IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
In future this will an impersonation wrapper tevent_context based on the
user session.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This is not a full fix yet as we don't allow compound requests
after going async.
With SMB 3.11 requiring signed TreeConnect requests it's pointless
to try to compound requests after a SessionSetup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12845
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Jun 17 10:55:25 CEST 2017 on sn-devel-144
We also log if a simple bind was over TLS, as this particular case matters to a lot of folks
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
This ensures that gensec, and then the NTLM auth subsystem under it, always gets the
remote and local address pointers for potential logging.
The local address allows us to know which interface an authentication is on
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
This allows the GENSEC service description to be set from the various callers
that go via this function.
The RPC service description is the name of the interface from the IDL.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
We're using the client guid as gencache db key, so this can only be used
with SMB 2_10 or higher.
The idea is that whenever we get a direct SMB2 negprot, we can then try
to see if a value is cached for the client's guid.
When a user logs off the cache entry is deleted.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Real anonymous sessions don't get it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
This means an ad_dc will now require signing by default.
This matches the default behavior of Windows dc and avoids
man in the middle attacks.
The main logic for this hides in lpcfg_server_signing_allowed().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
This is disabled for now. It will be possible to enabled it
via a config switch once the underpinnings are complete.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Sat Jan 23 03:22:18 CET 2016 on sn-devel-144
This adds smbd_smb2_bind_auth_return(), a
variant of auth_return for session binding.
Pair-Programmed-With: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Use a flags bitmap for storing the signing state. This is in preparation
of a subsequent patch that adds more flags to the bitmap.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This adds a bitmap smbXsrv_encrpytion_flags with flags to the
smbXsrv_session_global.tdb and smbXsrv_tcon_global.tdb that we use
instead of bools for desired and required.
We need this info in the smbXsrv tdbs for smbstatus. Subsequent commits
for smbstatus will use it.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
More specifically move from smb2req->sconn to smb2req->xconn->client->sconn
to avouid using smb2req->sconn directly.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan 13 14:02:21 CET 2016 on sn-devel-144
Pair-Programmed-With: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Only put session_info to the session->global context if we use it.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Don't enforce it but only announce ENCRYPT_DATA, using the
encryption_desired flag in session setup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Nonce code was terminating connections where xconn->smb2.server.cipher == 0.
If no negotiated cipher (smb2.server.cipher is zero) set nonce_high_max to zero.
smb2_get_new_nonce() returns NT_STATUS_ENCRYPTION_FAILED if it is ever called with
session->nonce_high_max == 0.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11300
Signed-off-by: Jeremy Allison <jra@samba.org>
Reuse of nonces with AES-CCM and AES-GCM leads to catastrophic failure,
so make sure the server drops the connection if that ever happens.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11300
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Simo Sorce <idra@samba.org>
Autobuild-Date(master): Fri May 29 22:38:50 CEST 2015 on sn-devel-104
This protects the full connection setup including
a posteriori verification of the negotiate messages,
by signing the final session setup response with a signing key
derived from the preauth hash and the authentication session key.
Pair-Programmed-With: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
The cleanup of a failing session setup is now handled in
smbd_smb2_session_setup_wrap_*().
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11182
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
The wrapper calls smbXsrv_session_shutdown_send/recv() in case of an error,
this makes sure a failing reauth shuts down the session like an explicit logoff.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11182
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Even though the MS-SMB2 spec says so, Windows doesn't behave
like this.
This reverts commit 1cea6e5b6f.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: "Stefan (metze) Metzmacher" <metze@samba.org>
Bug 11103: - Samba does not set the required flags in the SMB2/SMB3 Negotiate Protocol Response when signing required by client
https://bugzilla.samba.org/show_bug.cgi?id=11103
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Steve French <smfrench@gmail.com>
If signing is not required we should not require it for reauthentication.
Windows clients would otherwise fail to reauthenticate.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10958
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
SMB 3.10 and later won't have SMB2_CAP_ENCRYPTION anymore.
xconn->smb2.server.cipher == 0 is the indication that we don't support encryption on the connection.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
For the continuation of a SMB2 SessionSetup we already have the
smb2req->session (with NT_STATUS_MORE_PROCESSING_REQUIRED).
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Sep 8 09:52:23 CEST 2014 on sn-devel-104
This is the time of the last reauth.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
We should use stuff relative to the current request.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
We need to use the connection that is used by the current request.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
This prepares the structures for multi-channel support.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10344
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
When a session is invalidated then we must also ensure it isn't used in
any pending requests being processed.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
https://bugzilla.samba.org/show_bug.cgi?id=10208
Authentication error in smb2 session reauth invalidates
the session. In this case the session must in contrast
to successful session setup requests be torn down and live
no longer than the request.
The talloc move of the session from the global session
table to the request ensures that the session setup
reply can still be correctly signed, but subsequent
requests on the connection don't find a session any more.
Pair-Programmed-With: Jeremy Allison <jra@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
retrieve the server connection from the smbXsrv_session argument instead.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
