IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
on. Fail if missmatch. Small format tidyups in smbd/sesssetup.c. Preparing
to add signing on server side.
Jeremy.
(This used to be commit c390b3e4cd68cfc233ddf14d139e25d40f050f27)
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
rpcclient -S pdc -U% -c "samlogon user password"
and it should work with the schannel. Needs testing against platforms
different from NT4SP6.
Volker
(This used to be commit eaef0d8aeff1aa5a067679be3f17e08d7434e1e8)
A much better SMB signing module, that allows for mulitple signing algorithms
and correctly backs down from signing when the server cannot sign the reply.
This also attempts to enable SMB signing on NTLMSSP connections, but I don't
know what NTLMSSP flags to set yet.
This would allow 'client use signing' to be set by default, for server
compatability. (A seperate option value should be provided for mandetory
signing, which would not back down).
Andrew Bartlett
(This used to be commit 1c87be7a3d127201a6ab78d22d17c971af16b86b)
- new kerberos code, allowing the account to change it's own password
without special SD settings required
- NTLMSSP client code, now seperated from cliconnect.c
- NTLMv2 client code
- SMB signing fixes
Andrew Bartlett
(This used to be commit 837680ca517982f2e5944730581a83012d4181ae)
samba domain.
The PDC must be running a special authenticaion module that spits out NT errors
based on username.
Andrew Bartlett
(This used to be commit adc7a6048c13342b79b6228beafb5142c50f318d)
libsmb has not been written to be setuid, with things like LIBSMB_PROG allowing
all sort of fun and games.
Andrew Bartlett
(This used to be commit 0c8e9339d8238de92e9146d04091694b62874c33)
NTLMSSP in cli_establish_connection()
What we really need to do is kill off the pwd_cache code. It is horrible,
and assumes the challenge comes in the negprot reply.
(This used to be commit 3f919b4360b3bfcc133f7d88bc5177e9d93f2db2)
loses things like username mapping. I wanted to get this in then
discuss it a bit to see how we want to split up the existing
session setup code
(This used to be commit b74fda69bf23207c26d8b2af23910d8f2eb89875)
activate you need to:
- install krb5 libraries
- run configure
- build smbclient
- run kinit to get a TGT
- run smbclient with the -k option to choose kerberos auth
(This used to be commit d33057585644e1337bac743e25ed7653bfb39eef)
major changes include:
- added NSTATUS type
- added automatic mapping between dos and nt error codes
- changed all ERROR() calls to ERROR_DOS() and many to ERROR_NT()
these calls auto-translate to the client error code system
- got rid of the cached error code and the writebmpx code
We eventually will need to also:
- get rid of BOOL, so we don't lose error info
- replace all ERROR_DOS() calls with ERROR_NT() calls
but that is too much for one night
(This used to be commit 83d9896c1ea8be796192b51a4678c2a3b87f7518)
out the error handling into a bunch of separate functions rather than all
being handled in one big function.
Fetch error codes from the last received packet:
void cli_dos_error(struct cli_state *cli, uint8 *eclass, uint32 *num);
uint32 cli_nt_error(struct cli_state *);
Convert errors to UNIX errno values:
int cli_errno_from_dos(uint8 eclass, uint32 num);
int cli_errno_from_nt(uint32 status);
int cli_errno(struct cli_state *cli);
Detect different kinds of errors:
BOOL cli_is_dos_error(struct cli_state *cli);
BOOL cli_is_nt_error(struct cli_state *cli);
BOOL cli_is_error(struct cli_state *cli);
This also means we now support CAP_STATUS32 as we can decode and understand
NT errors instead of just DOS errors. Yay!
Ported a whole bunch of files in libsmb to use this new API instead of the
just the DOS error.
(This used to be commit 6dbdb0d813f3c7ab20b38baa1223b0b479aadec9)
enabled by default
you can disable it by setting the environment variable CLI_FORCE_ASCII
(This used to be commit 4d59c08c5e6f54c0d6ced7650750cb987e77b6c9)
I've currently got this code disabled by default as it is
incomplete. You enable it by setting a USE_UNICODE environment
variable. Once the support is complete this check will be removed and
the CAP_UNICODE capability bit will be the sole determination of
whether the client library code uses unicode
right now I have converted session_setup and tconx. I will do more fns
over the next few days.
see clistr.c for the new client side string interface. Luckily it
tends to make the code smaller and neater while adding unicode
support.
(This used to be commit e1a04e621f1c28d8e6e543d43741ca0272e2237f)
in fixes from appliance-head and 2.2. Fixed multiple connection.tdb open
problem.
Jeremy.
(This used to be commit 0a40bc83e14c69a09948ec09bb6fc5026c4f4c14)
a byte range lock (write lock only, but Win2k breaks on read lock also so I
do the same) - if you think about why, this is obvious. Also fixed our client
code to do level II oplocks, if requested, and fixed the code where we would
assume the client wanted level II if it advertised itself as being level II
capable - it may not want that.
Jeremy.
(This used to be commit 213cd0b5192307cd4b0026cae94b2f52fb1b0c02)
in the RPC code. This change was prompted by trying to save a long (>256)
character comment in the printer properties page.
The new system associates a TALLOC_CTX with the pipe struct, and frees
the pool on return of a complete PDU.
A global TALLOC_CTX is used for the odd buffer allocated in the BUFFERxx
code, and is freed in the main loop.
This code works with insure, and seems to be free of memory leaks and
crashes (so far) but there are probably the occasional problem with
code that uses UNISTRxx structs on the stack and expects them to contain
storage without doing a init_unistrXX().
This means that rpcclient will probably be horribly broken.
A TALLOC_CTX also needed associating with the struct cli_state also,
to make the prs_xx code there work.
The main interface change is the addition of a TALLOC_CTX to the
prs_init calls - used for dynamic allocation in the prs_XXX calls.
Now this is in place it should make dynamic allocation of all RPC
memory on unmarshall *much* easier to fix.
Jeremy.
(This used to be commit 0ff2ce543ee54f7364e6d839db6d06e7ef1edcf4)
semi-connection and a rpcclient prompt, but no functionality there yet.
Will be a few more days on that.
These files changed only with the addition of some support functions
from TNG
--jerry
(This used to be commit a04ea15f723e559db3c60bed03318cc7be851f69)
the next step is splitting out the auth code, to make adding lukes
NTLMSSP support easier
(This used to be commit 10c5470835b43116ed48b3137c3b9cc867a20989)
assumption that we have one socket everywhere
while doing so I discovered a few bugs!
1) the clientgen session retarget code if used from smbd or nmbd would
cause a crash as it called close_sockets() which closed our main
socket! fixed by removing close_sockets() completely - it is unnecessary
2) the caching in client_addr() and client_name() was bogus - it could
easily get fooled and give the wrong result. fixed.
3) the retarget could could recurse, allowing an easy denial of
service attack on nmbd. fixed.
(This used to be commit 5937ab14d222696e40a3fc6f0e6a536f2d7305d3)
