samba-mirror

mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00

Author	SHA1	Message	Date
Andreas Schneider	1298280a22	auth:creds: Rename CRED_USE_KERBEROS values Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>	2020-11-03 15:25:37 +00:00
Matthew DeVore	c2ac923c6a	s3: safe_string: do not include string_wrappers.h Rather than have safe_string.h #include string_wrappers.h, make users of string_wrappers.h include it explicitly. includes.h now no longer includes string_wrappers.h transitively. Still allow includes.h to #include safe_string.h for now so that as many modules as possible get the safety checks in it. Signed-off-by: Matthew DeVore <matvore@google.com> Reviewed-by: David Mulder <dmulder@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2020-08-28 00:56:34 +00:00
Volker Lendecke	4b95ea37cb	ntlm_auth: Add type-safety instead of a simple cast Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2020-01-09 18:55:36 +00:00
Volker Lendecke	91f069cc16	ntlm_auth: Add a NULL check Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2020-01-09 18:55:36 +00:00
Volker Lendecke	add8fd21c0	ntlm_auth: Replace winbind_pw_check() by _send and _recv This is just fake async, but it avoids one use of a sync function pointer in auth4_context Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2020-01-06 22:09:32 +00:00
Volker Lendecke	066c4eeaa4	ntlm_auth: Replace local_pw_check() by _send and _recv This is just fake async, but it avoids one use of a sync function pointer in auth4_context Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2020-01-06 22:09:32 +00:00
Volker Lendecke	605bb4e907	ntlm_auth: Fix a DEBUG message This is not routine auth_generic_prepare Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org>	2020-01-03 00:04:43 +00:00
Isaac Boukris	dce944e8a1	smbdes: convert E_old_pw_hash to use gnutls Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2019-12-10 00:30:31 +00:00
Volker Lendecke	2651463e19	ntlm_auth: Fix nonempty line endings Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2019-11-06 20:36:35 +00:00
Volker Lendecke	995de9c2d2	ntlm_auth: Simplify session generation We don't need to parse a text sid, we have those as binary available Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2019-11-06 20:36:34 +00:00
Ralph Boehme	9471508391	s3: remove now unneeded call to cmdline_messaging_context() This was only needed as dbwrap_open() had a bug where it asked for the ctdb connection before initializing messaging. The previous commit fixed that so we can now safely remove the calls to cmdline_messaging_context() from all tools that don't use messaging. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13925 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Thu Oct 24 09:33:47 UTC 2019 on sn-devel-184	2019-10-24 09:33:47 +00:00
Swen Schillig	968f720410	s3: free popt context in utils If done with popt context it should be free'd. Signed-off-by: Swen Schillig <swen@linux.ibm.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>	2019-08-22 00:21:50 +00:00
Andreas Schneider	359ae5be0d	s3:utils: Use GnuTLS RC4 in ntlm_auth BUG: https://bugzilla.samba.org/show_bug.cgi?id=14031 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2019-07-26 01:48:24 +00:00
Andreas Schneider	a2bb56542b	s3:utils: Use C99 initializer for poptOption in ntlm_auth Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>	2019-01-28 10:29:14 +01:00
Andreas Schneider	fce92606b3	s3:utils: Use #ifdef instead of #if for config.h definitions Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>	2018-11-28 23:19:24 +01:00
Christof Schmitt	9ed617474f	s3: ntlm_auth: Use cmdline_messaging_context Call cmdline_messaging_context to initialize the messaging context before accessing clustered Samba config. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>	2018-09-07 17:26:16 +02:00
Günther Deschner	947cf38597	CVE-2018-1139 s3-utils: use enum ntlm_auth_level in ntlm_password_check(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 CVE-2018-1139: Weak authentication protocol allowed. Guenther Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>	2018-08-14 13:57:15 +02:00
Mathieu Parent	44ae08858e	Fix spelling s/retrive/retrieve/ Signed-off-by: Mathieu Parent <math.parent@gmail.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>	2018-05-12 02:09:27 +02:00
