1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-13 13:18:06 +03:00
Commit Graph

46 Commits

Author SHA1 Message Date
Jeremy Allison
39e0dbcf07 Allow the mechOID to be written separately.
Jeremy.
(This used to be commit e3e08c6e7d)
2008-02-14 11:29:54 -08:00
Jeremy Allison
30191d1a57 RIP BOOL. Convert BOOL -> bool. I found a few interesting
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.
(This used to be commit f35a266b3c)
2007-10-18 17:40:25 -07:00
Gerald Carter
5221ebb299 r25407: Revert Longhorn join patch as it is not correct for the 3.2 tree.
The translate_name() used by cli_session_setup_spnego() cann rely
Winbindd since it is needed by the join process (and hence before
Winbind can be run).
(This used to be commit 00a93ed336)
2007-10-10 12:31:03 -05:00
Gerald Carter
3529156971 r25400: Windows 2008 (Longhorn) Interop fixes for AD specific auth2 flags,
and client fixes.  Patch from Todd Stetcher <todd.stetcher@isilon.com>.
(This used to be commit 8304ccba73)
2007-10-10 12:31:02 -05:00
Stefan Metzmacher
42349190b7 r25227: Patch from "Steven Danneman" <steven.danneman@isilon.com>:
-
We ran across a bug joining our Samba server to a Win2K domain with LDAP
signing turned on.  Upon investigation I discovered that there is a bug
in Win2K server which returns a duplicated responseToken in the LDAP
bindResponse packet.  This blob is placed in the optional mechListMIC
field which is unsupported in both Win2K and Win2K3.  You can see RFC
2478 for the proper packet construction.  I've worked with metze on this
to confirm all these finding.

This patch properly parses then discards the mechListMIC field if it
exists in the packet, so we don't produce a malformed packet error,
causing LDAP signed joins to fail.  Also attached is a sniff of the
domain join, exposing Win2Ks bad behavior (packet 21).
-

(I've just changed the scope of the DATA_BLOB mechList)

metze
(This used to be commit 200b5bfb81)
2007-10-10 12:30:52 -05:00
Andrew Tridgell
5e54558c6d r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text
(This used to be commit b0132e94fc)
2007-10-10 12:28:22 -05:00
Jeremy Allison
d824b98f80 r23779: Change from v2 or later to v3 or later.
Jeremy.
(This used to be commit 407e6e695b)
2007-10-10 12:28:20 -05:00
Volker Lendecke
b4a7b7a888 r22844: Introduce const DATA_BLOB data_blob_null = { NULL, 0, NULL }; and
replace all data_blob(NULL, 0) calls.
(This used to be commit 3d3d61687e)
2007-10-10 12:22:01 -05:00
Stefan Metzmacher
14ac7712f3 r22093: send also the correct OID_KERBEROS5 not only the broken
OID_KERBEROS_OLD one.

metze
(This used to be commit 294c69334f)
2007-10-10 12:19:10 -05:00
Stefan Metzmacher
eceb926df9 r22092: - make spnego_parse_auth_response() more generic and
not specific for NTLMSSP
- it's possible that the server sends a mechOID and authdata
  if negResult != SPNEGO_NEG_RESULT_INCOMPLETE, but we still
  force the mechOID to be present if negResult == SPNEGO_NEG_RESULT_INCOMPLETE

metze
(This used to be commit e9f2aa22f9)
2007-10-10 12:19:10 -05:00
Günther Deschner
69cee2a3ec r21240: Fix longstanding Bug #4009.
For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".

Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).

Guenther
(This used to be commit 7e1a84b722)
2007-10-10 12:17:50 -05:00
Volker Lendecke
eb00981fc3 r19041: Make us connect to Vista RC1. Apparently metze had done the same patch some
weeks ago.

We have some work before us, when in AD mode Vista sends
"not_defined_in_RFC4178@please_ignore" as the principal.....

