IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
running. More generic error return cleanup in libsmb/
needs doing (everything returning NTSTATUS not BOOL).
Jeremy
(This used to be commit 654bb9853b450c5d509d182f67ec26ac320fd590)
of the Samba4 timezone handling code back into Samba3.
Gets rid of "kludge-gmt" and removes the effectiveness
of the parameter "time offset" (I can add this back
in very easily if needed) - it's no longer being
looked at. I'm hoping this will fix the problems people
have been having with DST transitions. I'll start comprehensive
testing tomorrow, but for now all modifications are done.
Splits time get/set functions into srv_XXX and cli_XXX
as they need to look at different timezone offsets.
Get rid of much of the "efficiency" cruft that was
added to Samba back in the day when the C library
timezone handling functions were slow.
Jeremy.
(This used to be commit 414303bc0272f207046b471a0364fa296b67c1f8)
spoolss backchannel connection by rewriting
spoolss_connect_to_client(). Ensure that we
save the cli_state* in the rpc_pipe_client struct.
* fix typo in debug message in cli_start_connection"
(This used to be commit 18400f96628ffdd332c2fb2aa52b5e9aee5cb3ce)
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
cd up and down the tree and get directory listings.
Still have to figure out how to get a directory listing on a
2k dfs root. Also have to work out some issues with relative paths
that cross dfs mount points.
We're protected from the new code paths when connecting to
a non-dfs root share ( the flag from the tcon&X is stored
in the struct cli_state* )
(This used to be commit e57fd2c5f00de2b11a2b44374830e89a90bc0022)
and SMBsplclose commands (BUG 2010)
* clarify some debug messages in smbspool (also from Mike)
my changes:
* start adding msdfs client routines
* enable smbclient to maintain multiple connections
* set the CAP_DFS flag for our internal clienht routines.
I actualy have a dfs referral working in do_cd() but that code
is too ugly to live so I'm not checking it in just yet.
Further work is to merge with vl's changes in trunk to support multiple
TIDs per cli_state *.
(This used to be commit 0449756309812d854037ba0af631abad678e670e)
for bug #1717.The rest of the code needed to call this patch has not yet been
checked in (that's my next task). This has not yet been tested - I'll do this
once the rest of the patch is integrated.
Jeremy.
(This used to be commit 7565019286cf44f43c8066c005b1cd5c1556435f)
with more correct NTLMSSP support in client and server, but it will do
for now.
Also implement LANMAN password only in the classical session setup code, but
#ifdef'ed out. In Samba4, I'll make this run-time so we can torture it.
Lanman passwords over 14 dos characters long could be considered
'invalid' (they are truncated) - so SMBencrypt now returns 'False' if
it generates such a password.
Andrew Bartlett
(This used to be commit 565305f7bb30c08120c3def5367adfd6f5dd84df)
another NTLMv2 combination.
We should allow the NTLMv2 response to be calculated with either the domain
as supplied, or the domain in UPPER case (as we always did in the past).
As a client, we always UPPER case it (as per the spec), but we also
make sure to UPPER case the domain, when we send it. This should give
us maximum compatability.
Andrew Bartlett
(This used to be commit 1e91cd0cf87b29899641585f46b0dcecaefd848e)
ago.
This patch re-adds support for 'optional' SMB signing. It also ensures that
we are much more careful about when we enable signing, particularly with
on-the-fly smb.conf reloads.
The client code will now attempt to use smb signing by default, and disable
it if the server doesn't correctly support it.
Andrew Bartlett
(This used to be commit e27b5cbe75d89ec839dafd52dd33101885a4c263)
Winbind tickets expired. We now check the expiration time, and acquire
new tickets. We couln't rely on renewing them, because if we didn't get
a request before they expired, we wouldn't have renewed them. Also, there
is a one-week limit in MS on renewal life, so new tickets would have been
needed after a week anyway. Default is 10 hours, so we should only be
acquiring them that often, unless the configuration on the DC is changed (and
the minimum is 1 hour).
(This used to be commit c2436c433afaab4006554a86307f76b6689d6929)
- setup_logging() in smbclient to be interactive (remove the timestamps)
- Fix bad return value in pull_ucs2( needs more testing to make sure this
didn't break something else) that caused clistr_pull() to always read
the same string from the buffer (pull_usc2() could return -1 if the original
source length was given as -1)
- increment some debugging messages to avoid printing them out so often
(This used to be commit 79fe75dcdf6cc38e18ca1231e4357893db4d4a08)
domains, this patch ensures that we always use the ADS backend when
security=ADS, and the remote server is capable.
The routines used for this behaviour have been upgraded to modern Samba
codeing standards.
This is a change in behaviour for mixed mode domains, and if the trusted
domain cannot be reached with our current krb5.conf file, we will show
that domain as disconnected.
This is in line with existing behaviour for native mode domains, and for
our primary domain.
As a consequence of testing this patch, I found that our kerberos error
handling was well below par - we would often throw away useful error
values. These changes move more routines to ADS_STATUS to return
kerberos errors.
Also found when valgrinding the setup, fix a few memory leaks.
While sniffing the resultant connections, I noticed we would query our
list of trusted domains twice - so I have reworked some of the code to
avoid that.
Andrew Bartlett
(This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
it out onto the wire. Avoids valgrind warnings because the fstrcpy() causes
part of the wire buffer to be 'marked'.
Andrew Bartlett
(This used to be commit 53d802c72aa712e099dc8de666ab66a21e18fae1)
solves the problem for me here, I can still successfully set up signing using
NTLMSSP against w2k3 and it does not show a signing error anymoe when the
password was wrong.
Jeremy, you might want to take a further look at it as this is not
particularly elegant.
Volker
(This used to be commit f5afaafd61dc7bd191225ffa8eee184125dd97c3)
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
portion of NTLMv2 key exchange. Also revert the default for
'client ntlmv2 auth' to no. This caused no ends of grief in
different cases.
And based on abartlet's mail....
> All I care about at this point is that we use NTLMv2
> in our client code when connecting to a server that
> supports it.
There is *no* way to tell this. The server can't tell us, because it
doesn't know what it's DC supports. The DC can't tell us, because it
doesn't know what the trusted DC supports. One DC might be Win2k, and
the PDC could be an older NT4.
(This used to be commit fe585d49cc3df0d71314ff43d3271d276d7d4503)
elsewhere in the code. This will allow us to try kerberos, then another user
then guest in the winbindd code.
Also, re-introduce the seperate, NT1 'guest' session setup code, as I found
some problems with doing guest under NTLMSSP.
Andrew Bartlett
(This used to be commit 33109fefe7d306a97ac48a75e3e67c166daff4ea)
NTLMSSP with "" username, NULL password), and add --machine-pass (-P) to
all of Samba's clients.
When connecting to an Active Directory DC, you must initiate the CIFS level
session setup with Kerberos, not a guest login. If you don't, your machine
account is demoted to NT4.
Andrew Bartlett
(This used to be commit 3547cb3def45a90f99f67829a533eac1ccba5e77)
to be able to ask a LMB for the servers in its workgroup. Against
W2k this only works on port 139....
Volker
(This used to be commit 62b04d7776852098dd768268500f36c3a362f688)
Server code *should* also work (I'll check shortly). May be the odd memory
leak. Problem was we (a) weren't setting signing on in the client krb5 sessionsetup
code (b) we need to ask for a subkey... (c). The client and server need to
ask for local and remote subkeys respectively.
Thanks to Paul Nelson @ Thursby for some sage advice on this :-).
Jeremy.
(This used to be commit 3f9e3b60709df5ab755045a093e642510d4cde00)
