IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
The idea of this is that all client utils like smbpasswd and also for example
"net join" do not access our internal databases like passdb and secrets.tdb
directly anymore but pass everything throught the well-established RPC
interfaces.
The way you use this is the following: With rpc_cli_smbd_conn_init() or its
async variant you initialize a "struct rpc_cli_smbd_conn". This structure is
the link to a freshly forked smbd, ready to be used for RPC services. You
should only ever have one such structure in your program. More don't hurt, but
are plainly unnecessary.
If you want to use the SAMR pipe to change a passwort, you connect to that pipe
with rpc_pipe_open_local. Do you normal rpccli_samr calls on that and your
locally forked smbd will connect to passdb for you.
GD, this might make the distinction between the _l and _r calls in libnetapi
mostly unnecessary. At least it is intended to do so... :-)
rpc_read always reads the whole bytes it was asked to read. So it is not really
necessary for it to update the current_pdu_offset, for clarity this can better
be done in the caller.
cli_rpc_pipe_open() now uses tcp transport for drsuapi and named pipe
transport for all other pipes.
This finally allows rpcclient to call dscracknames on windows
(don't forget to call "seal" in advance).
Guenther
(This used to be commit b243a03602)
This probably does not matter in current code, but without this it's not
possible to do the bind as a different user than the underlying smb user.
Jeremy, please check!
Thanks,
Volker
(This used to be commit b90062e33c)
In order to avoid receiving NT_STATUS_DOWNGRADE_DETECTED from a w2k8
netr_ServerAuthenticate2 reply, we need to start with the AD netlogon negotiate
flags everywhere (not only when running in security=ads). Only for NT4 we need
to do a downgrade to the returned negotiate flags.
Tested with w2k8, w2ksp4, w2k3r2 and nt4sp6.
Guenther
(This used to be commit 0970369ca0)
Refactor the actual retrieval of the session key through the
established netlogon pipe out of get_schannel_session_key()
and get_schannel_session_key_auth_ntlmssp() into a new
function get_schannel_session_key_common().
(To avoid code duplication.)
Michael
(This used to be commit e77c4022cf)
Up to now each caller used its own logic.
This eliminates code paths where there was a special treatment
of the following situation: the domain given is not our workgroup
(i.e. our own domain) and we are not a DC (i.e. it is not a typical
trusted domain situation). In situation the given domain name was
previously used as the machine account name, resulting in an account
name of DOMAIN\\DOMAIN$, which does not seem very reasonable to me.
get_trust_pw would not have obtained a password in this situation
anyways.
I hope I have not missed an important point here!
Michael
(This used to be commit 6ced4a7f88)
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.
(This used to be commit f35a266b3c)
The translate_name() used by cli_session_setup_spnego() cann rely
Winbindd since it is needed by the join process (and hence before
Winbind can be run).
(This used to be commit 00a93ed336)
not specific for NTLMSSP
- it's possible that the server sends a mechOID and authdata
if negResult != SPNEGO_NEG_RESULT_INCOMPLETE, but we still
force the mechOID to be present if negResult == SPNEGO_NEG_RESULT_INCOMPLETE
metze
(This used to be commit e9f2aa22f9)
Jeremy, I'm afraid you removed the "domain->initialized" from the
set_dc_types_and_flags() call when the connect to PI_LSARPC_DS failed
(with rev. 19148).
This causes now that init_dc_connection_network is called again and
again which in turn rescans the DC each time (which of course fails each
time with NT_STATUS_BUFFER_TOO_SMALL). Just continue with the
non-PI_LSARPC_DS scan so that the domain is initialized properly.
Guenther
(This used to be commit c6f63a08f5)
For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".
Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).
Guenther
(This used to be commit 7e1a84b722)
in smb.conf. This did work before the join rewrite.
Samba will have problems if you try to run any of the daemons
with an incorrect workgroup but it should not fail to join.
The summary is that a member server should always use it's
own machine name when setting up schannel since that is
the only account it has. Thanks to Volker for the discussion.
(This used to be commit 95763b94f7)
With this change (and setting lanman auth = no in smb.conf)
we have *identical* NTLMSSP flags to W2K3 in SPNEGO auth.
