1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

1286 Commits

Author SHA1 Message Date
Günther Deschner
807628ecac s3-rpc: remove unused source3/librpc/rpc/rpc_common.c
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Sep 20 14:57:06 CEST 2013 on sn-devel-104
2013-09-20 14:57:06 +02:00
Günther Deschner
639f60b151 s3-rpc_cli: remove unused schannel calls from dcerpc_helpers.c
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-09-19 11:09:49 +02:00
Günther Deschner
5a628490e4 s3-rpc: use gensec for schannel footer processing.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-09-19 11:09:44 +02:00
Volker Lendecke
7d91ffc6fd smbd: Fix flawed share_mode_stale_pid API
The comment for this routine said:

> Modifies d->num_share_modes, watch out in routines iterating over
> that array.

Well, it turns out that *every* caller of this API got it wrong. So I
think it's better to change the routine.

This leaves the array untouched while iterating but filters out the
deleted ones while saving them back to disk.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2013-09-03 17:13:53 +02:00
Volker Lendecke
696bc569b1 smbd: Don't store in-memory only flags in locking.tdb
Hey, pidl knows the [skip] attribute ... :-)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2013-09-03 17:13:53 +02:00
Stefan Metzmacher
71c63e85e7 auth/gensec: introduce gensec_internal.h
We should treat most gensec related structures private.

It's a long way, but this is a start.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:02 +02:00
Stefan Metzmacher
a36ccdc83e s3:dcerpc_helpers: remove unused DEBUG message of schannel_state->seq_num.
This is a layer violation and not needed anymore as we know
how the seqnum handling works now.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:18:58 +02:00
Stefan Metzmacher
9f2e81ae02 libcli/auth: maintain the sequence number for the NETLOGON SSP as 64bit
See [MS-NPRC] 3.3.4.2 The Netlogon Signature Token.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:18:56 +02:00
Günther Deschner
c11a79c5a0 s3: libnet_join: add admin_domain.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2013-08-05 10:30:00 +02:00
Günther Deschner
9b4fb5b074 s3-rpc_cli: pass down ndr_interface_table to rpc_pipe_open_ncalrpc().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2013-08-05 10:29:59 +02:00
Volker Lendecke
78d4bdc0b8 smbd: Obsolete MSG_SMB_OPEN_RETRY
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-04-26 15:17:22 -07:00
Volker Lendecke
234edb525d smbd: Obsolete MSG_SMB_BREAK_RESPONSE
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-04-26 15:17:21 -07:00
Gregor Beck
1ed22ba4b7 s3:smbd: add a scavenger process for disconnected durable handles
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Gregor Beck <gbeck@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2013-04-18 13:15:13 +02:00
Michael Adam
aa77161871 s3:winbindd: remove wbint_Sid2Gid from the wbint.idl
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:26 +01:00
Michael Adam
8b73556e3f s3:winbindd: remove wbint_Sid2Uid() from the wbint.idl
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:26 +01:00
Michael Adam
28e7d73bdc s3:winbindd: use struct unixid instead of uint64 in Sids2Xids parent<->child
This implicitly also hands the type of the resulting unix-id that the idmap
backend has created back to the caller. This is important for backends that
would set a broader type than the requested one, e.g. rid backend returning
BOTH instead of UID or GID.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-03 08:48:22 +01:00
Stefan Metzmacher
6b123607c8 s3:librpc: add support for PFC_FLAG_OBJECT_UUID when parsing packets (bug #9382)
Now the logic matches the one in dcerpc_read_ncacn_packet_done().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-11-20 17:37:19 +01:00
Michael Adam
a6726f9023 s3:open_files.idl: add stat-info to vfs_default_durable_cookie.
Pair-programmed-with: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-10-19 17:13:35 +02:00
Stefan Metzmacher
506249b863 s3:open_files.idl: add write_time specific stuff to vfs_default_durable_cookie
metze

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2012-10-19 15:25:17 +02:00
Stefan Metzmacher
7be7ec803f s3:smbXsrv.idl: add session_global_id to smbXsrv_tcon_global
This is required for some debugging tools like smbstatus.

metze

Signed-off-by: Michael Adam <obnox@samba.org>
2012-10-19 12:15:02 +02:00
Michael Adam
eabe4c8fc4 s3:vfs_default: add basic support for durable handle request and reconnect
We only grant durable handles for CIFS/SMB2 only access,
that means "kernel oplocks", "kernel share modes" and "posix locking"
need to be set to "no".

