1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

145 Commits

Author SHA1 Message Date
Andrew Tridgell
3db52feb1f first pass at updating head branch to be to be the same as the SAMBA_2_0 branch
(This used to be commit 453a822a76)
1999-12-13 13:27:58 +00:00
Luke Leighton
f6276724ba changed function name of get_home_dir() to get_unixhome_dir(), to stop
clash with gnu readline library.

fixed issue with [homes] service not being there - call lp_add_home()
just before starting the msrpc processing.
(This used to be commit 054195df9b)
1999-12-12 21:00:35 +00:00
Luke Leighton
4f8a24522c final part of "first" phase converting over to msrpc daemon architecture.
done a minimal amout of clean-up in the Makefile, removing unnecessary
modules from the link stage.  this is not complete, yet, and will
involve some changes, for example to smbd, to remove dependencies on
the password database API that shouldn't be there.  for example,
smbd should not ever call getsmbpwXXX() it should call the Samr or Lsa
API.

this first implementation has minor problems with not reinstantiating
the same services as the caller.  the "homes" service is a good example.
(This used to be commit caa5052522)
1999-12-12 20:03:42 +00:00
Luke Leighton
0ce128e355 delineation between smb and msrpc more marked. smbd now constructs
pdus, and then feeds them over either a "local" function call or a "remote"
function call to an msrpc service.  the "remote" msrpc daemon, on the
other side of a unix socket, then calls the same "local" function that
smbd would, if the msrpc service were being run from inside smbd.

this allows a transition from local msrpc services (inside the same smbd
process) to remote (over a unix socket).

removed reference to pipes_struct in msrpc services.  all msrpc processing
functions take rpcsrv_struct which is a structure containing state info
for the msrpc functions to decode and create pdus.

created become_vuser() which does everything not related to connection_struct
that become_user() does.

removed, as best i could, connection_struct dependencies from the nt spoolss
printing code.

todo: remove dcinfo from rpcsrv_struct because this stores NETLOGON-specific
info on a per-connection basis, and if the connection dies then so does
the info, and that's a fairly serious problem.

had to put pretty much everything that is in user_struct into parse_creds.c
to feed unix user info over to the msrpc daemons.  why?  because it's
expensive to do unix password/group database lookups, and it's definitely
expensive to do nt user profile lookups, not to mention pretty difficult
and if you did either of these it would introduce a complication /
unnecessary interdependency.  so, send uid/gid/num_groups/gid_t* +
SID+num_rids+domain_group_rids* + unix username + nt username + nt domain
+ user session key etc.  this is the MINIMUM info identified so far that's
actually implemented.  missing bits include the called and calling
netbios names etc.  (basically, anything that can be loaded into
standard_sub() and standard_sub_basic()...)
(This used to be commit aa3c659a8d)
1999-12-12 01:25:49 +00:00
Luke Leighton
a0ba234cf9 the first independent msrpc daemon - lsarpcd.
one horrible cut / paste job from smbd, plus a code split of shared
components between the two.

the job is not _yet_ complete, as i need to be able to do a become_user()
call for security reasons.  i picked lsarpcd first because you don't
_need_ security on it (microsoft botched so badly on this one, it's not
real.  at least they fixed this in nt5 with restrictanonymous=0x2).
fixing this involves sending the current smb and unix credentials down
the unix pipe so that the daemon it eventually goes to can pick them
up at the other end.

