IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
cli_credentials_get_principal() returns NULL in that case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Remove the sock_exec code which is no longer needed and additionally has been
used by exploit code.
This was originally test support code, the tests relying on the sock_exec
code have been removed.
Past exploits have used sock_exec as a proxy for system() matching a talloc
destructor prototype.
See for example:
Exploit for Samba vulnerabilty (CVE-2015-0240) at
https://gist.github.com/worawit/051e881fc94fe4a49295
and the Red Hat post at
https://access.redhat.com/blogs/766093/posts/1976553
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Nov 20 07:20:13 CET 2017 on sn-devel-144
The default debug level of smbclient is set to 'log level = 1'. So we
need to use at least NOTICE to not get the message when we do not force
kerberos.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12704
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Aug 24 17:22:18 CEST 2017 on sn-devel-144
get_ipc_connect() is only used in code paths that require cli_NetServerEnum()
to work, so it must already require SMB1 only.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12876
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Treat them identically. Create them on demand after for a tcon call,
and delete them on a tdis call.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12831
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
This function updates cli->server_{os,type,domain} to valid values
after a session setup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12779
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This fixes a regression and prints the session setup on connect again:
Domain=[SAMBA-TEST] OS=[Windows 6.1] Server=[Samba 4.7.0pre1-DEVELOPERBUILD]
smb: \>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12824
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
If smbXcli_session_is_guest() returns true, we should handle the authentication
as anonymous and don't touch the gensec context anymore.
Note that smbXcli_session_is_guest() always returns false, if signing is
required!
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12704
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Mar 21 14:25:54 CET 2017 on sn-devel-144
This allows source4/torture code to set the option for tests by
preparing a struct smbcli_options with max_credits set to some value and
pass that to a torture_smb2_connection_ext().
This will be used in subsequent smbtorture test for SMB2 creditting.
Behaviour of existing upper layers is unchanged, they simply pass the
wanted max credits value to smbXcli_negprot_send() instead of
retrofitting it with a call to smb2cli_conn_set_max_credits().
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Also old servers should be able to handle NTLMSSP via SPNEGO.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Dec 21 22:21:08 CET 2016 on sn-devel-144
This will allow us to setup SMB1 encryption by just passing
cli_credentials.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This can be used temporarily to do the required kinit if we use kerberos
and the password has been specified.
In future this should be done in the gensec layer on demand, but there's
more work attached to doing it in the gensec_gse module.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
There're no callers which try to pass a raw lm_response directly anymore.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Dec 9 13:09:37 CET 2016 on sn-devel-144
This can be used with a valid creds structure in order
to do a share level authentication or with NULL in the cases
we assume a modern server already.
Later we can change the ordering and implement
cli_tree_connect() on top of cli_tree_connect_creds().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Dec 2 17:32:26 CET 2016 on sn-devel-144
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
'dest_realm' is only valid in the winbindd use case, where we also have
the account in that realm.
We need to ask the DC to which KDC the principal belongs to, in order to
get the potential trust referrals right.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
It's enough to pass down target_service and target_hostname, that's all we
have at the smb layer. The kerberos layer should figure out what
the final target_principals is based on the users realm.
The gse_krb5 backend doesn't use it currently, so it's also unused.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
The spnego backend will take the "client use spnego principal" option.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This separates the construction of the ASCII-Password (lm_response)
and UNICODE-Password (nt_response) values from the marshalling logic.
We don't need the NT1 marshalling logic 3 times (guest, plain, nt1),
we just need it once now in smb1cli_session_setup_nt1*.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This separates the spnego authentication logic from the
marshalling logic.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
There're no callers which tried to pass raw {lm,nt}_response any more.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
