1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Commit Graph

53 Commits

Author SHA1 Message Date
Andrew Tridgell
99c431695c added a "use spnego" option
you need to set "use spnego = no" for w2k to be able to join a samba
domain. Otherwise the w2k box will assume we can do kerberos as a KDC
(This used to be commit b5cb57a367)
2001-12-07 01:01:10 +00:00
Andrew Tridgell
9421ad4a7a added a REALLY gross hack into kerberos_kinit_password so that
winbindd can do a kinit
this will be removed once we have code that gets a tgt
and puts it in a place where cyrus-sasl can see it
(This used to be commit 7d94f1b736)
2001-12-05 09:46:53 +00:00
Andrew Bartlett
fe64484824 Make better use of the ads_init() function to get the kerberos relam etc.
This allows us to use automagically obtained values in future, and the value
from krb5.conf now.

Also fix mem leaks etc.

Andrew Bartlett
(This used to be commit 8f9ce71781)
2001-11-29 06:21:56 +00:00
Andrew Tridgell
5e25ba6fec always send an OID list until we handle raw (unwrapped) NTLMSSP
packets in session setup
(This used to be commit 3b3f8a9350)
2001-11-27 23:41:14 +00:00
Tim Potter
178f6a64b2 challange -> challenge
(This used to be commit d6318add27)
2001-11-26 04:05:28 +00:00
Andrew Tridgell
03439e1836 fixed spnego, non-kerberos negprot
(This used to be commit 2e916222a9)
2001-11-26 00:43:37 +00:00
Andrew Tridgell
481c644b7b added 'security=ADS'
(This used to be commit 5a735a88e4)
2001-11-25 23:05:13 +00:00
Andrew Bartlett
d0a2faf78d This is another rather major change to the samba authenticaion
subystem.

The particular aim is to modularized the interface - so that we
can have arbitrary password back-ends.

This code adds one such back-end, a 'winbind' module to authenticate
against the winbind_auth_crap functionality.  While fully-functional
this code is mainly useful as a demonstration, because we don't get
back the info3 as we would for direct ntdomain authentication.

This commit introduced the new 'auth methods' parameter, in the
spirit of the 'auth order' discussed on the lists.  It is renamed
because not all the methods may be consulted, even if previous
methods fail - they may not have a suitable challenge for example.

Also, we have a 'local' authentication method, for old-style
'unix if plaintext, sam if encrypted' authentication and a
'guest' module to handle guest logins in a single place.

While this current design is not ideal, I feel that it does
provide a better infrastructure than the current design, and can
be built upon.

The following parameters have changed:
 - use rhosts =

  This has been replaced by the 'rhosts' authentication method,
 and can be specified like 'auth methods = guest rhosts'

 - hosts equiv =

  This needs both this parameter and an 'auth methods' entry
  to be effective.  (auth methods = guest hostsequiv ....)

 - plaintext to smbpasswd =

  This is replaced by specifying 'sam' rather than 'local'
  in the auth methods.

The security = parameter is unchanged, and now provides defaults
for the 'auth methods' parameter.

The available auth methods are:

guest
rhosts
hostsequiv
sam (passdb direct hash access)
unix (PAM, crypt() etc)
local (the combination of the above, based on encryption)
smbserver (old security=server)
ntdomain (old security=domain)
winbind (use winbind to cache DC connections)


Assistance in testing, or the production of new and interesting
authentication modules is always appreciated.

Andrew Bartlett
(This used to be commit 8d31eae52a)
2001-11-24 12:12:38 +00:00
Andrew Bartlett
d8f0f3a6d4 SPNEGO works perfectly well with security=domain, so don't exclude it.
(This used to be commit 26a9479ad4)
2001-10-31 06:24:25 +00:00
Andrew Bartlett
1f829e19eb Spnego on the 'server' end of security=server just does not work, so set the
flags so we just do a 'normal' session setup.

Also add some parinoia code to detect when sombody attempts to do a 'normal'
session setup when spnego had been negoitiated.