Volker
(This used to be commit af85d8ec02)
2007-10-10 12:15:05 -05:00
Volker Lendecke
a3a082b248 r19037: Fix a segfault
(This used to be commit 1c18ebe675)
2007-10-10 12:15:04 -05:00
Jeremy Allison
3a8bf11ae3 r16306: Error handling in this asn1 code *sucks*. Fix a generic
class of memory leak bugs on error found by Klocwork (#123).
Many of these functions didn't free allocated memory on
error exit.
Jeremy.
(This used to be commit 8ef11a7c6d)
2007-10-10 11:17:32 -05:00
Volker Lendecke
3ea740f5e5 r16156: Fix storing NULL in the wrong place. Klocwork id's 127 and 128.
Volker
(This used to be commit 7674a4f836)
2007-10-10 11:17:23 -05:00
Gerald Carter
0af1500fc0 r13316: Let the carnage begin....
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed)
2007-10-10 11:06:23 -05:00
Volker Lendecke
a0d2029339 r12476: Apply some const
(This used to be commit a3f102f6c3)
2007-10-10 11:05:57 -05:00
Jeremy Allison
8d7c886671 r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4
x86_64 box.
Jeremy.
(This used to be commit d720867a78)
2007-10-10 11:05:02 -05:00
Gerald Carter
54abd2aa66 r10656: BIG merge from trunk. Features not copied over
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d7)
2007-10-10 11:04:48 -05:00
Gerald Carter
f24d88cf9d r7139: trying to reduce the number of diffs between trunk and 3.0; changing version to 3.0.20pre1
(This used to be commit 9727d05241)
2007-10-10 10:57:02 -05:00
Derrell Lipman
9840db418b r6149: Fixes bugs #2498 and 2484.
1. using smbc_getxattr() et al, one may now request all access control
   entities in the ACL without getting all other NT attributes.
2. added the ability to exclude specified attributes from the result set
   provided by smbc_getxattr() et al, when requesting all attributes,
   all NT attributes, or all DOS attributes.
3. eliminated all compiler warnings, including when --enable-developer
   compiler flags are in use.  removed -Wcast-qual flag from list, as that
   is specifically to force warnings in the case of casting away qualifiers.

Note: In the process of eliminating compiler warnings, a few nasties were
      discovered.  In the file libads/sasl.c, PRIVATE kerberos interfaces
      are being used; and in libsmb/clikrb5.c, both PRIAVE and DEPRECATED
      kerberos interfaces are being used.  Someone who knows kerberos
      should look at these and determine if there is an alternate method
      of accomplishing the task.
(This used to be commit 994694f7f2)
2007-10-10 10:56:24 -05:00
Jeremy Allison
792776782e r1240: Ensure we don't shadow Heimdal globals.
Jeremy.
(This used to be commit 464d2e9048)
2007-10-10 10:52:02 -05:00
Andrew Bartlett
7d068355aa This merges in my 'always use ADS' patch. Tested on a mix of NT and ADS
domains, this patch ensures that we always use the ADS backend when
security=ADS, and the remote server is capable.

The routines used for this behaviour have been upgraded to modern Samba
codeing standards.

This is a change in behaviour for mixed mode domains, and if the trusted
domain cannot be reached with our current krb5.conf file, we will show
that domain as disconnected.

This is in line with existing behaviour for native mode domains, and for
our primary domain.

As a consequence of testing this patch, I found that our kerberos error
handling was well below par - we would often throw away useful error
values.  These changes move more routines to ADS_STATUS to return
kerberos errors.

Also found when valgrinding the setup, fix a few memory leaks.

While sniffing the resultant connections, I noticed we would query our
list of trusted domains twice - so I have reworked some of the code to
avoid that.

Andrew Bartlett
(This used to be commit 7c34de8096)
2004-01-08 08:19:18 +00:00
Andrew Bartlett
fcbfc7ad06 Changes all over the shop, but all towards:
- NTLM2 support in the server
 - KEY_EXCH support in the server
 - variable length session keys.

In detail:

 - NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).

 * This is known as 'NTLMv2 session security' *

(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes.  We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)

This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed.  This also needs to be turned off for
'security=server', which does not support this.

- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.

- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.

- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure.  This should help the SPNEGO implementation.

- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.

- The other big change is to allow variable length session keys.  We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter.  However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.

 * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *

- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe.  This
should help reduce some of the 'it just doesn't work' issues.

- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer.  (just allocate)


REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit f3bbc87b0d)
2003-11-22 13:19:38 +00:00
Volker Lendecke
d7ec3205e9 Don't wrap up anything that is not there. Otherwise upper layers
can not figure that we got no ticket.

Volker
(This used to be commit 2a724a7a87)
2003-08-13 20:27:18 +00:00
Jim McDonough
9f2e6167d2 Update my copyrights according to my agreement with IBM
(This used to be commit c9b209be2b)
2003-08-01 15:21:20 +00:00
Jeremy Allison
4632786cfb W00t! Client smb signing is now working correctly with krb5 and w2k server.
Server code *should* also work (I'll check shortly). May be the odd memory
leak. Problem was we (a) weren't setting signing on in the client krb5 sessionsetup
code (b) we need to ask for a subkey... (c). The client and server need to
ask for local and remote subkeys respectively.
Thanks to Paul Nelson @ Thursby for some sage advice on this :-).
Jeremy.
(This used to be commit 3f9e3b6070)
2003-07-25 23:15:30 +00:00
Jim McDonough
4f276f9696 More on bug 137: rename more of krb5_xxx functions to not start with krb5_
(This used to be commit 10f1da3f4a)
2003-05-30 20:11:34 +00:00
Andrew Bartlett
ec458fa87e Merge from HEAD - sync up SessionSetup code to HEAD, including Luke Howard's
session key and auth verifier patches.

