1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

212 Commits

Author SHA1 Message Date
Justin Maggard
d7ca174744 s3:smbd: add negprot remote arch detection for OSX
Remote arch detection for OSX clients has been broken for some time, since
both Samba and OSX started supporting SMB2.  Fix it by adding modern OSX
client detection support to the negprot remote arch detection routine.

Signed-off-by: Justin Maggard <jmaggard10@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <rb@sernet.de>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar  3 09:03:53 CET 2016 on sn-devel-144
2016-03-03 09:03:53 +01:00
Justin Maggard
b69b96fc14 s3:smbd: rework negprot remote arch detection
Negprot remote arch detection is very cryptic.  Rework it so it's easier
to understand, and therefore more extensible, following the protocol table
in inline comments.  This also allows us to remove some hacks.

Signed-off-by: Justin Maggard <jmaggard10@gmail.com>
Reviewed-by: Ralph Boehme <rb@sernet.de>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-03 05:50:17 +01:00
Stefan Metzmacher
fbcc30931c s3:smbd: remove unused spnego related includes
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2015-12-17 14:45:13 +01:00
Richard Sharpe
6abd986704 Convert all uses of uint8/16/32 to _t in source3/smbd.
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-05-06 04:14:14 +02:00
Stefan Metzmacher
0b99a8ac45 s3:smbd: only pass smbXsrv_connection to fork_echo_handler()
We don't need smbd_server_connection there.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-09-19 09:15:11 +02:00
Stefan Metzmacher
f25331499e s3:smbd: use req->sconn in reply_negprot()
xconn->sconn will go away soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-09-19 09:15:11 +02:00
Stefan Metzmacher
05779e318a s3:smbd: pass smbXsrv_connection to get_challenge()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-08-06 09:51:13 +02:00
Stefan Metzmacher
e9fb54c1ec s3:smbd: pass smbXsrv_connection to negprot_spnego()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-08-06 09:51:13 +02:00
Stefan Metzmacher
314ef691ba s3:smbd: move sconn->smb1.signing_state to xconn->smb1.signing_state
This prepares the structures for multi-channel support.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-08-06 09:51:11 +02:00
Stefan Metzmacher
cd8105484c s3:smbd: move sconn->smb1.negprot.* to xconn->smb1.negprot.*
This prepares the structures for multi-channel support.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-08-06 09:51:11 +02:00
Shirish Pargaonkar
a0583976da samba: Retain case sensitivity of cifs client
When a client supports extended security but server does not,
and that client, in Flags2 field of smb header indicates that

- it supports extended security negotiation
- it does not support security signatures
- it does not require security signatures

Samba server treats a client as a Vista client.

That turns off case sensitivity and that is a problem for cifs vfs client.

So include remote cifs client along with remote samba client
to not do so otherwise.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10755

Signed-off-by: Shirish Pargaonkar <spargaonkar@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Fri Aug  1 16:11:43 CEST 2014 on sn-devel-104
2014-08-01 16:11:43 +02:00
Stefan Metzmacher
a56c35a4de s3:smbd: always allow SMB1 signing, but only announce it if configured.
Always allow the client to turn on SMB1 signing using
FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Apr 16 10:07:56 CEST 2014 on sn-devel-104
2014-04-16 10:07:56 +02:00
Stefan Metzmacher
2103c373b4 auth/gensec: remove tevent_context argument from gensec_update()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-03-27 00:36:32 +01:00
Andrew Bartlett
86850860f8 lib/param: Normalise "read raw" and "write raw" parameters
They have been changed to function like normal parameters,
removing a special case in the loadparm system.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-02-12 13:17:13 +13:00
Garming Sam
63598ff628 param: rename lp function and variable from "encrypted_passwords" to "encrypt_passwords"
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-02-07 16:19:15 -08:00
Garming Sam
fc111c7875 param: rename lp function and variable from "srv_minprotocol" to "server_min_protocol"
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-02-07 16:19:15 -08:00
Garming Sam
64dc4b59f8 param: rename lp function and variable from "srv_maxprotocol" to "server_max_protocol"
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-02-07 16:19:15 -08:00
Garming Sam
57d407430f param: rename lp function and variable from "maxmux" to "max_mux"
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-02-07 16:19:15 -08:00
Volker Lendecke
fbee7c1eab smbd: Fix async echo handler forking (Bug 10086)
If SMB3 is chosen via an SMB1 negprot, we forked the echo handler because
set_Protocol is called later, after the full protocol negotiation is done.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Aug 14 15:54:43 CEST 2013 on sn-devel-104
2013-08-14 15:54:43 +02:00
Stefan Metzmacher
be98c1c889 s3:smbd: remove silly (SMB_OFF_T_BITS == 64) checks
configure will abort if sizeof(off_t) is not 8.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-03-20 09:32:26 -07:00
Jeremy Allison
b70f23c2b5 Correctly check for errors in strlower_m() returns. 2012-08-09 12:08:18 -07:00
Andrew Bartlett
9521cd0409 param: Make the 'unicode' parameter common
This parameter is most useful for interop testing, rather than production use.