Andrew Bartlett
(This used to be commit 190898586f)
2001-10-30 13:54:54 +00:00
Herb Lewis
3ea3492713 get rid of compiler warnings (casts and delete unused variables)
(This used to be commit 51cb4411df)
2001-10-23 19:10:30 +00:00
Andrew Tridgell
fba157123e - fixed link order of krb5 libs
- accept a wide range of principal names in session setup
(This used to be commit 672df66296)
2001-10-22 05:04:33 +00:00
Jeremy Allison
cfd68eaac4 Ok, I know it's a language thing and it shouldn't matter.... but a kerberos
name is a "principal", not a principle. English majors will complain :-).
Jeremy.
(This used to be commit b668d7d656)
2001-10-21 20:51:27 +00:00
Andrew Tridgell
42a4e6890c change smbd to use HOST/hostname principle form until I work out how
to use the other form in netjoin
(This used to be commit 58cfa13d65)
2001-10-21 03:26:24 +00:00
Andrew Tridgell
cbe31055f8 support both old and new kerberos OIDs
(This used to be commit eac164c7e6)
2001-10-21 00:11:22 +00:00
Andrew Tridgell
93645be91f better krb5 error handling (thanks andrewb!)
(This used to be commit fd3a3daef3)
2001-10-20 06:50:24 +00:00
Andrew Tridgell
5ad7448359 the beginnings of kerberos support in smbd. It doesn't work yet, but
it should give something for others to hack on and possibly find what
I'm doing wrong.
(This used to be commit 353c290f05)
2001-10-18 10:26:06 +00:00
Andrew Tridgell
b728042334 added basic NTLMSSP support in smbd. This is still quite rough, and
loses things like username mapping. I wanted to get this in then
discuss it a bit to see how we want to split up the existing
session setup code
(This used to be commit b74fda69bf)
2001-10-17 08:54:19 +00:00
Andrew Tridgell
81f56139b6 initial kerberos/ADS/SPNEGO support in libsmb and smbclient. To
activate you need to:

- install krb5 libraries
- run configure
- build smbclient
- run kinit to get a TGT
- run smbclient with the -k option to choose kerberos auth
(This used to be commit d330575856)
2001-10-11 07:42:52 +00:00
Tim Potter
dc1fc3ee8e Removed 'extern int DEBUGLEVEL' as it is now in the smb.h header.
(This used to be commit 2d0922b0ea)
2001-10-02 04:29:50 +00:00
Andrew Bartlett
41821943da Kill of the reply.c end of the workstaion trust account mess.
Fix the NT errror codes, this time in line with WinXP/2k.
 - Return the normal error codes, expect for bad user/bad password.  These map
   to logon failure, as a quick security hack.  We follow suit.

Simplfy some of the password extraction code, the auth subsytem has the
 intelegence to sort this stuff out, no need to do it here.

Move to 'global_encrypted_passwords_negotiated' to determine the use of
unencrypted hacks, replacing the current mess.

Andrew Bartlett
(This used to be commit c04f063573)
2001-09-26 13:55:59 +00:00
Andrew Bartlett
4eb7ef6b61 Fix up NT_STATUS return for session setups, Win2k objects to anything other
than NT_STATUS_LOGON_FAILURE.  This also brings us (almost) back in line with
their implementation.

Kill off SMBENCRYPT() macro

Kill off 'nt smb support' paramater - tridge okayed this one.

Andrew Bartlett
(This used to be commit 67947bf6e3)
2001-09-23 05:16:03 +00:00
Andrew Tridgell
39d7983a47 - enable MSDFS by default, there seems no reason not to have it enabled
by default in Samba 3.x

- got rid of some unused parameters in Makefile.in

- declare DEBUGLEVEL in debug.h rather than in each file
(This used to be commit b8651acb9c)
2001-09-12 03:08:51 +00:00
Andrew Tridgell
e8e98c9ea0 converted smbd to use NTSTATUS by default
major changes include:

- added NSTATUS type
- added automatic mapping between dos and nt error codes
- changed all ERROR() calls to ERROR_DOS() and many to ERROR_NT()
  these calls auto-translate to the client error code system
- got rid of the cached error code and the writebmpx code

We eventually will need to also:
- get rid of BOOL, so we don't lose error info
- replace all ERROR_DOS() calls with ERROR_NT() calls

but that is too much for one night
(This used to be commit 83d9896c1e)
2001-08-27 08:19:43 +00:00
Andrew Bartlett
0897979a8b Some better debugs for our security=server code. I want to track down why
we occasionally don't make the connection to the server.
(This used to be commit 08e99f4c12)
2001-08-08 03:25:47 +00:00
Andrew Bartlett
986372901e This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.

The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards.  The
interface currently implemented in as

nt_status = check_password(user_info, server_info)

where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.

The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.

This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing.  We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.

Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree.  (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f3)
2001-08-03 13:09:23 +00:00
Andrew Tridgell
87fbb7092b The big character set handling changeover!
This commit gets rid of all our old codepage handling and replaces it with
iconv. All internal strings in Samba are now in "unix" charset, which may
be multi-byte. See internals.doc and my posting to samba-technical for
a more complete explanation.
(This used to be commit debb471267)
2001-07-04 07:15:53 +00:00
Simo Sorce
247acd5521 - fix bug in reply_nt- fix bug in reply_nt1
(This used to be commit 200110a3b4)
2001-07-01 10:39:37 +00:00
Andrew Tridgell
4ff011d88e Added STR_NOALIGN flags to clistr and srvstr fns. Yes, NT actually does
send unaligned unicode strings sometimes!
Fixed our handling of the workgroup name tacked on the end of the
NT1 negprot response (a unaligned unicode)
fixed a couple of places where we should be using the message_end fns instead
of pre-calculated buffer lengths
(This used to be commit 86613493a9)
2001-06-21 05:38:28 +00:00
Jeremy Allison
3414c71f6d Extra stuff for large readwrite support.
Jeremy.
(This used to be commit 4338ee78c3)
2001-06-08 03:02:34 +00:00
Jeremy Allison
4d86a2841c This is *very* cool. I'm pretty convinced we can just set the
CAP_LARGE_READX|CAP_LARGE_WRITEX bits on negprot and out W2K
performance goes through the roof......
And as we *always* offer 64 buffers we can do this with this
simple change.....
Jeremy.
(This used to be commit c328dda0fa)
2001-05-23 18:47:52 +00:00
Andrew Tridgell
c9b8da47a6 enable unicode on the wire by default in smbd
the unicode support isn't complete, but it is good enough to be usable
for a test server.
(This used to be commit e787fc1daf)
2001-03-16 02:31:24 +00:00
Jeremy Allison
da3053048c Merge of new 2.2 code into HEAD (Gerald I hate you :-) :-). Allows new SAMR
RPC code to merge with new passdb code.
Currently rpcclient doesn't compile. I'm working on it...
Jeremy.
(This used to be commit 0be41d5158)
2001-03-11 00:32:10 +00:00
Andrew Tridgell
b08b70faf8 started support for unicode on the wire in smbd. Using a very similar
method to what was used in the client I now have session setup and
tconx working.

Currently this is enabled with SMBD_USE_UNICODE environment
variable. Once the code is complete this will become a smb.conf
option.
(This used to be commit 7684c1e672)
2001-03-10 11:38:27 +00:00
Gerald Carter
0bfc10011b merge of 'lanman auth' and 'min protocol' from 2.2
(This used to be commit 1d84da779a)
2001-03-09 18:59:16 +00:00
Jeremy Allison
6f58dd5871 Ok - fixed a bug in our levelII oplock code. We need to break a level II on
a byte range lock (write lock only, but Win2k breaks on read lock also so I
do the same) - if you think about why, this is obvious. Also fixed our client
code to do level II oplocks, if requested, and fixed the code where we would
assume the client wanted level II if it advertised itself as being level II
capable - it may not want that.
Jeremy.
(This used to be commit 213cd0b519)
2000-11-16 00:59:18 +00:00
Herb Lewis
8719c27726 changes to sync with 2.2. tree
.cvsignore              remove config.h - not in this directory
include/profile.h       profile changes
lib/messages.c          added message to return debug level
libsmb/clierror.c       cast to get rid of compiler warning
libsmb/smbencrypt.c     cast to get rid of compiler warning
profile/profile.c       add flush profile stats changes for profile struct
rpc_parse/parse_samr.c  fix for compiler warning
rpc_server/srv_samr.c   cast to get rid of compiler warning
smbd/ipc.c              profile stats
message.c               profile stats
smbd/negprot.c          profile stats
smbd/nttrans.c          profile stats
smbd/trans2.c           profile stats
utils/smbcontrol.c      new flush stats command
(This used to be commit bbb24daa25)
2000-10-11 05:31:39 +00:00
Shirish Kalele
8a86541e28 Changed MS_DFS to WITH_MSDFS throughout.
Fixed trans2 calls on IPC$ to let dfs referral calls through.
(This used to be commit e0965a80bd)
2000-05-26 17:10:40 +00:00
Andrew Tridgell
49a0e6d598 more merging voodoo
this adds "#define OLD_NTDOMAIN 1" in lots of places. Don't panic -
this isn't permanent, it should go after another few merge steps have
been done
(This used to be commit 92109d7b3c)
2000-05-10 10:41:59 +00:00
Jeremy Allison
693ffb8466 Added sys_fork() and sys_getpid() functions to stop the overhead
of doing a system call every time we want to just get our pid.
Jeremy.
(This used to be commit 148628b616)
2000-05-02 02:23:41 +00:00
Jeremy Allison
01d88573ea include/smb.h:
smbd/negprot.c:
smbd/reply.c: Fixes to recognise Win2k.
param/loadparm.c: Put debug timestamp parameter back to correct default.
smbd/nttrans.c: Fix to detect Win2k unicode bug with transact create.
Jeremy.
(This used to be commit bb100352ab)
2000-03-13 20:05:18 +00:00
Shirish Kalele
952799d9af dded Microsoft Dfs services.
* added a new msdfs/ directory under source/
* added msdfs sources under this directory.
* modified configure setup to add a --with-msdfs configure time option