Volker Lendecke	6120f56801	ntlm_auth: PAM_AUTH_CRAP needs a privileged socket This only works right now because wb_common always tries privileged Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>	2018-04-24 14:32:10 +02:00
Andreas Schneider	5ba0b72fa3	s3:utils: Add FALL_THROUGH statements in ntlm_auth.c Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2018-03-01 04:37:43 +01:00
Douglas Bagnall	a4c853a7de	util/rfc1738_unescape(): return end pointer or NULL on error At present we don't detect errors, but when we do we'll return NULL. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2018-02-22 01:04:18 +01:00
Volker Lendecke	ffbf393fba	ntlm_auth: Use libwbclient in get_winbind_netbios_name() Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2017-11-18 00:09:16 +01:00
Volker Lendecke	403003b528	ntlm_auth: Use libwbclient in get_require_membership_sid() Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2017-11-18 00:09:16 +01:00
Volker Lendecke	25e85a4507	ntlm_auth: Use libwbclient in get_winbind_domain() Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2017-11-18 00:09:16 +01:00
Volker Lendecke	5781cefc42	ntlm_auth: Use libwbclient in winbind_separator() Avoid direct winbindd_request_response() Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2017-11-18 00:09:16 +01:00
Stefan Metzmacher	e999b798c6	s3:ntlm_auth: fix memory leak in manage_gensec_request() BUG: https://bugzilla.samba.org/show_bug.cgi?id=12736 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2017-04-07 16:49:15 +02:00
Andrew Bartlett	a0ab86dedc	auth: Add logging of service authorization In ntlm_auth.c and authdata.c, the session info will be incomplete Signed-off-by: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz> Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>	2017-03-29 02:37:27 +02:00
Andrew Bartlett	2235982092	ntlm_auth: Set ntlm_auth as the service_description into gensec This allows this use case to be clearly found when logged. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz> Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>	2017-03-29 02:37:25 +02:00
Stefan Metzmacher	541d687347	auth: let auth4_context->check_ntlm_password() return pauthoritative BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2017-03-24 11:57:10 +01:00
Stefan Metzmacher	d568ebbcf9	ntlm_auth3: let contact_winbind_auth_crap() return pauthoritative BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2017-03-24 11:57:09 +01:00
Volker Lendecke	9c72823a99	ntlm_auth: Use "all_zero" where appropriate ... Saves a few bytes of footprint Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>	2017-01-03 16:04:28 +01:00
Volker Lendecke	2adcbc94b8	ntlm_auth3: xfile->stdio Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2016-12-11 11:17:23 +01:00
Jeremy Allison	9fbd544b90	s3: ntlm_auth: Don't corrupt the output stream with debug messages. Calling programs expect to cleanly read from STDOUT. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12467 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Uri Simchoni <uri@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>	2016-12-11 11:17:23 +01:00
Volker Lendecke	4f702e4b44	ntlm_auth: Avoid some statics Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2016-11-20 17:29:07 +01:00
Volker Lendecke	df9e7c7ae5	lib: Remove global xfile.h includes This makes it more obvious where this legacy code is used Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Sun Nov 20 06:23:19 CET 2016 on sn-devel-144	2016-11-20 06:23:19 +01:00
Stefan Metzmacher	3c27a10e1c	s3:ntlm_auth: don't use gensec_want_feature(gensec_security, GENSEC_FEATURE_{SIGN,SEAL}) as server They're always supported and using gensec_want_feature() on them would require them in future. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>	2016-10-26 11:20:12 +02:00
Stefan Metzmacher	9c994ba86e	s3:ntlm_auth: call fault_setup() in order to get usefull backtraces Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-07-22 16:03:25 +02:00
Stefan Metzmacher	825cce1f88	s3:ntlm_auth: make ntlm_auth_generate_session_info() more complete The generate_session_info() function maybe called more than once per session. Some may try to look/dereference session_info->security_token, so we provide simplified token. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11914 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-05-18 12:13:23 +02:00
Volker Lendecke	93b982faad	lib: Give base64.c its own .h Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2016-05-04 01:28:23 +02:00
