IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
fix the confusion when we tdb_lock_bystring() but
we retrieve an entry using tdb_fetch_by_string.
It's now always tdb.*bystring()
(This used to be commit 66359531b89368939f0e8f584a45844b5f2f99e7)
It was caused by the winbind_ping() call in is_trusted_domain()
o if we are a DC then we check our own direct trust relationships
we have to rely on winbindd to update the truatdom_cache
o if we are a domain member, then we can update the trustdom_cache
ourselves if winbindd is not there
(This used to be commit 22dfcafb37f7109dc455f4fb6323a25ba4f097bc)
* is_trusted_domain() is broken without winbind. Still working on this.
* get_global_sam_name() should return the workgroup name unless we
are a standalone server (verified by volker)
* Get_Pwnam() should always fall back to the username (minus domain name)
even if it is not our workgroup so that TRUSTEDOMAIN\user can logon
if 'user' exists in the local list of accounts (on domain members w/o
winbind)
Tested using Samba PDC with trusts (running winbindd) and a Samba 3.0
domain member not running winbindd.
notes: make_user_info_map() is slightly broken now due to the
fact that is_trusted_domain() only works with winbindd. disabled
checks temporarily until I can sort this out.
(This used to be commit e1d6094d066d4c16ab73075caba40a1ae6c56b1e)
*) consolidates the dc location routines again (dns
and netbios) get_dc_list() or get_sorted_dc_list()
is the authoritative means of locating DC's again.
(also inludes a flag to get_dc_list() to define
if this should be a DNS only lookup or not)
(however, if you set "name resolve order = hosts wins"
you could still get DNS queries for domain name IFF
ldap_domain2hostlist() fails. The answer? Fix your DNS
setup)
*) enabled DOMAIN<0x1c> lookups to be funneled through
resolve_hosts resulting in a call to ldap_domain2hostlist()
if lp_security() == SEC_ADS
*) enables name cache for winbind ADS backend
*) enable the negative connection cache for winbind
ADS backend
*) removes some old dead code
*) consolidates some duplicate code
*) moves the internal_name_resolve() to use an IP/port pair
to deal with SRV RR dns replies. The namecache code
also supports the IP:port syntax now as well.
*) removes 'ads server' and moves the functionality back
into 'password server' (which can support "hostname:port"
syntax now but works fine with defaults depending on
the value of lp_security())
(This used to be commit d7f7fcda425bef380441509734eca33da943c091)
* move back to qsort() for sorting IP address in get_dc_list()
* remove dc_name_cache in cm_get_dc_name() since it slowed
things down more than it helped. I've made a note of where
to add in the negative connection cache in the ads code.
Will come back to that.
* fix rpcclient to use PRINTER_ALL_ACCESS for set printer (instead
of MAX_ALLOWED)
* only enumerate domain local groups in our domain
* simplify ldap search for seqnum in winbindd's rpc backend
(This used to be commit f8cab8635b02b205b4031279cedd804c1fb22c5b)
This replaces the universal group caching code (was originally
based on that code). Only applies to the the RPC code.
One comment: domain local groups don't show up in 'getent group'
that's easy to fix.
Code has been tested against 2k domain but doesn't change anything
with respect to NT4 domains.
netsamlogon caching works pretty much like the universal group
caching code did but has had much more testing and puts winbind
mostly back in sync between branches.
(This used to be commit aac01dc7bc95c20ee21c93f3581e2375d9a894e1)
(this now causes things like the LANMAN protocol and contacting servers with 'encrypt passwords = no' set to fail, if configured)
'client ntlmv2 auth' (a BOOL) forces both plaintext and lanman off, and is the
most secure setting for compatible hosts.
Perhaps we should change this to 'client minimum auth'?
Andrew Bartlett
(This used to be commit e1fb681e4c921456fde154b87687722a18ed4aac)
MAC calcuation code, and now supports multiple outstanding packets.
Fixes bug #40
Andrew Bartlett
(This used to be commit dd33212f1ec08f46223d6de8e5ff3140ce367a9a)
into rpc_find_dc(). Should probably be extended some more
in 3.0 but this is what we have for the moment.
