1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

103 Commits

Author SHA1 Message Date
Andreas Schneider
197781a651 s4-librpc: Add capabilities check for AES encrypted connections.
Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17 13:26:34 +02:00
Stefan Metzmacher
780006db9d s4:librpc/rpc: add DCERPC_SCHANNEL_AES support
metze

Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17 10:58:39 +02:00
Stefan Metzmacher
342a2e6181 s4:librpc/rpc/dcerpc_schannel: just append NETLOGON_NEG_RODC_PASSTHROUGH as rodc
The RODC stuff doesn't depend on the schannel algorithm.

metze

Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17 10:58:38 +02:00
Stefan Metzmacher
e7c7a91130 s4:librpc/rpc/dcerpc_schannel: rework downgrade logic
metze

Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17 10:58:38 +02:00
Andreas Schneider
a7541fc27e s4-librpc: Fix netlogon schannel client connect.
As a client we request as much flags as possible. The server checks
which flags it supports and returns the same negotiation flags or less.
So we need to store the negotiate flags from the server. We need them
later if we have to call netr_LogonGetCapabilities.
2011-12-22 17:48:24 +01:00
Andreas Schneider
17d124490b s4-librpc: Fix NETLOGON credential chain with Windows 2008.
Windows Server 2008 returns NT_STATUS_DOWNGRADE_DETECTED if you call
netrServerAuthenticate2 during a domain join without setting the strong
keys flag (128bit crypto).

Only for NT4 we need to do a downgrade to the returned negotiate flags.

See also 0970369ca0.
2011-12-14 13:41:28 +01:00
Andrew Tridgell
9bae4cd3d9 s4-rpc: added target_principal binding handle option
this allows you to specify a target SPN for a connection

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-10-01 22:31:57 -07:00
Andrew Tridgell
67ac8555b1 s4-auth: set the RODC bit for RODC schannel
When we are using SEC_CHAN_RODC we need to set the
NETLOGON_NEG_RODC_PASSTHROUGH bit in the negotiated flags in
ServerAuthenticate2

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-15 15:39:34 +10:00
Andrew Tridgell
52445e1583 s4-schannel: fixed reference to context after free
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-15 15:39:34 +10:00
Andrew Tridgell
6b266b85cf s4-loadparm: 2nd half of lp_ to lpcfg_ conversion
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-16 18:24:27 +10:00
Stefan Metzmacher
398f477941 s4:librpc/rpc/dcerpc_schannel.c: make use of use tevent_req based dcerpc_binding_handle stubs
metze
2010-03-12 15:25:48 +01:00
Andrew Tridgell
f01f124969 s4-rpc: don't use s->credentials after it is freed 2010-03-05 16:12:05 +11:00
Stefan Metzmacher
8ba2128e1e s4:librpc/rpc: make use of explicit dcerpc_*_recv functions
metze
2010-03-01 16:11:55 +01:00
Andrew Bartlett
5095d7b1c8 Rework Samba4 to use the new common libcli/auth code
In particular, this is the rename from creds_ to netlogon_creds_, as
well as other links to use the new common crypto.

Andrew Bartlett
2009-04-14 16:23:44 +10:00
Jelmer Vernooij
b034c519f5 Add gensec_settings structure. This wraps loadparm_context for now, but
should in the future only contain some settings required for gensec.
2008-11-02 02:05:48 +01:00
Günther Deschner
1798e9d7ec s4-netlogon: merge netr_ServerReqChallenge from s3 idl.
Guenther
2008-10-29 08:57:52 +01:00
Günther Deschner
8e4c691c0a s4-netlogon: merge netr_ServerAuthenticate{2,3} from s3 idl.
Guenther
2008-10-29 08:57:51 +01:00
Jelmer Vernooij
afe3e8172d Install public header files again and include required prototypes.
(This used to be commit 47ffbbf674)
2008-04-02 04:53:27 +02:00
Jelmer Vernooij
bca631be1f r26329: Fix more loadparm_context references. Only about a 100 left now.
(This used to be commit ddf233346d)
2007-12-21 05:48:42 +01:00
Jelmer Vernooij
4c4323009f r26327: Explicit loadparm_context for RPC client functions.
(This used to be commit eeb2251d22)
2007-12-21 05:48:41 +01:00
Stefan Metzmacher
0d7d5a6d49 r24560: rename some DCERPC_ prefixes into NDR_
metze
(This used to be commit f874eca5da)
2007-10-10 15:02:15 -05:00
Stefan Metzmacher
f14bd1a90a r24557: rename 'dcerpc_table_' -> 'ndr_table_'
metze
(This used to be commit 84651aee81)
2007-10-10 15:02:15 -05:00
Stefan Metzmacher
b8cdadced4 r24551: rename dcerpc_interface_table -> ndr_interface_table
rename dcerpc_interface_list  -> ndr_interface_list

