1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

377 Commits

Author SHA1 Message Date
Stefan Metzmacher
2103c373b4 auth/gensec: remove tevent_context argument from gensec_update()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-03-27 00:36:32 +01:00
Stefan Metzmacher
cce1eaea91 s3:smbd: reject a MaxBufferSize < SMB_BUFFER_SIZE_MIN (500) in a session setup request
This makes sure sconn->smb1.sessions.max_send is always >= SMB_BUFFER_SIZE_MIN.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10422
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-03-05 10:06:24 -08:00
Björn Jacke
666948c776 s3: set native os according to Windows and NBT_ANNOUNCE_VERSION defines
When the native os in sessionsetup is "Unix" then broken Konica Minolta
printers refuse to talk to those CIFS servers. Other CIFS servers also announce
themselves with native os Windows. Let's do the same to improve
interoperability with broken devices like those printers from Konica Minolta.
Thanks to Daniel Hoffmann for finding and reporting this Konika printer
brokenness.

https://bugzilla.samba.org/show_bug.cgi?id=10168

Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-01-14 16:48:30 -08:00
Stefan Metzmacher
d24b8afb79 s3:smbd: keep global_client_caps and max_send from the first successful session setup
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-03-20 09:32:26 -07:00
Gregor Beck
f588704640 s3:smbd:setup_new_vc_session: traverse sessions instead of connections to shutdown other smbds
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
2012-10-19 12:15:00 +02:00
Gregor Beck
e24b1041b1 s3:smbd: initialize session->global before calling session_claim
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
2012-10-19 12:14:59 +02:00
Gregor Beck
02b9b79447 s3:smbd: remove smbd_server_connection argument from session_claim()
retrieve the server connection from the smbXsrv_session  argument instead.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
2012-10-19 12:14:59 +02:00
Gregor Beck
4878769f8e s3:smbd: pass smbXsrv_session instead of user_struct to session_claim() and session_yield()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
2012-10-19 12:14:59 +02:00
Stefan Metzmacher
1c7bd2b71c s3:smbd: remove unused variable in sesssetup.c
metze

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Aug  5 23:09:06 CEST 2012 on sn-devel-104
2012-08-05 23:09:06 +02:00
Stefan Metzmacher
ff75fd9eda s3:smbd: setup the application session key with the first tcon on a session
Look for Server.Session.SessionKeyState in [MS-SMB].
The first SMBtconX sets the state to available, which makes it possible
to protect the session key at that stage, if client and server
support TREE_CONNECT_ANDX_EXTENDED_SIGNATURE.

metze
2012-08-04 12:33:06 +02:00
Stefan Metzmacher
49d0432efd s3:smbd: setup session->global->signing_/application_key during SPNEGO SMB1 session setups
metze

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Aug  4 11:09:42 CEST 2012 on sn-devel-104
2012-08-04 11:09:42 +02:00
Stefan Metzmacher
2265e4633a s3:smbd: setup session->global->signing_/application_key during old SMB1 session setups
metze
2012-08-04 09:10:23 +02:00
Stefan Metzmacher
3d63e4da17 s3:smbd: keep the "application session key" during SMB1 reauth
metze
2012-08-04 09:10:22 +02:00
Stefan Metzmacher
e77000259c s3:smbd/sesssetup: implement dynamic re-authentication and expire session if client supports it
metze
2012-06-25 20:55:06 +02:00
Stefan Metzmacher
a129e271b5 s3:smbd: make use of smbXsrv_session for smb1
Pair-Programmed-With: Michael Adam <obnox@samba.org>

