Age | Commit message (Collapse) | Author | Files | Lines |
|
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'.
GENSEC now no longer has it's own handling of 'set username' etc,
instead it uses cli_credentials calls.
In order to link the credentails code right though Samba, a lot of
interfaces have changed to remove 'username, domain, password'
arguments, and these have been replaced with a single 'struct
cli_credentials'.
In the session setup code, a new parameter 'workgroup' contains the
client/server current workgroup, which seems unrelated to the
authentication exchange (it was being filled in from the auth info).
This allows in particular kerberos to only call back for passwords
when it actually needs to perform the kinit.
The kerberos code has been modified not to use the SPNEGO provided
'principal name' (in the mechListMIC), but to instead use the name the
host was connected to as. This better matches Microsoft behaviour,
is more secure and allows better use of standard kerberos functions.
To achieve this, I made changes to our socket code so that the
hostname (before name resolution) is now recorded on the socket.
In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now
in libcli/auth/schannel.c, and it looks much more like a standard
GENSEC module. The actual sign/seal code moved to
libcli/auth/schannel_sign.c in a previous commit.
The schannel credentails structure is now merged with the rest of the
credentails, as many of the values (username, workstation, domain)
where already present there. This makes handling this in a generic
manner much easier, as there is no longer a custom entry-point.
The auth_domain module continues to be developed, but is now just as
functional as auth_winbind. The changes here are consequential to the
schannel changes.
The only removed function at this point is the RPC-LOGIN test
(simulating the load of a WinXP login), which needs much more work to
clean it up (it contains copies of too much code from all over the
torture suite, and I havn't been able to penetrate its 'structure').
Andrew Bartlett
(This used to be commit 2301a4b38a21aa60917973451687063d83d18d66)
|
|
Andrew Bartlett
(This used to be commit b5260cf0d4c4f2e81a310d1c94160c9fbaaa331f)
|
|
(untested at this point).
Andrew Bartlett
(This used to be commit ef7f9a01b4f3fa41fd7981b260fa2fadc7ce10ad)
|
|
cli_credentials code shortly.
Andrew Bartlett
(This used to be commit 13d09c8e9a50ae265059e4a0d92a07c651018a6c)
|
|
painful, so don't call lp_*() functions until the post stage (rather
than in the cli_credentails_init(), which is called in the pre stage),
and don't open the secrets.ldb looking for the machine account details
until we actually need them (well after popt is done, and we know we have the other things right).
Set the domain and realm, as well as the account and password for -P
(fetch machine password) operation.
Allow NETLOGON credentials to be stored in this structure - will allow
SCHANNEL to be made more generic.
Clarify why we don't do special checks for NULL pointers, particularly
in the anonymous check (it indicates a programmer error, not a
run-time condition).
Also make lib/credentials.c a little more consistant.
Andrew Bartlett
(This used to be commit 730e6056b730c15008772c30cd6f7c03fb6b7e5f)
|
|
(This used to be commit 0559f22bbe854b7d5e15db471e51264cce413e6f)
|
|
(This used to be commit ed11601aef11df35f30b10e422e7113976dc6f26)
|
|
( from tridges junkcode at http://samba.org/ftp/unpacked/junkcode/rpcecho-win32 )
(This used to be commit e33397f383342d91326a5c2939c5213a5fc5d9cd)
|
|
option, rather than all binding options for each transport.
This means that we get to most of the tests earlier, with at least
some binding options. (And allows us to have some confidence before
waiting for an RPC-SAMR test to finish with bigendian).
Andrew Bartlett
(This used to be commit 5c3e4df804e38037d0337e8ef288127d6cdda28a)
|
|
is used, in the reply.
metze
(This used to be commit 618dadb7ef092af0f2c13c2e67874041f54f4e98)
|
|
metze
(This used to be commit 3d3e09af16c4f9a6bc8f6ae615f744a04f352ed0)
|
|
I think I now understand how it works:-)
metze
(This used to be commit f8add2e66a56896d9bb18991091e1b17c29910b1)
|
|
(from librpc) will be moved into schannel.c soon.
Andrew Bartlett
(This used to be commit d6c80ff74b0550641c253316b37f1050c207791c)
|
|
+ principal names per endpoint) to gepdump. Still need to fix memory management
in the GTK+ utilities...
(This used to be commit b48a0af0b0fbf1234627ec785699896a44b23e75)
|
|
secrets system, and not the old system from Samba3.
This allowed the code from auth_domain to be shared - we now only
lookup the secrets.ldb in lib/credentials.c.
In order to link the resultant binary, samdb_search() has been moved
from deep inside rpc_server into lib/gendb.c, along with the existing
gendb_search_v(). The vast majority of this patch is the simple
rename that followed,
(Depending on the whole SAMDB for just this function seemed pointless,
and brought in futher dependencies, such as smbencrypt.c).
Andrew Bartlett
(This used to be commit e13c671619bd290a8b3cae8555cb281a9a185ee0)
|
|
ask for a password when kerberos is being used.
(This used to be commit 642ec7cbef6d392b49ed0fe86d1816d4953e30ad)
|
|
(This used to be commit f3006e623bcf65a05238fbd3362ee958b948e70b)
|
|
good idea....
