1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

37 Commits

Author SHA1 Message Date
Jelmer Vernooij
2cd5ca7d25 r12542: Move some more prototypes out to seperate headers
(This used to be commit 0aca5fd513)
2007-10-10 13:47:55 -05:00
Andrew Bartlett
372ca26b20 r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5
authentication.  This pulls the creating of the keytab back to the
credentials code, and removes the special case of 'use keberos keytab
= yes' for now.

This allows (and requires) the callers to specify the credentials for
the server credentails to GENSEC.  This allows kpasswdd (soon to be
added) to use a different set of kerberos credentials.

The 'use kerberos keytab' code will be moved into the credentials
layer, as the layers below now expect a keytab.

We also now allow for the old secret to be stored into the
credentials, allowing service password changes.

Andrew Bartlett
(This used to be commit 205f77c579)
2007-10-10 13:45:00 -05:00
Andrew Bartlett
5edbeca141 r10153: This patch adds a new parameter to gensec_sig_size(), the size of the
data to be signed/sealed.  We can use this to split the data from the
signature portion of the resultant wrapped packet.

This required merging the gsskrb5_wrap_size patch from
lorikeet-heimdal, and fixes AES encrption issues on DCE/RPC (we no
longer use a static 45 byte value).

This fixes one of the krb5 issues in my list.

Andrew Bartlett
(This used to be commit e4f2afc343)
2007-10-10 13:38:04 -05:00
Andrew Bartlett
115945faca r9490: Fix typo
Andrew Bartlett
(This used to be commit 093b98b5b5)
2007-10-10 13:34:21 -05:00
Jelmer Vernooij
6553dd0c60 r8811: Fix the build..
(This used to be commit fac77f5fa2)
2007-10-10 13:30:07 -05:00
Andrew Bartlett
06348629b9 r8109: Try to print out more helpful debug messages on DCERPC server-side
gensec failure to start.

Andrew Bartlett
(This used to be commit bc8f8d2dcf)
2007-10-10 13:19:09 -05:00
Andrew Tridgell
af237084ec r7633: this patch started as an attempt to make the dcerpc code use a given
event_context for the socket_connect() call, so that when things that
use dcerpc are running alongside anything else it doesn't block the
whole process during a connect.

Then of course I needed to change any code that created a dcerpc
connection (such as the auth code) to also take an event context, and
anything that called that and so on .... thus the size of the patch.

There were 3 places where I punted:

  - abartlet wanted me to add a gensec_set_event_context() call
    instead of adding it to the gensec init calls. Andrew, my
    apologies for not doing this. I didn't do it as adding a new
    parameter allowed me to catch all the callers with the
    compiler. Now that its done, we could go back and use
    gensec_set_event_context()

  - the ejs code calls auth initialisation, which means it should pass
    in the event context from the web server. I punted on that. Needs fixing.

  - I used a NULL event context in dcom_get_pipe(). This is equivalent
    to what we did already, but should be fixed to use a callers event
    context. Jelmer, can you think of a clean way to do that?

I also cleaned up a couple of things:

 - libnet_context_destroy() makes no sense. I removed it.

 - removed some unused vars in various places
(This used to be commit 3a3025485b)
2007-10-10 13:18:15 -05:00
Jelmer Vernooij
fcc74fc060 r7313: Prefix a few functions with ncacn_ rather then dcerpc_ because they are
ncacn_ specific
(This used to be commit 875cce1268)
2007-10-10 13:17:41 -05:00
Jelmer Vernooij
430dc36c1a r7312: Add IDL for ncadg packets.
(This used to be commit 2009a430b0)
2007-10-10 13:17:40 -05:00
Andrew Bartlett
7fe68b16e6 r6457: Simply the RPC server code for the choice of GENSEC mech - it's just
one function call now, so no need for a wrapper function.