metze
2012-06-25 20:55:06 +02:00
Michael Adam
73b200064f s3:util: rename procid_equal() to serverid_equal()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-06-21 08:27:32 +02:00
Volker Lendecke
53cfde7204 s3: Remove a user of procid_is_me
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-06-21 08:27:30 +02:00
Stefan Metzmacher
02d9ba6ee1 s3:smbd: change user_struct->vuid to uint64_t
Only sconn->smb1.sessions.next_vuid remains as uint16_t,
so that we do not generate larger values yet.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jun  6 12:07:33 CEST 2012 on sn-devel-104
2012-06-06 12:07:33 +02:00
Stefan Metzmacher
f52e5738a2 s3:smbd: use 'struct user_struct' instead of typedef'ed 'user_struct'
metze
2012-06-06 10:18:39 +02:00
Stefan Metzmacher
8693a4fff9 s3:lib: split things into a conn_tdb.h
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Jun  5 19:28:35 CEST 2012 on sn-devel-104
2012-06-05 19:28:35 +02:00
Stefan Metzmacher
d58f7cd546 s3:smbd: allow creating new spnego sessions only with a 0 vuid
Found by the raw.context test.

metze
2012-05-18 16:36:16 +02:00
Stefan Metzmacher
1e7f8d5ad0 s3:smbd/sesssetup: use a helper variable 'action' to mark guest access
metze
2012-04-16 10:39:50 +02:00
Volker Lendecke
11d087aa04 s3: Remove chain_reply
<insert your favourite tombstone ascii art here>
2012-03-10 15:34:12 +01:00
Volker Lendecke
90b33a05e9 s3: Make sure the andX chains are ended correctly
Normally chain_reply took care of this. This will go away soon.
2012-03-10 15:34:11 +01:00
Andrew Bartlett
50547a9950 s3-auth: Follow auth_ntlmssp and use auth4_context for Session Setup
This patch ensures consistency in behaviour between NTLMSSP and NTLM
session setup handlers.  By calling the same layer that auth_ntlmssp
calls, we can not only allow redirection of all authentication to the
AD DC, we ensure that map to guest and username map handling is
consistent, even in the file server alone.

Andrew Bartlett
2012-03-08 10:14:05 +01:00
Andrew Bartlett
d7bb961859 s3-auth: Remove security=share (depricated since 3.6).
This patch removes security=share, which Samba implemented by matching
the per-share password provided by the client in the Tree Connect with
a selection of usernames supplied by the client, the smb.conf or
guessed from the environment.

The rationale for the removal is that for the bulk of security=share
users, we just we need a very simple way to run a 'trust the network'
Samba server, where users mark shares as guest ok.  This is still
supported, and the smb.conf options are documented at
https://wiki.samba.org/index.php/Public_Samba_Server

At the same time, this closes the door on one of the most arcane areas
of Samba authentication.

Naturally, full user-name/password authentication remain available in
security=user and above.

This includes documentation updates for username and only user, which
now only do a small amount of what they used to do.

Andrew Bartlett

                       --------------
                      /              \
                     /      REST      \
                    /        IN        \
                   /       PEACE        \
                  /                      \
                  |      SEC_SHARE       |
                  |    security=share    |
                  |                      |
                  |                      |
                  |       5 March        |
                  |                      |
                  |        2012          |
                 *|     *  *  *          | *
        _________)/\\_//(\/(/\)/\//\/\///|_)_______
2012-03-04 23:33:05 +01:00
Andrew Bartlett
2f74f2f180 s3-auth: Add extra error messages on authentication or authorization failure
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:09 +01:00
Andrew Bartlett
eb3e34e965 s3-smbd Remove unused code now we always have SPNEGO via gensec
This was previously needed because SPNEGO was only available in the AD DC.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-16 15:18:43 +01:00
Stefan Metzmacher
507872f90f s3:smbd: inline code in reply_sesssetup_and_X_spnego()
This makes the logic much easier to follow.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Jan 31 21:52:45 CET 2012 on sn-devel-104
2012-01-31 21:52:45 +01:00
Stefan Metzmacher
5f79ad5f87 s3:smbd: the spnego session setup don't need to copy the in blob
metze
2012-01-31 20:17:10 +01:00
Stefan Metzmacher
ec0142dd31 s3:smbd: rework reply_spnego_ntlmssp to reply_spnego_generic
This removes the unused spnego_gen_auth_response() wrapping.

metze
2012-01-31 20:17:10 +01:00
Stefan Metzmacher
ee15790d7a s3:smbd: remove unused code from sesssetup.c
metze
2012-01-31 20:17:10 +01:00
Stefan Metzmacher
63f6567ca9 s3:smbd: remove pending_auth_data logic
This is handled by the gensec_spnego module.