For now we also don't grant durable handles if delete on close
is active on the handle.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Pair-Programmed-With: Volker Lendecke <vl@samba.org>
2012-09-08 19:48:20 +02:00
Stefan Metzmacher
5e63494508 s3:smbXsrv.idl: add properties for durable handles to smbXsrv_open_global0
Pair-Programmed-With: Michael Adam <obnox@samba.org>

metze
2012-09-08 03:39:06 +02:00
Stefan Metzmacher
6f9610e618 smbXsrv.idl: add nonce_* to smbsrv_session
metze
2012-08-23 08:23:07 +02:00
Christof Schmitt
bd23c8f1ce s3-winbind: Return the DC name from DC_PING
The DC that was attempted to ping is useful for troubleshooting. Return
the DC name in the response to the wbclient.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-08-15 11:44:42 +10:00
Stefan Metzmacher
205185e88c s3:smbXsrv.idl: remove smbXsrv_*0 defines
This makes ctags more usable.

metze
2012-08-10 15:56:13 +02:00
Jeremy Allison
b70f23c2b5 Correctly check for errors in strlower_m() returns. 2012-08-09 12:08:18 -07:00
Stefan Metzmacher
8734887348 s3:smbXsrv.idl: add encryption_required to smbXsrv_tcon_global0
metze
2012-08-09 08:21:35 +02:00
Stefan Metzmacher
8e1c6d4232 s3:rpc_client: rename pipe_auth_data->user_session_key to transport_session_key
metze
2012-08-01 14:17:15 +02:00
Andrew Bartlett
f3562424b6 lib/param: Move all enum declarations to lib/param
This is in preperation for the parameter table being made common.

Andrew Bartlett

Pair-Programmed-With: Andrew Tridgell <tridge@samba.org>
2012-07-24 11:01:17 +02:00
Stefan Metzmacher
9c8e2b5af0 s3:smbXsrv.idl: add smbXsrv_open* structures
struct smbXsrv_open will represent a SMB 1 or SMB 2
open file handle, while 'files_struct' will be changed
to handle just the protocol independent glue for the SMB_VFS layer.

Note: the format is not stable yet, we need to add more things
      when we start to support durable handles.

metze
2012-06-29 19:11:04 +02:00
Stefan Metzmacher
9f2c89cbea s3:smbXsrv.idl: add smbXsrv_session_close*
metze
2012-06-25 20:55:07 +02:00
Stefan Metzmacher
da40aa0e68 s3:messaging.idl: define MSG_SMBXSRV_SESSION_CLOSE
metze
2012-06-25 20:55:07 +02:00
Stefan Metzmacher
463b308f16 s3:smbd: make use of smbXsrv_tcon and smbXsrv_session for smb2
The removes the protocol specific smbd_smb2_session and
smbd_smb2_tcon.

Pair-Programmed-With: Michael Adam <obnox@samba.org>

metze
2012-06-25 20:55:06 +02:00
Stefan Metzmacher
80f9abf637 s3:smbXsrv.idl: add smbXsrv_tcon* structures
struct smbXsrv_tcon will represent a SMB 1 or SMB 2
tree connect. It will replace 'struct smbd_smb2_tcon' and
'connection_struct' will be changed to handle just the protocol
independent glue for the SMB_VFS layer.

metze
2012-06-25 20:55:06 +02:00
Stefan Metzmacher
5b3c07fa89 s3:smbXsrv.idl: add smbXsrv_session* structures
struct smbXsrv_session will represent a SMB 1 or SMB 2
session. It will replace 'struct smbd_smb2_session' and
'user_struct' will be changed to handle just the protocol
independent glue for the SMB_VFS layer.

metze
2012-06-25 20:55:06 +02:00
Stefan Metzmacher
e09806000b s3:librpc/idl/smbXsrv.idl: add smbXsrv_version_* structures
metze
2012-06-25 20:55:05 +02:00
Stefan Metzmacher
47ddfe2e59 s3:librpc: add smbXsrv.idl
metze
2012-06-25 20:55:05 +02:00
David Disseldorp
ac7b60a17b s3-rpcclient: add fsrvp commands
fss_create_expose connects to an FSRVP server and negotiates the
creation and exposure of a share shadow-copy.
shadow-copies of multiple shares can be requested with a single
fss_create_expose request.

