1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

212 Commits

Author SHA1 Message Date
Michael Adam
a1a8746174 s3:smb2_sesssetup: implement SMB3 session bind (disabled)
This is disabled for now. It will be possible to enabled it
via a config switch once the underpinnings are complete.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Sat Jan 23 03:22:18 CET 2016 on sn-devel-144
2016-01-23 03:22:18 +01:00
Stefan Metzmacher
edd781d5a8 s3:smb2_sesssetup: treat BINDING in smbd_smb2_session_setup_auth_return
This adds smbd_smb2_bind_auth_return(), a
variant of auth_return for session binding.

Pair-Programmed-With: Michael Adam <obnox@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
2016-01-23 00:08:36 +01:00
Ralph Boehme
fe5353c82e s3:smb2_server: convert signing_required bool to flags bitmap
Use a flags bitmap for storing the signing state. This is in preparation
of a subsequent patch that adds more flags to the bitmap.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-22 07:52:21 +01:00
Ralph Boehme
736cd36d36 s3:smb2_server: store encryption cipher in the channel
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-22 07:52:20 +01:00
Ralph Boehme
bfdffea0fa s3:smb2_server: convert encryption desired and required bools to flags
This adds a bitmap smbXsrv_encrpytion_flags with flags to the
smbXsrv_session_global.tdb and smbXsrv_tcon_global.tdb that we use
instead of bools for desired and required.

We need this info in the smbXsrv tdbs for smbstatus. Subsequent commits
for smbstatus will use it.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-01-22 07:52:20 +01:00
Michael Adam
fba90fd8fe s3:smbd_smb2_reauth_generic_return: make use of smb2req->xconn
More specifically move from smb2req->sconn to smb2req->xconn->client->sconn
to avouid using smb2req->sconn directly.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan 13 14:02:21 CET 2016 on sn-devel-144
2016-01-13 14:02:21 +01:00
Stefan Metzmacher
57053c5cb9 s3:smb2_sesssetup: let smbd_smb2_reauth_generic_return() cope with channels
Pair-Programmed-With: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-09-10 18:32:15 +02:00
Michael Adam
69d2af10d4 s3:smb2_sesssetup: let smbd_smb2_auth_generic_return() cope with channels
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-09-10 18:32:15 +02:00
Michael Adam
6f95bc5025 s3:smb2_sesssetup: change talloc hierarchy in smbd_smb2_session_setup_gensec_done
Only put session_info to the session->global context if we use it.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-09-10 18:32:15 +02:00
Stefan Metzmacher
d391f6daea s3:smb2_sesssetup: use session->pending_auth
Pair-Programmed-With: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
2015-07-30 21:58:14 +02:00
Michael Adam
8ab4b05d33 s3:smb2_sesssetup: check that the connection belongs to the session in sess.setup
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2015-07-29 18:26:07 +02:00
Michael Adam
fc228025d7 smbd:smb2: only enable encryption in session if desired
Don't enforce it but only announce ENCRYPT_DATA, using the
encryption_desired flag in session setup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-07-07 14:05:27 +02:00
Jeremy Allison
0aefbf45c9 smbd: Fix clients connecting unencrypted with PROTOCOL_SMB2_24 or higher.
Nonce code was terminating connections where xconn->smb2.server.cipher == 0.

If no negotiated cipher (smb2.server.cipher is zero) set nonce_high_max to zero.
smb2_get_new_nonce() returns NT_STATUS_ENCRYPTION_FAILED if it is ever called with
session->nonce_high_max == 0.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11300

Signed-off-by: Jeremy Allison <jra@samba.org>
2015-06-17 22:10:24 +02:00
Simo Sorce
461c69bd7c s3:smb2_server: In CCM and GCM mode we can't reuse nonces
Reuse of nonces with AES-CCM and AES-GCM leads to catastrophic failure,
so make sure the server drops the connection if that ever happens.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11300

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Simo Sorce <idra@samba.org>
Autobuild-Date(master): Fri May 29 22:38:50 CEST 2015 on sn-devel-104
2015-05-29 22:38:50 +02:00
Stefan Metzmacher
4481fea86a s3:smb2_sesssetup.c: For SMB >= 3.1, derive crypto keys from preauth
This protects the full connection setup including
a posteriori verification of the negotiate messages,
by signing the final session setup response with a signing key
derived from the preauth hash and the authentication session key.

