1
0
mirror of https://github.com/samba-team/samba.git synced 2025-07-27 07:42:04 +03:00
Commit Graph

211 Commits

Author SHA1 Message Date
5afd47147d r516: On GNU/Linux distributions which allow to use both 2.4 and 2.6 kernels
there is SYS_utimes syscall defined at compile time in glibc-kernheaders but
it is available on 2.6 kernels only. Therefore, we can't rely on syscall at
compile time but have to check that behaviour during program execution. An easy
workaround is to have replacement for utimes() implemented within our wrapper and
do not rely on syscall at all. Thus, if REPLACE_UTIME is defined already (by packager),
skip these syscall shortcuts.
(This used to be commit e278e2e6e0)
2007-10-10 10:51:26 -05:00
5b6286b26b r240: I'm pretty happy with the 'ntlm-server-1' helper protocol now, and as
there is now a public patch that uses it, make it always available.

(It was #ifdef DEVELOPER)

Andrew Bartlett
(This used to be commit aa3bc79835)
2007-10-10 10:51:15 -05:00
8e87cf8ad9 r201: Fix bugs in the --helper-protocol=ntlm-server-1 implementation.
(allow the use of base64 encoded strings, LM or NT passwords)

Andrew Bartlett
(This used to be commit 57a5563b42)
2007-10-10 10:51:13 -05:00
f4b35be4dd r191: Only send the ntlm_auth 'ntlm-server-1' helper client a '.' after the
server had said something (such as an error).

Andrew Bartlett
(This used to be commit c05016a2f7)
2007-10-10 10:51:12 -05:00
4dad078256 r188: Add a new 'helper protocol' to ntlm_auth.
This protocol looks rather like SMTP headers/LDAP:

NT-Domain: TESTWG
Username: abartlet
...

Password: foo

Challenge-response passwords are in hexideciaml, while any 'plain'
string can be base64 encoded when like this:

Password:: Zm9vCg==

(the :: indicates it, just like LDAP - I hope)

The protocol is not final, so it is #ifdef DEVELOPER for now (so
nobody starts to rely on it until I'm happy), but we may as well get
this into subversion.

My intention is to use this to power the next version of my
PPP/ntlm_auth plugin, and hopefully entice a FreeRadius plugin out of
the woods.

Andrew Bartlett
(This used to be commit 8efdd957ba)
2007-10-10 10:51:12 -05:00
78b5dfadca r177: Split ntlm_auth --diagnostics into a seperate file, so as not to clutter
the main ntlm_auth program.

It quite possibly should belong in smbtorture, but relies on the
winbind client for now.

Andrew Bartlett
(This used to be commit 6e1b7a8848)
2007-10-10 10:51:12 -05:00
1c97474a59 r171: Continue the 'rename nt_session_key' work. This attempts to rename
this variable to 'user_session_key', where possible.  The command line
parameter is currently unchanged).

Andrew Bartlett
(This used to be commit da4177209d)
2007-10-10 10:51:11 -05:00
82285f2e0e r104: Fix ntlm_auth by adding the new strhex_to_data_blob() call.
Andrew Bartlett
(This used to be commit 0693b9e79f)
2007-10-10 10:51:09 -05:00
0bfc5729a5 r87: Fix the build that Andrew Bartlett broke. Andrew - don't check *ANYTHING* in
unless you have done a make clean; make.
Jeremy.
(This used to be commit 09d82a0bef)
2007-10-10 10:51:08 -05:00
869348dfcb r84: Implement --required-membership-of=, an ntlm_auth option that restricts
all authentication to members of this particular group.

Also implement an option to allow ntlm_auth to get 'squashed' error codes,
which are safer to communicate to remote network clients.

Andrew Bartlett
(This used to be commit eb1c1b5eb0)
2007-10-10 10:51:07 -05:00
d17425ed52 r69: Global rename of 'nt_session_key' -> 'user_session_key'. The session key could
be anything, and may not be based on anything 'NT'.  This is also what microsoft
calls it.
(This used to be commit 724e8d3f33)
2007-10-10 10:51:06 -05:00
c2ff214772 Fix most of bug #169.
For a (very) long time, we have had a bug in Samba were an NTLMv2-only
PDC would fail, because it converted the password into NTLM format for
checking.

