1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

928 Commits

Author SHA1 Message Date
Ira Cooper
8cd8aa6686 libcli: Overflow array index read possible, in auth code.
Changed the if condtion to detect when we'd improperly overflow.

Coverity-Id: 1167990
Signed-off-by: Ira Cooper <ira@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Ira Cooper <ira@samba.org>
Autobuild-Date(master): Mon Feb 24 11:56:38 CET 2014 on sn-devel-104
2014-02-24 11:56:37 +01:00
Ira Cooper
14063719e0 Revert "libcli: Overflow array index read possible, in auth code."
This reverts commit 538cbfe0e9.

Signed-off-by: Ira Cooper <ira@samba.org>
2014-02-24 14:16:00 +05:30
Ira Cooper
538cbfe0e9 libcli: Overflow array index read possible, in auth code.
The values have to be signed here to allow for the values to go negative,
to prevent the overflow.

Coverity-Id: 1167990
Signed-off-by: Ira Cooper <ira@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Ira Cooper <ira@samba.org>
Autobuild-Date(master): Mon Feb 24 07:23:03 CET 2014 on sn-devel-104
2014-02-24 07:23:03 +01:00
Michael Adam
85235d03c1 libcli: use DBWRAP_LOCK_ORDER_NONE when opening schannel_store.tdb
Make lack of lock order checking more visible.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-02-07 16:06:07 +01:00
Michael Adam
7e766a0a8a dbwrap: add dbwrap_flags argument to dbwrap_local_open()
To be consistent with db_open() and prepare for future
possible extensions.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-02-07 16:06:07 +01:00
Stefan Metzmacher
b8fdeb8ca7 libcli/auth: reject computer_name longer than 15 chars
This matches Windows, it seems they use a fixed size field to store
netlogon_creds_CredentialState.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-22 17:12:14 +01:00
Stefan Metzmacher
387ed2e15d libcli/auth: don't alter the computer_name in cluster mode.
This breaks NTLMv2 authentication.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-22 17:12:05 +01:00
Stefan Metzmacher
ece3ba10a1 libcli/auth: add netlogon_creds_cli_set_global_db()
This can be used to inject a db_context from dbwrap_ctdb.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-22 17:11:19 +01:00
Andreas Schneider
fa8c2b1578 libcli: Fix the comment for the address.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2014-01-17 14:50:30 +01:00
Stefan Metzmacher
f08c0b2ef1 libcli/smb: make use of tevent_req_set_cleanup_fn()
This is more better than a custom tevent_req destructor.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2014-01-17 12:38:08 +01:00
Matthias Dieter Wallnöfer
0c2fbe5a0c samba:python - Py_RETURN_NONE remove compatibility code for releases < 2.4
http://www.python.org/doc//current/c-api/none.html

Reviewed-By: Jelmer Vernooij <jelmer@samba.org>

Autobuild-User(master): Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date(master): Thu Jan  9 16:27:47 CET 2014 on sn-devel-104
2014-01-09 16:27:47 +01:00
Stefan Metzmacher
0e62f32795 libcli/auth: fix usage of an uninitialized variable in netlogon_creds_cli_check_caps()
If status is RPC_PROCNUM_OUT_OF_RANGE, result might be uninitialized.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2014-01-08 14:34:13 +01:00
Stefan Metzmacher
3d45d4dc3c libcli/auth: remove unused netlogon_creds_cli_context_copy()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:16 +01:00
Stefan Metzmacher
fa3af7c2e8 libcli/auth: make use of real options in netlogon_creds_cli_context_global()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:05 +01:00
Stefan Metzmacher
dc96b1ddcc libcli/auth: use unique key_name values in netlogon_creds_cli_context_common()
Until all callers are fixed to pass the same 'server_computer'
value, we try to calculate a server_netbios_name and use this
as unique identifier for a specific domain controller.

Otherwise winbind would use 'hostname.example.com'
while 'net rpc testjoin' would use 'HOSTNAME',
which leads to 2 records in netlogon_creds_cli.tdb
for the same domain controller.

Once all callers are fixed we can think about reverting this
commit.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:04 +01:00
Stefan Metzmacher
6e6d9f9f12 libcli/auth: add netlogon_creds_cli* infrastructure
This provides an abstraction to hide netlogon_creds_CredentialState,
which is stored in a node local tdb.