Andrew Bartlett
2012-07-24 10:46:12 +10:00
Andrew Bartlett
6aee8021a1 s3-smbd: Remove unused branches in negprot since security=share was removed 2012-06-11 11:44:07 +02:00
Andrew Bartlett
9db04c481d s3-smbd: Remove support for protocols before LANMAN1
This falls out of the removal of security=share, because we now require that
a session setup has been performed before (essentially) all other operations.

Andrew Bartlett
2012-06-05 04:27:36 +02:00
Stefan Metzmacher
b3235d483d s3:smbd: introduce struct smbXsrv_connection
This will represent a transport connection for SMB 1 or 2
in the server. smbd_server_connection will slowly be moved
to the SMB_VFS layer to satisfy the existing modules,
but it will hopefully be protocol independend in future.

metze
2012-05-12 01:01:34 +02:00
Jelmer Vernooij
c0288e0612 lib/util: Remove obsolete sys_getpid() and sys_fork().
The performance of these is minimal (these days) and they can return
invalid results when used as part of applications that do not use
sys_fork().

Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Mar 24 21:55:41 CET 2012 on sn-devel-104
2012-03-24 21:55:40 +01:00
Andrew Bartlett
50547a9950 s3-auth: Follow auth_ntlmssp and use auth4_context for Session Setup
This patch ensures consistency in behaviour between NTLMSSP and NTLM
session setup handlers.  By calling the same layer that auth_ntlmssp
calls, we can not only allow redirection of all authentication to the
AD DC, we ensure that map to guest and username map handling is
consistent, even in the file server alone.

Andrew Bartlett
2012-03-08 10:14:05 +01:00
Andrew Bartlett
d7bb961859 s3-auth: Remove security=share (depricated since 3.6).
This patch removes security=share, which Samba implemented by matching
the per-share password provided by the client in the Tree Connect with
a selection of usernames supplied by the client, the smb.conf or
guessed from the environment.

The rationale for the removal is that for the bulk of security=share
users, we just we need a very simple way to run a 'trust the network'
Samba server, where users mark shares as guest ok.  This is still
supported, and the smb.conf options are documented at
https://wiki.samba.org/index.php/Public_Samba_Server

At the same time, this closes the door on one of the most arcane areas
of Samba authentication.

Naturally, full user-name/password authentication remain available in
security=user and above.

This includes documentation updates for username and only user, which
now only do a small amount of what they used to do.

Andrew Bartlett

                       --------------
                      /              \
                     /      REST      \
                    /        IN        \
                   /       PEACE        \
                  /                      \
                  |      SEC_SHARE       |
                  |    security=share    |
                  |                      |
                  |                      |
                  |       5 March        |
                  |                      |
                  |        2012          |
                 *|     *  *  *          | *
        _________)/\\_//(\/(/\)/\//\/\///|_)_______
2012-03-04 23:33:05 +01:00
Andrew Bartlett
c318c94170 s3-param: Align lp_{max,min}protocol with lib/param names
This adds an alisas to ensure that both our loadparm systems know all
the names.

I would like to move to the 'server ..' name as canonical, and this
will be raised on the list.

Andrew Bartlett
2012-02-27 07:36:05 +01:00
Andrew Bartlett
eb3e34e965 s3-smbd Remove unused code now we always have SPNEGO via gensec
This was previously needed because SPNEGO was only available in the AD DC.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-16 15:18:43 +01:00
Andrew Bartlett
16e463e169 s3-auth Remove ntlmssp_wrap.h which is no longer required
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 17:17:28 +01:00
Andrew Bartlett
3042e38d51 s3-auth use gensec directly rather than via auth_generic_state
This is possible because the s3 gensec modules are started as
normal gensec modules, so we do not need a wrapper any more.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 17:17:28 +01:00
Andrew Bartlett
1075efabc7 s3-auth Add TALLOC_CTX * to auth_generic_prepare()
This makes the long term owner of this memory more clear.  So far only the
clear cases have been moved from NULL however.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 17:17:28 +01:00
Andrew Bartlett
1100f6eca5 s3-auth rename auth_ntlmssp_prepare() -> auth_generic_prepare()
This function handles more than NTLMSSP now, at least when we are an AD DC
and so changing the name may avoid some confusion in the future.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-22 19:25:10 +01:00
Andrew Bartlett
6391fff9da s3-auth rename auth_ntlmssp_state -> auth_generic_state
This structure handles more than NTLMSSP now, at least when we are an AD DC
and so changing the name may avoid some confusion in the future.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-22 19:25:10 +01:00
Stefan Metzmacher
704cf10645 s3:smbd: avoid using sconn_server_id()
metze
2011-12-16 13:19:32 +01:00
Stefan Metzmacher
03455519e7 s3:smbd: pass smbd_server_connection and a snumused function pointer to reload_services()
metze
2011-12-15 11:11:24 +01:00
Stefan Metzmacher
af1a2eecce s3:smbd: calculate the negprot signing flags from the signing_state
We should map from lp_server_signing() just once in srv_init_signing().