This patch performs the direct comparison required for interactive
logons to function in this situation.  It also removes the 'auth flags', which
simply where not ever used.

Natrually, this plays with the size of structures, so rebuild, rebuild
rebuild...

Andrew Bartlett
(This used to be commit 9598593bcf)
2004-04-03 15:41:32 +00:00
9a8e30d04b Fix bugzilla # 1208
Winbind tickets expired.  We now check the expiration time, and acquire
new tickets.  We couln't rely on renewing them, because if we didn't get
a request before they expired, we wouldn't have renewed them.  Also, there
is a one-week limit in MS on renewal life, so new tickets would have been
needed after a week anyway.   Default is 10 hours, so we should only be
acquiring them that often, unless the configuration on the DC is changed (and
the minimum is 1 hour).
(This used to be commit c2436c433a)
2004-03-24 17:32:55 +00:00
e3f5b54270 Restore the contract on all convert_stringXX() interfaces. Add a "allow_bad_conv"
boolean parameter that allows broken iconv conversions to work. Gets rid of the
nasty errno checks in mangle_hash2 and check_path_syntax and allows correct
return code checking.
Jeremy.
(This used to be commit 7b96765c23)
2004-03-11 22:48:24 +00:00
e0acf3780a Make this table static const.
Andrew Bartlett
(This used to be commit 0686bc9e07)
2004-02-08 01:02:12 +00:00
7d068355aa This merges in my 'always use ADS' patch. Tested on a mix of NT and ADS
domains, this patch ensures that we always use the ADS backend when
security=ADS, and the remote server is capable.

The routines used for this behaviour have been upgraded to modern Samba
codeing standards.

This is a change in behaviour for mixed mode domains, and if the trusted
domain cannot be reached with our current krb5.conf file, we will show
that domain as disconnected.

This is in line with existing behaviour for native mode domains, and for
our primary domain.

As a consequence of testing this patch, I found that our kerberos error
handling was well below par - we would often throw away useful error
values.  These changes move more routines to ADS_STATUS to return
kerberos errors.

Also found when valgrinding the setup, fix a few memory leaks.

While sniffing the resultant connections, I noticed we would query our
list of trusted domains twice - so I have reworked some of the code to
avoid that.

Andrew Bartlett
(This used to be commit 7c34de8096)
2004-01-08 08:19:18 +00:00
bcd0e51e28 Get the DOMAIN\username around the right way (I had username\domain...)
Push the unix username into utf8 for it's trip across the socket.

Andrew Bartlett
(This used to be commit 3225f262b1)
2003-12-30 22:27:33 +00:00
829188b34f Try to gain a bit more consistancy in the output of usernames from ntlm_auth:
Instead of returning a name in DOMAIN\user format, we now return it in the
same way that nsswtich does - following the rules of 'winbind use default
domain', in the correct case and with the correct seperator.

This should help sites who are using Squid or the new SASL code I'm working
on, to match back to their unix usernames.

Andrew Bartlett
(This used to be commit 7a3a5a6361)
2003-12-30 13:20:39 +00:00
43772e1d4a Make the name of the NTLMSSP client more consistant before we lock it in stone.
(This used to be commit 0fa268863b)
2003-12-30 08:52:46 +00:00
ca1b7e353d Remove testing hack
(This used to be commit 96f3beb462)
2003-12-30 07:38:32 +00:00
adc07646a3 Move our basic password checking code from inside the authentication
subsystem into a seperate file - ntlm_check.c.

This allows us to call these routines from ntlm_auth.  The purpose of this
exercise is to allow ntlm_auth (when operating as an NTLMSSP server) to
avoid talking to winbind.  This should allow for easier debugging.

ntlm_auth itself has been reorgainised, so as to share more code between
the SPNEGO-wrapped and 'raw' NTLMSSP modes.  A new 'client' NTLMSSP mode
has been added, for use with a Cyrus-SASL module I am writing (based on vl's
work)

Andrew Bartlett
(This used to be commit 48315e8fd2)
2003-12-30 07:33:58 +00:00
bccf3f374b Refactor our authentication and authentication testing code.
The next move will be to remove our password checking code from the SAM
authentication backend, and into a file where other parts of samba can use
it.

The ntlm_auth changes provide for better use of common code.

