1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-27 03:21:53 +03:00
Commit Graph

122 Commits

Author SHA1 Message Date
Kai Blin
a8209904a5 ntlm_auth: Parse configfile after parsing it's location, not before.
(This used to be commit cf671ca35b)
2008-01-31 09:42:18 +01:00
Kai Blin
b133f5ac0a ntlm_auth: Get rid of statics in manage_squid_ntlmssp_request
(This used to be commit 97768628f5)
2008-01-19 13:16:24 +01:00
Kai Blin
4b05fd29e6 ntlm_auth: Rewrite manage_client_ntlmssp_request without statics.
(This used to be commit af43842622)
2008-01-19 13:16:24 +01:00
Kai Blin
40db1a1625 nltm_auth: Use struct ntlm_auth_state in helper functions.
Now rewriting the helpers one after the other can start.
(This used to be commit 2479a0c3ad)
2008-01-19 13:16:24 +01:00
Kai Blin
83f30d72e0 ntlm_auth: Prepare for a deeper rewrite of the helper functions
(This used to be commit f8243d1913)
2008-01-19 13:16:24 +01:00
Kai Blin
f22a29e1bd ntlm_auth: Dynamically allocate the read buffer.
This ports over my changes from Samba4
(This used to be commit 4a475baf26)
2008-01-19 13:16:23 +01:00
Kai Blin
805caafd44 util_str: Don't return memory from talloc_tos(), use mem_ctx instead.
(This used to be commit ab0ee6e9a6)
2008-01-19 02:20:16 +01:00
Jeremy Allison
43717a16e2 Fix CID 476. Ensure a valid pac_data pointer is always passed to
ads_verify_ticket as it's always derefed.
Jeremy.
(This used to be commit 0599d57eff)
2008-01-11 23:53:27 -08:00
Jeremy Allison
7faee02d0d Remove the char[1024] strings from dynconfig. Replace
them with malloc'ing accessor functions. Should save a
lot of static space :-).
Jeremy.
(This used to be commit 52dc5eaef2)
2007-12-10 11:30:37 -08:00
Jeremy Allison
adf6d848de Getting to the home stretch for elimination of pstrings...
Jeremy.
(This used to be commit 0411635511)
2007-12-03 18:48:41 -08:00
Jeremy Allison
90b8a7c8fe Add talloc stackframe for ntlm_auth.c
Jeremy.
(This used to be commit 6f9c2910bd)
2007-11-20 19:17:47 -08:00
Volker Lendecke
62b97b0156 Make base64_encode_data_blob return a talloced string
(This used to be commit 5f205ab48d)
2007-11-09 15:12:30 +01:00
Jeremy Allison
30191d1a57 RIP BOOL. Convert BOOL -> bool. I found a few interesting
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.
(This used to be commit f35a266b3c)
2007-10-18 17:40:25 -07:00
Stefan Metzmacher
28d076d20f r25143: rename public functions from winbind_client.h
init_request	=> winbindd_init_request
free_response	=> winbindd_free_response
read_reply	=> winbindd_read_reply

write_sock	=> winbind_write_sock
read_sock	=> winbind_read_sock
close_sock	=> winbind_close_sock(void)

metze
(This used to be commit 8a95d7a7ed)
2007-10-10 12:30:45 -05:00
Andrew Tridgell
5e54558c6d r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text
(This used to be commit b0132e94fc)
2007-10-10 12:28:22 -05:00
Jeremy Allison
d824b98f80 r23779: Change from v2 or later to v3 or later.
Jeremy.
(This used to be commit 407e6e695b)
2007-10-10 12:28:20 -05:00
Gerald Carter
4caefdf348 r23474: Here's a small patch that disables the libkrb5.so replay cache
when verifying a ticket from winbindd_pam.c.

I've found during multiple, fast, automated SSH logins (such
as from a cron script) that the replay cache in MIT's krb5
lib will occasionally fail the krb5_rd_req() as a replay attack.

There seems to be a small window during which the MIT krb5
libs could reproduce identical time stamps for ctime and cusec
in the authenticator since Unix systems only give back
milli-seconds rather than the micro-seconds needed by the
authenticator.  Checked against MIT 1.5.1.  Have not
researched how Heimdal does it.

