1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

243 Commits

Author SHA1 Message Date
John Terpstra
0e7be48597 Following discussions with Cristian Gafton (Red Hat) we have decided to make
PAM silent about it's actions. This reduced error logging for EVERY password
validation request. Refer to password.c PAM section for further info.
Fiels Affected: password.c
(This used to be commit 7a1a8042dd)
1998-01-10 11:42:29 +00:00
Andrew Tridgell
69460b470f allow users to disable the NetWkstaUserLogon call in server level
security by changing a setting in local.h or adding it to their
Makefile. See comment in local.h
(This used to be commit cc10fdf758)
1997-12-03 03:43:05 +00:00
Andrew Tridgell
7097597fd6 HPUX trusted systems need to use bigcrypt() not crypt()
(This used to be commit 979eaf9e9c)
1997-12-02 23:27:40 +00:00
Jeremy Allison
77aec4ae63 Rolled back tree state to 11:59pm 8th November 1997 EST to
remove problems.
Jeremy
(This used to be commit 4a36ac236c)
1997-11-10 19:23:17 +00:00
Luke Leighton
e357d91068 attempting to mark up 32 bit error codes, needed for NT domains.
separated out smb server-mode password validation into a separate file.
added called and calling netbios names to client gen state: referenced
section in rfc1002.txt.
created workstation trust account checking code in ntclient.c

there might be a bug in reply_session_setup_andX.  i indented and added { }
around single-line if statements: the lm password checking code now doesn't
look right (around the GUEST_SESSSETUP bits).  *no code semantics have been
changed by the indentation process*.
(This used to be commit f27966957f)
1997-11-09 17:30:10 +00:00
Luke Leighton
bd529d7a83 following a cvs error, i am rewriting this monster-commit. with bad grace.
Modified Files:
---------------

Makefile:

	adding extra files

ipc.c :

	send_trans_reply() - alignment issue.  this makes the alignment
	the same as that in NT.  this should be looked at by people who
	understand the SMB stuff better than i.

	api_fd_commands[] - added samr and wkssvc pipes.

loadparm.c :

	lp_domain_controller() changed to mean "samba is a domain controller".
	it's a "yes/no" parameter, now.  no, it isn't used _anywhere_.

namedbwork.c nameelect.c :

	if "domain controller = yes" then add SV_TYPE_DOMAIN_CTRL to the
	host _and_ workgroup announcements.  yes, you must do both: nt does.

namelogon.c :

	important NETLOGON bug in SAMLOGON request parsing, which may be
	the source of some people's problems with logging on to the Samba PDC.

password.c :

	get_smbpwnam() renamed to get_smbpwd_entry().

pipes.c :

	added samr and wkssvc pipes.

proto.h :

	usual.  can we actually _remove_ proto.h from the cvs tree, and
	have it as one of the Makefile dependencies, or something?

reply.c :

	get_smbpwnam() renamed to get_smbpwd_entry() - also changed response
	error code when logging in from a WORKSTATION$ account.  yes, paul
	is right: we need to know when to return the right error code, and why.

server.c :

	added call to reset_chain_pnum().

	#ifdef NTDOMAIN added call to init_lsa_policy_hnd() #endif.  jeremy,
	you'd be proud: i did a compile without NTDOMAIN, and caught a link
	error for this function.

smb.h :

	defines and structures for samr and wkssvc pipes.

smbpass.c :

	modified get_smbpwnam() to get_smbpwd_entry() and it now takes
	two arguments.  one for the name; if this is null, it looks up
	by smb_userid instead.

	oh, by the way, smb_userids are actually domain relative ids
	(RIDs).  concatenate a RID with the domain SID, and you have
	an internet globally unique way of identifying a user.

	we're using RIDs in the wrong way....

	added mod_smbpwnam() function.  this was based on code in smbpasswd.c

rpc_pipes/lsaparse.c :

	added enum trusted domain parsing.  this is incomplete: i need
	a packet trace to write it properly.

rpc_pipes/pipe_hnd.c :

	added reset_chain_pnum() function.

