summaryrefslogtreecommitdiff
path: root/source3/libsmb/cliconnect.c
AgeCommit message (Collapse)AuthorFilesLines
2003-07-30Add a command line option (-S on|off|required) to enable signing on clientJeremy Allison1-3/+6
connections. Overrides smb.conf parameter if set. Jeremy. (This used to be commit 879309671df6b530e0bff69559422a417da4a307)
2003-07-25W00t! Client smb signing is now working correctly with krb5 and w2k server.Jeremy Allison1-5/+11
Server code *should* also work (I'll check shortly). May be the odd memory leak. Problem was we (a) weren't setting signing on in the client krb5 sessionsetup code (b) we need to ask for a subkey... (c). The client and server need to ask for local and remote subkeys respectively. Thanks to Paul Nelson @ Thursby for some sage advice on this :-). Jeremy. (This used to be commit 3f9e3b60709df5ab755045a093e642510d4cde00)
2003-07-25More printf portability fixes. Got caught out by some gcc'isms lastTim Potter1-1/+1
time. )-: (This used to be commit 59dae1da66a5eb7e128263bd578f167d8746e9f0)
2003-07-24More printf fixes - size_t is long on some architectures.Tim Potter1-1/+1
(This used to be commit ba4d334b822248d8ab929c9568533431603d967e)
2003-07-23convert snprintf() calls using pstrings & fstringsGerald Carter1-1/+1
to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-16Refactor signing code to remove most dependencies on 'struct cli'.Jeremy Allison1-0/+5
Ensure a server can't do a downgrade attack if client signing is mandatory. Add a lp_server_signing() function and a 'server signing' parameter that will act as the client one does. Jeremy (This used to be commit 203e4bf0bfb66fd9239e9a0656438a71280113cb)
2003-07-16Spelling.Tim Potter1-1/+1
(This used to be commit 2750418752e491c5e87f0f2adf253291e31ee4c2)
2003-07-15Added the "required" keyword to the "client signing" parameter to force itJeremy Allison1-2/+14
on. Fail if missmatch. Small format tidyups in smbd/sesssetup.c. Preparing to add signing on server side. Jeremy. (This used to be commit c390b3e4cd68cfc233ddf14d139e25d40f050f27)
2003-07-14Fix SMB signing when using NTLMSSP...Andrew Bartlett1-2/+5
It's so simple now I know how it works - and it has nothing to do with NTLMSSP (it's just a slightly different use of the old algorithm). :-). Note: This is actually less secure then the non-NTLMSSP code, as there is no per-session random data included for NTLM logins. (NTLMv2 is better, fortunetly). Andrew Bartlett (This used to be commit 95ec8317d4c6817d192bcd52eec44a22286e10ee)
2003-07-14Jeremy requested that I get my NTLMSSP patch into CVS. He didn't requestAndrew Bartlett1-0/+6
the schannel code, but I've included that anyway. :-) This patch revives the client-side NTLMSSP support for RPC named pipes in Samba, and cleans up the client and server schannel code. The use of the new code is enabled by the 'sign', 'seal' and 'schannel' commands in rpcclient. The aim was to prove that our separate NTLMSSP client library actually implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation, in the hope that knowing this will assist us in correctly implementing NTLMSSP signing for SMB packets. (Still not yet functional) This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with calls to libsmb/ntlmssp.c. In the process, we have gained the ability to use the more secure NT password, and the ability to sign-only, instead of having to seal the pipe connection. (Previously we were limited to sealing, and could only use the LM-password derived key). Our new client-side NTLMSSP code also needed alteration to cope with our comparatively simple server-side implementation. A future step is to replace it with calls to the same NTLMSSP library. Also included in this patch is the schannel 'sign only' patch I submitted to the team earlier. While not enabled (and not functional, at this stage) the work in this patch makes the code paths *much* easier to follow. I have also included similar hooks in rpccleint to allow the use of schannel on *any* pipe. rpcclient now defaults to not using schannel (or any other extra per-pipe authenticiation) for any connection. The 'schannel' command enables schannel for all pipes until disabled. This code is also much more secure than the previous code, as changes to our cli_pipe routines ensure that the authentication footer cannot be removed by an attacker, and more error states are correctly handled. (The same needs to be done to our server) Andrew Bartlett (This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-06-26cleaning up more build issues. TestedGerald Carter1-2/+4
"--with-ads=no --with-ldap=yes" and "--with-ads=yes && make everything" (This used to be commit 3e9e4bb7d1a2f5a95539f415aa101f033b67932a)
2003-06-25large change:Gerald Carter1-3/+3