i can't believe this all worked!!!
(This used to be commit 2245b0c6d1)
1999-12-06 00:44:32 +00:00
Luke Leighton
b96e4e4f7d domain_client_validate() no longer takes serverlist, it calls
get_any_dc_name().
(This used to be commit e21367c0eb)
1999-12-02 19:07:13 +00:00
Luke Leighton
c15b95cd1e cli_session_setup() now takes an extra argument (host name). hey, what
the heck is a cli_session_setup() call doing in here???  this should use
cli_establish_connection()server!
(This used to be commit fa054c96c6)
1999-12-01 21:47:30 +00:00
Luke Leighton
0d44ff9a76 attempting to resolve the issue that multiple servers often specified in
parameters to connect to \PIPE\NETLOGON.
(This used to be commit d1986ade30)
1999-11-29 21:47:14 +00:00
Luke Leighton
32b9508d06 implement server-side generation of NTLMv2 session key. YESSS :-)
(This used to be commit 1092b4f6fb)
1999-11-21 19:59:56 +00:00
Luke Leighton
680dcc9341 hmmm... have to add client-side support in domain_client_validate() to
_use_ user session key.
(This used to be commit be6a6b1393)
1999-11-21 17:27:20 +00:00
Luke Leighton
4081147c31 adding user session key into network netlogon response.
(This used to be commit c73f6b0d02)
1999-11-21 17:11:00 +00:00
Luke Leighton
387cc182e6 oops, #ifdef'd cli_shutdown out, as the fun has _already_ started:
NT refuses to play nice, and establish a trust relationship.
(This used to be commit 98c42764fb)
1999-11-20 22:05:31 +00:00
Luke Leighton
27b8df4d9b attempting to establish inter-domain trust relationships. modified
smbpasswd so it can be used to set up inter-domain trust account.
(This used to be commit 99ec0620c3)
1999-11-20 21:59:16 +00:00
Luke Leighton
24a069eac3 modified domain_client_validate to take trust account name / type. this
is to pass DOMAIN_NAME$ and SEC_CHAN_DOMAIN instead of WKSTA_NAME$ and
SEC_CHAN_WKSTA.

modified check_domain_security to determine if domain name is own domain,
and to use wksta trust account if so, otherwise check "trusting domains"
parameter and use inter-domain trust account if so, otherwise return
False.
(This used to be commit 97ec74e1fa)
1999-11-20 20:54:29 +00:00
Luke Leighton
902b53dcc0 cli_nt_setup_creds() returns uint32 NT status code not a BOOL.
removed all comparisons to if (fn() == False), replaced with if (!fn()).
(This used to be commit fdef97eb7c)
1999-10-29 15:53:18 +00:00
Luke Leighton
6f9105c853 various. debug levels changed. nmbd doesn't need libsmb/clienttrust.c.
samr_lookup_rids() moved to a dynamic memory structure not a
static one limited to 32 RIDs.  cli_pipe.c reading wasn't checking
ERRmoredata when DOS error codes negotiated (this terminates
MSRPC code with prejudice).
(This used to be commit 8976eca2db)
1999-10-21 16:53:50 +00:00
Luke Leighton
33ed8059a2 NTLMv2 check being actioned when NT password response was only 24 chars.
added check to ensure response is more than 24 chars before bothering
to do an NTLMv2 check.
(This used to be commit 7a58895ff2)
1999-07-16 22:23:45 +00:00
Luke Leighton
0262b2a6b4 copy of password struct needed to be made prior to calling copy_passwd_struct
found by Bertl <bs@vpnet.at>.
(This used to be commit 93298bca1c)
1999-07-16 22:03:15 +00:00
Luke Leighton
92b8937bae added %d %d to error message, try to track down the uid / smb_uid mismatch
(This used to be commit ec918ba144)
1999-07-15 17:50:27 +00:00
Luke Leighton
527820d306 oops, refused lm when ntlmv2 was true not false/auto. oops!
(This used to be commit 6b4b24d220)
1999-07-07 16:44:38 +00:00
Luke Leighton
ec711742c0 smb_password_ok() checking incorrectly whether lm password exists.
when lmcompatibilitylevel=0x2 on nt sp4+ clients, lm# is not sent.
(This used to be commit e655e68474)
1999-07-06 21:25:42 +00:00
Luke Leighton
73891ca8e4 improving authentication code (tidyup).
(This used to be commit ab1a6aa42d)
1999-06-29 18:47:06 +00:00
Tim Potter
731c7f2ecf Moved code that changes the pw_passwd entry (i.e shadow password and
weird unixware stuff) into _Get_Pwnam() to fix a memory allocation bug.

