mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

99 Commits

Author SHA1 Message Date
Stefan Metzmacher
1a53c1dc92 r13346: use private proto header files for the torture tests
metze
(This used to be commit 67837dbd2b)
2007-10-10 13:51:47 -05:00
Andrew Bartlett
a5a79e8b8c r12865: Upgrade the librpc and libnet code.
In librpc, always try SMB level authentication, even if trying
schannel, but allow fallback to anonymous.  This should better
function with servers that set restrict anonymous.

There are too many parts of Samba that get, parse and modify the
binding parameters.  Avoid the extra work, and add a binding element
to the struct dcerpc_pipe

The libnet vampire code has been refactored, to reduce extra layers
and to better conform with the standard argument pattern.  Also, take
advantage of the new libnet_Lookup code, so we don't require the silly
'password server' smb.conf parameter.

To better support forcing traffic to be sealed for the vampire
operation, the dcerpc_bind_auth() function now takes an auth level
parameter.

Andrew Bartlett
(This used to be commit d65b354959)
2007-10-10 13:50:55 -05:00
Jelmer Vernooij
acd6a086b3 r12510: Change the DCE/RPC interfaces to take a pointer to a
dcerpc_interface_table struct rather than a tuple of interface
name, UUID and version.

This removes the requirement for having a global list of DCE/RPC interfaces,
except for these parts of the code that use that list explicitly
(ndrdump and the scanner torture test).

This should also allow us to remove the hack that put the authservice parameter
in the dcerpc_binding struct as it can now be read directly from
dcerpc_interface_table.

I will now modify some of these functions to take a dcerpc_syntax_id
structure rather than a full dcerpc_interface_table.
(This used to be commit 8aae0f168e)
2007-10-10 13:47:48 -05:00
Andrew Tridgell
f3dc80e2ef r11843: fixed a valgrind error in the RPC-SAMLOGON test
(This used to be commit 61cabcd7f9)
2007-10-10 13:46:37 -05:00
Stefan Metzmacher
045e8ca574 r11479: fix compiler warning
metze
(This used to be commit 5f45d07020)
2007-10-10 13:45:42 -05:00
Andrew Bartlett
a489c19c45 r11453: Fix warning, for a case that just can't happen.
Andrew Bartlett
(This used to be commit c0ba414a38)
2007-10-10 13:45:38 -05:00
Andrew Bartlett
546f63df5b r11370: Samba4 now passes its own RPC-SAMLOGON test again.
This avoids the nasty user@DOMAIN test for now, as it has very odd
semantics with NTLMv2.

Allow only user accounts to do an interactive login.

Andrew Bartlett
(This used to be commit 690cad8083)
2007-10-10 13:45:27 -05:00
Andrew Bartlett
18e9c49922 r11360: Pass down a flag indicating that this is an 'old password', and to
expect funny business.

Andrew Bartlett
(This used to be commit b2810bd702)
2007-10-10 13:45:24 -05:00
Andrew Bartlett
09bfb8ffb0 r11355: Test for error returns when we don't specify the newly discovered
'workstation for account on NTLM' flag.

Andrew Bartlett
(This used to be commit aa5b6cf7c4)
2007-10-10 13:45:23 -05:00
Andrew Bartlett
56576de528 r11352: Add newly discovered (via the radiator lists) flags for controlling
plaintext and machine account logins.

Update tests to confirm this behaviour.

Andrew Bartlett
(This used to be commit a0ed41d379)
2007-10-10 13:45:22 -05:00
Andrew Bartlett
43adda56b6 r10847: Fix up new 'decrypt samlogon reply' routine to be more robust, and use
it in the RPC-SAMLOGON test.

Andrew Bartlett
(This used to be commit 675b7df2ee)
2007-10-10 13:39:35 -05:00
Andrew Bartlett
d76f425b30 r10805: Move RPC-SAMLOGON to C99 initialisation
Andrew Bartlett
(This used to be commit 0f994275ce)
2007-10-10 13:39:31 -05:00
Andrew Bartlett
c8bec9dd3a r10703: Add a new user account, change the password and test it in the SAMLOGON test.
The semantics for the user account are very odd, the old password is
still valid, but the session keys appear to be blanked out.

Andrew Bartlett
(This used to be commit bbfaf4821d)
2007-10-10 13:39:21 -05:00
Andrew Bartlett
099c3d5327 r10697: Change the torture join code to return a credentials structure, as
that is what most of the callers want anyway.

Remove and re-add the account for the torture case, rather than just
modify it.

