1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

78 Commits

Author SHA1 Message Date
Matthias Dieter Wallnöfer
5516191e72 s4:RPC server - cosmetic fixes - indentation, comments 2010-11-03 09:23:00 +01:00
Andrew Tridgell
0563c5bacf s4-rpc: split the dcesrv reply code out of dcerpc_server
this allows us to remove a dependency on the dcerpc_server from code
that uses rpc forwarding

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-10-30 23:49:01 +11:00
Andrew Bartlett
da9bca6282 s4-rpc_server Put all 'logon failure' messages at the same debug level 4
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-09-11 18:46:12 +10:00
Andrew Tridgell
6b266b85cf s4-loadparm: 2nd half of lp_ to lpcfg_ conversion
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-16 18:24:27 +10:00
Matthias Dieter Wallnöfer
e5e4184e5a s4:rpc_server/dcesrv_auth.c - remove unreachable code 2010-06-26 19:45:45 +02:00
Matthias Dieter Wallnöfer
55df7606e3 Revert "s4:rpc_server/dcesrv_auth.c - Fix a RPC issue in conjunction with Windows 2000"
This reverts commit 1cf5be39e3.

My fix approach isn't such appreciated therefore revert this.
2010-05-30 14:53:36 +02:00
Matthias Dieter Wallnöfer
1cf5be39e3 s4:rpc_server/dcesrv_auth.c - Fix a RPC issue in conjunction with Windows 2000
Windows 2000 does strictly request header signing on some requests also if the
server doesn't provide it. But there is a small trick (don't reset the actual
session info) to make these special RPC operations work without a full header
signing implementation.

This fixes for example the list of domain groups in local groups when displayed
sing the local user/group management tool.

And this should finally fix bug #7113.

The patch was inspired by another one by tridge and abartlet: http://gitweb.samba.org/samba.git/?p=tridge/samba.git;a=commitdiff;h=2dc19e2878371264606575d3fc09176776be7729
2010-05-30 12:39:30 +02:00
Jelmer Vernooij
f9ca9e46ad Finish removal of iconv_convenience in public API's. 2010-05-18 11:45:30 +02:00
Andrew Tridgell
1e13d3fb07 s4-dcerpc: fixed auth padding to be relative to the stub, not packet
The recent dcerpc padding changes made our padding relative to the
packet header, instead of the start of the stub. Surprisingly, this
broke w2k8r2 doing a dcpromo join to a s4 server. It seems that w2k8r2
is very fussy about the padding it gets in some circumstances.
2010-02-16 21:10:52 +11:00
Andrew Tridgell
eb5fc899b0 s4-rpcserver: teach the rpc server to cope with bad sig_size estimates 2010-02-14 18:44:21 +11:00
Andrew Tridgell
259129e8f4 a4-dcerpc: another attempt at dcerpc auth padding
The last change broke net vampire against w2k8r2
2010-02-14 18:44:21 +11:00
Andrew Tridgell
da86f08605 s4-rpc: be more careful about DCERPC auth padding
Cope with a wider range of auth padding in dcerpc bind_ack and
alter_context packets. We now use a helper function that calculates
the right auth padding.
2010-02-13 23:12:29 +11:00
Andrew Tridgell
3ad4c9db20 s4: fixed a unsigned printf warnings 2009-09-08 11:52:44 +10:00
Andrew Bartlett
71632a1697 Remove auth/ntlm as a dependency of GENSEC by means of function pointers.
When starting GENSEC on the server, the auth subsystem context must be
passed in, which now includes function pointers to the key elements.

This should (when the other dependencies are fixed up) allow GENSEC to
exist as a client or server library without bundling in too much of
our server code.

Andrew Bartlett
2009-02-13 10:24:16 +11:00
Jelmer Vernooij
b034c519f5 Add gensec_settings structure. This wraps loadparm_context for now, but
should in the future only contain some settings required for gensec.
2008-11-02 02:05:48 +01:00
Stefan Metzmacher
9e492b1ba2 s4:rpc_server: tell the gensec layer that we want to do header signing
Note: header signing is still off by default, as the gensec backends
      don't support it together with seal yet.

metze
2008-10-06 19:45:55 +02:00
Stefan Metzmacher
844b331d25 s4:rpc_server: correctly handle dcerpc requests with object uuids
metze
2008-09-30 06:47:24 +02:00
Stefan Metzmacher
9a222474bb rpc_server: don't send auth trailers in level connect
Also ignore auth trailers in level connect on receive.

This fixes [krb5,connect] against windows.