Note that the Get_Pwnam() function now returns a const struct passwd *
as a hint to other developers not to change entries in the struct
passwd.
(This used to be commit 36d7cb4ccc)
1999-06-13 04:14:24 +00:00
Luke Leighton
150645f955 Jani Jaakkola's "getpwuid() / getpwnam()" hash-cache-hack
(This used to be commit 899fc053c5)
1999-05-06 18:05:45 +00:00
Luke Leighton
43a460075a SAM database "set user info".
----------------------------

- removed DOM_RID4

- removed SAMR_UNKNOWN_32

- added SAMR_SET_USERINFO (opcode 0x32)

- added level 0x1 to SAMR_QUERY_DOM_INFO (needed for create user)

- fixed pwdb_gethexpwd() it was failing on XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

- added mod_sam21pwd_entry()

- preparing to call mod_sam21pwd_entry()

- added "user session key" to user_struct.dc.  this is md4(nt#) and is
  needed to decode user's clear-text passwords in SAMR_SET_USERINFO.

- split code out in chgpasswd.c to decode 516 byte password buffers.
(This used to be commit 2e58ed7424)
1999-03-25 13:54:31 +00:00
Luke Leighton
bd76e02ec4 going to start adding inter-domain trust logons soon.
(This used to be commit f9f594c03e)
1999-03-19 15:49:22 +00:00
Luke Leighton
c4241b5662 cli_setup_creds new arguments added.
(This used to be commit 5fa3a3f710)
1999-03-12 19:37:40 +00:00
Luke Leighton
e67a8d9d98 server_cryptkey() now calling cli_connectserverlist(). stupid microsoft
idiotic *SMBSERVER connectionism added to cli_connect_serverlist().
also added check for protocol < LANMAN2.
(This used to be commit c2bcb3a286)
1998-12-14 21:22:59 +00:00
Luke Leighton
9c848ec329 removed nt_pipe_fnum from struct cli_state. need to be able to call
LsaLookupSids etc from within SamrQueryAliasMembers, for example.
fnum is now a parameter to client functions.  thanks to mike black
for starting the ball rolling.
(This used to be commit bee8f7fa6b)
1998-12-07 20:23:41 +00:00
Luke Leighton
f3787515d6 moved get_unixgroups it will be needed by the unix instance of the group
DB API
(This used to be commit ef58e48bc9)
1998-12-03 17:41:14 +00:00
Luke Leighton
30038de462 weekend work. user / group database API.
- split sam_passwd and smb_passwd into separate higher-order function tables

- renamed struct smb_passwd's "smb_user" to "unix_user".  added "nt_user"
plus user_rid, and added a "wrap" function in both sam_passwd and smb_passwd
password databases to fill in the blank entries that are not obtained
from whatever password database API instance is being used.

NOTE: whenever a struct smb_passwd or struct sam_passwd is used, it MUST
be initialised with pwdb_sam_init() or pwd_smb_init(), see chgpasswd.c
for the only example outside of the password database APIs i could find.

- added query_useraliases code to rpcclient.

- dealt with some nasty interdependencies involving non-smbd programs
and the password database API.  this is still not satisfactorily
resolved completelely, but it's the best i can do for now.

- #ifdef'd out some password database options so that people don't
mistakenly set them unless they recompile to _use_ those options.

lots of debugging done, it's still not finished.  the unix/NT uid/gid
and user-rid/group-rid issues are better, but not perfect.  the "BUILTIN"
domain is still missing: users cannot be added to "BUILTIN" groups yet,
as we only have an "alias" db API and a "group" db API but not "builtin-alias"
db API...
(This used to be commit 5d5d7e4de7)
1998-11-29 20:03:33 +00:00
Andrew Tridgell
091a92e996 try to use *SMBSERVER to connect to password server if the first
session_request fails.
(This used to be commit ab2370e7ac)
1998-11-21 01:28:15 +00:00
Jeremy Allison
a97baa50fd smbd/password.c: Added *SMBSERVER fix is name is too long.
web/swat.c: Changed '?' to help.
Jeremy.
(This used to be commit 631913ea85)
1998-11-21 00:16:28 +00:00
Jeremy Allison
768761820e Added the same open()/fopen()/creat()/mmap() -> sys_XXX calls.
Tidied up some of the mess (no other word for it). Still doesn't
compile cleanly. There are calls with incorrect parameters that
don't seem to be doing the right thing.