rpc_pipes/pipenetlog.c :

	get_smbpwnam() function renamed to get_smbpwd_entry().

	arcfour() issues.

	removed capability of get_md4pw() function to automatically add
	workstation accounts.  this should either be done using
	smbpasswd -add MACHINE$, or by using \PIPE\samr.

rpc_pipes/pipe_util.c :

	create_pol_hnd() - creates a unique LSA Policy Handle.  overkill
	function: uses a 64 bit sequence number; current unix time and
	the smbd pid.

rpc_pipes/smbparse.c :

	arcfour() issues.

	smb_io_unistr2() should advance by uni_str_len not uni_max_len.

	smb_io_smb_hdr_rb() - request bind uses uint16 for the context
	id, and uint8 for the num_syntaxes.  oops, i put these both as
	uint32s.


Added Files:
------------

rpc_pipes/lsa_hnd.c :

	on the samr pipe, allocate and associate an LSA Policy Handle
	with a SID.  you receive queries with the LSA Policy Handle,
	and have to turn this back into a SID in order to answer the
	query...

rpc_pipes/pipesamr.c rpc_pipes/samrparse.c

	\PIPE\samr processing.  samr i presume is the SAM Replication pipe.

rpc_pipes/pipewkssvc.c rpc_pipes/wksparse.c

	\PIPE\wkssvc processing.  the Workstation Service pipe?


holy cow.
(This used to be commit 1bd084b3e6)
1997-11-06 23:03:58 +00:00
Andrew Tridgell
224c40a523 a simple SMB torture tester. This will allow us to evaluate locking
techniques more accurately.
(This used to be commit 054e3b2ae3)
1997-11-01 13:22:16 +00:00
Andrew Tridgell
0891bb6a91 rewrote the password server code using the new clientgen.c client
interface

The new code uses a source netbios name equal to the Samba servers
name, not the client name. It also uses NetWkstaUserLogon to do a full
network logon. This means it will honour the servers logon
restrictions (such as login times etc).
(This used to be commit 11de90f972)
1997-10-21 09:34:33 +00:00
Luke Leighton
423a7c4171 util.c password.c :
added automount_server() function which, if -DAUTOMOUNT is in use,
	returns the server name of the NIS auto.map entry.  otherwise,
	it returns local_server.

	added use of automount_server() for a new substitution %N for NIS
	home server.  this defaults, via automount_server(), to the same
	functionality as %L if -DAUTOMOUNT is not used.

	removed vuser->home_share.  moved code that grabbed the servername
	into the separate function automount_server().

loadparm.c :

	created "logon drive" (default of "")
	created "logon home"  (default of "\\%N\%U")
	changed default of "logon path" from NULL to "\\%N\%U\profile".

ipc.c pipenetlog.c :

	use lp_logon_drive(), lp_logon_home() and lp_logon_path() in their
	now easier-to-use form (don't have to check if *lp_logon_path() and
	manually substitute a default of \\%L\%U and do a standard_sub_basic()
	on the result, because the default automatically does this.
(This used to be commit c6c28a4c3c)
1997-10-20 12:10:58 +00:00
Andrew Tridgell
f4b4b3e6e3 casting cleanups
(This used to be commit ab849a9782)
1997-10-20 02:50:12 +00:00
John Terpstra
b676826bec Added Michael Johnsons' PAM modifications <johnsonm@redhat.com>
This patch has been checked over. JHT
(This used to be commit c84a043f89)
1997-10-16 05:33:24 +00:00
Andrew Tridgell
91e56c7b7b force the salt to be a maximum of 2 characters long in calls
to crypt()

This might solve some password problems, particulary on HPUX
(This used to be commit 45f4ae4327)
1997-10-15 04:04:38 +00:00
Luke Leighton
c5e739febe Makefile:
added credentials.c to smbd

credentials.c:

	using credential structures instead of char*

password.c uid.c server.c:

	added sid and attr to user_struct.

smbdes.c:

	smbhash and str_to_key make public instead of private.

