Age | Commit message (Collapse) | Author | Files | Lines |
|
Changes all over the shop, but all towards:
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to
merge the 'client' and 'server' functions, so they both operate on a
single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of
data structures...
Andrew Bartlett
(This used to be commit 57a895aaabacc0c9147344d097d333793b77c947)
|
|
(This used to be commit 720f5e5629c54e851c3e9026dc88676795e44c8e)
|
|
(This used to be commit c17a7dc9a190156a069da3e861c18fd3f81224ad)
|
|
(This used to be commit 3101c236b8241dc0183995ffceed551876427de4)
|
|
prior to this merge, checkout HEAD_PRE_3_0_0_BETA_3_MERGE
(This used to be commit adb98e7b7cd0f025b52c570e4034eebf4047b1ad)
|
|
workstation, we have to use the workstation type, if we have a BDC account,
we must use the BDC type - even if we are pretending to be a workstation
at the moment.
Also actually store and retreive the last change time, so we can do
periodic password changes again (for RPC at least).
And finally, a couple of minor fixes to 'net'.
Andrew Bartlett
(This used to be commit 6e6b7b79edae3efd0197651e9a8ce6775c001cf2)
|
|
(This used to be commit eeeae14fed62ad9d15f2c5a8fa9357da4bb7b3a1)
|
|
for doc purposes right now (you can see it in the debug logs).
(This used to be commit 046c2087a11b9ce7a02aece34ffb129ce0d66b08)
|
|
keys for kerberos authentication.
Andrew Bartlett
(This used to be commit 8b798f03dbbdd670ff9af4eb46f7b0845c611e0f)
|
|
- Provide generic functions for
- get valid encryption types
- free encryption types
- Add encryption type parm to generic function create_kerberos_key_from_string()
- Try to merge the two versions (between HEAD and SAMBA_3_0) of kerberos_verify.c
I think this should work for both MIT and heimdal, in HEAD. If all goes smooth,
I'll move it over to 3.0 soon...
(This used to be commit 45e409fc8da9f26cf888e13d004392660d7c55d4)
|
|
to figure out if we have got our ticket yet.
Andrew Bartlett
(This used to be commit a66ced2cf69145c0a5be5ed91ac306db50c313d1)
|
|
dashes of const. This is a rather large check-in, some things may break.
It does compile though :-).
Jeremy.
(This used to be commit 82b8f749a36b42e22186297482aad2abb04fab8a)
|
|
decode a type 23 ticket when the machine account is setup for non-DES
tickets
(This used to be commit 144d4429d7d91e8597263da6abc8041098f2a4c3)
|
|
setups.
- split up the ads structure into logical pieces. This makes it much
easier to keep things like the authentication realm and the server
realm separate (they can be different).
- allow ads callers to specify that no sasl bind should be performed
(used by "net ads info" for example)
- fix an error with handing ADS_ERROR_SYSTEM() when errno is 0
- completely rewrote the code for finding the LDAP server. Now try DNS
methods first, and try all DNS servers returned from the SRV DNS
query, sorted by closeness to our interfaces (using the same sort code
as we use in replies from WINS servers). This allows us to cope with
ADS DCs that are down, and ensures we don't pick one that is on the
other side of the country unless absolutely necessary.
- recognise dnsRecords as binary when displaying them
- cope with the realm not being configured in smb.conf (work it out
from the LDAP server)
- look at the trustDirection when looking up trusted domains and don't
include trusts that trust our domains but we don't trust
theirs.
- use LDAP to query the alternate (netbios) name for a realm, and make
sure that both and long and short forms of the name are accepted by
winbindd. Use the short form by default for listing users/groups.
- rescan the list of trusted domains every 5 minutes in case new trust
relationships are added while winbindd is running
- include transient trust relationships (ie. C trusts B, B trusts A,
so C trusts A) in winbindd.
- don't do a gratuituous node status lookup when finding an ADS DC (we
don't need it and it could fail)
- remove unused sid_to_distinguished_name function
- make sure we find the allternate name of our primary domain when
operating with a netbiosless ADS DC (using LDAP to do the lookup)
- fixed the rpc trusted domain enumeration to support up to approx
2000 trusted domains (the old limit was 3)
- use the IP for the remote_machine (%m) macro when the client doesn't
supply us with a name via a netbios session request (eg. port 445)
- if the client uses SPNEGO then use the machine name from the SPNEGO
auth packet for remote_machine (%m) macro
- add new 'net ads workgroup' command to find the netbios workgroup
name for a realm
(This used to be commit e358d7b24c86a46d8c361b9e32a25d4f71a6dc00)
|
|
Now smbclient, net, and swat use their own proto files - now the global
proto.h
The change to libads/kerberos.c was to break up the dependency on secrets.c -
we want to be able to write an ADS client that doesn't need local secrets.
I have other breakups in the works - I will remove the dependency of
rpc_parse on passdb (and therefore secrets.c) shortly.
(NOTE: This patch does *not* break up includes.h, or other such forbidden
actions).
Andrew Bartlett
(This used to be commit edb41dad2df0ae3db364dbc3896cc75956262edf)
|