Andrew Bartlett
(This used to be commit 3f9616a68a)
2003-03-17 22:45:16 +00:00
Andrew Bartlett
d1221c9b6c Merge from HEAD client-side authentication changes:
- new kerberos code, allowing the account to change it's own password
   without special SD settings required
 - NTLMSSP client code, now seperated from cliconnect.c
 - NTLMv2 client code
 - SMB signing fixes

Andrew Bartlett
(This used to be commit 837680ca51)
2003-02-24 02:55:00 +00:00
Andrew Bartlett
251ea1e677 Merge minor library fixes from HEAD to 3.0.
- setenv() replacement
 - mimir's ASN1/SPNEGO typo fixes
 - (size_t)-1 fixes for push_* returns
 - function argument signed/unsigned correction
 - ASN1 error handling (ensure we don't use initiailsed data)
 - extra net ads join error checking
 - allow 'set security discriptor' to fail
 - escape ldap strings in libads.
 - getgrouplist() correctness fixes (include primary gid)

Andrew Bartlett
(This used to be commit e9d6e2ea9a)
2003-02-19 12:31:16 +00:00
Andrew Bartlett
1cba0a7579 Merge from HEAD:
- NTLMSSP over SPENGO (sesssion-setup-and-x) cleanup and code refactor.
  - also consequential changes to the NTLMSSP and SPNEGO parsing functions
  - and the client code that uses the same functions
 - Add ntlm_auth, a NTLMSSP authentication interface for use by applications
   like Squid and Apache.
  - also consquential changes to use common code for base64 encode/decode.
 - Winbind changes to support ntlm_auth (I don't want this program to need
   to read smb.conf, instead getting all it's details over the pipe).
 - nmbd changes for fstrcat() instead of fstrcpy().

Andrew Bartlett
(This used to be commit fbb46da79c)
2003-01-28 12:07:02 +00:00
Gerald Carter
a834a73e34 sync'ing up for 3.0alpha20 release
(This used to be commit 65e7b5273b)
2002-09-25 15:19:00 +00:00
Jelmer Vernooij
b2edf254ed sync 3.0 branch with head
(This used to be commit 3928578b52)
2002-08-17 17:00:51 +00:00
Andrew Tridgell
e90b652848 updated the 3.0 branch from the head branch - ready for alpha18
(This used to be commit 03ac082dcb)
2002-07-15 10:35:28 +00:00
Andrew Bartlett
ba9341c7de Try not to malloc -1 bytes (apx 4GB) when the data is already in error.
Andrew Bartlett
(This used to be commit ad1faf8fa4)
2002-02-15 23:11:13 +00:00
Tim Potter
cd68afe312 Removed version number from file header.
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
(This used to be commit 6a58c9bd06)
2002-01-30 06:08:46 +00:00
Andrew Tridgell
b0e4827b97 simple fix for creating blank data blobs
(This used to be commit 08bb2dfec2)
2002-01-05 23:30:59 +00:00
Andrew Tridgell
5d378a280f added internal sasl/gssapi code. This means we are no longer dependent on cyrus-sasl which makes the code much less fragile. Also added code to auto-determine the server name or realm
(This used to be commit 435fdf276a)
2001-12-08 11:18:56 +00:00
Jeremy Allison
cfd68eaac4 Ok, I know it's a language thing and it shouldn't matter.... but a kerberos
name is a "principal", not a principle. English majors will complain :-).
Jeremy.
(This used to be commit b668d7d656)
2001-10-21 20:51:27 +00:00
Andrew Tridgell
bbcd9deb07 made smbclient cope better with arbitrary principle forms
(This used to be commit d1341d74b7)
2001-10-21 03:25:34 +00:00
Andrew Tridgell
5ad7448359 the beginnings of kerberos support in smbd. It doesn't work yet, but
it should give something for others to hack on and possibly find what
I'm doing wrong.
(This used to be commit 353c290f05)
2001-10-18 10:26:06 +00:00
Andrew Tridgell
b728042334 added basic NTLMSSP support in smbd. This is still quite rough, and
loses things like username mapping. I wanted to get this in then
discuss it a bit to see how we want to split up the existing
session setup code
(This used to be commit b74fda69bf)
2001-10-17 08:54:19 +00:00
Andrew Tridgell
b46f6d865e fixed NTLMSSP with XP servers (who don't send the duplicate challenge
in the asn1 spnego structures)
(This used to be commit 131010e9fb)
2001-10-14 06:14:11 +00:00
Andrew Tridgell
d726eb216a moved some OIDs to the ASN.1 header
(This used to be commit 7092beef9d)
2001-10-12 04:54:53 +00:00
Andrew Tridgell
9f7cb41f11 added NTLMSSP authentication to libsmb. It seems to work well so I have enabled it by default if the server supports it. Let me know if this breaks anything. Choose kerberos with the -k flag to smbclient, otherwise it will use SPNEGO/NTLMSSP/NTLM
(This used to be commit 076aa97bee)
2001-10-12 04:49:42 +00:00