sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-10-18 19:33:16 +03:00
Code Activity
131,131 Commits 64 Branches 1,177 Tags
d167b80dc729f8c8caf7052a3494433f9764b72c
Commit Graph

614 Commits

Author SHA1 Message Date
Volker Lendecke
d167b80dc7 smbXcli: Pass negotiate contexts through smbXcli_negprot_send/recv 
We already don't allow setting max_credits in the sync wrapper, so
omit the contexts there as well.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Aug 26 19:54:03 UTC 2022 on sn-devel-184

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15346

(cherry picked from commit 4ddd277c0b)
 2023-08-15 08:00:08 +00:00
Stefan Metzmacher
c17f4256e5 CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos 
We should not send NTLM[v2] nor plaintext data on the wire if the user
asked for kerberos only.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444

Signed-off-by: Stefan Metzmacher <metze@samba.org>
 2021-11-09 19:45:34 +00:00
Stefan Metzmacher
289b7a1595 s3:libsmb: close the temporary IPC$ connection in cli_full_connection() 
We don't need the temporary IPC$ connection used for the
SMB1 UNIX CIFS extensions encryption setup anymore,
so we can also let the server close it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14793

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Aug 11 23:03:11 UTC 2021 on sn-devel-184
 2021-08-11 23:03:11 +00:00
Andreas Schneider
b18fa931f3 s3:libsmb: Check return code of cli_credentials_set_conf() 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-06-29 02:19:35 +00:00
Andreas Schneider
2fbc63cacc auth:creds: Add obtained arg to cli_credentials_set_gensec_features() 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-04-28 03:43:34 +00:00
Andreas Schneider
521f77c667 auth:creds: Add obtained arg to cli_credentials_set_kerberos_state() 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2021-04-28 03:43:34 +00:00
Andreas Schneider
78c4043a28 s3:libsmb: Pass cli_credentials to get_ipc_connect_master_ip() 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
 2021-01-13 20:28:34 +00:00
Andreas Schneider
be18d600f7 s3:libsmb: Pass cli_credentials to get_ipc_connect() 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
 2021-01-13 20:28:34 +00:00
Björn Baumbach
76121ae7cf s3:libsmb: set correct min and max smb protocol when smb2 is enforced on connect 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14105

Pair-programmed-with: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Björn Baumbach <bb@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2020-12-17 13:59:38 +00:00
Björn Baumbach
f40da74e14 s3:libsmb: set min smb protocol when enforcing smb1 on connect 
Otherwise the connect fails if the configured client min protocol is
higher than NT1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14105

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2020-12-17 13:59:37 +00:00
Andreas Schneider
1298280a22 auth:creds: Rename CRED_USE_KERBEROS values 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
 2020-11-03 15:25:37 +00:00
Noel Power
b95eea6b29 s3: libsmb: Cleanup - ensure we initialize all stack variables to 'safe' values when calling resolve_name_list() 
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2020-09-07 13:23:39 +00:00
Stefan Metzmacher
8a5bc0a6a1 s3:libsmb: Add encryption support to cli_full_connection_creds*() 
Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2020-08-19 16:22:42 +00:00
Andreas Schneider
ba04151a01 s3:libsmb: Remove signing_state from cli_full_connection_creds() 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2020-08-19 16:22:42 +00:00
Andreas Schneider
886f245ace s3:libsmb: Remove signing_state from cli_full_connection_creds_send() 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2020-08-19 16:22:42 +00:00
Andreas Schneider
62a4705dbc s3:libsmb: Use 'enum smb_signing_setting' in cliconnect.c 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2020-08-19 16:22:42 +00:00
Andreas Schneider
c58a301c27 s3:libsmb: Introduce CLI_FULL_CONNECTION_IPC 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2020-08-19 16:22:41 +00:00
Andreas Schneider
accbd9ee1c Revert "s3:libsmb: add a cache for cli_session_creds_prepare_krb5()" 
This reverts commit b458f8fbb7.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jun 10 10:10:16 UTC 2020 on sn-devel-184
 2020-06-10 10:10:15 +00:00
Stefan Metzmacher
b458f8fbb7 s3:libsmb: add a cache for cli_session_creds_prepare_krb5() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
 2020-06-09 16:02:59 +00:00
Volker Lendecke
2c6138f47d libsmb: Remove clistr_pull_talloc() 
This was just a 1:1 wrapper around pull_string_talloc()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2020-05-28 19:11:38 +00:00
Stefan Metzmacher
bae35ebcf3 s3:libsmb: remove finally unused credential flags 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu May 28 08:04:12 UTC 2020 on sn-devel-184
 2020-05-28 08:04:12 +00:00
Stefan Metzmacher
0de5c488ed s3:libsmb: remove unused cli_full_connection() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2020-05-28 06:43:39 +00:00
Stefan Metzmacher
2465301226 s3:libsmb: make use of get_cmdline_auth_info_creds() in get_ipc_connect() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2020-05-28 06:43:38 +00:00
Volker Lendecke
aa22ae6b40 libsmb: Slightly simplify get_ipc_connect() 
No else required with an early return

