and the disctinction
usually does not matter. However, RODCs use kvnos which
have the most-significant bit set.
In Active Directory, RODCs have a private secret for the krbtgt,
because the assumption is that the RODC is less secure, and
recovering the domain krbtgt secret from the RODC would compromise
the security of the entire domain. The kvno field is being used
to identify the private krbtgt account that owns the key - the
upper 16 bits are the RODC id, and the lower 16 bits identify
the key version number for this specific RODC. It's common to
have an RODC id greater than 0x8000, and therefore to have a
kvno larger than 0x7fffffff, which would be DER-encoded using
5 bytes.
Windows encodes kvno as signed integer - basically taking the
32 bits and treating them as a signed integer rather than an
unsigned integer. This means that in Windows a kvno can
always be encoded using 4 bytes, and Windows DCs reject a kvno
encoded using more than 4 bytes without even generating an error
response (the DC assumes it's an attack).
Heimdal re-encodes the TGT when it creates a TGS request. Obviously
it cannot decode and encode the encrypted parts but it does re-encode
the plain parts, which include the kvno. That leads to a 5-byte
kvno in the TGS request, which is rejected without an error
response.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11900
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat May 7 21:14:21 CEST 2016 on sn-devel-144
(cherry picked from commit 6379737b7ddc6ccb752238c5820cc62e76a8da17)
The computer name of the NTLMv2 blob needs to match
the schannel connection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
The computer name of the NTLMv2 blob needs to match
the schannel connection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
This create a schannel connection to netlogon, this makes the tests
more realistic.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 1a7d8b8602a687ff6eef45f15f597694e94e14b1)
This is the only way to get a reliable transport session key.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit af8c4ebf9be314ddd13ef9ca17a0237927dd2ede)
ncacn_ip_tcp doesn't have the required session key.
It used to be the wellknown "SystemLibraryDTC" constant,
but that's not available in modern systems anymore.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0400f301e3bcf495748cff009755426a040596fa)
The test is planned but will be skipped in the MIT case this way. We
need to rewrite the test using a proper cryto/tls library.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
Autobuild-User(master): José A. Rivera <jarrpa@samba.org>
Autobuild-Date(master): Wed Jul 15 00:25:38 CEST 2015 on sn-devel-104
clusapi only works via DCE/RPC sealed connections in Windows 2012R2.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
This adds a lot more validation arround trust credentials and
krb5 interaction.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jul 8 21:41:17 CEST 2015 on sn-devel-104
lsa_EnumTrusts() may also return non direct trusted domains in the forest.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is the same as calling dcerpc_secondary_connection/dcerpc_bind_auth.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Jul 7 17:07:49 CEST 2015 on sn-devel-104
This is the same as calling dcerpc_secondary_connection/dcerpc_bind_auth_none.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
We still also allow NT_STATUS_INVALID_HANDLE and NT_STATUS_IO_DEVICE_ERROR for now.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
This test toggles the online/offline resource state using the clusapi protocol
between the send and receive.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun 2 05:16:00 CEST 2015 on sn-devel-104
Signed-off-by: Gordon Ross <gordon.w.ross@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Apr 30 02:20:15 CEST 2015 on sn-devel-104
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Wed Apr 22 20:21:18 CEST 2015 on sn-devel-104