pipes.c smb.h:

	lsa structures, sub-functions.

proto.h:

	usual.
(This used to be commit 87a0a94485)
1997-10-10 14:48:05 +00:00
Jeremy Allison
a0cd12e221 dir.c: more pstrcpys.
local.h: Add OPLOCK_BREAK_TIMEOUT.
password.c: Fix for paranoia password server security bug.
proto.h: Updated.
reply.c: Oplock changes.
server.c: Massive oplock changes - nearly there....
smb.h: oplock definitions.
util.c: Add local message processing queues for oplocks.
Jeremy (jallison@whistle.com)
(This used to be commit 92f1553db2)
1997-09-30 02:38:19 +00:00
Andrew Tridgell
cda707f917 add a cast
(This used to be commit e712c6ed61)
1997-09-16 08:26:33 +00:00
Andrew Tridgell
57c2578cb2 - change generate_challenge() to use md4 instead of des
- move routines about a bit between smbencrypt.c and smbdes.c. Ensure
that there is no entry point for normal DES operation

- add the following comment:

   This code is NOT a complete DES implementation. It implements only
   the minimum necessary for SMB authentication, as used by all SMB
   products (including every copy of Microsoft Windows95 ever sold)

   In particular, it can only do a unchained forward DES pass. This
   means it is not possible to use this code for encryption/decryption
   of data, instead it is only useful as a "hash" algorithm.

   There is no entry point into this code that allows normal DES operation.

   I believe this means that this code does not come under ITAR
   regulations but this is NOT a legal opinion. If you are concerned
   about the applicability of ITAR regulations to this code then you
   should confirm it for yourself (and maybe let me know if you come
   up with a different answer to the one above)
(This used to be commit 35b92e725f)
1997-09-16 04:41:16 +00:00
Andrew Tridgell
33a003de40 This commit does 3 main things:
1) put the encryption code in by default, with no #ifdef. It is still
disabled by default so you need to add "encrypt passwords = yes" in
smb.conf but at least all binaries will have it.

2) cleanup the kanji code so it compiles with no warnings

3) get rid of lots of uses of ugly non-portable C code. The main
offender being things like "register" but also remove uses of the
"const" keyword as there are compilers out there that don't support it
and even those that do often complain about its usage. Users don't
like warnings :-(

There is still some work to do. We need to replace the md4 code with
our own implementation. The current code (from rfc1186) is PD but is
not very portable. The new RFC (rfc1320) is more portable but adds
copyright restrictions. I'll do a from-scratch MD4 soon.

