1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00
Commit Graph

2986 Commits

Author SHA1 Message Date
Jeremy Allison
03841f9e44 Fix bug #7698 - Assert causes smbd to panic on invalid NetBIOS session request.
Found by the CodeNomicon test suites at the SNIA plugfest.

http://www.codenomicon.com/

If an invalid NetBIOS session request is received the code in name_len() in
libsmb/nmblib.c can hit an assert.

Re-write name_len() and name_extract() to use "buf/len" pairs and
always limit reads.

Jeremy.
2010-09-26 03:01:03 -07:00
Volker Lendecke
2d8b65066e s3: Remove two talloc_autofree_context() calls
Both allocated blobs are freed in their routines
2010-09-26 03:29:28 +02:00
Jeremy Allison
d8814b1a48 Fix bug 7694 - Crash bug with invalid SPNEGO token.
Found by the CodeNomicon test suites at the SNIA plugfest.

http://www.codenomicon.com/

If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server
as we indirect the first returned value OIDs[0], which is returned as NULL.

Jeremy.
2010-09-23 21:44:24 -07:00
Simo Sorce
4cdee9b0ed s3-dcerpc: add spnego server helpers
squashed: add michlistMIC signature checks

Signed-off-by: Günther Deschner <gd@samba.org>
2010-09-23 10:54:23 -07:00
Günther Deschner
ffdfcfb514 s3-dsgetdcname: always pass in messaging context.
Volker, please check.

Guenther
2010-09-23 10:26:25 -07:00
Günther Deschner
4dbd743e46 s3-util_sid: use shared dom_sid_compare_auth and dom_sid_equal_X functions.
Guenther
2010-09-20 14:04:37 -07:00
Günther Deschner
c7fe04abc7 s3-build: only include async headers where needed.
Guenther
2010-09-20 13:54:42 -07:00
Björn Jacke
10eefd85c9 s3: fix order of arguments in nsec_time_diff call 2010-09-17 13:49:11 +02:00
Sumit Bose
e2d6b64219 Fix array size of a memmber of struct cli_ulogoff_state
The too small array makes UID-REGRESSION-FIX fail on 32bit
architectures.

Signed-off-by: Günther Deschner <gd@samba.org>
2010-09-17 11:51:56 +02:00
Björn Jacke
aada719694 s3: use nsec_time_diff instead of TspecDiff 2010-09-16 21:38:20 +02:00
Jeremy Allison
447d96878a Fix all sid_parse returns to be checked. Tidy up some checks and error
messages.

Jeremy.
2010-09-15 15:40:15 -07:00
Andrew Bartlett
3b4db34011 s3-krb5 Fix Kerberos on FreeBSD with Samba4 DCs
The idea of this patch is: Don't support a mix of different kerberos
features.

Either we should prepare a GSSAPI (8003) checksum and mark the request as
such, or we should use the old behaviour (a normal kerberos checksum of 0 data).

Sending the GSSAPI checksum data, but without marking it as GSSAPI broke
Samba4, and seems well outside the expected behaviour, even if Windows accepts it.

Andrew Bartlett
2010-09-11 18:46:13 +10:00
Stefan Metzmacher
cd8e2fd9fa s3-errormap: map ERRSRV/ERRbaduid to NT_STATUS_USER_SESSION_DELETED
metze
2010-09-10 17:21:32 +02:00
Günther Deschner
c59961dd81 s3-dsgetdcname: cleanup receive_getdc_response a little.
Guenther
2010-09-10 13:21:41 +02:00
Jeremy Allison
718fd39f10 Fox missing SMB_MALLOC return checks noticed by "Andreas Moroder <andreas.moroder@gmx.net>".
Jeremy.
2010-09-09 15:29:03 -07:00
Volker Lendecke
77b9b97966 s3: Remove a superfluous ; 2010-09-08 02:05:14 +02:00
Volker Lendecke
5b875a83a9 s3: Print the IP of the server that stopped responding 2010-09-01 12:57:16 +02:00
Björn Jacke
0ca6a73d01 s3: use monotonic clock for time deltas in namequery functions 2010-08-31 10:26:13 +02:00
Günther Deschner
85b8d7c605 s3-kerberos: try to fix the build w/o kerberos support.
Guenther
2010-08-30 16:03:17 +02:00
Günther Deschner
ca765d2f50 s3-build: only include krb5 environment variables where required.
Guenther
2010-08-26 00:20:29 +02:00
Günther Deschner
b5bdcdd65e s3-build: only include "fake_file.h" where needed.
Guenther
2010-08-26 00:20:28 +02:00
Volker Lendecke
554b1140a8 s3: Fix bug 7635 2010-08-21 11:55:46 +02:00
Jim McDonough
0ec0095d1a s3-libsmbclient Convert dos error codes to NTstatus in async libsmbclient.
DOS error codes were being lost with the conversion to async
libsmbclient.  If we're passing around NTSTATUS internally,
let's just convert it when we get it.

DOS ACCESS_DENIED on nautilus was not prompting for other credentials,
because it was not being mapped.
2010-08-19 15:49:31 -04:00
Günther Deschner
4349027b63 s3-cli: fix uninitialized variable.
Volker, please check.

Guenther
2010-08-19 14:08:06 +02:00
Günther Deschner
f6ac919a91 s3-libsmb: fix some uninitialized variables.
Volker, please check.