My thinking is that if someone can spoof the KDC and TDS
services we are pretty hopeless anyways.
(This used to be commit cbd33da9f7)
2007-10-10 12:23:19 -05:00
Volker Lendecke
b4a7b7a888 r22844: Introduce const DATA_BLOB data_blob_null = { NULL, 0, NULL }; and
replace all data_blob(NULL, 0) calls.
(This used to be commit 3d3d61687e)
2007-10-10 12:22:01 -05:00
Stefan Metzmacher
56ba447668 r22001: change prototype of dump_data(), so that it takes unsigned char * now,
which matches what samba4 has.

also fix all the callers to prevent compiler warnings

metze
(This used to be commit fa322f0cc9)
2007-10-10 12:18:59 -05:00
Jeremy Allison
9f8e8e1aac r21663: Fix from the Wine guys: Robert Shearman <rob@codeweavers.com>
The background behind this patch is that we're using ntlm_auth with
Wine. Windows allows us to pass in a NULL domain and a username of the
form of "user@domain" and this is converted into an NTLMSSP_AUTH packet
with a NULL domain name and a username of the same form.
Jeremy.
(This used to be commit 32b040fe05)
2007-10-10 12:18:22 -05:00
Günther Deschner
69cee2a3ec r21240: Fix longstanding Bug #4009.
For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".

Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).

Guenther
(This used to be commit 7e1a84b722)
2007-10-10 12:17:50 -05:00
Gerald Carter
6ff9007252 r21010: fix the pstring change in ntlm_auth for require-membership-of in ntlm_auth
(This used to be commit 2d877e41d1)
2007-10-10 12:17:26 -05:00
Volker Lendecke
6655e1e997 r18029: More C++ stuff
(This used to be commit 089b51e28c)
2007-10-10 11:43:23 -05:00
Jeremy Allison
56fc287080 r17984: Ensure we never indirect a null opt_username if it wasn't
specified.
Jeremy.
(This used to be commit 5d9bb91ab7)
2007-10-10 11:39:45 -05:00
Jeremy Allison
f5cc2b4807 r17981: Hmmm. Don't break helper functions that don't need
the username by forcing it to be specified. Still
split out domain \ user for the ones that do use
it.
Jeremy.
(This used to be commit c097e10739)
2007-10-10 11:39:45 -05:00
Jeremy Allison
037eac7065 r17979: Make ntlm_auth more intelligent about figuring out it's
domain and user args. if only given a parameter of the
form --username DOMAIN\user. When called by firefox
or other user apps they may not know what the domain
is (and they don't care). They just want to pass the
contents of $USERNAME without having to parse it
or guess a domain.
Jeremy.
(This used to be commit 5f51417916)
2007-10-10 11:39:45 -05:00
Jeremy Allison
3247b4f15a r17921: Comment is obsolte. This is now implemented in winbindd.
Jeremy.
(This used to be commit 37c636eb48)
2007-10-10 11:38:59 -05:00
Jeremy Allison
364cb7f71a r17903: Fix null deref caught by Stanford checker. Don't
call ntlmssp_end on a null pointer ! (Doh !).
Jeremy.
(This used to be commit 7b53932b51)
2007-10-10 11:38:58 -05:00
Jeremy Allison
b41e14abfd r17610: Added the ability for firefox to drive the winbindd
ntlm_auth module to allow it to use winbindd cached
credentials.The credentials are currently only stored
in a krb5 MIT environment - we need to add an option to
winbindd to allow passwords to be stored even in an NTLM-only
environment.
Patch from Robert O'Callahan, modified with some fixes
by me.
Jeremy.
(This used to be commit ae7cc298a1)
2007-10-10 11:38:43 -05:00
Volker Lendecke
175aa92e9e r17446: Fix some C++ warnings and two memleaks found by Coverity, IDs 304 and 305.
Volker
(This used to be commit 4f6605a488)
2007-10-10 11:38:34 -05:00
Andrew Bartlett
fe348fdb28 r17216: From Kai Blin <kai.blin@gmail.com>:
A patch to make ntlm_auth recognize three new commands in
ntlmssp-client-1 and squid-2.5-ntlmssp:

The commands are the following:

Command: SF <hex number>
Reply: OK
Description: Takes feature request flags similar to samba4's
gensec_want_feature() call. So far, only NTLMSSP_FEATURE_SESSION_KEY,
NTLMSSP_FEATURE_SIGN and NTLMSSP_FEATURE_SEAL are implemented, using the same
values as the corresponding GENSEC_FEATURE_* flags in samba4.

Command: GF
Reply: GF <hex number>
Description: Returns the negotiated flags.

Command: GK
Reply: GK <base64 encoded session key>
Description: Returns the negotiated session key.

(These commands assist a wine project to use ntlm_auth for signing and
sealing of bulk data).

Andrew Bartlett
(This used to be commit bd3e06a0e4)
2007-10-10 11:38:19 -05:00
Andrew Bartlett
0dc8f720e1 r17005: Add a new helper mode to ntlm_auth: ntlm-change-password-1
This mode proxies pre-calculated blobs from a remote (probably VPN)
client into the domain.  This allows clients to change their password
over a PPTP connection (where they would not be able to connect to
SAMR directly).

The precalculated blobs do not reveal the plaintext password.

Original patch by Alexey Kobozev <cobedump@gmail.com>
(This used to be commit 967292b713)
2007-10-10 11:19:17 -05:00
Jeremy Allison
fbdcf2663b r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need
to do the upper layer directories but this is what
everyone is waiting for....