This code still needs surgery :-(.

Jeremy.
(This used to be commit 18ff93a9ab)
1998-11-17 20:50:07 +00:00
Luke Leighton
74d539f557 - group database API. oops and oh dear, the threat has been carried out:
the pre-alpha "domain group" etc parameters have disappeared.

- interactive debug detection

- re-added mem_man (andrew's memory management, detects memory corruption)

- american spellings of "initialise" replaced with english spelling of
  "initialise".

- started on "lookup_name()" and "lookup_sid()" functions.  proper ones.

- moved lots of functions around.  created some modules of commonly used
  code.  e.g the password file locking code, which is used in groupfile.c
  and aliasfile.c and smbpass.c

- moved RID_TYPE_MASK up another bit.  this is really unfortunate, but
  there is no other "fast" way to identify users from groups from aliases.
  i do not believe that this code saves us anything (the multipliers)
  and puts us at a disadvantage (reduces the useable rid space).
  the designers of NT aren't silly: if they can get away with a user-
  interface-speed LsaLookupNames / LsaLookupSids, then so can we.  i
  spoke with isaac at the cifs conference, the only time for example that
  they do a security context check is on file create.  certainly not on
  individual file reads / writes, which would drastically hit their
  performance and ours, too.

- renamed myworkgroup to global_sam_name, amongst other things, when used
  in the rpc code.  there is also a global_member_name, as we are always
  responsible for a SAM database, the scope of which is limited by the role
  of the machine (e.g if a member of a workgroup, your SAM is for _local_
  logins only, and its name is the name of your server.  you even still
  have a SID.  see LsaQueryInfoPolicy, levels 3 and 5).

- updated functionality of groupname.c to be able to cope with names
  like DOMAIN\group and SERVER\alias.  used this code to be able to
  do aliases as well as groups.  this code may actually be better
  off being used in username mapping, too.

- created a connect to serverlist function in clientgen.c and used it
  in password.c

- initialisation in server.c depends on the role of the server.  well,
  it does now.

- rpctorture.  smbtorture.  EXERCISE EXTREME CAUTION.
(This used to be commit 0d21e1e609)
1998-11-17 16:19:04 +00:00
Andrew Tridgell
8c62b28e0e converted smbclient to use clientgen.c rather than clientutil.c
I did this when I saw yet another bug report complaining about
smbclient intermittently missing files. Rather than applying more
patches to smbclient it was better to move to the more robust
clientgen.c code.

The conversion wasn't perfect, I probably lost some features of
smbclient while doing it, but at least smbclient should be consistent
now. It if fails it should _always_ fail rather than giving people the
false impression of a reliable utility.

the tar stuff seems to work, but hasn't had much testing as I never
use it myself. I'm sure someone will find bugs in my conversion of
smbtar.c. It was quite tricky as it did a lot of its own SMB calls. It
now uses clientgen.c exclusively.

smbclient is still quite messy, but at least it doesn't build its own
SMB packets.