Test with a user account (needs work to change the password).

Andrew Bartlett
(This used to be commit 38bebef024)
2007-10-10 13:39:20 -05:00
Jelmer Vernooij
42b81d7c3e r10528: Add credentials.h back into includes.h as some compilers don't
seem to be able to handle incomplete enum types.
(This used to be commit 540155fad3)
2007-10-10 13:39:02 -05:00
Jelmer Vernooij
f801ad3592 r10510: Decrease the amount of data included by includes.h a bit
(This used to be commit 03647e1321)
2007-10-10 13:38:58 -05:00
Andrew Bartlett
7cf1f5768c r10440: Start passing against Win2k3 SP1 again, with the NTLMv2 changes
described on the list.  I probably need to write more specific NTLMv2
success and failure mode tests.

Andrew Bartlett
(This used to be commit c4d608734a)
2007-10-10 13:38:46 -05:00
Andrew Bartlett
51cbc188df r10402: Make the RPC-SAMLOGON test pass against Win2k3 SP0 again.
I still have issues with Win2k3 SP1, and Samba4 doesn't pass its own
test for the moment, but I'm working on these issues :-)

This required a change to the credentials API, so that the special
case for NTLM logins using a principal was indeed handled as a
special, not general case.

Also don't set the realm from a ccache, as then it overrides --option=realm=.

Andrew Bartlett
(This used to be commit 194e8f07c0)
2007-10-10 13:38:39 -05:00
Andrew Bartlett
24186a80eb r9728: A *major* update to the credentials system, to incorporate the
Kerberos CCACHE into the system.

This again allows the use of the system ccache when no username is
specified, and brings more code in common between gensec_krb5 and
gensec_gssapi.

It also has a side-effect that may (or may not) be expected: If there
is a ccache, even if it is not used (perhaps the remote server didn't
want kerberos), it will change the default username.

Andrew Bartlett
(This used to be commit 6202267f6e)
2007-10-10 13:34:54 -05:00
Andrew Bartlett
c46b658eec r9166: This checks more of auth subsystem in the PAC test.
Andrew Bartlett
(This used to be commit 1fa87223eb)
2007-10-10 13:31:26 -05:00
Andrew Bartlett
c24a7249f0 r8854: #if 0 out the right things this time. (Sorry about the build breakage)
Use "" for the no domain case.

Andrew Bartlett
(This used to be commit 4989ffe870)
2007-10-10 13:30:11 -05:00
Andrew Tridgell
a9dd19542e r8852: fixed the build
andrew, please check
(This used to be commit 0dda73add3)
2007-10-10 13:30:11 -05:00
Andrew Bartlett
9cae22604b r8846: Test yet more NTLMv2 combinations.
I can't get a few of the session key values right (and these tests are
#if 0'ed out), but this expands the testing.

Andrew Bartlett
(This used to be commit e947c8a8f2)
2007-10-10 13:30:11 -05:00
Andrew Bartlett
aa233ffd1f r8824: Fix indentation, and don't send 'invalid' LM password.
Andrew Bartlett
(This used to be commit a1c1aecc7e)
2007-10-10 13:30:09 -05:00
Andrew Bartlett
e578c33c2c r7757: Add NTLMv2 support to the NT1 Session setup (ie, not SPNEGO/NTLMSSP)
Session Setup code.

Add a mem_ctx argument to a few of the NTLMv2 support functions, and
add smb.conf options to control client NTLMv2 behaviour.

Andrew Bartlett
(This used to be commit 3f35cdb218)
2007-10-10 13:18:32 -05:00
Andrew Tridgell
af237084ec r7633: this patch started as an attempt to make the dcerpc code use a given
event_context for the socket_connect() call, so that when things that
use dcerpc are running alongside anything else it doesn't block the
whole process during a connect.

Then of course I needed to change any code that created a dcerpc
connection (such as the auth code) to also take an event context, and
anything that called that and so on .... thus the size of the patch.

There were 3 places where I punted:

  - abartlet wanted me to add a gensec_set_event_context() call
    instead of adding it to the gensec init calls. Andrew, my
    apologies for not doing this. I didn't do it as adding a new
    parameter allowed me to catch all the callers with the
    compiler. Now that it's done, we could go back and use
    gensec_set_event_context()

  - the ejs code calls auth initialisation, which means it should pass
    in the event context from the web server. I punted on that. Needs fixing.

  - I used a NULL event context in dcom_get_pipe(). This is equivalent
    to what we did already, but should be fixed to use a caller's event
    context. Jelmer, can you think of a clean way to do that?