(This used to be commit 0e23abf95cf7ba2d0a314a34bddb4d46de2a3cd1)
1. Allows to change quota settings for shared mount points from Win2K and WinXP from Explorer properties tab
2. Disabled by default and when requested, will be probed and enabled only on Linux where it works
3. Was tested for approx. two weeks now on Linux by two independent QA teams, have not found any bugs so far
Documentation to follow
(This used to be commit 4bf022ce9e45be85609426762ba2644ac2031326)
With big thanks to tpot for the ethereal disector, and for the base code
behind this, we now fully support NTLMv2 as a client.
In particular, we support it with direct domain logons (tested with ntlm_auth
--diagnostics), with 'old style' session setups, and with NTLMSSP.
In fact, for NTLMSSP we recycle one of the parts of the server's reply directly...
(we might need to parse for unicode issues later).
In particular, a Win2k domain controller now supplies us with a session key
for this password, which means that doman joins, and non-spnego SMB signing
are now supported with NTLMv2!
Andrew Bartlett
(This used to be commit 9f6a26769d345d319ec167cd0e82a45e1207ed81)
important once we start doing schannel, as there would be a lot more
roundtrips for the second PIPE open and bind. With this patch logging
in to a member server is a matter of two (three if you count the
ack...) packets between us and the DC.
Volker
(This used to be commit 5b3cb7725a974629d0bd8b707bc2940c36b8745e)
(well, under certain conditions :-)
There is no length limit on the size of the authentication response added
into the MD5 hash. (We had previously limited this to lengths like 40, 44 or
64 in attempts to make sense of what the SNIA spec tells us).
Instead, the entire authentication response is added in.
Currently, this only works on a Win2k domain members with a Samba PDC,
becouse our NTLMv2 code currently fails against an Win2k PDC.
However, this splits the problem in half - particularly as the NTLMv2 format
is known, and even has an ethereal disector! (thanks tpot).
Andrew Bartlett
(This used to be commit 7645d3d28afbb8eea502c0e063df3afb3aa812f4)
key, so we can test it in ntlm_auth.
I suspect the 'lm' version doesn't exist, but it's easy to change back.
Andrew Bartlett
(This used to be commit 5efd95622c411f123660b6613b86c7a68bba68e8)
This should make it clearer what magic numbers refer to the magic numbers
in the CIFS spec, and what bits and peices are being appended into the MD5
calculation where.
Andrew Bartlett
(This used to be commit 7f1c271cfb04f621e36f1acf60979652e82dc6f4)
This includes the 'SIDs Rule' patch, mimir's trusted domains cacheing code,
the winbind_idmap abstraction (not idmap proper, but the stuff that held up
the winbind LDAP backend in HEAD).
Andrew Bartlett
(This used to be commit d4d5e6c2ee6383c6cceb5d449aa2ba6c83eb0666)
just the correct error.
This should help us avoid breaking NT4 IPC$ connections, for example.
This has required that we don't overwrite the device type for IPC$ in our
tcon&X code, but only smbwrapper even uses it, and a server that doesn't send
a correct dev type breaks other things pretty badly.
In any case, I'll 'fix' smbwrapper :-).
Andrew Bartlett
(This used to be commit a93057efcb6e639be05b7bdcb9729ed8f39f5f62)
merge last time. I hope this might fix a few failures on the build farm too.
Andrew Bartlett
(This used to be commit 0c837126923cc30fa60223a5a68d4f527971cc7b)
This allows us to join as a BDC, without appearing on the network as one
until we have the database replicated, and the admin changes the configuration.
This also change the SID retreval order from secrets.tdb, so we no longer
require a 'net rpc getsid' - the sid fetch during the domain join is sufficient.
Also minor fixes to 'net'.
Andrew Bartlett
(This used to be commit 876e00fd112e4aaf7519eec27f382eb99ec7562a)
- Stephan Kulow's changes (fixing warnings in libsmbclient)
- VFS modules
- Seperating libs
(This used to be commit 6e9b7802335428c88ecf4e44a0e2395ac58e96b5)
workstation, we have to use the workstation type, if we have a BDC account,
we must use the BDC type - even if we are pretending to be a workstation
at the moment.
Also actually store and retreive the last change time, so we can do
periodic password changes again (for RPC at least).
And finally, a couple of minor fixes to 'net'.
Andrew Bartlett
(This used to be commit 6e6b7b79edae3efd0197651e9a8ce6775c001cf2)