ddiss@plati:~> bin/rpcclient -k -U 'LURCH\administrator%password' \
                             ncacn_np:lutze[sign]
rpcclient $> fss_create_expose backup ro hyper
381884f2-b578-45ea-b8d2-cf82491f4011: shadow-copy set created
...
share hyper@{B6137E21-9CBB-4547-A21D-E7AD40D0874B} exposed as a snapshot
of \\lutze\hyper

fss_delete removes the shadow-copy share:
rpcclient $> fss_delete hyper 381884f2-b578-45ea-b8d2-cf82491f4011 \
                        b6137e21-9cbb-4547-a21d-e7ad40d0874

Shadow-copies can be created read-write or read-only.
Experimenting with Windows Server "8" beta, a recovery complete call is
required after creating a read-write (ATTR_AUTO_RECOVERY) shadow copy.
Otherwise subsequent creation requests fail with
FSRVP_E_SHADOW_COPY_SET_IN_PROGRESS.
2012-06-08 13:34:31 +02:00
Andreas Schneider
2b144531f1 gse: Use the smb_gss_oid_equal wrapper.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-05-23 17:51:51 +03:00
Alexander Bokovoy
2ddf89a2bc Introduce system MIT krb5 build with --with-system-mitkrb5 option.
System MIT krb5 build also enabled by specifying --without-ad-dc

When --with-system-mitkrb5 (or --withou-ad-dc) option is passed to top level
configure in WAF build we are trying to detect and use system-wide MIT krb5
libraries. As result, Samba 4 DC functionality will be disabled due to the fact
that it is currently impossible to implement embedded KDC server with MIT krb5.

Thus, --with-system-mitkrb5/--without-ad-dc build will only produce
  * Samba 4 client libraries and their Python bindings
  * Samba 3 server (smbd, nmbd, winbindd from source3/)
  * Samba 3 client libraries

In addition, Samba 4 DC server-specific tests will not be compiled into smbtorture.
This in particular affects spoolss_win, spoolss_notify, and remote_pac rpc tests.
2012-05-23 17:51:50 +03:00
Stefan Metzmacher
bffa1c5547 s3:gse: implement gensec_gse_expire_time()
metze
2012-05-17 20:04:33 +02:00
Stefan Metzmacher
9ec866fb6c s3:gse: remember the expire time
metze
2012-05-17 20:04:31 +02:00
Volker Lendecke
d38a171a43 s3: Attempt to fix the build without kerberos
Autobuild-User: Volker Lendecke <vl@samba.org>
Autobuild-Date: Tue Apr 24 15:04:14 CEST 2012 on sn-devel-104
2012-04-24 15:04:13 +02:00
Simo Sorce
08c733d75f Make krb5 wrapper library common so they can be used all over 2012-04-23 19:20:38 -04:00
Michael Adam
499e7372be s3:id_cache: do not use the in-memory idmap cache (it is going to be removed)
This also removes the ID_CACHE_FLUSH message.
2012-04-20 23:17:36 +02:00
Volker Lendecke
99fa29ae09 s3-dbwrap: Add dbwrap_record_watch_send/recv
With this API you can asynchronously wait for a record to be modified
2012-04-19 22:24:18 +02:00
Volker Lendecke
843432d56f s3: New notify implementation
From notify_internal.c:

        /*
         * The notify database is split up into two databases: One
         * relatively static index db and the real notify db with the
         * volatile entries.
         */

This change is necessary to make notify scale better in a cluster
2012-04-17 10:21:02 +02:00
Simo Sorce
46ab219005 gse: Remove unnecessary header.
Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:43 +02:00
Simo Sorce
88d5d5c4b4 auth-krb: Nove oid packet check to gensec_util.
This is clearly a utiliy function generic to gensec.  Also the 3 callers
had identical implementations. Provide a generic implementation for all
of them and avoid duplicating the code everywhere.

Signed-off-by: Andreas Schneider <asn@samba.org>
2012-04-12 12:06:42 +02:00
Jeremy Allison
c10ed730d4 Second part of bugfix for bug #8837 - smbd crashes when deleting directory and veto files are enabled.
Store the 'struct security_token' as well as the 'struct security_unix_token'
inside the locking db when setting a delete on close.
2012-04-04 14:58:42 -07:00
Stefan Metzmacher
8d00fe57c2 s3:gse: fix debug message in gse_get_server_auth_token()
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Sat Mar 17 03:21:06 CET 2012 on sn-devel-104
2012-03-17 03:21:06 +01:00
Andrew Bartlett
49bb7f248a s3-krb5: Remove GSS_WRAP_IOV conditional
We already confirm that we have this functionality before we set HAVE_KRB5 at
configure time.