Jeremy.
(This used to be commit 9dafb7f48c)
2007-10-10 11:19:14 -05:00
Günther Deschner
f777697508 r15523: Honour the time_offset also when verifying kerberos tickets. This
prevents a nasty failure condition in winbindd's pam_auth where a tgt
and a service ticket could have been succefully retrieved, but just not
validated.

Guenther
(This used to be commit a75dd80c62)
2007-10-10 11:16:55 -05:00
Gerald Carter
8c9eb7631e r15053: fix portabilities issues between 32-bit winbind clients and a 64-bit winbindd server
(This used to be commit a95d11345e)
2007-10-10 11:16:00 -05:00
Günther Deschner
485a286a65 r14585: Tighten argument list of kerberos_kinit_password again,
kerberos_kinit_password_ext provides access to more options.

Guenther
(This used to be commit afc519530f)
2007-10-10 11:15:38 -05:00
Volker Lendecke
4479d1b061 r14033: Fix Coverity bug # 126
(This used to be commit bb6d678575)
2007-10-10 11:11:06 -05:00
Gerald Carter
fb5362c069 r13571: Replace all calls to talloc_free() with thye TALLOC_FREE()
macro which sets the freed pointer to NULL.
(This used to be commit b65be8874a)
2007-10-10 11:10:14 -05:00
Gerald Carter
0af1500fc0 r13316: Let the carnage begin....
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed)
2007-10-10 11:06:23 -05:00
Derrell Lipman
9c15bd311d r13212: r12414@cabra: derrell | 2006-01-28 17:52:17 -0500
lp_load() could not be called multiple times to modify parameter settings based
 on reading from multiple configuration settings.  Each time, it initialized all
 of the settings back to their defaults before reading the specified
 configuration file.

 This patch adds a parameter to lp_load() specifying whether the settings should
 be initialized.  It does, however, still force the settings to be initialized
 the first time, even if the request was to not initialize them.  (Not doing so
 could wreak havoc due to uninitialized values.)
(This used to be commit f2a24de769)
2007-10-10 11:06:18 -05:00
Jeremy Allison
c8f28c92a7 r12555: Fix more load_case_table swegfaults. Arggg.
What I'd give for a global constructor...
Jeremy.
(This used to be commit c970d7d0a5)
2007-10-10 11:05:59 -05:00
Jeremy Allison
fcceedd67c r11573: Adding Andrew Bartlett's patch to make machine account
logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes
the auth module interface to 2 (from 1). The effect of this is
that clients can access resources as a machine account if they
set these flags. This is the same as Windows (think of a VPN
where the vpn client authenticates itself to a VPN server
using machine account credentials - the vpn server checks
that the machine password was valid by performing a machine
account check with the PDC in the same was as it would a
user account check. I may add in a restriction (parameter)
to allow this behaviour to be turned off (as it was previously).
That may be on by default.
Andrew Bartlett please review this change carefully.
Jeremy.
(This used to be commit d1caef8663)
2007-10-10 11:05:20 -05:00
Jeremy Allison
a5b339c799 r11232: Added ab's POSIX statvfs vfs call. Sorry for the delay ab.
Jeremy.
(This used to be commit af85458067)
2007-10-10 11:05:08 -05:00
Jeremy Allison
8d7c886671 r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4
x86_64 box.
Jeremy.
(This used to be commit d720867a78)
2007-10-10 11:05:02 -05:00
Gerald Carter
54abd2aa66 r10656: BIG merge from trunk. Features not copied over
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d7)
2007-10-10 11:04:48 -05:00
Volker Lendecke
db8c38340b r9198: Convert hex_encode and strhex_to_data_blob to take a talloc context.
Volker
(This used to be commit c7d10e2c83)
2007-10-10 11:00:27 -05:00
Jeremy Allison
19ca97a70f r7882: Looks like a large patch - but what it actually does is make Samba
safe for using our headers and linking with C++ modules. Stops us
from using C++ reserved keywords in our code.
Jeremy
(This used to be commit 9506b8e145)
2007-10-10 10:58:00 -05:00
Gerald Carter
2d6e5ad90f r6450: * fix typo in htlm_auth help message
* add synonym for idmap_rid in better lining with
  other idmap backend names
* remove old debug messages when idmap {uid|gid} options
  are not defined
(This used to be commit 03ebf3ebfe)
2007-10-10 10:56:41 -05:00
Tim Potter
d9fc4d8a8a r4259: Fix cast in SMB_XMALLOC_ARRAY. Bugzilla #2168.
(This used to be commit 0c3bb181e8)
2007-10-10 10:53:40 -05:00
Jeremy Allison
acf9d61421 r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation
functions so we can funnel through some well known functions. Should help greatly with
malloc checking.
HEAD patch to follow.
Jeremy.
(This used to be commit 620f2e608f)
2007-10-10 10:53:32 -05:00