1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Commit Graph

172 Commits

Author SHA1 Message Date
Simo Sorce
01319b6e65 Revert "Use "localhost" to be ipv6 only friendly"
This reverts commit 54548f6dde3cf74f0e90ef577a55fd720dca6d93.
2018-03-19 15:34:32 +01:00
Simo Sorce
3e8c50901c Use "localhost" to be ipv6 only friendly
Signed-off-by: Simo Sorce <idra@samba.org>
2018-03-19 15:34:32 +01:00
Gary Lockyer
3bc5685445 rpc: Always supply both the remote and local address to the auth subsystem
This ensures that gensec, and then the NTLM auth subsystem under it, always gets the
remote and local address pointers for potential logging.

The local address allows us to know which interface an authentication is on

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:27 +02:00
Stefan Metzmacher
376e58d2fb s3:dcerpc_helpers: correctly support DCERPC_AUTH_LEVEL_PACKET
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:16 +02:00
Stefan Metzmacher
fc65e48cbe librpc/rpc: move dcerpc_pull_ncacn_packet() from source3/librpc/rpc/ to the toplevel
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:13 +02:00
Stefan Metzmacher
ab7868a964 s3:librpc: move NDR_PRINT_DEBUG() into the caller of dcerpc_pull_ncacn_packet()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:13 +02:00
Stefan Metzmacher
1bfba2c516 s3:librpc: remove bigendian argument from dcerpc_pull_ncacn_packet()
We should get this from the packet itself.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:13 +02:00
Stefan Metzmacher
97ee4d82b1 CVE-2015-5370: s3:librpc/rpc: verify auth_context_id in dcerpc_check_auth()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
9dedf276f0 CVE-2015-5370: s3:librpc/rpc: make use of auth->auth_context_id in dcerpc_add_auth_footer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
ce8d2d6a70 CVE-2015-5370: s3:librpc/rpc: add auth_context_id to struct pipe_auth_data
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
0f8d4a50f8 CVE-2015-5370: s3:librpc/rpc: remove unused dcerpc_pull_dcerpc_auth()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
8a6240872c CVE-2015-5370: s3:librpc/rpc: let dcerpc_check_auth() auth_{type,level} against the expected values.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
642fe0aa16 CVE-2015-5370: s3:librpc/rpc: remove auth trailer and possible padding within dcerpc_check_auth()
This simplifies the callers a lot.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
67f6fd305c CVE-2015-5370: s3:librpc/rpc: don't call dcerpc_pull_auth_trailer() if auth_length is 0
All other paranoia checks are done within dcerpc_pull_auth_trailer()
now.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:28 +02:00
Stefan Metzmacher
b2e042ad96 s3:librpc/rpc: fix padding calculation in dcerpc_guess_sizes()
The padding needs to be relative to the payload start not to the pdu start.
We also need align the padding to DCERPC_AUTH_PAD_ALIGNMENT (16 bytes).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-23 14:38:53 +02:00
Stefan Metzmacher
3e6e9e3acd s3:librpc/rpc: allow up to DCERPC_AUTH_PAD_ALIGNMENT padding bytes in dcerpc_add_auth_footer()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-23 14:38:53 +02:00
Günther Deschner
4234cbb694 s3-rpc_server: Fix inteface typo.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jun  4 03:51:29 CEST 2015 on sn-devel-104
2015-06-04 03:51:29 +02:00
Andrew Bartlett
d0a0af3550 librpc: gensec is our security provider abstraction, remove a void *
Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-09-27 01:35:36 +02:00
Andrew Bartlett
f8643b9f5f librpc: Remove user/domain from struct pipe_auth_data
This does require that we always fill in the gensec pointer, but the
simplification is worth the extra allocations.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-09-27 01:35:36 +02:00
Stefan Metzmacher
6a5cd1857f s3:rpc_client: Use gensec for NCALRPC_AS_SYSTEM.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-04-24 11:21:05 +02:00
Stefan Metzmacher
2ed1789e4d s3:rpc_client: pass everything to gensec by default
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-04-24 11:21:05 +02:00
Stefan Metzmacher
caeef257d2 s3:dcerpc_ep: make use of dcerpc_binding_set_abstract_syntax()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-02-13 11:54:16 +01:00
Stefan Metzmacher
52ccd28ca7 s3:dcerpc_ep: make use of dcerpc_binding helper functions
We should not dereference 'struct dcerpc_binding'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-02-13 11:54:16 +01:00
Stefan Metzmacher
47d7b8df44 s3:dcerpc_up: avoid useless talloc_zero() calls
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-02-11 16:20:28 +01:00
Stefan Metzmacher
f9cc66055d s3:dcerpc_ep: make ep_register() more tolerant regarding the passes binding vector
We should take a copy and set the abstract syntax to from the given interface
before we construct the tower.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-02-11 16:20:28 +01:00
Stefan Metzmacher
754f2eba16 s3:dcerpc_ep: only use the explicitly passed object_guid
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-02-11 16:20:28 +01:00
Stefan Metzmacher
09d3a0cda9 s3:dcerpc_ep: only use an array of 'struct dcerpc_binding *'
In future we should not dereference struct dcerpc_binding
and just keep pointers.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-02-11 16:20:28 +01:00
Stefan Metzmacher
166766e772 s3:dcerpc_ep: make struct dcerpc_binding_vector private
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-02-11 16:20:28 +01:00
Stefan Metzmacher
6ab9164c74 s3:rpc_client: send a dcerpc_sec_verification_trailer if needed
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jan  7 02:24:42 CET 2014 on sn-devel-104
2014-01-07 02:24:41 +01:00
Stefan Metzmacher
61bdbc23cd s3:rpc_client: implement DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 00:27:11 +01:00
Stefan Metzmacher
ecdac51e85 CVE-2013-4408:s3:rpc_client: check for invalid frag_len in dcerpc_pull_ncacn_packet()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-12-09 07:05:45 +01:00
Günther Deschner
807628ecac s3-rpc: remove unused source3/librpc/rpc/rpc_common.c
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Sep 20 14:57:06 CEST 2013 on sn-devel-104
2013-09-20 14:57:06 +02:00
Günther Deschner
639f60b151 s3-rpc_cli: remove unused schannel calls from dcerpc_helpers.c
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-09-19 11:09:49 +02:00
Günther Deschner
5a628490e4 s3-rpc: use gensec for schannel footer processing.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-09-19 11:09:44 +02:00
Stefan Metzmacher
a36ccdc83e s3:dcerpc_helpers: remove unused DEBUG message of schannel_state->seq_num.
This is a layer violation and not needed anymore as we know
how the seqnum handling works now.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:18:58 +02:00
Stefan Metzmacher
9f2e81ae02 libcli/auth: maintain the sequence number for the NETLOGON SSP as 64bit
See [MS-NPRC] 3.3.4.2 The Netlogon Signature Token.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:18:56 +02:00
Günther Deschner
9b4fb5b074 s3-rpc_cli: pass down ndr_interface_table to rpc_pipe_open_ncalrpc().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2013-08-05 10:29:59 +02:00
Stefan Metzmacher
6b123607c8 s3:librpc: add support for PFC_FLAG_OBJECT_UUID when parsing packets (bug #9382)
Now the logic matches the one in dcerpc_read_ncacn_packet_done().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-20 17:37:19 +01:00
Stefan Metzmacher
8e1c6d4232 s3:rpc_client: rename pipe_auth_data->user_session_key to transport_session_key
metze
2012-08-01 14:17:15 +02:00
David Disseldorp
ac7b60a17b s3-rpcclient: add fsrvp commands
fss_create_expose connects to an FSRVP server and negotiates the
creation and exposure of a share shadow-copy.
shadow-copies of multiple shares can be requested with a single
fss_create_expose request.