Andrew Bartlett
2012-03-15 09:29:02 +11:00
Jeremy Allison
21528da9cd Fix a bunch of "unused variable" warnings.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sat Feb 18 06:22:40 CET 2012 on sn-devel-104
2012-02-18 06:22:40 +01:00
Andrew Bartlett
674278d5b0 auth/kerberos: Move gse_get_session_key() to common code and use in gensec_gssapi
Thie ensures that both code bases use the same logic to determine the use
of NEW_SPNEGO.

Andrew Bartlett
2012-02-17 17:36:38 +11:00
Andrew Bartlett
a315350341 s3-gse: Allow kerberos key type OID to be optional 2012-02-17 17:36:37 +11:00
Andrew Bartlett
6088f44ed7 s3-gse: Fix OID to read for kerberos key type 2012-02-17 17:36:37 +11:00
Andrew Bartlett
05cf2d41cc s3-librpc: Remove backup declaration of GSS_C_DCE_STYLE
All our supported krb5 libs provide this.

Andrew Bartlett
2012-02-17 17:36:37 +11:00
Andrew Bartlett
9eb8f07fc4 s3-gse: Remove unused OID declaration 2012-02-17 17:36:37 +11:00
Andrew Bartlett
91c325bb70 s3-librpc: Remove gse_verify_server_auth_flags
gensec_update() ensures that DCE-style and sign/seal are negotiated correctly
for DCE/RPC pipes.  Also, the smb sealing client/server already check for the
gensec_have_feature().

This additional check just keeps causing trouble, and is 'protecting'
an already secure negoitated exchange.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Feb 16 21:19:44 CET 2012 on sn-devel-104
2012-02-16 21:19:44 +01:00
Andrew Bartlett
2b511f0e92 s3-librpc: Use gensec_spnego for DCE/RPC authentication
This ensures that we use the same SPNEGO code on session setup and on
DCE/RPC binds, and simplfies the calling code as spnego is no longer
a special case in cli_pipe.c

A special case wrapper function remains to avoid changing the
application layer callers in this patch.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-16 15:18:42 +01:00
Andrew Bartlett
5c9b6db68e s3-gse: Use the session key type, not the lucid context to set NEW_SPNEGO
Using gss_krb5_export_lucid_sec_context() is a problem with MIT krb5, as
it (reasonably, I suppose) invalidates the gssapi context on which it
is called.  Instead, we look to the type of session key which is
negotiated, and see if it not AES (or newer).

If we negotiated AES or newer, then we set GENSEC_FEATURE_NEW_SPENGO
so that we know to generate valid mechListMic values in SPNEGO.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-16 15:18:42 +01:00
Andrew Bartlett
1d0684c845 s3-librpc: Remove unused bool gensec_hook
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-02-16 15:18:42 +01:00
Stefan Metzmacher
01588585b1 s3:gse: return NT_STATUS_LOGON_FAILURE instead of NT_STATUS_INTERNAL_ERROR
This matches the behavior of ads_verify_ticket().

Note that ads_verify_ticket() calls krb5_to_nt_status(), but
as a server it's likely to always returns NT_STATUS_UNSUCCESSFUL.
ads_verify_ticket() maps NT_STATUS_UNSUCCESSFUL to NT_STATUS_LOGON_FAILURE.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Jan 26 10:48:36 CET 2012 on sn-devel-104
2012-01-26 10:48:36 +01:00
Stefan Metzmacher
0f039b196a s3-gse: add GENSEC_FEATURE_NEW_SPNEGO detection in gensec_gse_have_feature()
metze
2012-01-25 08:44:33 +01:00
Stefan Metzmacher
7fe189749e s3-gse: make sure GSS_C_CONF_FLAG implies GSS_C_INTEG_FLAG
metze
2012-01-20 23:55:54 +01:00
Stefan Metzmacher
6f0f10c798 s3-gse: implement fill_mem_keytab_from_[system|dedicated]_keytab
metze
2012-01-20 23:55:53 +01:00
Stefan Metzmacher
6158ea1abd s3-gse: create memory keytab in gse_krb5_get_server_keytab()
The other functions just add entries to it.