metze
2012-01-31 20:17:10 +01:00
Stefan Metzmacher
8327ee94db s3:smbd: always use the gensec code path in sesssetup.c
The other code pathes are unused, because we always have
the spnego gensec module.

metze
2012-01-31 20:17:10 +01:00
Stefan Metzmacher
d3e5a0bea4 s3:smbd: explicitly ask for GENSEC_FEATURE_UNIX_TOKEN
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Jan 12 11:22:53 CET 2012 on sn-devel-104
2012-01-12 11:22:53 +01:00
Andrew Bartlett
16e463e169 s3-auth Remove ntlmssp_wrap.h which is no longer required
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 17:17:28 +01:00
Andrew Bartlett
3042e38d51 s3-auth use gensec directly rather than via auth_generic_state
This is possible because the s3 gensec modules are started as
normal gensec modules, so we do not need a wrapper any more.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 17:17:28 +01:00
Andrew Bartlett
1075efabc7 s3-auth Add TALLOC_CTX * to auth_generic_prepare()
This makes the long term owner of this memory more clear.  So far only the
clear cases have been moved from NULL however.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 17:17:28 +01:00
Andrew Bartlett
c17131685c s3-auth remove auth_ntlmssp_start(), call auth_generic_start() directly
This makes it clear that this can support more than just NTLMSSP.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-22 19:25:10 +01:00
Andrew Bartlett
1100f6eca5 s3-auth rename auth_ntlmssp_prepare() -> auth_generic_prepare()
This function handles more than NTLMSSP now, at least when we are an AD DC
and so changing the name may avoid some confusion in the future.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-22 19:25:10 +01:00
Andrew Bartlett
6391fff9da s3-auth rename auth_ntlmssp_state -> auth_generic_state
This structure handles more than NTLMSSP now, at least when we are an AD DC
and so changing the name may avoid some confusion in the future.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-22 19:25:10 +01:00
Stefan Metzmacher
03455519e7 s3:smbd: pass smbd_server_connection and a snumused function pointer to reload_services()
metze
2011-12-15 11:11:24 +01:00
Andrew Bartlett
3f079885b2 s3-ntlmssp Remove auth_ntlmssp_want_feature()
We now just call the gensec_want_feature() directly.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-21 08:43:33 +02:00
Andrew Bartlett
083025ccd5 s3-ntlmssp Remove auth_ntlmssp_update wrapper
We now just call gensec_update directly.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-21 08:43:10 +02:00
Andrew Bartlett
915fe7981b s3-auth remove auth_ntlmssp_session_info()
Instead, call gensec_session_info() directly.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-21 08:43:02 +02:00
Andrew Bartlett
0c6e4adcb2 ntlmssp: Move ntlmssp code to auth/ntlmssp
This brings in the code from both libcli/auth and
source4/auth/ntlmssp.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:31 +11:00
Stefan Metzmacher
abb24bf8e8 s3:smbd: make use of better SMB signing negotiation
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Sep 14 09:41:02 CEST 2011 on sn-devel-104
2011-09-14 09:41:02 +02:00
Andrew Bartlett
fec25c3a62 ntlmssp: Add ntlmssp_blob_matches_magic()
This avoids having the same check in 3 different parts of the code

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Aug  3 12:45:04 CEST 2011 on sn-devel-104
2011-08-03 12:45:04 +02:00
Andrew Bartlett
8fca9741fe s3-auth rename auth_ntlmssp_steal_session_info()
There is no longer any theft of memory as the underlying routines now
produce a new auth_session_info for this caller, allocating it
on the supplied memory context.

Andrew Bartlett
2011-08-03 18:48:05 +10:00
Andrew Bartlett
b0dd2cde86 s3-smbd Be consistent with %U subs on guest logins
The NTLMSSP code always specified "" as the username, and this makes
guest logins via the old-style session setup do the same.

Andrew Bartlett
2011-08-03 18:48:05 +10:00