ddiss@plati:~> bin/rpcclient -k -U 'LURCH\administrator%password' \
                             ncacn_np:lutze[sign]
rpcclient $> fss_create_expose backup ro hyper
381884f2-b578-45ea-b8d2-cf82491f4011: shadow-copy set created
...
share hyper@{B6137E21-9CBB-4547-A21D-E7AD40D0874B} exposed as a snapshot
of \\lutze\hyper

fss_delete removes the shadow-copy share:
rpcclient $> fss_delete hyper 381884f2-b578-45ea-b8d2-cf82491f4011 \
                        b6137e21-9cbb-4547-a21d-e7ad40d0874

Shadow-copies can be created read-write or read-only.
Experimenting with Windows Server "8" beta, a recovery complete call is
required after creating a read-write (ATTR_AUTO_RECOVERY) shadow copy.
Otherwise subsequent creation requests fail with
FSRVP_E_SHADOW_COPY_SET_IN_PROGRESS.
2012-06-08 13:34:31 +02:00
Andrew Bartlett
2b511f0e92 s3-librpc: Use gensec_spnego for DCE/RPC authentication
This ensures that we use the same SPNEGO code on session setup and on
DCE/RPC binds, and simplfies the calling code as spnego is no longer
a special case in cli_pipe.c

A special case wrapper function remains to avoid changing the
application layer callers in this patch.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-16 15:18:42 +01:00
Andrew Bartlett
1d0684c845 s3-librpc: Remove unused bool gensec_hook
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-16 15:18:42 +01:00
Andrew Bartlett
1818612830 s3-librpc Remove special case for spnego dcerpc sign/seal
SPNEGO is implemented only in terms of gensec mechanisms now.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:23 +01:00
Andrew Bartlett
5ddec1182e s3-librpc: Simplify SPNEGO code now that all mechs use a struct gensec_security
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:22 +01:00
Andrew Bartlett
0c1b4c2321 s3-librpc Call SPENGO/GSSAPI via the auth_generic layer and gensec
This simplifies a lot of code, as we know we are always dealing
with a struct gensec_security, and allows the gensec module being
used to implement GSSAPI to be swapped for AD-server operation.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:22 +01:00
Andrew Bartlett
e012ad9d8b s3-librpc Call GSSAPI via the auth_generic layer and gensec
This simplifies a lot of code, as we know we are always dealing with a
struct gensec_security, and allows the gensec module being used to
implement GSSAPI to be swapped when required for AD-server operation.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:22 +01:00
Andrew Bartlett
e8cd972177 s3-librpc: rename get_ntlmssp_auth_footer to be more generic
This can handle any gensec auth type now.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 09:04:52 +01:00
Andrew Bartlett
4ac34f3288 s3-librpc remove unused headers
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 17:17:29 +01:00
Andrew Bartlett
21fb9a47ea s3-librpc Use gensec_sig_size() instead of a fixed NTLMSSP_SIG_SIZE
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Dec 22 20:57:27 CET 2011 on sn-devel-104
2011-12-22 20:57:27 +01:00
Andrew Bartlett
321204eaeb s3-ntlmssp Remove references to auth_ntlmssp_context from the rpc code
We always dereferenced auth_ntlmssp_state->gensec_security, so now we
do not bother passing around the whole auth_ntlmssp_state.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-21 08:50:55 +02:00