1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

1160 Commits

Author SHA1 Message Date
Stefan Metzmacher
8734887348 s3:smbXsrv.idl: add encryption_required to smbXsrv_tcon_global0
metze
2012-08-09 08:21:35 +02:00
Stefan Metzmacher
8e1c6d4232 s3:rpc_client: rename pipe_auth_data->user_session_key to transport_session_key
metze
2012-08-01 14:17:15 +02:00
Andrew Bartlett
f3562424b6 lib/param: Move all enum declarations to lib/param
This is in preperation for the parameter table being made common.

Andrew Bartlett

Pair-Programmed-With: Andrew Tridgell <tridge@samba.org>
2012-07-24 11:01:17 +02:00
Stefan Metzmacher
9c8e2b5af0 s3:smbXsrv.idl: add smbXsrv_open* structures
struct smbXsrv_open will represent a SMB 1 or SMB 2
open file handle, while 'files_struct' will be changed
to handle just the protocol independent glue for the SMB_VFS layer.

Note: the format is not stable yet, we need to add more things
      when we start to support durable handles.

metze
2012-06-29 19:11:04 +02:00
Stefan Metzmacher
9f2c89cbea s3:smbXsrv.idl: add smbXsrv_session_close*
metze
2012-06-25 20:55:07 +02:00
Stefan Metzmacher
da40aa0e68 s3:messaging.idl: define MSG_SMBXSRV_SESSION_CLOSE
metze
2012-06-25 20:55:07 +02:00
Stefan Metzmacher
463b308f16 s3:smbd: make use of smbXsrv_tcon and smbXsrv_session for smb2
The removes the protocol specific smbd_smb2_session and
smbd_smb2_tcon.

Pair-Programmed-With: Michael Adam <obnox@samba.org>

metze
2012-06-25 20:55:06 +02:00
Stefan Metzmacher
80f9abf637 s3:smbXsrv.idl: add smbXsrv_tcon* structures
struct smbXsrv_tcon will represent a SMB 1 or SMB 2
tree connect. It will replace 'struct smbd_smb2_tcon' and
'connection_struct' will be changed to handle just the protocol
independent glue for the SMB_VFS layer.

metze
2012-06-25 20:55:06 +02:00
Stefan Metzmacher
5b3c07fa89 s3:smbXsrv.idl: add smbXsrv_session* structures
struct smbXsrv_session will represent a SMB 1 or SMB 2
session. It will replace 'struct smbd_smb2_session' and
'user_struct' will be changed to handle just the protocol
independent glue for the SMB_VFS layer.

metze
2012-06-25 20:55:06 +02:00
Stefan Metzmacher
e09806000b s3:librpc/idl/smbXsrv.idl: add smbXsrv_version_* structures
metze
2012-06-25 20:55:05 +02:00
Stefan Metzmacher
47ddfe2e59 s3:librpc: add smbXsrv.idl
metze
2012-06-25 20:55:05 +02:00
David Disseldorp
ac7b60a17b s3-rpcclient: add fsrvp commands
fss_create_expose connects to an FSRVP server and negotiates the
creation and exposure of a share shadow-copy.
shadow-copies of multiple shares can be requested with a single
fss_create_expose request.

ddiss@plati:~> bin/rpcclient -k -U 'LURCH\administrator%password' \
                             ncacn_np:lutze[sign]
rpcclient $> fss_create_expose backup ro hyper
381884f2-b578-45ea-b8d2-cf82491f4011: shadow-copy set created
...
share hyper@{B6137E21-9CBB-4547-A21D-E7AD40D0874B} exposed as a snapshot
of \\lutze\hyper

fss_delete removes the shadow-copy share:
rpcclient $> fss_delete hyper 381884f2-b578-45ea-b8d2-cf82491f4011 \
                        b6137e21-9cbb-4547-a21d-e7ad40d0874

Shadow-copies can be created read-write or read-only.
Experimenting with Windows Server "8" beta, a recovery complete call is
required after creating a read-write (ATTR_AUTO_RECOVERY) shadow copy.
Otherwise subsequent creation requests fail with
FSRVP_E_SHADOW_COPY_SET_IN_PROGRESS.
2012-06-08 13:34:31 +02:00
Andreas Schneider
2b144531f1 gse: Use the smb_gss_oid_equal wrapper.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-05-23 17:51:51 +03:00
Alexander Bokovoy
2ddf89a2bc Introduce system MIT krb5 build with --with-system-mitkrb5 option.
System MIT krb5 build also enabled by specifying --without-ad-dc

When --with-system-mitkrb5 (or --withou-ad-dc) option is passed to top level
configure in WAF build we are trying to detect and use system-wide MIT krb5
libraries. As result, Samba 4 DC functionality will be disabled due to the fact
that it is currently impossible to implement embedded KDC server with MIT krb5.