metze
2012-01-20 23:55:53 +01:00
Stefan Metzmacher
f86ab29470 s3-gse: fix SECRETS_AND_KEYTAB fallback in gse_krb5_get_server_keytab()
metze
2012-01-20 23:55:53 +01:00
Andrew Bartlett
e249bdd32e s3-gse: align common elements between gse_context and gensec_gssapi_state
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:25 +01:00
Andrew Bartlett
45ec777e0e s3-gse: Make gensec_gse cope with non-DCE GSSAPI
The validation of the mutual authentication reply produces no further
data to send to the server.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:25 +01:00
Stefan Metzmacher
545c1ad1b9 s3-gse: the server should not check for GSS_C_MUTUAL_FLAG
It up to the client to ask for GSS_C_MUTUAL_FLAG,
except for the dcerpc case, where the server is stricter.

metze
2012-01-18 16:23:25 +01:00
Stefan Metzmacher
c5864deadc s3-gse: verify that we got GSS_C_DCE_STYLE when expected
GSS_C_DCE_STYLE implies GSS_C_MUTUAL_FLAG, so also check for it.

metze
2012-01-18 16:23:24 +01:00
Andrew Bartlett
ed88012dd2 s3-gse Remove authenticated flag from gse
The only user for this flag is called only directly after it was set.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:24 +01:00
Andrew Bartlett
c759097956 s3-gse remove special more_processing hook from gse
The NT_STATUS_MORE_PROCESSING_REQUIRED status code is what gensec
is expecting in any case.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:24 +01:00
Andrew Bartlett
5b90bcf83b s3-gse Rename gss_c_flags and ret_flags in gse
This make it clearer what type of flags these are and matches
gensec_gssapi

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:24 +01:00
Andrew Bartlett
cf39b63a7b s3-gse Rename gss_ctx to match gensec_gssapi_context
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:24 +01:00
Andrew Bartlett
e8c8d293d8 s3-gse Rename delegated_creds to match gensec_gssapi_context
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:24 +01:00
Stefan Metzmacher
f14bcdf8ec s3-gse gss_wrap_iov_length() only needs the type and length
metze
2012-01-18 16:23:23 +01:00
Andrew Bartlett
23a062b51b s3-gse Make seal parameter a boolean for clarity
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:23 +01:00
Andrew Bartlett
f2efb0f6a3 s3-librpc Remove special case for spnego session key
SPNEGO is implemented only in terms of gensec mechanisms now.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:23 +01:00
Andrew Bartlett
1818612830 s3-librpc Remove special case for spnego dcerpc sign/seal
SPNEGO is implemented only in terms of gensec mechanisms now.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:23 +01:00
Andrew Bartlett
ad14b8c655 s3-gse Move GSS_C_DCE_STYLE backup definition to gse.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:23 +01:00
Andrew Bartlett
0132cca825 s3-gse Add const
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:23 +01:00
Andrew Bartlett
90efbe0fad s3-gse Remove or make static unused/local-only GSE functions
The GSE layer is now used via the GENSEC module, so we do not need these
functions exposed any more.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:23 +01:00
Andrew Bartlett
f70c9fb76c s3-librpc Remove layer around struct gensec_security
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:22 +01:00
Andrew Bartlett
5ddec1182e s3-librpc: Simplify SPNEGO code now that all mechs use a struct gensec_security
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:22 +01:00
Andrew Bartlett
0c1b4c2321 s3-librpc Call SPENGO/GSSAPI via the auth_generic layer and gensec
This simplifies a lot of code, as we know we are always dealing
with a struct gensec_security, and allows the gensec module being
used to implement GSSAPI to be swapped for AD-server operation.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:22 +01:00
Andrew Bartlett
53cc9c6a30 s3-librpc Allow spnego_generic_init_client to handle kerberos too
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:22 +01:00
Andrew Bartlett
e012ad9d8b s3-librpc Call GSSAPI via the auth_generic layer and gensec
This simplifies a lot of code, as we know we are always dealing with a
struct gensec_security, and allows the gensec module being used to
implement GSSAPI to be swapped when required for AD-server operation.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:22 +01:00
Andrew Bartlett
d95d59138c s3-gse Make gse available as a gensec client module
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:22 +01:00
Andrew Bartlett
cbd8231e34 s3-gse: Add gensec wrapper for gse GSSAPI client
This brings in part of the s4 gensec_gssapi as the boilerplate for the
new module.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:21 +01:00
Volker Lendecke
cfebba96bd s3: Put an indirection layer into share_mode_lock
Signed-off-by: Jeremy Allison <jra@samba.org>
2012-01-12 23:59:22 +01:00
Andrew Bartlett
49bafcfa48 s3-librpc Supply target service and server to spnego_generic_init_client()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 09:09:43 +01:00
Andrew Bartlett
50a939ad85 s3-librpc: Rename spnego_ntlmssp_init_client and make generic
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 09:05:01 +01:00
Andrew Bartlett
e8cd972177 s3-librpc: rename get_ntlmssp_auth_footer to be more generic
This can handle any gensec auth type now.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 09:04:52 +01:00
Andrew Bartlett
6412ff84ce s3-librpc Return user principal name on supplied mem_ctx
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 08:25:19 +01:00
Andrew Bartlett
a00032a92d s3-libsmb Make auth_ntlmssp client more generic
As well as renaming, this allows us to start the mech by DCE/RPC auth
type or OID.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-06 08:12:49 +01:00
Andrew Bartlett
4ac34f3288 s3-librpc remove unused headers
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 17:17:29 +01:00
Stefan Metzmacher
73ed88df35 s3:gse: MIT krb5 1.8.1 has a bug in gss_wrap_iov()
gss_krb5int_make_seal_token_v3_iov() doesn't set '*conf_state'.