We also need to test that what I've implemented is portable. It should
be, but I'm too tired right now to test it on anything other than
intel linux.
(This used to be commit db917c62c1)
1997-09-14 16:37:18 +00:00
Jeremy Allison
ab68ac375e Fix from Frank Varnavas <varnavas@ny.ubs.com>.
We cannot use the same name as the client to
the NT password server, as NT will drop client
connections if the same client name connects
twice. Instead, synthesize a name from our pid.
and the remote machine name.
Jeremy (jallison@whistle.com)
(This used to be commit ebf9487a9a)
1997-09-04 21:23:27 +00:00
Samba Release Account
9170cfd4b6 spelling.
lkcl
(This used to be commit 7e326450cf)
1997-08-11 18:06:44 +00:00
Samba Release Account
b5114b41f5 Makefile: Added IRIX 6 target.
loadparm.c: Fixed stupid static warnings with set_default_server_announce_type.
password.c:	Fixed char -> uchar cast warnings.
nameservreply.c: Fixed group fade out code.
Jeremy (jallison@whistle.com)
(This used to be commit a2dd5c5a55)
1997-08-05 01:31:55 +00:00
Samba Release Account
7314126d9e client.c: Added amanda fixes.
clitar.c:	Added amanda fixes.
nameannounce.c:	Removed redundent code.
nameelect.c:	Removed redundent code.
nameserv.h:		Removed redundent code.
nameservresp.c:	Removed redundent code.
namework.c:		Removed redundent code.
password.c:		Prevented crash if getpwnam fails.
Jeremy (jallison@whistle.com)
(This used to be commit 760fe30353)
1997-07-28 18:59:57 +00:00
Samba Release Account
a3de6a813e charset.c: Fixed signed/unsigned issues.
password.c:	Fixed problem with MS-Exchange services.
Jeremy (jallison@whistle.com)
(This used to be commit e723dd3dee)
1997-07-22 19:04:40 +00:00
Samba Release Account
8b904f4ecc Makefile: Added krb5 option from Nathan Neulinger <nneul@umr.edu>
includes.h:	Added krb5 option from Nathan Neulinger  <nneul@umr.edu>, added SGI5 fix.
password.c: Added krb5 option from Nathan Neulinger  <nneul@umr.edu>
quotas.c: Added inode quote fix.
reply.c: removed redundent code.
server.c: Changed error debug to 0, removed redundent check.
util.c: Added close_low_fd() to become_daemon - fix for rsh from Johnathan Knight.
Jeremy (jallison@whistle.com)
(This used to be commit 256afb7648)
1997-07-17 20:11:58 +00:00
Samba Release Account
fc3901122d Fixes for UnixWare 2.x with shadow passwords from
Warren Young <tkennedy@cyberport.com>.
(This used to be commit 885b42b447)
1997-07-03 17:19:46 +00:00
Samba Release Account
16c87e9198 Fixed *really* stupid bug in register_vuid - only a problem
on multi-user NT systems.
Jeremy (jallison@whistle.com)
(This used to be commit 6ca5c8ca32)
1997-06-18 01:04:57 +00:00
Samba Release Account
0f1f0ceb95 'The mother of all checkins' :-). Jeremy Allison (jallison@whistle.com)
Wed May  7 1997: Update for 1.9.17alpha1 release - 'browsefix release'
designed to make browsing across subnets work.

byteorder.h:	Updated copyright to 1997.
charcnv.c:      Updated copyright to 1997.
charset.c 	Updated copyright to 1997.
charset.h	Updated copyright to 1997.
client.c	Updated copyright to 1997.
clientutil.c	Updated copyright to 1997.
dir.c		Updated copyright to 1997.
fault.c		Updated copyright to 1997.
includes.h	Updated copyright to 1997.
interface.c	Updated copyright to 1997.
ipc.c		Updated copyright to 1997.
kanji.c		Updated copyright to 1997.
kanji.h		Updated copyright to 1997.
loadparm.c	Updated copyright to 1997.
locking.c	Updated copyright to 1997.
mangle.c	Updated copyright to 1997.
message.c	Updated copyright to 1997.
nameannounce.c

	Made use of WINS subnet explicit.
Added reset_announce_timer() so announcement
can be made immediately when we become a master.
Expanded code to do sync with dmb.

namebrowse.c

	Removed redundent checks for AM_MASTER in
sync code. Made use of WINS subnet explicit.

namedbname.c	Made use of WINS subnet explicit.
namedbresp.c	Made use of WINS subnet explicit.
namedbserver.c	Made use of WINS subnet explicit.

namedbsubnet.c

	Explicitly add workgroup to WINS subnet
when we become a dmb. Made use of WINS subnet explicit.

namedbwork.c

	Made use of WINS subnet explicit. Removed
redundent check_work_servertype() function.

nameelect.c

	Explicitly add workgroup to WINS subnet
when we become a master browser. Made use of WINS subnet explicit.

namelogon.c	Updated copyright to 1997.
namepacket.c	Updated copyright to 1997.
namequery.c	Updated copyright to 1997.

nameresp.c

	Made use of WINS subnet explicit. Made nmbd fail if
configured as master browser and one exists already.

nameserv.c

	Made use of WINS subnet explicit. Remove redundent
logon server and domain master code.

nameserv.h	Add emumerate subnet macros.
nameservreply.c	Made use of WINS subnet explicit.
nameservresp.c	Updated copyright to 1997.

namework.c

	Made use of WINS subnet explicit. Updated code to
add sync browser entries to add subnet parameter.