Andrew Bartlett
(This used to be commit c023f5c5e8)
2007-10-10 13:11:38 -05:00
Andrew Tridgell
759da3b915 r5037: got rid of all of the TALLOC_DEPRECATED stuff. My apologies for the
large commit. I thought this was worthwhile to get done for
consistency.
(This used to be commit ec32b22ed5)
2007-10-10 13:09:15 -05:00
Andrew Tridgell
5423fd3b35 r4663: fixed SPNEGO auth in the rpc server
(This used to be commit 439cbb9ead)
2007-10-10 13:08:40 -05:00
Andrew Tridgell
34f6485dda r4642: added support for alter_context in the server for adding new interfaces to an existing pipe
(This used to be commit b6af57c868)
2007-10-10 13:08:38 -05:00
Stefan Metzmacher
10918b7b70 r4082: support alter_context requests
metze
(This used to be commit ab6ec6b5f4)
2007-10-10 13:06:25 -05:00
Stefan Metzmacher
37e2570632 r4081: use clearer names
metze
(This used to be commit 5d7d6f02cf)
2007-10-10 13:06:24 -05:00
Andrew Tridgell
c051779a0a r3468: split out dcerpc_server.h
(This used to be commit 729e0026e4)
2007-10-10 13:05:17 -05:00
Andrew Tridgell
c5f4378361 r2629: convert gensec to the new talloc model
by making our gensec structures a talloc child of the open connection
we can be sure that it will be destroyed when the connection is
dropped.
(This used to be commit f12ee2f241)
2007-10-10 12:59:14 -05:00
Andrew Tridgell
d79c7d41da r2627: use the new talloc capabilities in a bunch more places in the rpc
server code. This fixes a number of memory leaks I found when testing
with valgrind and smbtorture, as the cascading effect of a
talloc_free() ensures that anything derived from the top level object
is destroyed on disconnect.
(This used to be commit 76d0b8206c)
2007-10-10 12:59:13 -05:00
Andrew Tridgell
e3e3e4577b r2615: fixed a bug in the server side support for CONNECT level security
(This used to be commit fee98137ad)
2007-10-10 12:59:12 -05:00
Andrew Tridgell
642ba4bfee r2614: support CONNECT level DCE/RPC security in both client and
server. CONNECT security uses NTLMSSP, but does not do any signing or
sealing (or equivalently, its like signing, but with a zero filled
checksum).
(This used to be commit f4660857bc)
2007-10-10 12:59:12 -05:00
Andrew Tridgell
f8f2630c0d r2294: this fixes the NTLM2 sign+seal combination. I have now tested:
NTLM sign
 NTLM sign+seal
 NTLM2 sign
 NTLM2 sign+seal

and all of the above both with and without key exchange

the NTLM2 seal case is ugly and involves an extra data copy, which
some API changes in gensec or the ndr layer might avoid in future.
(This used to be commit fce7a4218b)
2007-10-10 12:58:40 -05:00
Andrew Tridgell
350c12e5c9 r2293: fixed older NTLM sign/seal in the server
(This used to be commit d8825b69ac)
2007-10-10 12:58:40 -05:00
Andrew Bartlett
15a96c4298 r2290: Fix 'lsakey' for the server-side, it is static for
'authenticated' connections.

Fix kerberos session key issues - we need to call the
routine for extracting the session key, not just read the cache.

Andrew Bartlett
(This used to be commit b80d849b6b)
2007-10-10 12:58:40 -05:00
Andrew Bartlett
909c9b681a r2284: Thanks to some great detective work by tridge, NTLM2 signing now works.
This means that 'require NTLMv2 session security' now works for RPC
pipe signing.  We don't yet have sealing, but it can't be much further.

This is almost all tridge's code, munged into a form that can work
with the GENSEC API.

This commit also includes more lsakey fixes - that key is used for all
DCE-RPC level authenticated connections, even over CIFS/ncacn_np.