Pair-Programmed-With: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
2015-05-08 13:00:28 +02:00
Stefan Metzmacher
5871d3da87 s3:smb2_sesssetup: remove unused smbd_smb2_session_setup_* destructors
The cleanup of a failing session setup is now handled in
smbd_smb2_session_setup_wrap_*().

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11182

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-05-06 22:33:19 +02:00
Stefan Metzmacher
50aeb6b38b s3:smb2_sesssetup: add smbd_smb2_session_setup_wrap_send/recv()
The wrapper calls smbXsrv_session_shutdown_send/recv() in case of an error,
this makes sure a failing reauth shuts down the session like an explicit logoff.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11182

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-05-06 22:33:19 +02:00
Stefan Metzmacher
8f0d4d1132 s3:smb2_sesssetup: always assign smb2req->session when a session was created.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11182

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-05-06 22:33:19 +02:00
Stefan Metzmacher
95057fe375 s3:smb2_sesssetup: let smbd_smb2_logoff_* use smbXsrv_session_shutdown_*
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11182

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-05-06 22:33:19 +02:00
Volker Lendecke
b3385f74db smbd: Make SMB3 clients use encryption with "smb encrypt = auto"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Mar  3 10:40:42 CET 2015 on sn-devel-104
2015-03-03 10:40:42 +01:00
Jeremy Allison
eb05766a8c Revert "s3: smbd: signing. Ensure we respond correctly to an SMB2 negprot with SMB2_NEGOTIATE_SIGNING_REQUIRED."
Even though the MS-SMB2 spec says so, Windows doesn't behave
like this.

This reverts commit 1cea6e5b6f.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: "Stefan (metze) Metzmacher" <metze@samba.org>
2015-02-23 22:32:48 +01:00
Jeremy Allison
1cea6e5b6f s3: smbd: signing. Ensure we respond correctly to an SMB2 negprot with SMB2_NEGOTIATE_SIGNING_REQUIRED.
Bug 11103:  - Samba does not set the required flags in the SMB2/SMB3 Negotiate Protocol Response when signing required by client

https://bugzilla.samba.org/show_bug.cgi?id=11103

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Steve French <smfrench@gmail.com>
2015-02-19 20:42:07 +01:00
Stefan Metzmacher
382019656e s3:smb2_server: allow reauthentication without signing
If signing is not required we should not require it for reauthentication.
Windows clients would otherwise fail to reauthenticate.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10958

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-12-12 20:47:06 +01:00
Stefan Metzmacher
1ed30a6ba7 s3:smb2_server: check xconn->smb2.server.cipher instead of xconn->smb2.server.capabilities
SMB 3.10 and later won't have SMB2_CAP_ENCRYPTION anymore.

xconn->smb2.server.cipher == 0 is the indication that we don't support encryption on the connection.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-10-16 19:30:04 +02:00
Stefan Metzmacher
89c6d67124 s3:smb2_sesssetup: we don't need to do a 2nd smb2srv_session_lookup()
For the continuation of a SMB2 SessionSetup we already have the
smb2req->session (with NT_STATUS_MORE_PROCESSING_REQUIRED).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-09-19 09:15:13 +02:00
Stefan Metzmacher
7f649f9e22 s3:smb2_sesssetup: use smb2req->sconn in smbd_smb2_reauth_generic_return()
xconn->sconn will go away soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-09-19 09:15:11 +02:00
Jeremy Allison
01a18811cc s3: smbd: smb2-sessionsetup. Fix use after free when the sessionsetup request state is freed before struct smbXsrv_session struct.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Sep  8 09:52:23 CEST 2014 on sn-devel-104
2014-09-08 09:52:23 +02:00
Stefan Metzmacher
bd19fd1286 s3:smbd: remember the time of the session setup auth_time
This is the time of the last reauth.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-08-06 09:51:14 +02:00
Stefan Metzmacher
d47c006d9d s3:smb2_sesssetup: make use of smb2req->xconn
We should use stuff relative to the current request.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-08-06 09:51:14 +02:00
Stefan Metzmacher
f261dd9c7d s3:smb2_sesssetup: split out smbd_smb2_session_setup_auth_return()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-08-06 09:51:14 +02:00
Stefan Metzmacher
4a07b14cea s3:smb2_server: pass smbXsrv_connection to smbd_server_connection_terminate*()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-08-06 09:51:13 +02:00
Stefan Metzmacher
c9e171ff72 s3:smb2_*: make use of smb2req->xconn where possible
We need to use the connection that is used by the current request.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-08-06 09:51:13 +02:00
Stefan Metzmacher
92e96bedfb s3:smb2_server: move sconn->smb2.requests to xconn->smb2.requests
This prepares the structures for multi-channel support.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-08-06 09:51:11 +02:00
Stefan Metzmacher
7c26475d58 s3:smb2_sesssetup: cancel and wait for pending requests on logoff
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-03-12 09:27:38 -07:00
Jeremy Allison
506817dfc9 s3:smb2_sesssetup: split smbd_smb2_logoff into an async *_send/recv pair.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10344