Thus, --with-system-mitkrb5/--without-ad-dc build will only produce
  * Samba 4 client libraries and their Python bindings
  * Samba 3 server (smbd, nmbd, winbindd from source3/)
  * Samba 3 client libraries

In addition, Samba 4 DC server-specific tests will not be compiled into smbtorture.
This in particular affects spoolss_win, spoolss_notify, and remote_pac rpc tests.
2012-05-23 17:51:50 +03:00
Stefan Metzmacher
bffa1c5547 s3:gse: implement gensec_gse_expire_time()
metze
2012-05-17 20:04:33 +02:00
Stefan Metzmacher
9ec866fb6c s3:gse: remember the expire time
metze
2012-05-17 20:04:31 +02:00
Volker Lendecke
d38a171a43 s3: Attempt to fix the build without kerberos
Autobuild-User: Volker Lendecke <vl@samba.org>
Autobuild-Date: Tue Apr 24 15:04:14 CEST 2012 on sn-devel-104
2012-04-24 15:04:13 +02:00
Simo Sorce
08c733d75f Make krb5 wrapper library common so they can be used all over 2012-04-23 19:20:38 -04:00
Michael Adam
499e7372be s3:id_cache: do not use the in-memory idmap cache (it is going to be removed)
This also removes the ID_CACHE_FLUSH message.
2012-04-20 23:17:36 +02:00
Volker Lendecke
99fa29ae09 s3-dbwrap: Add dbwrap_record_watch_send/recv
With this API you can asynchronously wait for a record to be modified
2012-04-19 22:24:18 +02:00
Volker Lendecke
843432d56f s3: New notify implementation
From notify_internal.c:

        /*
         * The notify database is split up into two databases: One
         * relatively static index db and the real notify db with the
         * volatile entries.
         */

This change is necessary to make notify scale better in a cluster
2012-04-17 10:21:02 +02:00
Simo Sorce
46ab219005 gse: Remove unnecessary header.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:43 +02:00
Simo Sorce
88d5d5c4b4 auth-krb: Nove oid packet check to gensec_util.
This is clearly a utiliy function generic to gensec.  Also the 3 callers
had identical implementations. Provide a generic implementation for all
of them and avoid duplicating the code everywhere.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Jeremy Allison
c10ed730d4 Second part of bugfix for bug #8837 - smbd crashes when deleting directory and veto files are enabled.
Store the 'struct security_token' as well as the 'struct security_unix_token'
inside the locking db when setting a delete on close.
2012-04-04 14:58:42 -07:00
Stefan Metzmacher
8d00fe57c2 s3:gse: fix debug message in gse_get_server_auth_token()
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Sat Mar 17 03:21:06 CET 2012 on sn-devel-104
2012-03-17 03:21:06 +01:00
Andrew Bartlett
49bb7f248a s3-krb5: Remove GSS_WRAP_IOV conditional
We already confirm that we have this functionality before we set HAVE_KRB5 at
configure time.

Andrew Bartlett
2012-03-15 09:29:02 +11:00
Jeremy Allison
21528da9cd Fix a bunch of "unused variable" warnings.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat Feb 18 06:22:40 CET 2012 on sn-devel-104
2012-02-18 06:22:40 +01:00
Andrew Bartlett
674278d5b0 auth/kerberos: Move gse_get_session_key() to common code and use in gensec_gssapi
Thie ensures that both code bases use the same logic to determine the use
of NEW_SPNEGO.

Andrew Bartlett
2012-02-17 17:36:38 +11:00
Andrew Bartlett
a315350341 s3-gse: Allow kerberos key type OID to be optional 2012-02-17 17:36:37 +11:00
Andrew Bartlett
6088f44ed7 s3-gse: Fix OID to read for kerberos key type 2012-02-17 17:36:37 +11:00
Andrew Bartlett
05cf2d41cc s3-librpc: Remove backup declaration of GSS_C_DCE_STYLE
All our supported krb5 libs provide this.

Andrew Bartlett
2012-02-17 17:36:37 +11:00
Andrew Bartlett
9eb8f07fc4 s3-gse: Remove unused OID declaration 2012-02-17 17:36:37 +11:00
Andrew Bartlett
91c325bb70 s3-librpc: Remove gse_verify_server_auth_flags
gensec_update() ensures that DCE-style and sign/seal are negotiated correctly
for DCE/RPC pipes.  Also, the smb sealing client/server already check for the
gensec_have_feature().