No doubt I missed something, but I'm going to get some sleep :-)

Andrew Bartlett
(This used to be commit a1fe175eec)
2007-10-10 12:58:39 -05:00
Andrew Bartlett
30ea54c4ba r2281: Add a few comments.
(This used to be commit 7be16e5036)
2007-10-10 12:58:38 -05:00
Andrew Bartlett
fa5a99b7a6 r2041: Fix NTLMSSP RPC sealing, client -> win2k3 server.
The bug (found by tridge) is that Win2k3 is being tighter about the
NTLMSSP flags.  If we don't negotiate sealing, we can't use it.

We now have a way to indicate to the GENSEC implementation mechanisms
what things we want for a connection.

Andrew Bartlett
(This used to be commit 86f61568ea)
2007-10-10 12:58:19 -05:00
Andrew Bartlett
dc9f55dbec r1294: A nice, large, commit...
This implements gensec for Samba's server side, and brings gensec up
to the standards of a full subsystem.

This means that use of the subsystem is by gensec_* functions, not
function pointers in structures (this is internal).  This causes
changes in all the existing gensec users.

Our RPC server no longer contains it's own generalised security
scheme, and now calls gensec directly.

Gensec has also taken over the role of auth/auth_ntlmssp.c

An important part of gensec, is the output of the 'session_info'
struct.  This is now reference counted, so that we can correctly free
it when a pipe is closed, no matter if it was inherited, or created by
per-pipe authentication.

The schannel code is reworked, to be in the same file for client and
server.

ntlm_auth is reworked to use gensec.

The major problem with this code is the way it relies on subsystem
auto-initialisation.  The primary reason for this commit now.is to
allow these problems to be looked at, and fixed.

There are problems with the new code:
- I've tested it with smbtorture, but currently don't have VMware and
  valgrind working (this I'll fix soon).
- The SPNEGO code is client-only at this point.
- We still do not do kerberos.

Andrew Bartlett
(This used to be commit 07fd885fd4)
2007-10-10 12:56:49 -05:00
Andrew Tridgell
2130a1bbe7 r1168: fixed a little-endian/big-endian mixup in the rpc server code
(This used to be commit 9b397356ae)
2007-10-10 12:56:43 -05:00
Andrew Tridgell
5341ad20e1 r1030: added server side schannel support
(This used to be commit 2ac79dfba0)
2007-10-10 12:56:30 -05:00
Stefan Metzmacher
5165fec02e r1004: continue tridge's work on dcerpc server auth/crypto code
I made it much more generic, and we should be able to add a
module interface to this code, so that other DCERPC_AUTH types can be added
via modules...

metze
(This used to be commit d09abeb686)
2007-10-10 12:56:25 -05:00
Andrew Tridgell
8087d844ef r995: - renamed many of our crypto routines to use the industry standard
names rather than our crazy naming scheme. So DES is now called
  des_crypt() rather than smbhash()

- added the code from the solution of the ADS crypto challenge that
  allows Samba to correctly handle a 128 bit session key in all of the
  netr_ServerAuthenticateX() varients. A huge thanks to Luke Howard
  from PADL for solving this one!

- restructured the server side rpc authentication to allow for other
  than NTLMSSP sign and seal. This commit just adds the structure, the
  next commit will add schannel server side support.

- added 128 bit session key support to our client side code, and
  testing against w2k3 with smbtorture. Works well.
(This used to be commit 729b2f41c9)
2007-10-10 12:56:25 -05:00
Andrew Bartlett
5b0ab386cb r874: This patch is a pile of work on NTLMSSP:
Samba's NTLMSSP code is now fully talloc based, which should go a long
way to cleaning up the memory leaks in this code.  This also avoids a
lot of extra copies of data, as we now allocate the 'return' blobs on
a caller-supplied context.

I have also been doing a lot of work towards NTLM2 signing and
sealing.  I have this working for sealing, but not for the verifier
(MD5 integrity check on the stream) which is still incorrect.

