1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

369 Commits

Author SHA1 Message Date
Stefan Metzmacher
1c7bd2b71c s3:smbd: remove unused variable in sesssetup.c
metze

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Aug  5 23:09:06 CEST 2012 on sn-devel-104
2012-08-05 23:09:06 +02:00
Stefan Metzmacher
ff75fd9eda s3:smbd: setup the application session key with the first tcon on a session
Look for Server.Session.SessionKeyState in [MS-SMB].
The first SMBtconX sets the state to available, which makes it possible
to protect the session key at that stage, if client and server
support TREE_CONNECT_ANDX_EXTENDED_SIGNATURE.

metze
2012-08-04 12:33:06 +02:00
Stefan Metzmacher
49d0432efd s3:smbd: setup session->global->signing_/application_key during SPNEGO SMB1 session setups
metze

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Aug  4 11:09:42 CEST 2012 on sn-devel-104
2012-08-04 11:09:42 +02:00
Stefan Metzmacher
2265e4633a s3:smbd: setup session->global->signing_/application_key during old SMB1 session setups
metze
2012-08-04 09:10:23 +02:00
Stefan Metzmacher
3d63e4da17 s3:smbd: keep the "application session key" during SMB1 reauth
metze
2012-08-04 09:10:22 +02:00
Stefan Metzmacher
e77000259c s3:smbd/sesssetup: implement dynamic re-authentication and expire session if client supports it
metze
2012-06-25 20:55:06 +02:00
Stefan Metzmacher
a129e271b5 s3:smbd: make use of smbXsrv_session for smb1
Pair-Programmed-With: Michael Adam <obnox@samba.org>

metze
2012-06-25 20:55:06 +02:00
Michael Adam
73b200064f s3:util: rename procid_equal() to serverid_equal()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-06-21 08:27:32 +02:00
Volker Lendecke
53cfde7204 s3: Remove a user of procid_is_me
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-06-21 08:27:30 +02:00
Stefan Metzmacher
02d9ba6ee1 s3:smbd: change user_struct->vuid to uint64_t
Only sconn->smb1.sessions.next_vuid remains as uint16_t,
so that we do not generate larger values yet.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Jun  6 12:07:33 CEST 2012 on sn-devel-104
2012-06-06 12:07:33 +02:00
Stefan Metzmacher
f52e5738a2 s3:smbd: use 'struct user_struct' instead of typedef'ed 'user_struct'
metze
2012-06-06 10:18:39 +02:00
Stefan Metzmacher
8693a4fff9 s3:lib: split things into a conn_tdb.h
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Jun  5 19:28:35 CEST 2012 on sn-devel-104
2012-06-05 19:28:35 +02:00
Stefan Metzmacher
d58f7cd546 s3:smbd: allow creating new spnego sessions only with a 0 vuid
Found by the raw.context test.

metze
2012-05-18 16:36:16 +02:00
Stefan Metzmacher
1e7f8d5ad0 s3:smbd/sesssetup: use a helper variable 'action' to mark guest access
metze
2012-04-16 10:39:50 +02:00
Volker Lendecke
11d087aa04 s3: Remove chain_reply
<insert your favourite tombstone ascii art here>
2012-03-10 15:34:12 +01:00
Volker Lendecke
90b33a05e9 s3: Make sure the andX chains are ended correctly
Normally chain_reply took care of this. This will go away soon.
2012-03-10 15:34:11 +01:00
Andrew Bartlett
50547a9950 s3-auth: Follow auth_ntlmssp and use auth4_context for Session Setup
This patch ensures consistency in behaviour between NTLMSSP and NTLM
session setup handlers.  By calling the same layer that auth_ntlmssp
calls, we can not only allow redirection of all authentication to the
AD DC, we ensure that map to guest and username map handling is
consistent, even in the file server alone.

Andrew Bartlett
2012-03-08 10:14:05 +01:00
Andrew Bartlett
d7bb961859 s3-auth: Remove security=share (depricated since 3.6).
This patch removes security=share, which Samba implemented by matching
the per-share password provided by the client in the Tree Connect with
a selection of usernames supplied by the client, the smb.conf or
guessed from the environment.