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2014-03-12 09:27:37 -07:00
Stefan Metzmacher
39832ff588 s3:smb2_sesssetup: make use of smbd_smb2_generate_outbody()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-03-05 13:59:22 -08:00
Christian Ambach
ca8353efaa s3:smbd/smb2 fix compiler warnings
about a potentially uninitialized variables

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-12-12 14:21:27 -08:00
Jeremy Allison
d4a5c832f1 smbd: Invalidate the session correctly.
When a session is invalidated then we must also ensure it isn't used in
any pending requests being processed.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2013-11-04 09:46:45 +01:00
Michael Adam
25494628a2 smbd:smb2: fix crash when smb2 session reauth fails
https://bugzilla.samba.org/show_bug.cgi?id=10208

Authentication error in smb2 session reauth invalidates
the session. In this case the session must in contrast
to successful session setup requests be torn down and live
no longer than the request.

The talloc move of the session from the global session
table to the request ensures that the session setup
reply can still be correctly signed, but subsequent
requests on the connection don't find a session any more.

Pair-Programmed-With: Jeremy Allison <jra@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
2013-10-15 11:48:19 -07:00
Gregor Beck
e24b1041b1 s3:smbd: initialize session->global before calling session_claim
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
2012-10-19 12:14:59 +02:00
Gregor Beck
02b9b79447 s3:smbd: remove smbd_server_connection argument from session_claim()
retrieve the server connection from the smbXsrv_session  argument instead.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
2012-10-19 12:14:59 +02:00
Gregor Beck
4878769f8e s3:smbd: pass smbXsrv_session instead of user_struct to session_claim() and session_yield()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
2012-10-19 12:14:59 +02:00
Jeremy Allison
49a335731a Revert "Fix bug #9222 - smbd ignores the "server signing = no" setting for SMB2."
This reverts commit dfd3c31a3f.

As Metze pointed out:

From MS-SMB2 section 2.2.4:

SMB2_NEGOTIATE_SIGNING_ENABLED

When set, indicates that security signatures are enabled
on the server. The server MUST set this bit, and the client MUST return
STATUS_INVALID_NETWORK_RESPONSE if the flag is missing.

I'll submit a documentation bug to fix #9222 that way.
2012-10-03 12:50:42 -07:00
Jeremy Allison
dfd3c31a3f Fix bug #9222 - smbd ignores the "server signing = no" setting for SMB2.
Still sign if client request is signed, just don't negotiate it in
negprot or sessionsetup.

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Oct  3 00:59:42 CEST 2012 on sn-devel-104
2012-10-03 00:59:42 +02:00
Jeremy Allison
bd2f1604d7 Make metze happy and the code clearer :-).
Ensure we know after the destructor fires we're never going to
look at this again.