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2020-04-18 02:29:34 +00:00
Volker Lendecke
67b097b823 libsmb: Move get_ipc_connect_master_ip_bcast() to smbtree.c 
... the only user

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
 2020-04-08 14:46:40 +00:00
Stefan Metzmacher
c403fa1a7f krb5_wrap: move source3/libads/krb5_errs.c to lib/krb5_wrap/krb5_errs.c 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2020-02-10 16:32:37 +00:00
Andreas Schneider
7e36de99d7 s3:libsmb: Do not check the SPNEGO neg token for KRB5 
The list is not protected and this could be a downgrade attack.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106

Pair-Programmed-With: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2019-10-12 14:33:32 +00:00
Noel Power
ee6300470d s3/libsmb: clang: Fix 'Value stored during its initialization is never read' 
Fixes:

source3/libsmb/cliconnect.c:1877:11: warning: Value stored to 'status' during its initialization is never read <--[clang]
        NTSTATUS status = NT_STATUS_NO_MEMORY;

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2019-09-30 23:12:41 +00:00
Noel Power
18e2d6b009 s3/libsmb: clang: Fix 'warning: Value stored to 'p' is never read' 
Fixes:

source3/libsmb/cliconnect.c:649:2: warning: Value stored to 'p' is never read <--[clang]
        p += ret;
        ^    ~~~

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Sep 26 19:59:24 UTC 2019 on sn-devel-184
 2019-09-26 19:59:24 +00:00
Stefan Metzmacher
6ed18c12c5 s3:libsmb: let cli_session_creds_prepare_krb5() update the canonicalized principal to cli_credentials 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2019-09-24 18:30:37 +00:00
Stefan Metzmacher
361fb0efab s3:libsmb: avoid wrong debug message in cli_session_creds_prepare_krb5() 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2019-09-24 18:30:37 +00:00
Mathieu Parent
a59e0ec895 Spelling fixes s/hierachy/hierarchy/ 
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
 2019-09-01 22:21:26 +00:00
Andreas Schneider
011a47f04d s3:libsmb: Add some useful debug output to cliconnect 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2019-04-02 01:12:09 +00:00
Aurelien Aptel
584dfc15fd libsmb,s3/smbd: dump SMB3+ session keys if debug parm is set 
Use of previously added smb.conf global param.

Sample usage:

$ smbclient //localhost/scratch --option='debugencryption=yes' \
                                 -e -mSMB3 -U aaptel%aaptel -c quit
debug encryption: dumping generated session keys
Session Id    [0000] 26 48 BF FD 00 00 00 00                             &H......
Session Key   [0000] 63 D6 CA BC 08 C8 4A D2   45 F6 AE 35 AB 4A B3 3B   c.....J. E..5.J.;
Signing Key   [0000] 4E FE 35 92 AC 13 14 FC   C9 17 62 B1 82 20 A4 12   N.5..... ..b.. ..
App Key       [0000] A5 0F F4 8B 2F FB 0D FF   F2 BF EE 39 E6 6D F5 0A   ..../... ...9.m..
ServerIn Key  [0000] 2A 02 7E E1 D3 58 D8 12   4C 63 76 AE 59 17 5A E4   *.~..X.. Lcv.Y.Z.
ServerOut Key [0000] 59 F2 5B 7F 66 8F 31 A0   A5 E4 A8 D8 2F BA 00 38   Y.[.f.1. ..../..8

We can now simply pass -ouat:smb2_seskey_list:<sesid>,<seskey> to
wireshark or tshark:

$ tshark -ouat:smb2_seskey_list:2648BFFD00000000,63D6CABC08C84AD245F6AE35AB4AB33B \
          -Y smb2 -r capture.pcap -Tfields -e _ws.col.Info
Negotiate Protocol Response
Negotiate Protocol Request
Negotiate Protocol Response
Session Setup Request, NTLMSSP_NEGOTIATE
Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
Session Setup Request, NTLMSSP_AUTH, User: WORKGROUP\aaptel
Session Setup Response
Tree Connect Request Tree: \\localhost\IPC$
Tree Connect Response
Decrypted SMB3;Ioctl Request FSCTL_DFS_GET_REFERRALS, File: \localhost\scratch
Decrypted SMB3;Ioctl Response, Error: STATUS_NOT_FOUND
Decrypted SMB3;Tree Disconnect Request
Decrypted SMB3;Tree Disconnect Response
Decrypted SMB3;Tree Connect Request Tree: \\localhost\scratch
Decrypted SMB3;Tree Connect Response
Decrypted SMB3;Tree Disconnect Request
Decrypted SMB3;Tree Disconnect Response