I also cleaned up a couple of things:

 - libnet_context_destroy() makes no sense. I removed it.

 - removed some unused vars in various places
(This used to be commit 3a3025485b)
2007-10-10 13:18:15 -05:00
Andrew Bartlett
04b350acf8 r7521: Remove useless loops from SAMLOGON test, which speeds it up a lot.
Andrew Bartlett
(This used to be commit d74b7c20b6)
2007-10-10 13:18:05 -05:00
Andrew Bartlett
ae0cf9c240 r6793: Move auth_sam to use the dnsDomain rather than the
soon-to-be-deprecated 'realm'.

Add torture test for this behaviour.

Andrew Bartlett
(This used to be commit 6b9020661a)
2007-10-10 13:16:44 -05:00
Andrew Bartlett
85e9412c47 r6565: Cludge, cludge, cludge...
We need to pass the 'secure channel type' to the NETLOGON layer, which
must match the account type.

(Yes, jelmer objects to this inclusion of the kitchen sink ;-)

Andrew Bartlett
(This used to be commit 8ee208a926)
2007-10-10 13:16:26 -05:00
Andrew Bartlett
645711c602 r5941: Commit this patch much earlier than I would normally prefer, but metze needs a working tree...
The main volume of this patch was what I started working on today:
 - Cleans up memory handling around DCE/RPC pipes, to have a parent talloc context.
 - Uses separate inner loops for some of the DCE/RPC tests

The other and more important part of this patch fixes issues
surrounding the new credentials framework:

This makes the struct cli_credentials always a talloc() structure,
rather than on the stack.  Parts of the cli_credentials code already
assumed this.

There were other issues, particularly in the DCERPC over SMB handling,
as well as little things that had to be tidied up before test_w2k3.sh
would start to pass.

Andrew Bartlett
(This used to be commit 0453f9d05d)
2007-10-10 13:11:11 -05:00
Jelmer Vernooij
05bc2d7b2c r5928: Use cli_credentials in:
- gtk+ (returned by GtkHostBindingDialog as well now)
 - torture/
 - librpc/
 - lib/com/dcom/
(This used to be commit ccefd78233)
2007-10-10 13:11:08 -05:00
Andrew Bartlett
df64302213 r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.

With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind.  This changes a lot of files, and these will again
be changed when jelmer does the credentials work.

I also correct some schannel IDL to distinguish between workstation
names and account names.  The distinction matters for domain trust
accounts.

Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.

In the schannel DB, we now store both the domain and computername, and
query on both.  This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.

In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.

This was achieved by breaking apart some of the
dcerpc_secondary_connection() logic.

The addition of workstation handling was also propagated to NTLMSSP
and GENSEC, for completeness.

The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests.  This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.

In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the associated pointer from
the IDL.  This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc2)
2007-10-10 13:11:07 -05:00
Andrew Bartlett
42031bc4be r5668: Add tests to RPC-SAMLOGON to test for user@REALM style logins. These
need a NULL domain (or a "" domain, except this breaks NTLMv2, and I
need to look into it a bit more).

Add support to the Samba4 server for these logins.  This will need
extension when we handle trusted domains as a DC, as it is a principal
name, not just another format for the username.

Andrew Bartlett
(This used to be commit de02c7c222)
2007-10-10 13:10:58 -05:00
Andrew Tridgell
e82aad1ce3 r5298: - got rid of pstring.h from includes.h. This at least makes it a bit
less likely that anyone will use pstring for new code

 - got rid of winbind_client.h from includes.h. This one triggered a
   huge change, as winbind_client.h was including system/filesys.h and
   defining the old uint32 and uint16 types, as well as its own
   pstring and fstring.
(This used to be commit 9db6c79e90)
2007-10-10 13:09:38 -05:00
Andrew Tridgell
759da3b915 r5037: got rid of all of the TALLOC_DEPRECATED stuff. My apologies for the
large commit. I thought this was worthwhile to get done for
consistency.
(This used to be commit ec32b22ed5)
2007-10-10 13:09:15 -05:00
Andrew Bartlett
1a71331ebc r4675: Prevent global warming, and save tridge's sanity by short-cutting the
testsuite for all the different flag types.  (We really only need to
know if we are getting the session key crypto stuff right, and one
call can tell us that).

Andrew Bartlett
(This used to be commit 8807498f6d)
2007-10-10 13:08:41 -05:00
Andrew Tridgell
6836f5d0b1 r4616: the first phase in the addition of proper support for
dcerpc_alter_context and multiple context_ids in the dcerpc client
library.