and move them to libndr.h

metze
(This used to be commit 4adbebef5d)
2007-10-10 15:02:12 -05:00
Andrew Tridgell
0479a2f1cb r23792: convert Samba4 to GPLv3
There are still a few tidyups of old FSF addresses to come (in both s3
and s4). More commits soon.
(This used to be commit fcf38a38ac)
2007-10-10 14:59:12 -05:00
Stefan Metzmacher
40cd2d7780 r22944: fix bug #4618:
rename private -> private_data

metze
(This used to be commit 58551f2f28)
2007-10-10 14:52:30 -05:00
Andrew Bartlett
13dbee3ffe r19598: Ahead of a merge to current lorikeet-heimdal:
Break up auth/auth.h not to include the world.

Add credentials_krb5.h with the kerberos dependent prototypes.

Andrew Bartlett
(This used to be commit 2b569c42e0)
2007-10-10 14:25:00 -05:00
Stefan Metzmacher
5c1d881091 r17326: make better usage of the composite api
metze
(This used to be commit 097c9f09f3)
2007-10-10 14:15:14 -05:00
Stefan Metzmacher
7847e7b644 r17320: - print the debug message before the composite context get received by the caller
- steal pipe2 to the state structure so we don't need to take about freeing is later

metze
(This used to be commit 4ba50fc29e)
2007-10-10 14:15:11 -05:00
Jelmer Vernooij
8528016978 r14464: Don't include ndr_BASENAME.h files unless strictly required, instead
try to include just the BASENAME.h files (containing only structs)
(This used to be commit 3dd477ca51)
2007-10-10 13:57:27 -05:00
Jelmer Vernooij
1060f6b3f6 r14402: Generate seperate headers for RPC client functions.
(This used to be commit 7054ebf024)
2007-10-10 13:57:19 -05:00
Jelmer Vernooij
e3f2414cf9 r14380: Reduce the size of structs.h
(This used to be commit 1a16a6f1df)
2007-10-10 13:57:16 -05:00
Rafal Szczesniak
beb9d4f794 r14175: More comments and my copyright.
rafal
(This used to be commit 384d97e0b2)
2007-10-10 13:56:58 -05:00
Stefan Metzmacher
53bbace785 r14137: move **p2 to the _recv function for setup the second pipe
metze
(This used to be commit 8b8d92beed)
2007-10-10 13:56:53 -05:00
Rafal Szczesniak
a1f08df37c r14123: Huge lump of code making all of our dcerpc connect code
asynchronous. Build is ok, and so are the tests.
More comments to follow.

rafal
(This used to be commit a74fb6c5a2)
2007-10-10 13:56:52 -05:00
Jelmer Vernooij
4ac2be9958 r13924: Split more prototypes out of include/proto.h + initial work on header
file dependencies
(This used to be commit 1228358767)
2007-10-10 13:52:24 -05:00
Andrew Bartlett
a5a79e8b8c r12865: Upgrade the librpc and libnet code.
In librpc, always try SMB level authentication, even if trying
schannel, but allow fallback to anonymous.  This should better
function with servers that set restrict anonymous.

There are too many parts of Samba that get, parse and modify the
binding parameters.  Avoid the extra work, and add a binding element
to the struct dcerpc_pipe

The libnet vampire code has been refactored, to reduce extra layers
and to better conform with the standard argument pattern.  Also, take
advantage of the new libnet_Lookup code, so we don't require the silly
'password server' smb.conf parameter.