Guenther
2010-08-19 12:36:23 +02:00
Volker Lendecke
d7c8fb21bb s3: async cli_list 2010-08-18 15:14:02 +02:00
Volker Lendecke
77761d9adc s3: Add cli_flush 2010-08-18 15:14:02 +02:00
Günther Deschner
59289d4fa9 s3-build: only include smb_signing.h where needed.
Guenther
2010-08-18 09:20:13 +02:00
Volker Lendecke
08b628efe4 s3: Remove some unused code 2010-08-15 15:15:59 +02:00
Volker Lendecke
19280b65a5 s3: Fix an uninitialized variable 2010-08-14 10:08:45 +02:00
Andrew Bartlett
71d80e6be0 s3-krb5 Only build ADS support if arcfour-hmac-md5 is available
Modern Kerberos implementations have either defines or enums for these
key types, which makes doing #ifdef difficult.  This shows up in files
such as libnet_samsync_keytab.c, the bulk of which is not compiled on
current Fedora 12, for example.

The downside is that this makes Samba unconditionally depend on the
arcfour-hmac-md5 encryption type at build time.  We will no longer
support libraries that only support the DES based encryption types.
However, the single-DES types that are supported in common with AD are
already painfully weak - so much so that they are disabled by default
in modern Kerberos libraries.

If not found, ADS support will not be compiled in.

This means that our 'net ads join' will no longer set the
ACB_USE_DES_KEY_ONLY flag, and we will always try to use
arcfour-hmac-md5.

A future improvement would be to remove the use of the DES encryption
types totally, but this would require that any ACB_USE_DES_KEY_ONLY
flag be removed from existing joins.

Andrew Bartlett

Signed-off-by: Simo Sorce <idra@samba.org>
2010-08-13 09:08:27 -04:00
Andrew Bartlett
75adca63f2 libcli/auth Make the source3/ implementation of the NTLMSSP server common
This means that the core logic (but not the initialisation) of the
NTLMSSP server is in common, but uses different authentication backends.

Andrew Bartlett

Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-10 16:22:04 +02:00
Andrew Bartlett
979b672dcb s3:ntlmssp Split the NTLMSSP server into before and after authentication
This allows for a future where the auth subsystem is async, and the
session key generation needs to happen in a callback.

This code is originally reworked into this style by metze for the
source4/ implementation.

The other change here is to introduce an 'out_mem_ctx', which makes
the API match that used in source4.

Andrew Bartlett

Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-10 16:17:10 +02:00
Andrew Bartlett
4969b3de63 s3:ntlmssp Always call ntlmssp_sign_init()
There is no code path that sets nt_status before this point, without
a return.

Andrew Bartlett

Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-10 12:13:00 +02:00
Andrew Bartlett
617ec0733d s3:ntlmssp Don't use talloc_tos() for NTLMSSP blobs for now
This code will, I hope, soon be merged in common, and the Samba4
use case does not currently support talloc_tos() properly.  Use another
context for now.

Andrew Bartlett

Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-10 12:13:00 +02:00
Andrew Bartlett
d112557a05 s3:ntlmssp Don't permit LM_KEY in combination with NTLMv2
This is another 'belts and braces' check to avoid the use of the
weak 'LM_KEY' encryption when the client has chosen NTLMv2.

Andrew Bartlett

Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-10 12:13:00 +02:00
Andrew Bartlett
f6cc686036 s3:ntlmssp Don't reply with the LM_KEY negotiation flag when not available
This ensures the client isn't confused and we don't enter this
weaker authentication scheme when we don't really, really need to.

Andrew Bartlett

Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-10 12:13:00 +02:00
Andrew Bartlett
3c0a17a127 s3:ntlmssp Don't use the lm key if the user didn't supply one.
This may help to avoid a number of possible MITM attacks where LM_KEY is
spoofed into the session.  If the login wasn't with lanman
(and so the user chose to disclose their lanman response),
don't disclose back anything based on their lanman password.

Andrew Bartlett

Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-10 12:13:00 +02:00
Andrew Bartlett
f744e42bd0 s3:ntlmssp Add extra DEBUG() message for auth system failures
Andrew Bartlett

Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-10 12:13:00 +02:00
Andrew Bartlett
e0c94d14b3 s3:ntlmssp Redirect lp_lanman_auth() via 'allow_lm_key'
This will allow this to be handled via common code in the future

Andrew Bartlett

Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-10 12:13:00 +02:00
Andrew Bartlett
1e83b36afb libcli/auth Move some source3/ NTLMSSP functions to the common code.
libcli/auth Use true and false rather than True and False in common code

Andrew Bartlett

Signed-off-by: Günther Deschner <gd@samba.org>
2010-08-10 11:56:33 +02:00
Günther Deschner
164ee0fe56 s3-libsmb: include nbt.h in namequery_dc code.
Guenther
2010-08-06 15:43:37 +02:00
Günther Deschner
257a1f1097 s3-krb5: include krb5pac.h where needed.
Guenther
2010-08-06 15:43:37 +02:00
Günther Deschner
2523aec6d1 s3-rap: include svcctl.h where needed.
Guenther
2010-08-06 15:43:37 +02:00
Günther Deschner
ae36783c7b s3-passdb: include samr.h where needed.
Guenther
2010-08-06 15:43:37 +02:00
Volker Lendecke
ee11bb8748 s3: Remove some direct cli->inbuf references in interpret_long_filename 2010-08-05 14:53:54 +02:00
Volker Lendecke
869a19f06c s3: Remove a pointless wrapper function 2010-08-05 14:53:54 +02:00
Volker Lendecke
61fb8a4fd1 s3: Explicitly pass flags2 to clistr_pull_talloc
Required to eventually make cli_list async
2010-08-05 14:53:54 +02:00
Volker Lendecke
1cbe8b85ae s3: Remove some pointless wrapper functions 2010-08-05 13:57:31 +02:00
Volker Lendecke
6cb5a0d097 s3: Remove some pointless wrapper functions 2010-08-05 13:57:31 +02:00