Andrew Bartlett
(This used to be commit 84b566a36bbe7101c5fbd90c131b13e6c259c990)
|
|
Andrew Bartlett
(This used to be commit 41dea45892362c4b25a93d8719fb7843485a7b98)
|
|
This adds the auth_domain module to the auth subsystem, and cleans up
some small details around the join process (ensuring all the right
info is in the DB).
Andrew Bartlett
(This used to be commit 858cbfb8210239aa85a01da95e5beb9546a998a5)
|
|
(This used to be commit 6149bd3702a0293fc1f798de7c399e3e6858416d)
|
|
Test_DoublePointer test failure.
(This used to be commit 4089d5f67d6e4121056a63ececb13187fd773636)
|
|
range())
(This used to be commit ec1eaa274b997197ca6996457229c802f1b76d56)
|
|
(This used to be commit 28914c89dc1400d8364c13258ec0e8558acc7dfd)
|
|
to make things more clear
metze
(This used to be commit adefeeb4f362dba06cddacf6f58194ef1f967ec9)
|
|
very usefull for creating a keytab file with
metze
(This used to be commit 15b80a28dbf2004f63648fede61e514e55030018)
|
|
infrustructure.
Andrew Bartlett
(This used to be commit d51718ab8a3771ada4e342a384b744edb803db40)
|
|
metze needs a working tree...
The main volume of this patch was what I started working on today:
- Cleans up memory handling around DCE/RPC pipes, to have a parent talloc context.
- Uses sepereate inner loops for some of the DCE/RPC tests
The other and more important part of this patch fixes issues
surrounding the new credentials framwork:
This makes the struct cli_credentials always a talloc() structure,
rather than on the stack. Parts of the cli_credentials code already
assumed this.
There were other issues, particularly in the DCERPC over SMB handling,
as well as little things that had to be tidied up before test_w2k3.sh
would start to pass.
Andrew Bartlett
(This used to be commit 0453f9d05d2e336fba1f85dbf2718d01fa2bf778)
|
|
(24 bytes) for singed packets
but it accepts 32 bytes from the client.
(w2k3 accept it the otherway arround too)
metze
(This used to be commit 08d4c3b9f8558ee40c73a22b3ec110b052f28110)
|
|
(This used to be commit 301cbb0d12919f83d6b735c2e23b49fb49d5394d)
|
|
- default to using va_copy(), thus assuming a modern libc
(This used to be commit 3060b26c9e745330682f6209d97e723113b65b56)
|
|
- allow standalone talloc to use gcc printf attributes
(This used to be commit e25aa54e962796e6e7385afed57aa287ef6f869d)
|
|
Support ncacn_spx in DCE/RPC bindings.
(This used to be commit a0233a3a9a83176ae46873d3a25ed601758a1511)
|
|
(This used to be commit f8cf161e0e59bd6b2a62135be8511403f4e9ca70)
|
|
Fix a couple of bugs in the new cli_credentials code
(This used to be commit 4ad481cfe5cde514d2ef9646147239f3faaa6173)
|
|
- gtk+ (returned by GtkHostBindingDialog as well now)
- torture/
- librpc/
- lib/com/dcom/
(This used to be commit ccefd782335e01e8e6ecb2bcd28a4f999c53b1a6)
|
|
(This used to be commit e5bc6f4f1716568ae7022d61b5b35ee047b58414)
|
|
puts support for it into popt_common, adds a few utility functions
(in lib/credentials.c) and the callback functions for the command-line
(lib/cmdline/credentials.c). Comments are welcome :-)
(This used to be commit 1d49b57c50fe8c2683ea23e9df41ce8ad774db98)
|
|
Updated included popt to 1.7.
(This used to be commit d60cb643e8a46771f3d836307ea45b869f34dc9b)
|
|
for unknown hosts that I just did for IPv4.
Andrew Bartlett
(This used to be commit 7e1d82a200b3c679b727e0ef28a245389708ae2f)
|
|
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
|
|
the real ream, not just the short domain name.
Andrew Bartlett
(This used to be commit d585e1a759888df01cfabfec2d6d5506cf3bd426)
|
|
uses for trusted domain records) in the secrets join records.
Andrew Bartlett
(This used to be commit a6c502832c4ef471bd423b795f210abf3bb96ca5)
|
|
Andrew Bartlett
(This used to be commit 50af206477d8834d58629131e8cc994fb194adfe)
|
|
Andrew Bartlett
(This used to be commit 6b8b40f73bd8b7ce23effc8eb1d808db77bcbf8b)
|
|
implementation.
Andrew Bartlett
(This used to be commit a16339729d25fc5b12846207afe3800df7fca8d5)
|
|
Andrew Bartlett
(This used to be commit 7822101cb5213f192f3195648970784a9de4fac4)
|
|
are doing logins with.
Andrew Bartlett
(This used to be commit b7297c44faea0ae8b38fb9a90c22c5be3c8f689f)
|
|
Andrew Bartlett
(This used to be commit b484776cc4d48690d45c668f9253015eb0d6207d)
|
|
a good variety of things to test against.
Add code to testjoin to handle this just like test machine accounts
Soon I'll remove the 'must change password' flag, so we can do logins with it.
Andrew Bartlett
(This used to be commit 08b47e2dc067f7e4a52b982d358ff1b0209cc1df)
|