Andrew Bartlett
(This used to be commit 2375abfa00)
2003-12-30 05:02:32 +00:00
2e9deb12bf Thanks to Serassio Guido for noticing issues in our Squid NTLMSSP
implementation.  We were not resetting the NTLMSSP state for new
negotiate packets.

Andrew Bartlett
(This used to be commit e0a026c9b5)
2003-12-24 09:56:51 +00:00
fcbfc7ad06 Changes all over the shop, but all towards:
- NTLM2 support in the server
 - KEY_EXCH support in the server
 - variable length session keys.

In detail:

 - NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).

 * This is known as 'NTLMv2 session security' *

(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes.  We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)

This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed.  This also needs to be turned off for
'security=server', which does not support this.

- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.

- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.

- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure.  This should help the SPNEGO implementation.

- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.

- The other big change is to allow variable length session keys.  We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter.  However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.

 * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *

- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe.  This
should help reduce some of the 'it just doesn't work' issues.

- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer.  (just allocate)


REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit f3bbc87b0d)
2003-11-22 13:19:38 +00:00
9f154119e8 Final round of printf warnings fixes for the moment.
(This used to be commit 0519a7022b)
2003-11-06 22:11:08 +00:00
aa39cc37da get rid of more compiler warnings
(This used to be commit 398bd14fc6)
2003-08-15 04:42:05 +00:00
4ad85bf48e Add the gss-spnego kerberos server side to ntml_auth. This uses the
same ads_verify_ticket routine that smbd uses, so in the current state
we have to be have the host password in secrets.tdb instead of the
keytab. This means we have to be an ADS member, but it's a start.

Volker
(This used to be commit dc2d2ad467)
2003-08-15 02:57:59 +00:00
fbf072599b Fix the build for non-kerberos environments.
Volker
(This used to be commit c8f4d7952f)
2003-08-14 17:21:22 +00:00
5929cfd451 This adds *experimental* kerberos gss spnego client support to ntlm_auth.
(This used to be commit 5522c79045)
2003-08-12 20:50:56 +00:00
1d67e6b225 Some more shuffling around gss-spnego server
(This used to be commit f2c85595da)
2003-08-12 19:00:08 +00:00
61a1fa97af Clarify gss spnego ntlmssp server a bit
(This used to be commit 807b452a7f)
2003-08-12 01:54:26 +00:00
dffd0f379f Fix for bug 269. Change wbinfo and ntlm_auth to convert domain, username
and workstation to utf8 before sending the winbindd request.  Also, don't
continue when the call to pull_utf8() fails but rather return a winbind
error.  (This is what was causing the crash)
(This used to be commit ca1c463360)
2003-08-12 00:46:15 +00:00
a4954bd3d2 Changes to make gss-spnego ntlmssp client work against W2k AD.
Now I know where the mechListMIC changes came from: Ethereal ;-)

Volker
(This used to be commit 4e9eed1273)
2003-08-04 13:10:43 +00:00
f5b5a9793a Add ntlmssp client support to ntlm_auth. Find the corresponding cyrus sasl
module under http://samba.sernet.de/cyrus-gss-spnego.diff

Volker
(This used to be commit a82f6a0096)
2003-08-01 07:59:23 +00:00
deb62c1410 Fixes for memory leaks in gss spnego handling by aliguori.
Volker
(This used to be commit 946695242f)
2003-07-31 10:24:10 +00:00
7730b658a1 This adds gss-spnego to ntlm_auth. It contains some new spnego support
from Jim McDonough. It is to enable cyrus sasl to provide the
gss-spnego support. For a preliminary patch to cyrus sasl see

http://samba.sernet.de/cyrus-gss-spnego.diff

Volker
(This used to be commit 45cef8f66e)
2003-07-29 15:00:38 +00:00
3a5dc7c2ec convert snprintf() calls using pstrings & fstrings
to pstr_sprintf() and fstr_sprintf() to try to standardize.
lots of snprintf() calls were using len-1; some were using
len.  At least this helps to be consistent.
(This used to be commit 9f835b85dd)
2003-07-23 12:33:59 +00:00
0b18acb841 and so it begins....
* remove idmap_XX_to_XX calls from smbd.  Move back to the
  the winbind_XXX and local_XXX calls used in 2.2

* all uid/gid allocation must involve winbindd now

* move flags field around in winbindd_request struct

* add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id()
  to prevent automatic allocation for unknown SIDs

