IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
All other paranoia checks are done within dcerpc_pull_auth_trailer()
now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
This prevents man in the middle downgrade attacks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Pair-Programmed-With: Günther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
With this option turned off we only allow DCERPC_AUTH_LEVEL_{NONE,INTEGRITY,PRIVACY},
this means the reject any request with AUTH_LEVEL_CONNECT with ACCESS_DENIED.
We sadly need to keep this enabled by default for now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Pair-Programmed-With: Günther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
We sadly need to allow this for now by default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
ncacn_ip_tcp:server should get the same protection as ncacn_np:server
if authentication and smb signing is used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Use SMB_SIGNING_IPC_DEFAULT and lp_client_ipc_{min,max}_protocol() for RPC connections.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Use SMB_SIGNING_IPC_DEFAULT for RPC connections.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Use SMB_SIGNING_IPC_DEFAULT for RPC connections.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Use SMB_SIGNING_IPC_DEFAULT for RPC connections.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Use SMB_SIGNING_IPC_DEFAULT for RPC connections.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
We need NT1 => LATEST in order to work against all servers which support
DCERPC over ncacn_np.
This is a mini step in using SMB2/3 in our client side by default.
This gives us a higher chance that SMB signing is supported by the
server (as it can't be turned off for SMB2 and higher).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
SMB_SIGNING_IPC_DEFAULT must be used from s3 client code when opening
RPC connections.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This fixes a regression that was introduced by commit
abb24bf8e874d525382e994af7ae432212775153
("s3:smbd: make use of better SMB signing negotiation").
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
This means an ad_dc will now require signing by default.
This matches the default behavior of Windows dc and avoids
man in the middle attacks.
The main logic for this hides in lpcfg_server_signing_allowed().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Pair-programmed-with: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
The ensures we apply the "server schannel = yes" restrictions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
We don't need to change the protocol version because:
1. An old client may provide the "initial_blob"
(which was and is still ignored when going
via the wbcCredentialCache() function)
and the new winbindd won't use new_spnego.
2. A new client will just get a zero byte
from an old winbindd. As it uses talloc_zero() to
create struct winbindd_response.
3. Changing the version number would introduce problems
with backports to older Samba versions.
New clients which are capable of using the new_spnego field
will use "negotiate_blob" instead of "initial_blob".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Mar 22 19:20:38 CET 2016 on sn-devel-144
(cherry picked from commit ef1ad0e122659b5ff9097f0f7046f10fc2f3ec30)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 0906d61bb2f3446483d82928b55f5b797bac4804)
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Mar 17 20:43:19 CET 2016 on sn-devel-144
(cherry picked from commit c06058a99be4cf3ad3431dc263d4595ffc226fcf)
It will be possible to use this for more than just NTLMSSP in future.
This prepares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 285c342f01a6e9a892f03360f8d2d0097e7a41cb)
Everything uses the top level ntlmssp code via gensec now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit afffe797547a97ec839913e1ca89045989bbea49)