nmbd.c

	Added sanity check for misconfigured nmbd.

nmblib.c	Updated copyright to 1997.
nmblookup.c	Updated copyright to 1997.
nmbsync.c

	Removed redundent AM_ANY_MASTER check.

params.c	Updated copyright to 1997.
password.c	Updated copyright to 1997.
pipes.c		Updated copyright to 1997.
predict.c	Updated copyright to 1997.
printing.c	Updated copyright to 1997.

proto.h

	Changed protos for new nmbd code.

quotas.c	Updated copyright to 1997.
replace.c	Updated copyright to 1997.
reply.c		Updated copyright to 1997.
server.c	Updated copyright to 1997.
shmem.c		Updated copyright to 1997.
smb.h		Updated copyright to 1997.
smbencrypt.c	Updated copyright to 1997.
smbpasswd.c	Updated copyright to 1997.
smbrun.c	Updated copyright to 1997.
status.c	Updated copyright to 1997.
system.c	Updated copyright to 1997.
testparm.c	Updated copyright to 1997.
testprns.c	Updated copyright to 1997.
time.c		Updated copyright to 1997.
trans2.c	Updated copyright to 1997.
trans2.h	Updated copyright to 1997.
uid.c		Updated copyright to 1997.
username.c	Updated copyright to 1997.
util.c		Updated copyright to 1997.
version.h

	Changed to 1.9.17alpha1.
(This used to be commit cf23a155a1)
1997-05-08 01:14:17 +00:00
Samba Release Account
121c81e3d6 added automount home directory support. contributed by simeon@bangor.co.uk
and a mini bug-fix by rob.nacarrato@sheridanc.on.ca

reads in an entry from the auto.home file for the user when they log in,
and mounts their home directory as the default path for the [homes] service.

i might add this as to the %substitution system, so that you can
specify subdirectories for the user profiles, mainly.

lkcl
(This used to be commit 0bb6acc358)
1997-05-07 17:56:46 +00:00
Samba Release Account
cc55a88ddc JHT ===> Fixed potential PAM Security hole and second chance syndrome
spurious warning message "Warning - no crypt available"
(This used to be commit dc559428b8)
1997-02-04 10:35:38 +00:00
Samba Release Account
d613892674 JHT ==> Added extensions for PAM (Pluggable Authentication Module) support
for Linux and other little beasties that use PAM.
	Source: ftp.redhat.com/pub/Incoming/samba-1.9.16p9.src.rpm
	Originally from RedHat modifications to samba-1.9.15p8
(This used to be commit 79145bad56)
1997-01-02 04:04:49 +00:00
Samba Release Account
7da995a1dd Set num_validated_users to zero if Realloc fails.
(This used to be commit 57121e609e)
1996-11-09 01:56:20 +00:00
Samba Release Account
8c5c55fea5 Core of the changes for returning smb_uid's. smb_uid's are now
returned as an index plus offset into the valudated_users table.
The offset (100) is added so that an smb_uid of zero becomes
an invalid value. All access into the validated_users table are
done by removing the offset and indexing into the table. Out of
ranges return NULL. Causes accesses into the validated_users table
to be more consistant and controlled.

This change made due to the fact that the uid field is only 16
bits in the smb header and we need for this not to be a unix
user id (which can ge 32 bits).

jra@cygnus.com
(This used to be commit ac265eff85)
1996-10-25 20:18:28 +00:00
Andrew Tridgell
e5893bdfbe I have fixed quite a few important bugs in this commit.
Luke, can you take special note of the bug fixes to nmbd so you can
propogate them to your new code.

- rewrote the code that used to use fromhost(). We now call
gethostbyaddr() only if necessary and a maximum of once per
connection. Calling gethostbyaddr() causes problems on some systems so
avoiding it if possible is a good thing :-)

- added the "fake oplocks" option. See the docs in smb.conf(5) and
Speed.txt

- fixed a serious bug in nmbd where it would try a DNS lookup on
FIND_SELF queries. This caused a lot of unnecessary (and incorrect)
DNS lookups to happen. FIND_SELF queries should only go to the
internal name tables.