Jeremy
(This used to be commit 93ca3eee55)
1. Fix a crash bug which should have reared its ugly head ages ago, but for
some reason, remained dormant until recently. The bug pertained to
libsmbclient doing a structure assignment of a cli after having opened a
pipe. The pipe open code makes a copy of the cli pointer that was passed
to it. If the cli is later copied (and that cli pointer that was saved
is no longer valid), the pipe code will cause a crash during shutdown or
when the copied cli is closed.
2. The 'type' field in enumerated shares was not being set correctly with
the new RPC-based mechanism for enumerating shares.
(This used to be commit 62a02b8f2a)
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d7)
tested this so I may have screwed this up - however it now follows the
DCE spec. valgrinded tests to follow....
Jeremy.
(This used to be commit 877e0a61f5)
supported pipe. Netlogon is still special, as we open that twice, one to do
the auth2, the other one with schannel.
The client interface is completely unchanged for those who only use a single
pie. cli->pipe_idx is used as the index for everything except the "real"
client rpc calls, which have been explicitly converted in my last commit. Next
step is to get winbind to just use a single smb connection for multiple pipes.
Volker
(This used to be commit dc294c52e0)
patches.
Pass down the pipe_idx down to all functions in cli_pipe where nt_pipe_fnum is
referenced. First step towards having multiple pipes on a cli_struct. The idea
is to not have a single nt_pipe_fnum but an array for the pipes we support.
Volker
(This used to be commit 93eab05020)
for setting up an schannel connection. This solves the problem
of a Samba DC running winbind, trusting a native mode AD domain,
and needing to enumerate AD users via wbinfo -u.
(This used to be commit e9f109d1b3)
would attempt to supply a password to the 'inside' NTLMSSP, which the
remote side naturally rejected.
Andrew Bartlett
(This used to be commit da408e0d5a)
defaults specified by the caller to prevail.
Don't use NTLM2 for RPC pipes, until we know how it works in signing or sealing.
Call ntlmssp_sign_init() unconditionally in the client - we setup the
session key, why not setup the rest of the data.
Andrew Bartlett
(This used to be commit 48123f7e42)
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit f3bbc87b0d)
the bind response to WKSSVC it does not send \PIPE\ntsvcs as NT4 (did not
check w2k) but \PIPE\wkssvc. I'm not sure whether we should make this check at
all, so making it a bit more liberal should hopefully not really hurt.
Volker
(This used to be commit 029dcb351b)
- When connecting to the NETOGON pipe, we make a call to auth2, in order
to verify our identity. This call was being made with negotiation flags
of 0x1ff. This caused our account to be downgraded. If we instead make
the call with flags > 1ff (such as 0x701ff), then this does not occour.
- This is *not* related to the use of kerberos for the CIFS-level connection
My theory is that Win2k has a test to see if we are sending *exactly* what
NT4 sent - setting any other flags seems to cause us to remain intact.
Also ensure that we only have 'setup schannel' code in a few places, not
scattered around cmd_netlogon too.
Andrew Bartlett
(This used to be commit e10f0529fe)
NTLMSSP with "" username, NULL password), and add --machine-pass (-P) to
all of Samba's clients.
When connecting to an Active Directory DC, you must initiate the CIFS level
session setup with Kerberos, not a guest login. If you don't, your machine
account is demoted to NT4.
Andrew Bartlett
(This used to be commit 3547cb3def)
connection that set it up has been shut down.
(Also, pipes still connected, and reconnections to the same pipe (eg SAMR)
may continue to use that session key until their TCP/IP connection is shut
down)
Allow further testing by printing out the session key, and allowing it's input
into rpcclient.
Next step is automatic storage in a TDB.
Andrew Bartlett
(This used to be commit fa4d7be161)
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9ea)
channel:
- If the domain name passed to create_rpc_bind_req() is empty, use
lp_workgroup()
- Correctly set the auth_padding field when the send_size is a multiple
of 8 bytes
I've tested with nt4sp6 and win2ksp0 and it seems to work, although
there are no password hashes transferred from win2k. The empty
passwords are being protected by the secure channel encryption though.
(This used to be commit a8c11e8556)