This additional check just keeps causing trouble, and is 'protecting'
an already secure negoitated exchange.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Feb 16 21:19:44 CET 2012 on sn-devel-104
2012-02-16 21:19:44 +01:00
Andrew Bartlett
2b511f0e92 s3-librpc: Use gensec_spnego for DCE/RPC authentication
This ensures that we use the same SPNEGO code on session setup and on
DCE/RPC binds, and simplfies the calling code as spnego is no longer
a special case in cli_pipe.c

A special case wrapper function remains to avoid changing the
application layer callers in this patch.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-16 15:18:42 +01:00
Andrew Bartlett
5c9b6db68e s3-gse: Use the session key type, not the lucid context to set NEW_SPNEGO
Using gss_krb5_export_lucid_sec_context() is a problem with MIT krb5, as
it (reasonably, I suppose) invalidates the gssapi context on which it
is called.  Instead, we look to the type of session key which is
negotiated, and see if it not AES (or newer).

If we negotiated AES or newer, then we set GENSEC_FEATURE_NEW_SPENGO
so that we know to generate valid mechListMic values in SPNEGO.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-16 15:18:42 +01:00
Andrew Bartlett
1d0684c845 s3-librpc: Remove unused bool gensec_hook
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-16 15:18:42 +01:00
Stefan Metzmacher
01588585b1 s3:gse: return NT_STATUS_LOGON_FAILURE instead of NT_STATUS_INTERNAL_ERROR
This matches the behavior of ads_verify_ticket().

Note that ads_verify_ticket() calls krb5_to_nt_status(), but
as a server it's likely to always returns NT_STATUS_UNSUCCESSFUL.
ads_verify_ticket() maps NT_STATUS_UNSUCCESSFUL to NT_STATUS_LOGON_FAILURE.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Jan 26 10:48:36 CET 2012 on sn-devel-104
2012-01-26 10:48:36 +01:00
Stefan Metzmacher
0f039b196a s3-gse: add GENSEC_FEATURE_NEW_SPNEGO detection in gensec_gse_have_feature()
metze
2012-01-25 08:44:33 +01:00
Stefan Metzmacher
7fe189749e s3-gse: make sure GSS_C_CONF_FLAG implies GSS_C_INTEG_FLAG
metze
2012-01-20 23:55:54 +01:00
Stefan Metzmacher
6f0f10c798 s3-gse: implement fill_mem_keytab_from_[system|dedicated]_keytab
metze
2012-01-20 23:55:53 +01:00
Stefan Metzmacher
6158ea1abd s3-gse: create memory keytab in gse_krb5_get_server_keytab()
The other functions just add entries to it.

metze
2012-01-20 23:55:53 +01:00
Stefan Metzmacher
f86ab29470 s3-gse: fix SECRETS_AND_KEYTAB fallback in gse_krb5_get_server_keytab()
metze
2012-01-20 23:55:53 +01:00
Andrew Bartlett
e249bdd32e s3-gse: align common elements between gse_context and gensec_gssapi_state
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:25 +01:00
Andrew Bartlett
45ec777e0e s3-gse: Make gensec_gse cope with non-DCE GSSAPI
The validation of the mutual authentication reply produces no further
data to send to the server.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:25 +01:00
Stefan Metzmacher
545c1ad1b9 s3-gse: the server should not check for GSS_C_MUTUAL_FLAG
It up to the client to ask for GSS_C_MUTUAL_FLAG,
except for the dcerpc case, where the server is stricter.

metze
2012-01-18 16:23:25 +01:00
Stefan Metzmacher
c5864deadc s3-gse: verify that we got GSS_C_DCE_STYLE when expected
GSS_C_DCE_STYLE implies GSS_C_MUTUAL_FLAG, so also check for it.

metze
2012-01-18 16:23:24 +01:00
Andrew Bartlett
ed88012dd2 s3-gse Remove authenticated flag from gse
The only user for this flag is called only directly after it was set.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:24 +01:00
Andrew Bartlett
c759097956 s3-gse remove special more_processing hook from gse
The NT_STATUS_MORE_PROCESSING_REQUIRED status code is what gensec
is expecting in any case.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:24 +01:00
Andrew Bartlett
5b90bcf83b s3-gse Rename gss_c_flags and ret_flags in gse
This make it clearer what type of flags these are and matches
gensec_gssapi

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:24 +01:00
Andrew Bartlett
cf39b63a7b s3-gse Rename gss_ctx to match gensec_gssapi_context
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:24 +01:00