(I can aim a rpcecho sinkdata from a Win2k3 box to my server, and the
data arrives intact, but the signature check fails.  It does however
match the test values I have...).

The new torture test is cludged in - when we get a unit test suite
back, I'll happliy put it in the 'right' place....

Andrew Bartlett
(This used to be commit 399e2e2b11)
2007-10-10 12:56:14 -05:00
Stefan Metzmacher
7e6cf43756 This patch adds a better dcerpc server infastructure.
1.) We now register endpoint servers add startup via register_backend()
    and later use the smb.conf 'dcerpc endpoint servers' parameter to setup the dcesrv_context

2.) each endpoint server can register at context creation time as much interfaces as it wants
    (multiple interfaces on one endpoint are supported!)
    (NOTE:  there's a difference between 'endpoint server' and 'endpoint'!
	    for details look at rpc_server/dcesrv_server.h)

3.) one endpoint can have a security descriptor registered to it self
    this will be checked in the future when a client wants to connect
    to an smb pipe endpoint.

4.) we now have a 'remote' endpoint server, which works like the ntvfs_cifs module
    it takes this options in the [globals] section:

    dcerpc remote:interfaces = srvsvc, winreg, w32time, epmapper
    dcerpc remote:binding = ...
    dcerpc remote:user = ...
    dcerpc remote:password = ...

5.) we currently have tree endpoint servers: epmapper, rpcecho and remote

    the default for the 'dcerpc endpiont servers = epmapper, rpcecho'

    for testing you can also do
    dcerpc endpoint servers = rpcecho, remote, epmapper
    dcerpc remote:interfaces = srvsvc, samr, netlogon

6,) please notice the the epmapper now only returns NO_ENTRIES
    (but I think we'll find a solution for this too:-)

7.) also there're some other stuff left, but step by step :-)

This patch also includes updates for the
register_subsystem() , ntvfs_init(), and some other funtions
to check for duplicate subsystem registration


metze

(hmmm, my first large commit...I hope it works as supposed :-)
(This used to be commit 917e45dafd)
2004-01-08 22:55:27 +00:00
Andrew Tridgell
7efa19cd22 added a smb.conf flag "rpc big endian" that tells our rpc server to
send packets in bigendian format.
(This used to be commit 44df662960)
2003-12-17 02:06:44 +00:00
Andrew Tridgell
24c22aef90 a fairly large commit!
This adds support for bigendian rpc in the client. I have installed
SUN pcnetlink locally and am using it to test the samba4 rpc
code. This allows us to easily find places where we have stuffed up
the types (such as 2 uint16 versus a uint32), as testing both
big-endian and little-endian easily shows which is correct. I have now
used this to fix several bugs like that in the samba4 IDL.

In order to make this work I also had to redefine a GUID as a true
structure, not a blob. From the pcnetlink wire it is clear that it is
indeed defined as a structure (the byte order changes). This required
changing lots of Samba code to use a GUID as a structure.

I also had to fix the if_version code in dcerpc syntax IDs, as it
turns out they are a single uint32 not two uint16s.

The big-endian support is a bit ugly at the moment, and breaks the
layering in some places. More work is needed, especially on the server
side.
(This used to be commit bb1af644a5)
2003-12-16 09:02:58 +00:00
Andrew Tridgell
d009dc61f9 ntlmssp over rpc over tcp now fully works
I needed to hack the ntlmssp code a little, as the auth code in samba4
is out of date relative to the samba3 auth code. I need to do a merge :)
(This used to be commit 6ee0935afe)
2003-12-14 10:45:50 +00:00
Andrew Tridgell
8f6b3eb1a9 fixed a bug handling multiple PDUs being read from a socket at one
time in the rpc server.

started on the framework for the dcerpc authentication server code
(This used to be commit 74041b6a0a)
2003-12-14 01:09:10 +00:00