Volker Lendecke	cf5a81013d	lib: Make callers of base64_encode_data_blob check for success Quite a few callers already did check for !=NULL. With the current code this is pointless due to a SMB_ASSERT in base64_encode_data_blob() itself. Make the callers consistently check, so that we can remove SMB_ASSERT from base64.c. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2016-05-04 01:28:23 +02:00
Stefan Metzmacher	ef1ad0e122	s3:ntlm_auth: pass manage_squid_request() needs a valid struct ntlm_auth_state from within get_password() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Tue Mar 22 19:20:38 CET 2016 on sn-devel-144	2016-03-22 19:20:38 +01:00
Herwin Weststrate	0b500d413c	Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth An implementation of https://lists.samba.org/archive/samba/2012-March/166497.html (which has been discussed in 2012, but was never implemented). It has been tested on a Debian Jessie system with this patch added to the Debian package (which is currently 4.1.17). Even though this is Samba 4, the ntlm_auth installed is the one from Samba 3 (yes, it surprised me too). The backend was a machine with Windows 2012R2. It was first tested with the local security policy 'Network Security: LAN Manager authentication level' setting changed to 'Send NTLMv2 Response Only' (allow ntlm v1). This way we are able to authenticate with and without the MSV1_0_ALLOW_MSVCHAPV2 flag (as expected). After the basic step has been verified, the local security policy 'Network Security: LAN Manager authentication level' setting was changed to 'Send NTLMv2 Response Only. Refuse LM & NTLM' (only allow ntlm v2). The behaviour now changed according to the MSV1_0_ALLOW_MSVCHAPV2 flag (again: as expected). $ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain= Logon failure (0xc000006d) $ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain= --allow-mschapv2 NT_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX The changes in `wbclient.h` are intended for programs that use libwinbind directly instead of authenticating via `ntlm_auth`. I intend to use that within FreeRADIUS (see https://bugzilla.samba.org/show_bug.cgi?id=11149). BUG: https://bugzilla.samba.org/show_bug.cgi?id=11694 Signed-off-by: Herwin Weststrate <herwin@quarantainenet.nl> Reviewed-by: Kai Blin <kai@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>	2016-03-11 22:58:18 +01:00
Stefan Metzmacher	279d58c1e6	s3:ntlm_auth: also use gensec for "ntlmssp-client-1" and "gss-spnego-client" This implicitly fixes bug #10708. BUG: https://bugzilla.samba.org/show_bug.cgi?id=10708 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-10 06:52:28 +01:00
Stefan Metzmacher	69a7ec7942	s3:ntlm_auth: fix --use-cached-creds with ntlmssp-client-1 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11776 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>	2016-03-10 06:52:27 +01:00
Andrew Bartlett	bfe4163f17	ntlm_auth: Allow --password force a local password check for ntlm-server-1 mode Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>	2016-01-07 04:36:23 +01:00
Wolfgang Ocker	dd9b12ad45	ntlm_auth: Add --offline-logon Signed-off-by: Wolfgang Ocker <weo@recco.de> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Sat Dec 5 01:24:56 CET 2015 on sn-devel-104	2015-12-05 01:24:56 +01:00
Stefan Metzmacher	965d9ce555	s3:ntlm_auth: don't start gensec backend twice ntlm_auth_start_ntlmssp_server() was used in two cases and both call gensec_start_mech_by_oid() again. So we remove gensec_start_mech_by_oid() and rename the function to ntlm_auth_prepare_gensec_server. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2015-06-23 22:12:08 +02:00
Richard Sharpe	57941aa044	s3: utils: Convert all uses of uint32/16/8 to _t. Signed-off-by: Richard Sharpe <rsharpe@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Thu May 7 04:53:39 CEST 2015 on sn-devel-104	2015-05-07 04:53:39 +02:00
Volker Lendecke	c51300ad89	lib: load_case_tables() -> smb_init_locale() Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2015-03-24 00:00:20 +01:00
Matthew Newton	83cfb84b78	Use global context for winbindd_request_response Updating API call in libwbclient, wbinfo, ntlm_auth and winbind_nss_* as per previous commit to wb_common.c. Signed-off-by: Matthew Newton <matthew-git@newtoncomputing.co.uk> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>	2015-03-10 00:50:09 +01:00

1 2 3 4 5 ...

265 Commits