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Sep 12 03:00:21 CEST 2012 on sn-devel-104
2012-09-12 03:00:20 +02:00
Jeremy Allison
ba5f557b5d Fix talloc memory heirarchy bug. If there's an SMB2 sessionsetup in flight when we're shut down, we end up freeing the struct smbXsrv_session *session pointer twice.
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Sep 10 23:34:06 CEST 2012 on sn-devel-104
2012-09-10 23:34:06 +02:00
Stefan Metzmacher
54dfd08cb2 s3:smb2_server: use smbXsrv_session->nonce_*
metze
2012-08-23 08:23:07 +02:00
Stefan Metzmacher
0d7b17f4db s3:smb2_sesssetup: setup global->[en|de]cryption_key
metze

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Aug  9 09:59:02 CEST 2012 on sn-devel-104
2012-08-09 09:59:02 +02:00
Stefan Metzmacher
64dce26533 s3:smb2_sesssetup: set global->encryption_required and enforce it
This the account or client doesn't support encryption we should
reject the session setup.

metze
2012-08-09 08:21:35 +02:00
Stefan Metzmacher
6bfdca4786 s3:smb2_sesssetup: remove unused code in smbd_smb2_reauth_generic_return()
A reauth exchange is already signed, with the channel signing key.

metze
2012-08-08 05:37:49 +02:00
Stefan Metzmacher
5f7d786b08 s3:smb2_sesssetup: remove TALLOC_FREE(session) from smbd_smb2_[re]auth_generic_return
The caller does this via the smbd_smb2_session_setup_state_destructor()

metze
2012-08-08 05:37:49 +02:00
Stefan Metzmacher
559742f45f s3:smb2_sesssetup: make use of SMBD_SMB2_* macros
metze
2012-08-05 20:55:36 +02:00
Stefan Metzmacher
df08929d28 s3:smb2_sesssetup: reject SMB2_SESSION_FLAG_BINDING requests
metze

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jul 26 02:08:56 CEST 2012 on sn-devel-104
2012-07-26 02:08:56 +02:00
Stefan Metzmacher
45cd2bc2b3 s3:smb2_sesssetup: make use of smb2srv_session_close_previous_send/recv
metze
2012-06-25 20:55:07 +02:00
Stefan Metzmacher
ed75069460 s3:smb2_sesssetup: inline gensec_session_info() call
metze
2012-06-25 20:55:07 +02:00
Stefan Metzmacher
1b8bcaeda3 s3:smb2_sesssetup: make use of gensec_update_send/recv
metze
2012-06-25 20:55:07 +02:00
Stefan Metzmacher
f32e99a0fc s3:smb2_sesssetup: inline most of smbd_smb2_session_setup()
metze
2012-06-25 20:55:07 +02:00
Stefan Metzmacher
d2e1058f42 s3:smb2_sesssetup: implement dynamic re-authentication and expire sessions
metze
2012-06-25 20:55:06 +02:00
Stefan Metzmacher
463b308f16 s3:smbd: make use of smbXsrv_tcon and smbXsrv_session for smb2
The removes the protocol specific smbd_smb2_session and
smbd_smb2_tcon.

Pair-Programmed-With: Michael Adam <obnox@samba.org>

metze
2012-06-25 20:55:06 +02:00
Stefan Metzmacher
ef408e5068 s3:smb2_sesssetup: add support for SMB 2.24/3.00 signing
metze
2012-06-25 20:55:06 +02:00
Stefan Metzmacher
02d206ee64 s3:smb2_sesssetup: make use of the smbXsrv_session infrastructure
We still have smbd_smb2_session as primary structure,
but that will went away once we got rid of smbd_smb2_tcon.

metze
2012-06-25 20:55:06 +02:00
Stefan Metzmacher
02d9ba6ee1 s3:smbd: change user_struct->vuid to uint64_t
Only sconn->smb1.sessions.next_vuid remains as uint16_t,
so that we do not generate larger values yet.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jun  6 12:07:33 CEST 2012 on sn-devel-104
2012-06-06 12:07:33 +02:00
Stefan Metzmacher
f52e5738a2 s3:smbd: use 'struct user_struct' instead of typedef'ed 'user_struct'
metze
2012-06-06 10:18:39 +02:00
Stefan Metzmacher
ff700acdd0 s3:smb2_sesssetup: make use of nt_status_squash() in smbd_smb2_session_setup_recv()
metze
2012-05-17 12:59:08 +02:00
Stefan Metzmacher
8f887ce164 s3:smb2_sesssetup: make the top level code async using
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Sun May 13 17:59:39 CEST 2012 on sn-devel-104
2012-05-13 17:59:39 +02:00
Stefan Metzmacher
1b8645b4c8 s3:smb2_sesssetup: add smbd_smb2_session_setup_send/recv as wrapper
This just adds smbd_smb2_session_setup_send/recv as wrapper to
the sync smbd_smb2_session_setup function.