metze
2012-01-05 17:17:28 +01:00
Andrew Bartlett
a1fd1a4c65 s3-librpc store the sign/seal flags we got in the gssapi client
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 17:17:28 +01:00
Andrew Bartlett
860ad734ba s3-libads Factor out a new routine kerberos_get_principal_from_service_hostname()
This is now used in the GSE GSSAPI client, so that when we connect to
a target server at the CIFS level, we use the same name to connect
at the DCE/RPC level.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 17:17:28 +01:00
Andrew Bartlett
25d7675d69 s3-librpc Use gsskrb5_get_subkey() where available to get the session key
This allows gse_get_session_key() to work against Heimdal.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 17:17:28 +01:00
Andrew Bartlett
21fb9a47ea s3-librpc Use gensec_sig_size() instead of a fixed NTLMSSP_SIG_SIZE
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Dec 22 20:57:27 CET 2011 on sn-devel-104
2011-12-22 20:57:27 +01:00
Andrew Bartlett
6391fff9da s3-auth rename auth_ntlmssp_state -> auth_generic_state
This structure handles more than NTLMSSP now, at least when we are an AD DC
and so changing the name may avoid some confusion in the future.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-22 19:25:10 +01:00
Volker Lendecke
3441c01b16 s3: Convert open_files.idl to tab indents 2011-12-13 14:14:24 +01:00
Stefan Metzmacher
4eb5b0b392 s3:messaging.idl: obsolete unused MSG_SMB_SAM_*
metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Dec 13 14:13:38 CET 2011 on sn-devel-104
2011-12-13 14:13:38 +01:00
Volker Lendecke
1c46fb5c3e s3: Use autogenerated open_files.idl 2011-12-02 22:43:05 +01:00
Volker Lendecke
0c325463a2 s3: Add open_files.idl 2011-12-02 22:43:05 +01:00
Volker Lendecke
a86c536227 s3: Remove some leftovers of old ctdb tdb2 code 2011-10-31 12:48:06 +01:00
Andrew Bartlett
321204eaeb s3-ntlmssp Remove references to auth_ntlmssp_context from the rpc code
We always dereferenced auth_ntlmssp_state->gensec_security, so now we
do not bother passing around the whole auth_ntlmssp_state.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-21 08:50:55 +02:00
Andrew Bartlett
0a0839821a s3-ntlmssp Remove auth_ntlmssp_session_key()
We now just call the gensec_session_key() directly.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-21 08:43:38 +02:00
Andrew Bartlett
3f079885b2 s3-ntlmssp Remove auth_ntlmssp_want_feature()
We now just call the gensec_want_feature() directly.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-21 08:43:33 +02:00
Andrew Bartlett
bd29f79463 s3-ntlmssp use gensec_{seal,unseal,sign,check}_packet
This avoids the indirection via the auth_ntlmsssp wrapper functions.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-21 08:43:23 +02:00
Andrew Bartlett
083025ccd5 s3-ntlmssp Remove auth_ntlmssp_update wrapper
We now just call gensec_update directly.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-21 08:43:10 +02:00
Andrew Bartlett
f9b042641f s3-ntlmssp split auth_ntlmssp_client_start() into two parts
This will allow it to be a wrapper around a gensec module, which
requires that they options be set on a context, but before the
mechanism is started.