metze

Signed-off-by: Günther Deschner <gd@samba.org>

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Wed Nov 16 18:59:49 CET 2011 on sn-devel-104
2011-11-16 18:59:49 +01:00
Stefan Metzmacher
9b4c300922 s3:smbd: also send the server name in the negprot response
This matches W2K (at least sp4) and higher.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Nov  4 15:50:06 CET 2011 on sn-devel-104
2011-11-04 15:50:06 +01:00
Stefan Metzmacher
caa134672c s3:smbd: make use of SMB_SIGNING_* constants
metze
2011-11-03 16:55:13 +01:00
Andrew Bartlett
083025ccd5 s3-ntlmssp Remove auth_ntlmssp_update wrapper
We now just call gensec_update directly.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-21 08:43:10 +02:00
Stefan Metzmacher
abb24bf8e8 s3:smbd: make use of better SMB signing negotiation
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Sep 14 09:41:02 CEST 2011 on sn-devel-104
2011-09-14 09:41:02 +02:00
Stefan Metzmacher
258ffddf1c libcli/smb: s/FLAGS2_UNKNOWN_BIT4/FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Sat Sep 10 00:34:50 CEST 2011 on sn-devel-104
2011-09-10 00:34:50 +02:00
Stefan Metzmacher
012c9d06a9 s3:smb2_server: add basic support for SMB 2.1
This adds support for the 2 stage negprot, from SMB 1 to SMB 2.1.

Support for this of for now and "max protocol = SMB2" still maps
to "max protocol = SMB2_02" PROTOCOL_SMB2_02.

In order to activate smb2.1, you need to use "max protocol = SMB2_10".

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Sep  5 19:30:58 CEST 2011 on sn-devel-104
2011-09-05 19:30:58 +02:00
Stefan Metzmacher
491c975dfe s3:smbd: make use of PROTOCOL_SMB2_02
metze
2011-09-05 13:25:00 +02:00
Volker Lendecke
781074664d s3: Fix bug 8334, do not fork the echo handler for smb2
If a smb1 negprot negotiated smb2 we forked the echo responder. This will
eventually lead to a panic from

[2011/08/30 10:33:29.212578,  0, pid=3846917] smbd/smb2_server.c:243(smbd_smb2_request_create)
  Invalid SMB packet: first request: 0x0009

because from the echo responder we always read using the normal smb1 protocol
handling routine. If that is a bit down the smb2 stream, we get a non-negprot
packet and panic.

BTW, the echo responder is not required for smb2 anyway, Microsoft confirmed
that it probes the server liveness using TCP keepalives and not smb2 echo
requests.

Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Wed Aug 31 17:58:48 CEST 2011 on sn-devel-104
2011-08-31 17:58:48 +02:00
Andrew Bartlett
d3524f2eae s3-auth use auth_generic_start to get full GENSEC in Samba3 session setup
This tests if the auth_generic_start() hook is available on the auth
context during the negprot, and if so it uses auth_generic_start() to
hook to GENSEC to handle the full SPNEGO blob.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:04 +10:00
Stefan Metzmacher
aca920b27c s3:smbd: use PROTOCOL_SMB2_02 instead PROTOCOL_SMB2
metze
2011-07-12 08:18:00 +02:00
Andrew Bartlett
74eed8f3ed s3-param Remove special case for global_myname(), rename to lp_netbios_name()
There is no reason this can't be a normal constant string in the
loadparm system, now that we have lp_set_cmdline() to handle overrides
correctly.

Andrew Bartlett
2011-06-09 12:40:09 +02:00
Andrew Bartlett
73b377432c s3-talloc Change TALLOC_REALLOC_ARRAY() to talloc_realloc()
Using the standard macro makes it easier to move code into common, as
TALLOC_REALLOC_ARRAY isn't standard talloc.

Andrew Bartlett
2011-06-09 12:40:08 +02:00