I haven't touched smbmount as I never use it. Mike, do you want to
convert smbmount to use clientgen.c?
(This used to be commit e14ca7765a)
1998-11-09 03:45:49 +00:00
Jeremy Allison
548b417d40 codepages/codepage_def.936: Updated comment.
param/loadparm.c: Removed "networkstation user login", "domain controller", and "domain sid" parameters.
passdb/passdb.c: Removed "networkstation user login" code and changed bug test code
                 to only check once for a bad password server. This will stop the
                 complaints of many "bad login" audit records in NT PDC logs.
utils/smbpasswd.c: Removed check for "domain controller".
Jeremy.
(This used to be commit d6e6e936b5)
1998-11-07 05:32:37 +00:00
Jeremy Allison
6e3af45afe Fixed mainly signed/unsigned issues found by SGI cc in -fullwarn mode.
smbd/chgpasswd.c: Fixed (my) stupid bug where I was returning stack based variables. Doh !
smbd/trans2.c: Allows SETFILEINFO as well as QFILEINFO on directory handles.
Jeremy.
(This used to be commit 0b44d27d0b)
1998-10-21 16:58:34 +00:00
Luke Leighton
01de603084 - dce/rpc code
- removed debug info in struni2 and unistr2 (security risk)

- rpc_pipe function was getting pointer to data then calling realloc *dur*

- password check function, the start of "credential checking",
  user, wks, domain, pass as the credentials (not just user,pass which
  is incorrect in a domain context)

- cli_write needs to return ssize_t not size_t, because total can be -1
  if the write fails.

- fixed signed / unsigned warnings (how come i don't get those any more
  when i compile with gcc???)

- nt password change added in smbd.  yes, jeremy, i verified that the
  SMBtrans2 version still works.
(This used to be commit fcfb40d2b0)
1998-10-19 17:32:10 +00:00
Luke Leighton
b6993a89af !pass -> pass != NULL is wrong: !pass -> pass == NULL is correct. oops.
(This used to be commit 866e101818)
1998-10-16 21:41:42 +00:00
Luke Leighton
97f0c9d550 made pass_check_smb() available for dce/rpc use.
(This used to be commit 95e8a910c5)
1998-10-16 21:36:19 +00:00
Luke Leighton
3637ad5f2b cli_nt_session_open() encrypt arg removed
(This used to be commit 63def71799)
1998-10-16 20:18:46 +00:00
Luke Leighton
5cb99177af setup_groups() - code clarification. no functional change.
(This used to be commit dae7c5ea9a)
1998-10-16 20:13:26 +00:00
Luke Leighton
c404bb7754 rpcclient interactive login (with trust account changing if you are root)
cli_session_setup handles null sessions correctly
(This used to be commit 60c0f22a4e)
1998-10-15 23:51:07 +00:00
Jeremy Allison
fc7d3e4caa config: Fix crypt prototype on RedHat Linux.
include/includes.h: Fix crypt prototype on RedHat Linux.
smbd/fileio.c: Fix mmap bug found by WinCE client.
smbd/ipc.c: Fix WinCE wierdness with pipes being opened as \server\pipe\lanman
smbd/password.c: Fix encrypted null passwords.
Jeremy.
(This used to be commit 475992730c)
1998-10-15 00:55:17 +00:00
Luke Leighton
935dc98f66 dce/rpc
(This used to be commit 69f5f9f889)
1998-10-14 06:29:20 +00:00
Andrew Tridgell
99208208fa use level 0 for DEBUG() of malformed password entry in smbpasswd
(This used to be commit bff457b4a4)
1998-10-13 14:14:09 +00:00
Luke Leighton
f8a3e2df11 using wrong cli_state in "security = domain" call.
(This used to be commit 1c08cc2466)
1998-10-06 16:25:24 +00:00
Andrew Tridgell
40984f6b55 - modified resolve_name() to take a name_type
- cleaned up resolve_name() (split into separate functions for each resolver)
- if can't find local master then use #1B name
- support listing of foreign workgroups in /smb/
(This used to be commit a4e607c17d)
1998-10-04 12:00:40 +00:00
Jeremy Allison
9066025a8a Got very strict about the differences and uses of
uid_t, gid_t and vuid. Added sys_getgroups() to get
around the int * return problem. Set correct datatypes
for all uid, gid and vuid variables.
Jeremy.
(This used to be commit e570db46fc)
1998-09-29 20:24:17 +00:00