Where the global state (netlogon_creds_CredentialState) between client and
server was only kept in memory (on the client side), we now use
the abstracted netlogon_creds_cli_context.

We now use a node specific computer name in order to establish
individual netlogon sessions per node.

If the caller wants to use some netlogon calls with credential chain
(struct netr_Authenticator), netlogon_creds_cli_lock*() is used
to get the current netlogon_creds_CredentialState in a g_lock'ed
fashion, a talloc_free() will release the lock.

The locking is needed as there might be more than one process
(multiple winbindd child, cmdline tools) which want to talk
to a specific domain controller. The usage of netlogon_creds_CredentialState
needs to be serialized as it uses sequence numbers.

LogonSamLogonEx doesn't use the credential chain, but for some operations
it needs the global session in order to de/encrypt individual fields.
It uses the lockless netlogon_creds_cli_get() and netlogon_creds_cli_validate()
functions, which just make sure the session hasn't changed between
get and validate.

This is prepares the proper fix for a large number of bugs:
https://bugzilla.samba.org/show_bug.cgi?id=6563
https://bugzilla.samba.org/show_bug.cgi?id=7944
https://bugzilla.samba.org/show_bug.cgi?id=7945
https://bugzilla.samba.org/show_bug.cgi?id=7568
https://bugzilla.samba.org/show_bug.cgi?id=8599

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 12:47:03 +01:00
Stefan Metzmacher
0059929601 libcli/smb: s/tstream_cli_np/tstream_smbXcli_np
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-01-07 08:37:42 +01:00
Stefan Metzmacher
8ec4163848 libcli/smb: s/TSTREAM_CLI_NP/TSTREAM_SMBXCLI_NP
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-01-07 08:37:42 +01:00
Stefan Metzmacher
024fc73047 libcli/smb: move source3/libsmb/cli_np_tstream.c to tstream_smbXcli_np.c
This code is generic enough to have it in the top level now.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-01-07 08:37:42 +01:00
Gregor Beck
3d90e9346b libcli/smb: add smb1cli_readx*
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Gregor Beck <gbeck@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-01-07 08:37:39 +01:00
Gregor Beck
cb295d708d libcli/smb: add smb1cli_writex*
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Gregor Beck <gbeck@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-01-07 08:37:39 +01:00
Gregor Beck
b9d19e876f libcli/smb: add smb1cli_close*
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Gregor Beck <gbeck@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-01-07 08:37:39 +01:00
Gregor Beck
50f910ff5d libcli/smb: add smb1cli_ntcreatex*
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Gregor Beck <gbeck@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-01-07 08:37:39 +01:00
Stefan Metzmacher
ef28ed685f libcli/smb: move some *TRANSACT_* flags to smb_constants.h
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-01-07 08:37:38 +01:00
Stefan Metzmacher
306cba4b8c libcli/smb: move some FILE_* flags to smb_constants.h
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-01-07 08:37:38 +01:00
Stefan Metzmacher
616cd00995 auth/gensec: move libcli/auth/schannel_sign.c into schannel.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-07 00:27:11 +01:00
Stefan Metzmacher
e6afeae695 libcli/auth: try to use the current timestamp creds->sequence
If the last usage of netlogon_creds_client_authenticator()
is in the past try to use the current timestamp and increment
more than just 2.

If we use netlogon_creds_client_authenticator() a lot within a
second, we increment keep incrementing by 2.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Dec 24 13:18:18 CET 2013 on sn-devel-104
2013-12-24 13:18:18 +01:00
Stefan Metzmacher
636daac3b7 libcli/auth: remove bogus comment regarding replay attacks
creds->sequence (timestamp) is the value that is used to increment the internal
state, it's not a real sequence number. The sequence comes
from adding all timestamps of the whole session.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-12-24 09:10:06 +01:00
Stefan Metzmacher
202bcf9096 libcli/auth: set the return_authenticator->timestamp = 0
This is what windows returns, the value is ignored by the client anyway.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-12-24 09:10:06 +01:00
Volker Lendecke
eaf807c361 secacl: Slightly simplify make_sec_acl
This avoids a complex if-expression

