IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
in both SCHANNEL and NTLMSSP.
(Try not to deal with a general case as individual special cases...)
Andrew Bartlett
(This used to be commit 6ca77bd28f16f9f65ff40bf8996e39356de5b4f8)
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
channel:
- If the domain name passed to create_rpc_bind_req() is empty, use
lp_workgroup()
- Correctly set the auth_padding field when the send_size is a multiple
of 8 bytes
I've tested with nt4sp6 and win2ksp0 and it seems to work, although
there are no password hashes transferred from win2k. The empty
passwords are being protected by the secure channel encryption though.
(This used to be commit a8c11e855611c91e94787387c62ac629232cacfa)
useful in the auth verifier yet. So this patch ignores it.
Really checking this would be a lot more intrusive: in rpc_api_pipe we
would have to distinguish between binds and normal requests, or have
more state in the netsec info of cli_state, which is also somewhat
hackish.
Volker
(This used to be commit 8de04fcf680a9bc5054965577eb500e0541ffe66)
important once we start doing schannel, as there would be a lot more
roundtrips for the second PIPE open and bind. With this patch logging
in to a member server is a matter of two (three if you count the
ack...) packets between us and the DC.
Volker
(This used to be commit 5b3cb7725a974629d0bd8b707bc2940c36b8745e)
tidying up. Samsync still doesn't work due to bad parsing of net_io_sam_alias_info
with a blank description. Still working on this....
Jeremy.
(This used to be commit 942fede9a57a9319cf67388004dd45fa8a045f41)
rpcclient -S pdc -U% -c "samlogon user password"
and it should work with the schannel. Needs testing against platforms
different from NT4SP6.
Volker
(This used to be commit eaef0d8aeff1aa5a067679be3f17e08d7434e1e8)
dashes of const. This is a rather large check-in, some things may break.
It does compile though :-).
Jeremy.
(This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89)
generates some errors we haven't seen before which are inappropriately
logged at level 0.
(This used to be commit 40d5112048ab0943caef7149b7a0d9dee5256b87)
buffer up to the current position, and use this to dump pipe buffers
just before parsing.
(This used to be commit 92a3ab274e6cf09a8ba39b91f8bbacba6de40b37)
so that we can print it in later debug messages.
Call prs_dump to dump out requests sent by the client at sufficiently
high debug levels.
(This used to be commit 9973b22b34dc2a88a20b821d4e69f39d2a6aa6a3)
for and ignore ERRmoredata errors as the client library doesn't support
32-bit error messages.
Added some annotations for the RPC pipe code to make it a bit clearer
maybe.
(This used to be commit f179e0ff61794073aedcf77544865ad2f18c6e6d)
on different pipes. This seriously confuses NT. Unfortunately HEAD
branch is limited to one rpc pipe per connection as the fnum is stored
inside the cli_state structure. It should really be broken out into
it's own structure so multiple pipes can be opened on one TCP/IP socket.
What a good idea! But look over here! I've already done it in another
workarea but it will require a day or two to refactor some of the internal
samba rpc client stuff (i.e netlogon requests) so it will remain uncommitted
for another while.
(This used to be commit 657804f3be2b621c8ee15bdb905879e208f9ca2f)
We were reading the endainness in the RPC header and then never propagating
it to the internal parse_structs used to parse the data.
Also removed the "align" argument to prs_init as it was *always* set to
4, and if needed can be set differently on a case by case basis.
Now ready for AS/U testing when Herb gets it set up :-).
Jeremy.
(This used to be commit 0cd37c831d79a12a10e479bf4fa89ffe64c1292a)
Removed IS_BITS_xxx macros as they were just reproducing "C" syntax in a more
obscure way.
Jeremy.
(This used to be commit c55bcec817f47d6162466b193d533c877194124a)
in the RPC code. This change was prompted by trying to save a long (>256)
character comment in the printer properties page.
The new system associates a TALLOC_CTX with the pipe struct, and frees
the pool on return of a complete PDU.
A global TALLOC_CTX is used for the odd buffer allocated in the BUFFERxx
code, and is freed in the main loop.
This code works with insure, and seems to be free of memory leaks and
crashes (so far) but there are probably the occasional problem with
code that uses UNISTRxx structs on the stack and expects them to contain
storage without doing a init_unistrXX().
This means that rpcclient will probably be horribly broken.
A TALLOC_CTX also needed associating with the struct cli_state also,
to make the prs_xx code there work.
The main interface change is the addition of a TALLOC_CTX to the
prs_init calls - used for dynamic allocation in the prs_XXX calls.
Now this is in place it should make dynamic allocation of all RPC
memory on unmarshall *much* easier to fix.
Jeremy.
(This used to be commit 0ff2ce543ee54f7364e6d839db6d06e7ef1edcf4)