This will allow us to change to top level code to work async,
then we can have a 2nd step where we remove the sync
smbd_smb2_session_setup function.

metze
2012-05-13 14:11:02 +02:00
Stefan Metzmacher
70ac2cc831 s3:smb2_sesssetup: pass down in_flags to smbd_smb2_session_setup()
metze
2012-05-13 14:11:01 +02:00
Stefan Metzmacher
7b359bc615 s3:smb2_sesssetup: pass down in_previous_session_id to all layers
metze
2012-05-13 14:11:00 +02:00
Stefan Metzmacher
148ca9e05f s3:smbd: call file_close_user() before removing tree connects in conn_close_all()
This will help later if we have to handle a SMB2TreeDisconnect different
compared to a SMB2SessionLogoff and a TCPDisconnect.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Mar 15 21:56:09 CET 2012 on sn-devel-104
2012-03-15 21:56:09 +01:00
Stefan Metzmacher
6ce72a01ab s3:smbd: keep 'num_users' and 'users' directly under smbd_server_connection
The plan is to have users_struct as some kind of low level
abstraction for a smb1/smb2 session, that can be used by SMB_VFS modules.

metze
2012-03-06 21:26:05 +01:00
Andrew Bartlett
eb3e34e965 s3-smbd Remove unused code now we always have SPNEGO via gensec
This was previously needed because SPNEGO was only available in the AD DC.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-16 15:18:43 +01:00
Stefan Metzmacher
3383ebbe7e s3:smbd: rework smbd_smb2_*_ntlmssp_auth* to smbd_smb2_auth_generic*
metze
2012-01-31 20:17:10 +01:00
Stefan Metzmacher
58e401fae2 s3:smbd: always use the gensec code path in smb2_sesssetup.c
The other code pathes are unused, because we always have
the spnego gensec module.

metze
2012-01-31 20:17:10 +01:00
Stefan Metzmacher
da8e8e5fa5 s3:smb2_sessetup: call set_current_user_info() and reload_services() on success
This matches the smb1 code.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jan 25 08:39:35 CET 2012 on sn-devel-104
2012-01-25 08:39:35 +01:00
Stefan Metzmacher
d3e5a0bea4 s3:smbd: explicitly ask for GENSEC_FEATURE_UNIX_TOKEN
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Jan 12 11:22:53 CET 2012 on sn-devel-104
2012-01-12 11:22:53 +01:00
Andrew Bartlett
16e463e169 s3-auth Remove ntlmssp_wrap.h which is no longer required
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 17:17:28 +01:00
Andrew Bartlett
3042e38d51 s3-auth use gensec directly rather than via auth_generic_state
This is possible because the s3 gensec modules are started as
normal gensec modules, so we do not need a wrapper any more.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 17:17:28 +01:00
Andrew Bartlett
1075efabc7 s3-auth Add TALLOC_CTX * to auth_generic_prepare()
This makes the long term owner of this memory more clear.  So far only the
clear cases have been moved from NULL however.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 17:17:28 +01:00
Andrew Bartlett
c17131685c s3-auth remove auth_ntlmssp_start(), call auth_generic_start() directly
This makes it clear that this can support more than just NTLMSSP.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-22 19:25:10 +01:00
Andrew Bartlett
1100f6eca5 s3-auth rename auth_ntlmssp_prepare() -> auth_generic_prepare()
This function handles more than NTLMSSP now, at least when we are an AD DC
and so changing the name may avoid some confusion in the future.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-22 19:25:10 +01:00
Stefan Metzmacher
03455519e7 s3:smbd: pass smbd_server_connection and a snumused function pointer to reload_services()
metze
2011-12-15 11:11:24 +01:00
Stefan Metzmacher
caa134672c s3:smbd: make use of SMB_SIGNING_* constants
metze
2011-11-03 16:55:13 +01:00
Andrew Bartlett
3f079885b2 s3-ntlmssp Remove auth_ntlmssp_want_feature()
We now just call the gensec_want_feature() directly.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-21 08:43:33 +02:00
Andrew Bartlett
083025ccd5 s3-ntlmssp Remove auth_ntlmssp_update wrapper
We now just call gensec_update directly.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-21 08:43:10 +02:00
Andrew Bartlett
915fe7981b s3-auth remove auth_ntlmssp_session_info()
Instead, call gensec_session_info() directly.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-21 08:43:02 +02:00
Andrew Bartlett
0c6e4adcb2 ntlmssp: Move ntlmssp code to auth/ntlmssp
This brings in the code from both libcli/auth and
source4/auth/ntlmssp.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:31 +11:00
Jeremy Allison
f0f91d0117 Fix bug #8477 - Map to guest can return uninitialized blob of data.
Found by Codenomicon at SNIA SDC.