This stage does the following:

 - split "struct dcerpc_pipe" into two parts, the main part being "struct dcerpc_connection", which
   contains all the parts not dependent on the context, and "struct dcerpc_pipe" which has
   the context dependent part. This is similar to the layering in libcli_*() for SMB

 - disable the current dcerpc_alter code. I've used a #warning until I
   get the 2nd phase finished. I don't know how portable #warning is, but
   it won't be long before I add full alter context support anyway, so it won't last long

 - cleanup the allocation of dcerpc_pipe structures. The previous code
   was quite awkward.
(This used to be commit 4004c69937)
2007-10-10 13:08:34 -05:00
Andrew Bartlett
c32f3129bc r4614: Fix RPC-SAMLOGON, to use the workstation context (forgot to globally replace).
Andrew Bartlett
(This used to be commit ddb54d4ea1)
2007-10-10 13:08:33 -05:00
Andrew Bartlett
cb032eebd6 r4610: You can't join as a BDC and test against trusted domains. This test
only needs WS privileges anyway.

Andrew Bartlett
(This used to be commit a093c4f98e)
2007-10-10 13:08:33 -05:00
Andrew Bartlett
56df264cf8 r4566: Fix Samba4 to pass its own RPC-SAMLOGON torture test.
Include RPC-SAMLOGON in the list of tests expected to pass

Remove silly extra loops from the RPC-SAMLOGON test, which mostly just
slowed things down.

Andrew Bartlett
(This used to be commit 518ca9fb69)
2007-10-10 13:08:28 -05:00
Andrew Bartlett
967b77a827 r4510: Some more tests for RPC-NETLOGON, checking the idea that we could
combine the NTLM and LMv2 responses, for maximum compatibility from a
client perspective, allowing access to servers that require NTLMv2, as
well as those that don't support it.

Currently, this is unfortunately not possible against Win2k3 (and Samba
is being coded to match that behaviour at this point).

Andrew Bartlett
(This used to be commit 93b46ebe0f)
2007-10-10 13:08:17 -05:00
Andrew Bartlett
8eb981c90a r4499: Almost make our Samba4 server pass the RPC-SAMLOGON torture test.
I just need to fix a couple of NTLMv2 issues before we can fully pass,
and put this in test_rpc.sh, as a 'should pass' test.

Andrew Bartlett
(This used to be commit 4b52409e38)
2007-10-10 13:08:15 -05:00
Andrew Tridgell
4183b2ac38 r4037: fixed a bunch of "might be uninitialised" warnings after enabling -O1 in my compile
(This used to be commit 0928b1f5b6)
2007-10-10 13:06:16 -05:00
Stefan Metzmacher
13abb52758 r3959: fix compiler warnings
metze
(This used to be commit e28351f710)
2007-10-10 13:06:08 -05:00
Andrew Bartlett
21ebf8b942 r3922: Add yet another NETLOGON RPC. This is another variant of SamLogon,
that works only on SCHANNEL secured connections (as it needs the
implicit credentials).

Fix some of the IDL.

Andrew Bartlett
(This used to be commit 90cd7b34cc)
2007-10-10 13:06:06 -05:00
Andrew Bartlett
be7a3e3ce0 r3904: * Add new LSA calls to open trusted domains
* Add new tests for ACCOUNTs in SamSync

* Clean up names in NETLOGON and LSA

* Verify Security Descriptors against LSA, as well as SamR

Andrew Bartlett
(This used to be commit 7094502fe0)
2007-10-10 13:06:03 -05:00
Andrew Bartlett
32e368502d r3680: Move the multiple runs of this test into a loop. Also check that no
flags individually have an impact (above what we already expect).

Andrew Bartlett
(This used to be commit 68dd173dc0)
2007-10-10 13:05:43 -05:00
Andrew Bartlett
189783e5b9 r3679: We now know a few more of the Netlogon negotiate flags.
Interestingly, all the interesting flags are a '4' (as hex digits in
the flag).

Andrew Bartlett
(This used to be commit 295e09fa3e)
2007-10-10 13:05:43 -05:00
Andrew Bartlett
a8db4dcf03 r3677: Separate the SamLogon tests from the main RPC-NETLOGON test into a
RPC-SAMLOGON of their own.

I have expanded the tests to validate the use of various flags, which
change some of the crypto behaviour.

Andrew Bartlett
(This used to be commit 3a140a3691)
2007-10-10 13:05:43 -05:00