- don't set FIND_SELF for name queries if we are a wins proxy, as we
are supposed to be answering queries for other hosts.

- fixed a bug in nmbd which had "if (search | FIND_LOCAL)" instead of
"if (search & FIND_LOCAL)". Luke, this was in nameservreply.c

- the above 3 bugs together meant that DNS queries were being cached,
but the cache wasn't being used, so every query was going to DNS, no
wonder nmbd has been chewing so much CPU time! Another side effect was
that queries on names in lmhosts weren't being answered for bcast
queries with "wins proxy" set.

- ignore the maxxmit for seconday session setups (see CIFS spec)

- close user opened files in a uLogoffX for user level security (see
CIFS spec)

- added uid into the files struct to support the above change
(This used to be commit ea472b7217)
1996-10-05 10:41:13 +00:00
Andrew Tridgell
11d9539d75 - accept either NT or lanman passwords in tconX
(This used to be commit b6c1c60d72)
1996-10-02 14:06:17 +00:00
Andrew Tridgell
9155889092 - add timeouts to connect() for password server connections. This
makes multiple password servers practical.
(This used to be commit 5c3e8326cc)
1996-08-22 06:32:03 +00:00
Andrew Tridgell
a521fe8a27 a cleanup of the receive_smb() usage, adding timeouts in some places
also added paranoid code in the main process() loop of smbd to detect
when smbd is looping uselessly. This should stop the "smbd is chewing
lots of cpu" reports
(This used to be commit 8e9dce34d5)
1996-06-10 05:16:19 +00:00
Andrew Tridgell
7e3b4a1c0d got rid of a lot of redundent header files as we now globally generate
prototypes automatically using "make proto". This is much less prone
to error than the old method of manually adding prototypes
(This used to be commit b551dc98f7)
1996-06-10 04:38:24 +00:00
Andrew Tridgell
b9ae225b28 - added interface.c and removed all the references to myip, bcast_ip
and Netmask, instead replacing them with calls to routines in
interface.c

- got rid of old MAXINT define

- added code to ensure we only return one entry for each name in the ipc
enum routines

- added new_only option to add_netbios_entry() to prevent overwriting
of important names

- minor time handling fixup
(This used to be commit 7ed71b73ae)
1996-06-06 11:43:09 +00:00
Andrew Tridgell
a2c1623827 a huge pile of changes :-)
The biggest thing is the integration of Lukes new nmbd. Its still
largely untested, so we will really need some feedback

I've also added auto prototype generation and cleaned up a lot of
minor things as a result
(This used to be commit 0d8dcfa13c)
1996-06-04 06:42:03 +00:00
Andrew Tridgell
58734631b4 Lots of changes!
- add faq info on NT printer handling
- add "delete readonly" option to help rcs users
- add stuff to man pages on new printer options
- add "proxy name resolution" option
- add "command string" -c option to smbclient (thanks Ken)
- split time functions into time.c
- rearrange the quotas stuff a bit and fix some bugs
- complete rehash of the time handling code thanks to Paul Eggert
- fix nmblookup output a bit
- add plp print queue parsing from Bertrand Wallrich
(This used to be commit 635b56f19c)
1996-05-31 15:13:29 +00:00
Andrew Tridgell
1956d13494 cleanups to make thinsg compile cleanly
(This used to be commit 39fbeb04ae)
1996-05-29 07:47:47 +00:00
Andrew Tridgell
11f7553c74 turn on KEEP_PASSWORD_SERVER_OPEN by default
(This used to be commit d2676cdd0b)
1996-05-05 11:25:07 +00:00
Andrew Tridgell
03aeb8af5d fix a netgroup bug (innetgr() was being called with the args in the
wrong order!)
(This used to be commit 4419093d33)
1996-05-04 10:45:50 +00:00
Samba Release Account
0e8fd33987 Initial version imported to CVS
(This used to be commit 291551d807)
1996-05-04 07:50:46 +00:00