For more info on Wireshark decryption support see
https://wiki.samba.org/index.php/Wireshark_Decryption

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Noel Power <npower@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Sat Feb  9 21:43:25 CET 2019 on sn-devel-144
 2019-02-09 21:43:25 +01:00
Volker Lendecke
f2e939b65b libads: Give krb5_errs.c its own header 
The protos were declared in lib/krb5_wrap but the functions are not
available there.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2018-11-27 07:13:14 +01:00
Volker Lendecke
39bdd175e9 libsmb: Give namequery.c its own header 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2018-04-11 01:06:39 +02:00
Stefan Metzmacher
e039e9b0d2 s3:cliconnect.c: remove useless ';' 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2018-02-22 23:15:16 +01:00
Stefan Metzmacher
0786a65cab s3:libsmb: allow -U"\\administrator" to work 
cli_credentials_get_principal() returns NULL in that case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2018-02-22 23:15:16 +01:00
Gary Lockyer
d11473b15d source3: remove sock_exec 
Remove the sock_exec code which is no longer needed and additionally has been
used by exploit code.

This was originally test support code, the tests relying on the sock_exec
code have been removed.

Past exploits have used sock_exec as a proxy for system() matching a talloc
destructor prototype.

See for example:
Exploit for Samba vulnerabilty (CVE-2015-0240) at
    https://gist.github.com/worawit/051e881fc94fe4a49295
    and the Red Hat post at
    https://access.redhat.com/blogs/766093/posts/1976553

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Nov 20 07:20:13 CET 2017 on sn-devel-144
 2017-11-20 07:20:13 +01:00
Andreas Schneider
6d7681c73d s3:libsmb: Print the kinit failed message with DBGLVL_NOTICE 
The default debug level of smbclient is set to 'log level = 1'. So we
need to use at least NOTICE to not get the message when we do not force
kerberos.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12704

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Aug 24 17:22:18 CEST 2017 on sn-devel-144
 2017-08-24 17:22:18 +02:00
Stefan Metzmacher
0f9d102460 s3:libsmb: let get_ipc_connect() use CLI_FULL_CONNECTION_FORCE_SMB1 
get_ipc_connect() is only used in code paths that require cli_NetServerEnum()
to work, so it must already require SMB1 only.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12876

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2017-08-19 01:41:24 +02:00
Stefan Metzmacher
0a81af6824 s3:libsmb: add CLI_FULL_CONNECTION_DISABLE_SMB1 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2017-06-22 13:07:41 +02:00
Stefan Metzmacher
5a05b0b169 s3:libsmb: add CLI_FULL_CONNECTION_FORCE_SMB1 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2017-06-22 13:07:40 +02:00
Stefan Metzmacher
8c4cef218a s3:libsmb: no longer pass remote_realm to cli_state_create() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2017-06-22 13:07:40 +02:00
Jeremy Allison
50f50256aa s3: libsmb: Correctly do lifecycle management on cli->smb1.tcon and cli->smb2.tcon. 
Treat them identically. Create them on demand after for a tcon call,
and delete them on a tdis call.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12831

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
 2017-06-17 06:39:20 +02:00
Stefan Metzmacher
e0069bd2a4 s3:libsmb: add cli_state_update_after_sesssetup() helper function 
This function updates cli->server_{os,type,domain} to valid values
after a session setup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12779

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2017-06-09 13:00:12 +02:00
Andreas Schneider
d18379fa00 Revert "s3:libsmb: Fix printing the session setup information" 
This reverts commit b6f87af427.

A different fix will follow.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12824

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2017-06-09 13:00:11 +02:00
Andreas Schneider
b6f87af427 s3:libsmb: Fix printing the session setup information 
This fixes a regression and prints the session setup on connect again:

Domain=[SAMBA-TEST] OS=[Windows 6.1] Server=[Samba 4.7.0pre1-DEVELOPERBUILD]
smb: \>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12824

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2017-06-07 05:15:16 +02:00
Stefan Metzmacher
f4424579a0 s3:libsmb: don't rely on gensec_session_key() to work on an unfinished authentication 
If smbXcli_session_is_guest() returns true, we should handle the authentication
as anonymous and don't touch the gensec context anymore.

Note that smbXcli_session_is_guest() always returns false, if signing is
required!

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2017-05-21 21:05:08 +02:00
Andreas Schneider
c0e196b223 s3:libsmb: Only print error message if kerberos use is forced 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12704

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Mar 21 14:25:54 CET 2017 on sn-devel-144
 2017-03-21 14:25:54 +01:00