This also simplfies the callers, by moving the lp_*() calls
into one place.

Andrew Bartlett
2011-10-18 12:25:30 +02:00
Andrew Bartlett
0c6e4adcb2 ntlmssp: Move ntlmssp code to auth/ntlmssp
This brings in the code from both libcli/auth and
source4/auth/ntlmssp.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-10-18 13:13:31 +11:00
Volker Lendecke
f5081df369 s3: Remove an unused variable 2011-09-30 10:21:43 +02:00
Andreas Schneider
61ada700a6 s3-id_cache: Use better names for id cache management ops
The IDMAP term is normally associated with Winbind's idmap stuff.
These functions deal with id caching not id mapping.

Signed-off-by: Simo Sorce <idra@samba.org>
2011-08-21 09:08:25 -04:00
Simo Sorce
5c1a8dcf8e s3-messaging: Add preforked child-parent message types
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Simo Sorce <idra@samba.org>
2011-08-21 09:05:06 -04:00
Simo Sorce
d1bc22eeb3 s3-rpc_server: Use rpc_epmapper_mode() in ep_register()
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Simo Sorce <idra@samba.org>
2011-08-21 09:05:03 -04:00
Simo Sorce
0825a52a36 Revert "s3-messaging: IDMAP_ messages belongs to the Winbind range"
This reverts commit 102f39ae3e.

These messages are handled by smbd not winbind, and could potentially be of
general interest.

Autobuild-User: Simo Sorce <idra@samba.org>
Autobuild-Date: Fri Aug 19 16:16:05 CEST 2011 on sn-devel-104
2011-08-19 16:16:05 +02:00
Simo Sorce
102f39ae3e s3-messaging: IDMAP_ messages belongs to the Winbind range
Autobuild-User: Simo Sorce <idra@samba.org>
Autobuild-Date: Tue Aug 16 22:27:05 CEST 2011 on sn-devel-104
2011-08-16 22:27:05 +02:00
Simo Sorce
9f12575712 s3-messaging: Change classification of MSG_SMB_CONF_UPDATED.
smbd is not the only daemon interested in smb.conf changes. Move this
message to the GENERAL class so that all interested partied (nmbd,
winbindd, spoolssd, etc..) can receive this notification.

Signed-off-by: Andreas Schneider <asn@samba.org>
2011-08-11 14:58:05 +02:00
Simo Sorce
b706fd37f6 s3-messaging: Fix messaging classes.
This has been broken since ff0ac5b0 (May 2007).
Basically all messages were belonging to the General class except for CTDB
messages.
This fixed the message_send_all() function to correctly compute the class, and
fixes registrations to include all they need to cope with the fact not all
messages are of calss general (registrations rotted a bit because as long as
FLAG_MSG_GENERAL was defined the process woould receive all messages).

Signed-off-by: Andreas Schneider <asn@samba.org>
2011-08-11 14:58:01 +02:00
Simo Sorce
cb1af61cb1 s3-messaging: Remove obsolete class.
The FLAG_MSG_PRINT_NOTIFY class is actually obsolete and never used, as the
only message belonging to it is not used either.

Signed-off-by: Andreas Schneider <asn@samba.org>
2011-08-11 14:57:55 +02:00
Andrew Bartlett
7b1d6a6a05 selftest: test plugin_s4_dc against all ncacn_np tests
Changes to the s3 epmapper behaviour seem to have fixed the rest of these
tests.

Andrew Bartlett
2011-08-03 18:48:05 +10:00
Andrew Bartlett
1231b784a1 s3-ntlmssp Remove auth_ntlmssp_and_flags()
There is no need to mask out these flags as they simply are not set
yet.

The correct abstraction is to ask for NTLMSSP features.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:03 +10:00
Andrew Bartlett
bba5f0a641 s3-ntlmssp Remove auth_ntlmssp_or_flags
We now just use auth_ntlmssp_want_feature to get extra flags
on the NTLMSSP context

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:03 +10:00
Andrew Bartlett
778bf87d8d s3-ntlmssp Remove calls to auth_ntlmssp_and_flags from the server
This is changed so that the callers ask for the additional flags
that they need, starting with no additional flags.