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Fri Sep 23 03:19:46 CEST 2011 on sn-devel-104
2011-09-23 03:19:46 +02:00
Stefan Metzmacher
1bb6e6758c s3:smb2_server: fix a logic error, we should sign non guest sessions
metze
2011-09-22 22:30:22 +02:00
Michael Adam
39dcf4bf02 s3:smb2-server: session setup replies should always be signed (except for guest sessions)
not only if the session should be signed

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Sep 21 11:00:09 CEST 2011 on sn-devel-104
2011-09-21 11:00:09 +02:00
Stefan Metzmacher
d280d9f945 s3:smb2_server: use smbd_smb2_request_verify_sizes() in smb2_sesssetup.c
metze
2011-09-07 10:38:03 +02:00
Andrew Bartlett
fec25c3a62 ntlmssp: Add ntlmssp_blob_matches_magic()
This avoids having the same check in 3 different parts of the code

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Aug  3 12:45:04 CEST 2011 on sn-devel-104
2011-08-03 12:45:04 +02:00
Andrew Bartlett
8fca9741fe s3-auth rename auth_ntlmssp_steal_session_info()
There is no longer any theft of memory as the underlying routines now
produce a new auth_session_info for this caller, allocating it
on the supplied memory context.

Andrew Bartlett
2011-08-03 18:48:05 +10:00
Andrew Bartlett
d3524f2eae s3-auth use auth_generic_start to get full GENSEC in Samba3 session setup
This tests if the auth_generic_start() hook is available on the auth
context during the negprot, and if so it uses auth_generic_start() to
hook to GENSEC to handle the full SPNEGO blob.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:04 +10:00
Andrew Bartlett
36112a442f s3-smbd Ensure we do not read past the end of a possible NTLMSSP blob
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:04 +10:00
Andrew Bartlett
9a45bf3952 s3-auth set session_info->sanitized_username in create_local_token()
Rather than passing this value around the callers, and eventually
setting it in register_existing_vuid(), we simply pass it to
create_local_token().  This also removes the need for
auth_ntlmssp_get_username().

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:04 +10:00
Andrew Bartlett
8b983d2326 s3-ntlmssp Split auth_ntlmssp_start into two functions
This helps map on to the GENSEC semantics better, and ensures that the
full set of desired features are set before the mechanism starts.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:04 +10:00
Andrew Bartlett
778bf87d8d s3-ntlmssp Remove calls to auth_ntlmssp_and_flags from the server
This is changed so that the callers ask for the additional flags
that they need, starting with no additional flags.

This helps to create a proper abstraction layer in
ntlmssp_wrap/auth_ntlmssp.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:03 +10:00
Andrew Bartlett
6d7ac4f1ad s3-ntlmssp Add mem_ctx argument to auth_ntlmssp_update
This clarifies the lifetime of the returned token.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:03 +10:00
Andrew Bartlett
8a650243b3 s3-auth Move map to guest to directly after the check_password calls
This means we no longer need two different map to guest functions
and have consistent logic with fewer layering violations.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:02 +10:00
Andrew Bartlett
6622821063 s3-auth Remove seperate guest boolean
Instead, we base our guest calculations on the presence or absense of the
authenticated users group in the token, ensuring that we have only
one canonical source of this important piece of authorization data

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-20 09:17:14 +10:00