* add 'winbind trusted domains only' parameter to force a domain member
  server to use matching users names from /etc/passwd for its domain
  (needed for domain member of a Samba domain)

* rename 'idmap only' to 'enable rid algorithm' for better clarity
  (defaults to "yes")

code has been tested on

  * domain member of native mode 2k domain
  * ads domain member of native mode 2k domain
  * domain member of NT4 domain
  * domain member of Samba domain
  * Samba PDC running winbindd with trusts

Logons tested using 2k clients and smbclient as domain users
and trusted users. Tested both 'winbind trusted domains only = [yes|no]'

This will be a long week of changes.  The next item on the list is
winbindd_passdb.c & machine trust accounts not in /etc/passwd (done
via winbindd_passdb)
(This used to be commit 8266dffab4)
2003-07-07 05:11:10 +00:00
69306dcdd9 Fix up a bit of my sloppy C.
(This used to be commit f67cc24acf)
2003-05-12 01:49:03 +00:00
80f402837f Give up on the idea of avoiding lp_load() in ntlm_auth....
Also, we might be given a 0 length challenge, so don't smb_panic() for
smb_xmalloc() of zero size.

Andrew Bartlett
(This used to be commit 4842de04cf)
2003-05-12 00:18:45 +00:00
0914e541f5 Reverse previous patch from Stefan and me after comments by Andrew Bartlett
(This used to be commit d817eaf0ec)
2003-05-10 11:49:51 +00:00
c507ebe567 Patch from metze and me that adds dummy smb_register_*() functions so
that is now possible to, for example, load a module which contains
an auth method into a binary without the auth/ subsystem built in.
(This used to be commit 74d9ecfe2d)
2003-05-10 10:53:48 +00:00
d06f95ca78 Finally get NTLMv2 working on the client!
With big thanks to tpot for the ethereal disector, and for the base code
behind this, we now fully support NTLMv2 as a client.

In particular, we support it with direct domain logons (tested with ntlm_auth
--diagnostics), with 'old style' session setups, and with NTLMSSP.

In fact, for NTLMSSP we recycle one of the parts of the server's reply directly...

(we might need to parse for unicode issues later).

In particular, a Win2k domain controller now supplies us with a session key
for this password, which means that doman joins, and non-spnego SMB signing
are now supported with NTLMv2!

Andrew Bartlett
(This used to be commit 9f6a26769d)
2003-05-09 14:42:20 +00:00
917c2fcf6a Added some more diagnostic tests to check out a theory that having either hash
- auth with ntlmv2 and lmv2 but deliberately break the ntlmv2 hash
  - auth with ntlmv2 and lmv2 but deliberately break the lmv2 hash
  - auth with ntlm and lm but deliberately break the ntlm hash
  - auth with ntlm and lm but deliberately break the lm hash

My theory is that the NTLM or NTLMv2 field must be correct and if it is,
it doesn't matter what the value of the LM or LMv2 field is.

Fixed cosmetic test name display bug.
(This used to be commit 5dcde9451b)
2003-05-09 06:03:11 +00:00
9eccc216de We also get back the LM session key on pure 'NTLM' logins.
Andrew Bartlett
(This used to be commit 7342c70b4c)
2003-05-05 13:23:07 +00:00
89f6691cdc Add some comments.
(This used to be commit 855fab395f)
2003-05-05 06:33:58 +00:00
0e1c8fa7c3 Add some more tests to the ntlm_auth diagnositics package.
Our NTLMv2 client code needs work, becouse we don't get the session key for
any of the NTLMv2 stuff...

Also test some of the more 'odd' auth cases - like putting the NT password
into the LM feild.

Clean up some static globals into static locals.

Andrew Bartlett
(This used to be commit 62f0acc991)
2003-05-05 05:01:59 +00:00
90d17c04ca Fix for AIX - you can't qualify a return type as const, when it's not a
pointer.

(merge from HEAD).

Andrew Bartlett
(This used to be commit 9e3d0cd9de)
2003-04-30 14:01:16 +00:00
90dbd21cd0 Fix compiler warning.
(This used to be commit f127f96425)
2003-04-28 06:19:11 +00:00
4ea3cd2629 Merge of const fixes from HEAD.
(This used to be commit a847ebd827)
2003-04-28 05:18:30 +00:00