To better support forcing traffic to be sealed for the vampire
operation, the dcerpc_bind_auth() function now takes an auth level
parameter.

Andrew Bartlett
(This used to be commit d65b354959)
2007-10-10 13:50:55 -05:00
Jelmer Vernooij
d4de4c2d21 r12608: Remove some unused #include lines.
(This used to be commit 70e7449318)
2007-10-10 13:49:03 -05:00
Jelmer Vernooij
acd6a086b3 r12510: Change the DCE/RPC interfaces to take a pointer to a
dcerpc_interface_table struct rather then a tuple of interface
name, UUID and version.

This removes the requirement for having a global list of DCE/RPC interfaces,
except for these parts of the code that use that list explicitly
(ndrdump and the scanner torture test).

This should also allow us to remove the hack that put the authservice parameter
in the dcerpc_binding struct as it can now be read directly from
dcerpc_interface_table.

I will now modify some of these functions to take a dcerpc_syntax_id
structure rather then a full dcerpc_interface_table.
(This used to be commit 8aae0f168e)
2007-10-10 13:47:48 -05:00
Volker Lendecke
f2dedc629c r11809: Make dcerpc_bind_auth async.
This also removes dcerpc_bind_auth_password, the only user of
dcerpc_bind_auth. And this was not only passwords anyway.

Andrew Bartlett, as usual: Please take a close look.

Thanks,

Volker
(This used to be commit 2ff2dae3d0)
2007-10-10 13:46:31 -05:00
Andrew Bartlett
51cbc188df r10402: Make the RPC-SAMLOGON test pass against Win2k3 SP0 again.
I still have issues with Win2k3 SP1, and Samba4 doesn't pass it's own
test for the moment, but I'm working on these issues :-)

This required a change to the credentials API, so that the special
case for NTLM logins using a principal was indeed handled as a
special, not general case.

Also don't set the realm from a ccache, as then it overrides --option=realm=.

Andrew Bartlett
(This used to be commit 194e8f07c0)
2007-10-10 13:38:39 -05:00
Andrew Bartlett
24186a80eb r9728: A *major* update to the credentials system, to incorporate the
Kerberos CCACHE into the system.

This again allows the use of the system ccache when no username is
specified, and brings more code in common between gensec_krb5 and
gensec_gssapi.

It also has a side-effect that may (or may not) be expected: If there
is a ccache, even if it is not used (perhaps the remote server didn't
want kerberos), it will change the default username.

Andrew Bartlett
(This used to be commit 6202267f6e)
2007-10-10 13:34:54 -05:00
Andrew Bartlett
5b19286df0 r7690: Move the NT hash generation into the credentials system, rather than
in all the callers.  This also allows us to be more flexible in the
type of password we store.

Andrew Bartlett
(This used to be commit 00b8588c68)
2007-10-10 13:18:23 -05:00
Andrew Tridgell
af237084ec r7633: this patch started as an attempt to make the dcerpc code use a given
event_context for the socket_connect() call, so that when things that
use dcerpc are running alongside anything else it doesn't block the
whole process during a connect.

Then of course I needed to change any code that created a dcerpc
connection (such as the auth code) to also take an event context, and
anything that called that and so on .... thus the size of the patch.

There were 3 places where I punted:

  - abartlet wanted me to add a gensec_set_event_context() call
    instead of adding it to the gensec init calls. Andrew, my
    apologies for not doing this. I didn't do it as adding a new
    parameter allowed me to catch all the callers with the
    compiler. Now that its done, we could go back and use
    gensec_set_event_context()

  - the ejs code calls auth initialisation, which means it should pass
    in the event context from the web server. I punted on that. Needs fixing.

  - I used a NULL event context in dcom_get_pipe(). This is equivalent
    to what we did already, but should be fixed to use a callers event
    context. Jelmer, can you think of a clean way to do that?

I also cleaned up a couple of things:

 - libnet_context_destroy() makes no sense. I removed it.