This helps to create a proper abstraction layer in
ntlmssp_wrap/auth_ntlmssp.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:03 +10:00
Andrew Bartlett
6d7ac4f1ad s3-ntlmssp Add mem_ctx argument to auth_ntlmssp_update
This clarifies the lifetime of the returned token.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:03 +10:00
Andrew Bartlett
dee845eb70 s3-ntlmssp Add mem_ctx argument to auth_ntlmssp_get_session_key() 2011-08-03 18:48:02 +10:00
Andrew Bartlett
d3fe48ba48 gensec: Remove mem_ctx from calls that do not return memory
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-08-03 18:48:01 +10:00
Andreas Schneider
4b751b29e5 s3-librpc: Remove obsolete dcerpc_binding_vector_create(). 2011-08-01 08:50:35 +02:00
Andreas Schneider
02cdb65fc6 s3-librpc: Add dcerpc_binding_vector_replace_iface(). 2011-08-01 08:50:35 +02:00
Andreas Schneider
9cc6f90424 s3-librpc: Add dcerpc_binding_vector_dup(). 2011-08-01 08:50:35 +02:00
Andreas Schneider
169d0c4312 s3-librpc: Add dcerpc_binding_vector_add_unix(). 2011-08-01 08:50:35 +02:00
Andreas Schneider
eaced2e909 s3-librpc: Add dcerpc_binding_vector_add_port(). 2011-08-01 08:50:35 +02:00
Andreas Schneider
c810e47519 s3-librpc: Add dcerpc_binding_vector_add_np_default(). 2011-08-01 08:50:35 +02:00
Andreas Schneider
08523ed6b8 s3-librpc: Add dcerpc_binding_vector_new(). 2011-08-01 08:50:34 +02:00
Günther Deschner
3fd1652104 s3-secrets: add lsa_secret struct to secrets IDL.
Guenther
2011-07-31 22:37:26 +02:00
Andrew Bartlett
481f05ce02 s3-gse Work around the MIT 1.9 gss_krb5_import_cred
We detect this function at configure time, but it currently fails to
operate the way we need - that is, when the principal is not
specified, it gives this error.  When the principal is specified we
get 'wrong principal in request' in the GSS acceptor, so for now the
best option is to fall back to the alternate approach.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Jul 20 06:35:05 CEST 2011 on sn-devel-104
2011-07-20 06:35:05 +02:00
Andrew Bartlett
8ee3ba791d s3-gse Allow printing the partial error string
We may not be able to obtain the full error string, so print what we can get.

This is required when the error is the the GSSAPI layer, not the mechanism.

Andrew Bartlett
2011-07-20 12:04:45 +10:00
Andreas Schneider
c69f2c4de9 s3-librpc: Pass messaging context to dcerpc register functions. 2011-07-14 16:10:47 +02:00
Andreas Schneider
45f70db010 s3-auth: Added remote_address to ntlmssp server.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2011-07-04 18:28:00 +10:00
Andreas Schneider
541f3cf639 s3-rpc_server: Migrate rpc function to tsocket_address.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2011-07-04 18:27:58 +10:00
Volker Lendecke
0a74caa473 s3: explicitly pass domain_sid to wbint_LookupRids() (bug #7841)
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Mon Jun 27 18:21:30 CEST 2011 on sn-devel-104
2011-06-27 18:21:30 +02:00
Andrew Bartlett
74eed8f3ed s3-param Remove special case for global_myname(), rename to lp_netbios_name()
There is no reason this can't be a normal constant string in the
loadparm system, now that we have lp_set_cmdline() to handle overrides
correctly.

Andrew Bartlett
2011-06-09 12:40:09 +02:00
Andrew Bartlett
a772797a38 librpc/idr Use the Samba3 notify.idl in common.
The extra fields in the structure that Samba4 does not use should not
bother it.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-06-09 12:40:08 +02:00
Andrew Bartlett
d057116cc2 server_id.idl: Bring server_id.idl in common
Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-06-09 12:40:08 +02:00
Andrew Bartlett
174893c312 s3-server_id change pid to hyper
This matches Samba4's server_id.

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-06-09 12:40:08 +02:00