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Dec 14 00:10:21 CET 2013 on sn-devel-104
2013-12-14 00:10:21 +01:00
Volker Lendecke
4ec65713fe secacl: Fix a memleak in an error path
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-12-13 12:45:57 -08:00
Volker Lendecke
b6e323bcf6 secacl: Don't use talloc_zero
We initialize all but one field anyway

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-12-13 12:45:57 -08:00
Volker Lendecke
2b113599f8 secacl: Fix whitespace
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-12-13 12:45:57 -08:00
Christian Ambach
66e35a93a5 libcli: fix compiler warnings
about missing prototypes

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-12-12 14:21:27 -08:00
Christian Ambach
23fc48cfb1 lib/clap fix compiler warnings
about set but unused variable

Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-12-12 14:21:27 -08:00
Stefan Metzmacher
821a49b7d0 CVE-2013-4408:libcli/util: add some size verification to tstream_read_pdu_blob_done()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-12-09 07:05:46 +01:00
Günther Deschner
4112eb0529 docs: remove duplicate word "name" in nmblookup4 manpage.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2013-11-19 09:52:39 +01:00
Benjamin Franzke
e306250a25 libcli/cldap: Add utility to create netlogon filter
This utility is splitted of from cldap_netlogon_send.

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
2013-11-11 23:00:55 +01:00
Stefan Metzmacher
127fc670a3 libcli/smb: fix smb2cli_ioctl*() against Windows 2008.
The subsections of [MS-SMB2] "3.2.5.14 Receiving an SMB2 IOCTL Response"
say the client should ignore the InputOffset/InputCount.

We do that only if we ask for max_input_length = 0.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10232

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Oct 31 01:16:10 CET 2013 on sn-devel-104
2013-10-31 01:16:09 +01:00
Andreas Schneider
eec05fb70f libcli: Add tstream_npa_socketpair() function.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-10-29 15:31:45 +01:00
Nadezhda Ivanova
daefca2a1a s4-dsacl: Fixed incorrect handling of privileges in sec_access_check_ds
Restore and backup privileges are not relevant to ldap
access checks, and the TakeOwnership privilege should
grant write_owner right

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-10-25 09:45:57 +13:00
Stefan Metzmacher
60f16bacdc libcli/smb: add SMB2_HDR_FLAG_DFS for SMB2 Create operations on dfs shares
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10200

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2013-10-17 16:10:35 +02:00
Stefan Metzmacher
b16b469f3f libcli/smb: add FLAG_CASELESS_PATHNAMES based on FILE_CASE_SENSITIVE_SEARCH to smb1 requests
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10200

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2013-10-17 16:09:10 +02:00
Stefan Metzmacher
e6eb6b9e94 libcli/smb: move Filesystem Attributes defines to smb_constants.h
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10200

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2013-10-17 16:08:29 +02:00
Stefan Metzmacher
44224cd40f libcli/smb: add FLAGS2_DFS_PATHNAMES for SMB1 operations against dfs shares
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10200

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2013-10-17 16:06:22 +02:00
Stefan Metzmacher
1c4e95cbd8 libcli/smb: add smbXcli_tcon_{set,get}_fs_attributes()
These are the attributes returned from the FileFsAttributeInformation
request.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10200

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2013-10-17 16:04:35 +02:00
Stefan Metzmacher
e0fe97c543 libcli/smb: add smbXcli_tcon_is_dfs_share()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10200

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2013-10-17 16:03:25 +02:00
Luk Claes
24e7be87d1 libcli/smb: Introduce smbXcli_conn_dfs_supported
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10200

Signed-off-by: Luk Claes <luk@debian.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2013-10-17 16:01:39 +02:00
Michael Adam
f643961343 libcli/smb: add smb2cli_tcon_is_encryption_on()
https://bugzilla.samba.org/show_bug.cgi?id=10208

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-10-15 11:49:01 -07:00
Volker Lendecke
c944d2ea41 libcli: Correct smb2_lease_pull
We don't really use leases yet, so so far this went by unnoticed. It's
the V2 lease requests that hold the parent lease key, not the V1 ones.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-10-06 13:55:50 +02:00