 - removed some unused vars in various places
(This used to be commit 3a3025485b)
2007-10-10 13:18:15 -05:00
Andrew Bartlett
85e9412c47 r6565: Cludge, cludge, cludge...
We need to pass the 'secure channel type' to the NETLOGON layer, which
must match the account type.

(Yes, jelmer objects to this inclusion of the kitchen sink ;-)

Andrew Bartlett
(This used to be commit 8ee208a926)
2007-10-10 13:16:26 -05:00
Richard Sharpe
c46c6e23ba r6229: Back out these changes ...
(This used to be commit 321fbae512)
2007-10-10 13:11:28 -05:00
Richard Sharpe
66a3750b14 r6219: This change allows us to fall back to authenticating without
DCERPC_SCHANNEL_128 if we fail. Thus, it allows us to work with Windows
NT DCs ...
(This used to be commit 3034b22670)
2007-10-10 13:11:27 -05:00
Andrew Bartlett
2eb3d68062 r6028: A MAJOR update to intergrate the new credentails system fully with
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'.

GENSEC now no longer has it's own handling of 'set username' etc,
instead it uses cli_credentials calls.

In order to link the credentails code right though Samba, a lot of
interfaces have changed to remove 'username, domain, password'
arguments, and these have been replaced with a single 'struct
cli_credentials'.

In the session setup code, a new parameter 'workgroup' contains the
client/server current workgroup, which seems unrelated to the
authentication exchange (it was being filled in from the auth info).

This allows in particular kerberos to only call back for passwords
when it actually needs to perform the kinit.

The kerberos code has been modified not to use the SPNEGO provided
'principal name' (in the mechListMIC), but to instead use the name the
host was connected to as.  This better matches Microsoft behaviour,
is more secure and allows better use of standard kerberos functions.

To achieve this, I made changes to our socket code so that the
hostname (before name resolution) is now recorded on the socket.

In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now
in libcli/auth/schannel.c, and it looks much more like a standard
GENSEC module.  The actual sign/seal code moved to
libcli/auth/schannel_sign.c in a previous commit.

The schannel credentails structure is now merged with the rest of the
credentails, as many of the values (username, workstation, domain)
where already present there.  This makes handling this in a generic
manner much easier, as there is no longer a custom entry-point.

The auth_domain module continues to be developed, but is now just as
functional as auth_winbind.  The changes here are consequential to the
schannel changes.

The only removed function at this point is the RPC-LOGIN test
(simulating the load of a WinXP login), which needs much more work to
clean it up (it contains copies of too much code from all over the
torture suite, and I havn't been able to penetrate its 'structure').

Andrew Bartlett
(This used to be commit 2301a4b38a)
2007-10-10 13:11:15 -05:00
Andrew Bartlett
645711c602 r5941: Commit this patch much earlier than I would normally prefer, but metze needs a working tree...
The main volume of this patch was what I started working on today:
 - Cleans up memory handling around DCE/RPC pipes, to have a parent talloc context.
 - Uses sepereate inner loops for some of the DCE/RPC tests

The other and more important part of this patch fixes issues
surrounding the new credentials framwork:

This makes the struct cli_credentials always a talloc() structure,
rather than on the stack.  Parts of the cli_credentials code already
assumed this.

There were other issues, particularly in the DCERPC over SMB handling,
as well as little things that had to be tidied up before test_w2k3.sh
would start to pass.

Andrew Bartlett
(This used to be commit 0453f9d05d)
2007-10-10 13:11:11 -05:00
Jelmer Vernooij
05bc2d7b2c r5928: Use cli_credentials in:
- gtk+ (returned by GtkHostBindingDialog as well now)
 - torture/
 - librpc/
 - lib/com/dcom/
(This used to be commit ccefd78233)
2007-10-10 13:11:08 -05:00
Andrew Bartlett
df64302213 r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.

With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind.  This changes a lot of files, and these will again
be changed when jelmer does the credentials work.

I also correct some schannel IDL to distinguish between workstation
names and account names.  The distinction matters for domain trust
accounts.

Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.

In the schannel DB, we now store both the domain and computername, and
query on both.  This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.

In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.

This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.

The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.

The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests.  This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.

In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL.  This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc2)
2007-10-10 13:11:07 -05:00