 Modified Files:
 	Makefile.in acconfig.h configure configure.in
 	include/config.h.in include/includes.h include/proto.h
 	include/smb.h include/smb_macros.h param/loadparm.c
 	smbd/negprot.c smbd/nttrans.c smbd/process.c smbd/reply.c
 	smbd/server.c smbd/trans2.c
 Added Files:
 	include/msdfs.h msdfs/README msdfs/msdfs.c msdfs/msdfs_tdb.c
 	msdfs/parse_dfs_map.c
 ----------------------------------------------------------------------
(This used to be commit 4684b4a188)
2000-03-08 22:14:30 +00:00
Jeremy Allison
fab3e0eb08 smbd/mangle.c
smbd/negprot.c: Tidyup of static initializers.
smbd/server.c: Fix -l option.
Jeremy.
(This used to be commit d120f22fef)
2000-01-08 02:16:15 +00:00
Andrew Tridgell
3db52feb1f first pass at updating head branch to be to be the same as the SAMBA_2_0 branch
(This used to be commit 453a822a76)
1999-12-13 13:27:58 +00:00
Luke Leighton
701f9ed2c9 reading in smb server domain name from SMBnegprot response
(This used to be commit 25025f4505)
1999-09-16 22:46:45 +00:00
Luke Leighton
8f1404739f Jean-Francois Micouleau's rewritten DFS patch, originally written by
Nigel Williams.  despite the data format being *exactly* the same as
NT's, this still doesn't work yet.  more work needed.
(This used to be commit 270981960b)
1999-07-12 18:46:15 +00:00
Luke Leighton
89d51caba5 added server ntlmv2 false/auto/true parameter, defaults to off.
(This used to be commit 209944dabc)
1999-05-01 01:41:28 +00:00
Andrew Tridgell
c7da9992cb gto ri of a bunch more #ifdef LARGE_SMB_OFF_T checks by introducing a
SOFF_T() macro for setting an SMB_OFF_T variable

also limited mmap based reads to MAX_MMAP_SIZE. We really can't mmap
2^50 bytes due to virtual address space problems.
(This used to be commit 4e784b1889)
1998-09-18 03:00:20 +00:00
Jeremy Allison
b8b67f4fab configure configure.in: Added checks for statvfs64. Last bit of 64 bit widening (I hope :-).
include/config.h.in: Added #undef STAT_STATVFS64.
include/includes.h: Added SMB_STRUCT_STATVFS type, Changed SMB_BIG_INTEGER to
                    SMB_BIG_UINT and SMB_BIG_INT types.
include/smb.h: Added flag defines from CIFS spec.
lib/debug.c: Fixed one more mode_t issue.
lib/system.c: Added sys_statvfs wrapper.
lib/util.c: Changed trim_string to use size_t.
param/loadparm.c: Moved "blocking locks" into locking section. Alphabetised
                  locking options. Question - shuld we do this for all options ?
passdb/ldap.c: Changed SMB_BIG_INTEGER to SMB_BIG_UINT.
passdb/nispass.c: Changed SMB_BIG_INTEGER to SMB_BIG_UINT.
passdb/smbpass.c: Changed SMB_BIG_INTEGER to SMB_BIG_UINT.
smbd/dfree.c: Changed to use 64 bit types if available. Moved to use unsigned
              types.
smbd/dosmode.c: Fixed one more mode_t issue.
smbd/negprot.c: Changed literals to be FLAG_ #defines.
smbd/nttrans.c: Removed dead code.
smbd/open.c: Changed disk_free call.
smbd/process.c: Changed literals to be FLAG_ #defines.
smbd/reply.c: Changed disk_free call.
smbd/trans2.c: Fixed but in SMB_QUERY_FS_VOLUME_INFO call. Was using
               UNICODE - should use ascii.
tests/summary.c: Added STAT_STATVFS64 check.
Jeremy.
(This used to be commit c512b1b91f)
1998-09-17 23:06:57 +00:00
Jeremy Allison
27d0bef143 Ok - this is the 'expose 64 bit to the clients' checkin.
I have tested it by creating a 'holey' 20GB file - checking that
it shows up correctl in the NT file view (it does) and am busily
copying it to NULL: on the NT box. All good so far.... :-).

Also implemented NT 'delete on close' semantics.

Jeremy.
(This used to be commit 1654faee80)
1998-09-11 19:14:27 +00:00