TODO: maybe the gensec mech need to decide if signatures
      are needed in level connect.

metze
(This used to be commit 2e36297197)
2008-09-13 20:37:12 +02:00
Stefan Metzmacher
de53ddee89 rpc_server: correctly calculate the auth padding
metze
(This used to be commit e82468a8f5)
2008-09-13 20:37:11 +02:00
Stefan Metzmacher
97f59cb190 rpc_server: correct the chunk_size depending on the signature size
metze
(This used to be commit 20fc0d7bfd)
2008-08-11 18:15:59 +02:00
Stefan Metzmacher
746d3c8ff9 rpc_server: add support for DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
you need "dcesrv:header signing=yes" to enable it.

metze
(This used to be commit bde2496e6b)
2008-08-07 15:40:20 +02:00
Jelmer Vernooij
afe3e8172d Install public header files again and include required prototypes.
(This used to be commit 47ffbbf674)
2008-04-02 04:53:27 +02:00
Jelmer Vernooij
10169a2030 Remove more global_loadparm instance.s
(This used to be commit a1280252ce)
2008-02-21 17:54:24 +01:00
Jelmer Vernooij
7d5f0e0893 r26639: librpc: Pass iconv convenience on from RPC connection to NDR library, so it can be overridden by OpenChange.
(This used to be commit 2f29f80e07)
2008-01-01 16:12:15 -06:00
Jelmer Vernooij
e31abef15f r26440: Remove more uses of global_loadparm.
(This used to be commit 8858cf3972)
2007-12-21 05:50:08 +01:00
Jelmer Vernooij
d1e716cf43 r26432: Require ndr_pull users to specify iconv_convenience.
(This used to be commit 28b1d36551)
2007-12-21 05:50:02 +01:00
Jelmer Vernooij
61873ce94c r26431: Require ndr_push creators to specify a iconv_convenience context.
(This used to be commit 7352206f44)
2007-12-21 05:50:00 +01:00
Jelmer Vernooij
a2cea02584 r26430: require explicit specification of loadparm context.
(This used to be commit 1b947fe0e6)
2007-12-21 05:49:58 +01:00
Jelmer Vernooij
57f20ccd24 r26296: Store loadparm context in DCE/RPC server context.
(This used to be commit fc1f4d2d65)
2007-12-21 05:48:13 +01:00
Jelmer Vernooij
ecea5ce245 r26260: Store loadparm context in gensec context.
(This used to be commit b9e3a4862e)
2007-12-21 05:47:34 +01:00
Stefan Metzmacher
529763a9aa r25920: ndr: change NTSTAUS into enum ndr_err_code (samba4 callers)
lib/messaging/
lib/registry/
lib/ldb-samba/
librpc/rpc/
auth/auth_winbind.c
auth/gensec/
auth/kerberos/
dsdb/repl/
dsdb/samdb/
dsdb/schema/
torture/
cluster/ctdb/
kdc/
ntvfs/ipc/
torture/rap/
ntvfs/
utils/getntacl.c
ntptr/
smb_server/
libcli/wrepl/
wrepl_server/
libcli/cldap/
libcli/dgram/
libcli/ldap/
libcli/raw/
libcli/nbt/
libnet/
winbind/
rpc_server/

metze
(This used to be commit 6223c7fddc)
2007-12-21 05:45:02 +01:00
Jelmer Vernooij
05e7c48146 r25553: Convert to standard bool type.
(This used to be commit b7371f1a19)
2007-10-10 15:07:54 -05:00
Jelmer Vernooij
37d53832a4 r25398: Parse loadparm context to all lp_*() functions.
(This used to be commit 3fcc960839)
2007-10-10 15:07:25 -05:00
Jelmer Vernooij
0b91f39164 r24780: More work allowing libutil to be used by external users.
(This used to be commit 31993cf67b)
2007-10-10 15:03:10 -05:00
Andrew Bartlett
85555742b1 r24504: Try to return more useful error information on why a bind failed.
Note that the correct return for a failed alter_context is a fault,
not a bind_nak.

Andrew Bartlett
(This used to be commit 52cce94532)
2007-10-10 15:02:03 -05:00
Andrew Tridgell
0479a2f1cb r23792: convert Samba4 to GPLv3
There are still a few tidyups of old FSF addresses to come (in both s3
and s4). More commits soon.
(This used to be commit fcf38a38ac)
2007-10-10 14:59:12 -05:00
Andrew Bartlett
13dbee3ffe r19598: Ahead of a merge to current lorikeet-heimdal:
Break up auth/auth.h not to include the world.

Add credentials_krb5.h with the kerberos dependent prototypes.

Andrew Bartlett
(This used to be commit 2b569c42e0)
2007-10-10 14:25:00 -05:00
Andrew Tridgell
bb435cbd03 r19502: fixed the RPC-SECRETS test with kerberos. Andrew, can you look at this
as well?