The rationale for the removal is that for the bulk of security=share
users, we just we need a very simple way to run a 'trust the network'
Samba server, where users mark shares as guest ok.  This is still
supported, and the smb.conf options are documented at
https://wiki.samba.org/index.php/Public_Samba_Server

At the same time, this closes the door on one of the most arcane areas
of Samba authentication.

Naturally, full user-name/password authentication remain available in
security=user and above.

This includes documentation updates for username and only user, which
now only do a small amount of what they used to do.

Andrew Bartlett

                       --------------
                      /              \
                     /      REST      \
                    /        IN        \
                   /       PEACE        \
                  /                      \
                  |      SEC_SHARE       |
                  |    security=share    |
                  |                      |
                  |                      |
                  |       5 March        |
                  |                      |
                  |        2012          |
                 *|     *  *  *          | *
        _________)/\\_//(\/(/\)/\//\/\///|_)_______
2012-03-04 23:33:05 +01:00
Andrew Bartlett
2f74f2f180 s3-auth: Add extra error messages on authentication or authorization failure
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-17 10:48:09 +01:00
Andrew Bartlett
eb3e34e965 s3-smbd Remove unused code now we always have SPNEGO via gensec
This was previously needed because SPNEGO was only available in the AD DC.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-16 15:18:43 +01:00
Stefan Metzmacher
507872f90f s3:smbd: inline code in reply_sesssetup_and_X_spnego()
This makes the logic much easier to follow.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Jan 31 21:52:45 CET 2012 on sn-devel-104
2012-01-31 21:52:45 +01:00
Stefan Metzmacher
5f79ad5f87 s3:smbd: the spnego session setup don't need to copy the in blob
metze
2012-01-31 20:17:10 +01:00
Stefan Metzmacher
ec0142dd31 s3:smbd: rework reply_spnego_ntlmssp to reply_spnego_generic
This removes the unused spnego_gen_auth_response() wrapping.

metze
2012-01-31 20:17:10 +01:00
Stefan Metzmacher
ee15790d7a s3:smbd: remove unused code from sesssetup.c
metze
2012-01-31 20:17:10 +01:00
Stefan Metzmacher
63f6567ca9 s3:smbd: remove pending_auth_data logic
This is handled by the gensec_spnego module.

metze
2012-01-31 20:17:10 +01:00
Stefan Metzmacher
8327ee94db s3:smbd: always use the gensec code path in sesssetup.c
The other code pathes are unused, because we always have
the spnego gensec module.

metze
2012-01-31 20:17:10 +01:00
Stefan Metzmacher
d3e5a0bea4 s3:smbd: explicitly ask for GENSEC_FEATURE_UNIX_TOKEN
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Jan 12 11:22:53 CET 2012 on sn-devel-104
2012-01-12 11:22:53 +01:00
Andrew Bartlett
16e463e169 s3-auth Remove ntlmssp_wrap.h which is no longer required
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 17:17:28 +01:00
Andrew Bartlett
3042e38d51 s3-auth use gensec directly rather than via auth_generic_state
This is possible because the s3 gensec modules are started as
normal gensec modules, so we do not need a wrapper any more.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 17:17:28 +01:00
Andrew Bartlett
1075efabc7 s3-auth Add TALLOC_CTX * to auth_generic_prepare()
This makes the long term owner of this memory more clear.  So far only the
clear cases have been moved from NULL however.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 17:17:28 +01:00
Andrew Bartlett
c17131685c s3-auth remove auth_ntlmssp_start(), call auth_generic_start() directly
This makes it clear that this can support more than just NTLMSSP.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-22 19:25:10 +01:00
Andrew Bartlett
1100f6eca5 s3-auth rename auth_ntlmssp_prepare() -> auth_generic_prepare()
This function handles more than NTLMSSP now, at least when we are an AD DC
and so changing the name may avoid some confusion in the future.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-22 19:25:10 +01:00
Andrew Bartlett
6391fff9da s3-auth rename auth_ntlmssp_state -> auth_generic_state
This structure handles more than NTLMSSP now, at least when we are an AD DC
and so changing the name may avoid some confusion in the future.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-22 19:25:10 +01:00
Stefan Metzmacher
03455519e7 s3:smbd: pass smbd_server_connection and a snumused function pointer to reload_services()
metze
2011-12-15 11:11:24 +01:00
Andrew Bartlett
3f079885b2 s3-ntlmssp Remove auth_ntlmssp_want_feature()
We now just call the gensec_want_feature() directly.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-21 08:43:33 +02:00
Andrew Bartlett
083025ccd5 s3-ntlmssp Remove auth_ntlmssp_update wrapper
We now just call gensec_update directly.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-21 08:43:10 +02:00
Andrew Bartlett
915fe7981b s3-auth remove auth_ntlmssp_session_info()
Instead, call gensec_session_info() directly.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-21 08:43:02 +02:00
Andrew Bartlett
0c6e4adcb2 ntlmssp: Move ntlmssp code to auth/ntlmssp
This brings in the code from both libcli/auth and
source4/auth/ntlmssp.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:31 +11:00
Stefan Metzmacher
abb24bf8e8 s3:smbd: make use of better SMB signing negotiation
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Sep 14 09:41:02 CEST 2011 on sn-devel-104
2011-09-14 09:41:02 +02:00
Andrew Bartlett
fec25c3a62 ntlmssp: Add ntlmssp_blob_matches_magic()
This avoids having the same check in 3 different parts of the code

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Aug  3 12:45:04 CEST 2011 on sn-devel-104
2011-08-03 12:45:04 +02:00
Andrew Bartlett
8fca9741fe s3-auth rename auth_ntlmssp_steal_session_info()
There is no longer any theft of memory as the underlying routines now
produce a new auth_session_info for this caller, allocating it
on the supplied memory context.

Andrew Bartlett
2011-08-03 18:48:05 +10:00
Andrew Bartlett
b0dd2cde86 s3-smbd Be consistent with %U subs on guest logins
The NTLMSSP code always specified "" as the username, and this makes
guest logins via the old-style session setup do the same.

Andrew Bartlett
2011-08-03 18:48:05 +10:00
Andrew Bartlett
d3524f2eae s3-auth use auth_generic_start to get full GENSEC in Samba3 session setup
This tests if the auth_generic_start() hook is available on the auth
context during the negprot, and if so it uses auth_generic_start() to
hook to GENSEC to handle the full SPNEGO blob.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:04 +10:00
Andrew Bartlett
23bbf4e758 s3-smbd clarify behaviour by not passing an OID that will not be used
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:04 +10:00
Andrew Bartlett
36112a442f s3-smbd Ensure we do not read past the end of a possible NTLMSSP blob
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:04 +10:00
Andrew Bartlett
9a45bf3952 s3-auth set session_info->sanitized_username in create_local_token()
Rather than passing this value around the callers, and eventually
setting it in register_existing_vuid(), we simply pass it to
create_local_token().  This also removes the need for
auth_ntlmssp_get_username().

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:04 +10:00
Andrew Bartlett
8b983d2326 s3-ntlmssp Split auth_ntlmssp_start into two functions
This helps map on to the GENSEC semantics better, and ensures that the
full set of desired features are set before the mechanism starts.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:04 +10:00
Andrew Bartlett
778bf87d8d s3-ntlmssp Remove calls to auth_ntlmssp_and_flags from the server
This is changed so that the callers ask for the additional flags
that they need, starting with no additional flags.

This helps to create a proper abstraction layer in
ntlmssp_wrap/auth_ntlmssp.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:03 +10:00
Andrew Bartlett
6d7ac4f1ad s3-ntlmssp Add mem_ctx argument to auth_ntlmssp_update
This clarifies the lifetime of the returned token.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:03 +10:00
Andrew Bartlett
8a650243b3 s3-auth Move map to guest to directly after the check_password calls
This means we no longer need two different map to guest functions
and have consistent logic with fewer layering violations.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:02 +10:00