The server side change is needed to fix a valgrind error, which was
possibly exploitable if the client sent deliberately bad data
(This used to be commit e3c04cf165)
2007-10-10 14:24:40 -05:00
Andrew Bartlett
3c203ab927 r19465: Rather than use the non-standard API for determining the signature
length, use the amount the wapped message expanded by.

This works, because GSSAPI doesn't do AEAD (signing of headers), and
so changing the signature length after the fact is valid.

Andrew Bartlett
(This used to be commit bd1e0f679c)
2007-10-10 14:21:37 -05:00
Stefan Metzmacher
7a845bcb01 r17341: pass a messaging context to auth_context_create()
and gensec_server_start().

calling them with NULL for event context or messaging context
is no longer allowed!

metze
(This used to be commit 679ac74e71)
2007-10-10 14:15:17 -05:00
Andrew Tridgell
302cab75c3 r12554: get rid of the pesky NTLMSSP warnings about being called after processing is finished
(This used to be commit ca6ae1afa0)
2007-10-10 13:47:57 -05:00
Jelmer Vernooij
2cd5ca7d25 r12542: Move some more prototypes out to seperate headers
(This used to be commit 0aca5fd513)
2007-10-10 13:47:55 -05:00
Andrew Bartlett
372ca26b20 r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5
authentication.  This pulls the creating of the keytab back to the
credentials code, and removes the special case of 'use keberos keytab
= yes' for now.

This allows (and requires) the callers to specify the credentials for
the server credentails to GENSEC.  This allows kpasswdd (soon to be
added) to use a different set of kerberos credentials.

The 'use kerberos keytab' code will be moved into the credentials
layer, as the layers below now expect a keytab.

We also now allow for the old secret to be stored into the
credentials, allowing service password changes.

Andrew Bartlett
(This used to be commit 205f77c579)
2007-10-10 13:45:00 -05:00
Andrew Bartlett
5edbeca141 r10153: This patch adds a new parameter to gensec_sig_size(), the size of the
data to be signed/sealed.  We can use this to split the data from the
signature portion of the resultant wrapped packet.

This required merging the gsskrb5_wrap_size patch from
lorikeet-heimdal, and fixes AES encrption issues on DCE/RPC (we no
longer use a static 45 byte value).

This fixes one of the krb5 issues in my list.

Andrew Bartlett
(This used to be commit e4f2afc343)
2007-10-10 13:38:04 -05:00
Andrew Bartlett
115945faca r9490: Fix typo
Andrew Bartlett
(This used to be commit 093b98b5b5)
2007-10-10 13:34:21 -05:00
Jelmer Vernooij
6553dd0c60 r8811: Fix the build..
(This used to be commit fac77f5fa2)
2007-10-10 13:30:07 -05:00
Andrew Bartlett
06348629b9 r8109: Try to print out more helpful debug messages on DCERPC server-side
gensec failure to start.

Andrew Bartlett
(This used to be commit bc8f8d2dcf)
2007-10-10 13:19:09 -05:00
Andrew Tridgell
af237084ec r7633: this patch started as an attempt to make the dcerpc code use a given
event_context for the socket_connect() call, so that when things that
use dcerpc are running alongside anything else it doesn't block the
whole process during a connect.

Then of course I needed to change any code that created a dcerpc
connection (such as the auth code) to also take an event context, and
anything that called that and so on .... thus the size of the patch.

There were 3 places where I punted:

  - abartlet wanted me to add a gensec_set_event_context() call
    instead of adding it to the gensec init calls. Andrew, my
    apologies for not doing this. I didn't do it as adding a new
    parameter allowed me to catch all the callers with the
    compiler. Now that its done, we could go back and use
    gensec_set_event_context()

  - the ejs code calls auth initialisation, which means it should pass
    in the event context from the web server. I punted on that. Needs fixing.

  - I used a NULL event context in dcom_get_pipe(). This is equivalent
    to what we did already, but should be fixed to use a callers event
    context. Jelmer, can you think of a clean way to do that?

I also cleaned up a couple of things:

 - libnet_context_destroy() makes no sense. I removed it.

 - removed some unused vars in various places
(This used to be commit 3a3025485b)
2007-10-10 13:18:15 -05:00
Jelmer Vernooij
fcc74fc060 r7313: Prefix a few functions with ncacn_ rather then dcerpc_ because they are
ncacn_ specific
(This used to be commit 875cce1268)
2007-10-10 13:17:41 -05:00
Jelmer Vernooij
430dc36c1a r7312: Add IDL for ncadg packets.
(This used to be commit 2009a430b0)
2007-10-10 13:17:40 -05:00