*) consolidates the dc location routines again (dns and netbios) get_dc_list() or get_sorted_dc_list() is the authoritative means of locating DC's again. (also inludes a flag to get_dc_list() to define if this should be a DNS only lookup or not) (however, if you set "name resolve order = hosts wins" you could still get DNS queries for domain name IFF ldap_domain2hostlist() fails. The answer? Fix your DNS setup) *) enabled DOMAIN<0x1c> lookups to be funneled through resolve_hosts resulting in a call to ldap_domain2hostlist() if lp_security() == SEC_ADS *) enables name cache for winbind ADS backend *) enable the negative connection cache for winbind ADS backend *) removes some old dead code *) consolidates some duplicate code *) moves the internal_name_resolve() to use an IP/port pair to deal with SRV RR dns replies. The namecache code also supports the IP:port syntax now as well. *) removes 'ads server' and moves the functionality back into 'password server' (which can support "hostname:port" syntax now but works fine with defaults depending on the value of lp_security()) (This used to be commit d7f7fcda425bef380441509734eca33da943c091)
2003-06-08Enforce 'client plaintext auth', 'client lanman auth' and 'client ntlmv2 auth'.Andrew Bartlett1-9/+49
(this now causes things like the LANMAN protocol and contacting servers with 'encrypt passwords = no' set to fail, if configured) 'client ntlmv2 auth' (a BOOL) forces both plaintext and lanman off, and is the most secure setting for compatible hosts. Perhaps we should change this to 'client minimum auth'? Andrew Bartlett (This used to be commit e1fb681e4c921456fde154b87687722a18ed4aac)
2003-05-21fix for UNICODE plaintext passwords (bug #59) and fix smbclient to send the ↵Gerald Carter1-3/+16
unicode plain text password if negoitated (This used to be commit e7d635af80c844f17ff9f34c26c1e9c978951ce1)
2003-05-14spellingTim Potter1-1/+1
(This used to be commit 865c11275685c85124b506c9bbd2a8bde2e760b9)
2003-05-09Finally get NTLMv2 working on the client!Andrew Bartlett1-3/+12
With big thanks to tpot for the ethereal disector, and for the base code behind this, we now fully support NTLMv2 as a client. In particular, we support it with direct domain logons (tested with ntlm_auth --diagnostics), with 'old style' session setups, and with NTLMSSP. In fact, for NTLMSSP we recycle one of the parts of the server's reply directly... (we might need to parse for unicode issues later). In particular, a Win2k domain controller now supplies us with a session key for this password, which means that doman joins, and non-spnego SMB signing are now supported with NTLMv2! Andrew Bartlett (This used to be commit 9f6a26769d345d319ec167cd0e82a45e1207ed81)
2003-05-05Allow the NTLMv2 functions to spit out both possible varients on the sessionAndrew Bartlett1-1/+1
key, so we can test it in ntlm_auth. I suspect the 'lm' version doesn't exist, but it's easy to change back. Andrew Bartlett (This used to be commit 5efd95622c411f123660b6613b86c7a68bba68e8)
2003-04-23Add a check to ensure that the server returns the correct device type, notAndrew Bartlett1-3/+0
just the correct error. This should help us avoid breaking NT4 IPC$ connections, for example. This has required that we don't overwrite the device type for IPC$ in our tcon&X code, but only smbwrapper even uses it, and a server that doesn't send a correct dev type breaks other things pretty badly. In any case, I'll 'fix' smbwrapper :-). Andrew Bartlett (This used to be commit a93057efcb6e639be05b7bdcb9729ed8f39f5f62)
2003-04-14Merge cliconnect.c so smbtree builds.Tim Potter1-1/+113
(This used to be commit 5df53e9d8a8b1861d9997a775cfd6d8fe472bdc4)
2003-03-18Merge from HEAD:Andrew Bartlett1-50/+44
A much better SMB signing module, that allows for mulitple signing algorithms and correctly backs down from signing when the server cannot sign the reply. This also attempts to enable SMB signing on NTLMSSP connections, but I don't know what NTLMSSP flags to set yet. This would allow 'client use signing' to be set by default, for server compatability. (A seperate option value should be provided for mandetory signing, which would not back down). Andrew Bartlett (This used to be commit 1c87be7a3d127201a6ab78d22d17c971af16b86b)
2003-03-18Jeremy merged across my string parinoia fixes, but forgot to enable them! :-)Andrew Bartlett1-2/+2
This patch catches up on the rest of the work - as much string checking as is possible is done at compile time, and the rest at runtime. Lots of code converted to pstrcpy() etc, and other code reworked to correctly call sizeof(). Andrew Bartlett (This used to be commit c5b604e2ee67d74241ae2fa07ae904647d35a2be)
2003-03-05Connectathon fix. W2K -> W2K over port 445 doing a tconX does the fullJeremy Allison1-7/+2
\\server\share syntax, not just a "share" tconX syntax. This broke interop with a vendor. Jeremy. (This used to be commit 3cc2ace7718ac1162494b81fa21d4cc9de021d1c)
2003-02-24Merge from HEAD client-side authentication changes:Andrew Bartlett1-148/+165
- new kerberos code, allowing the account to change it's own password without special SD settings required - NTLMSSP client code, now seperated from cliconnect.c - NTLMv2 client code - SMB signing fixes Andrew Bartlett (This used to be commit 837680ca517982f2e5944730581a83012d4181ae)
2003-01-28Merge from HEAD:Andrew Bartlett1-3/+4
- NTLMSSP over SPENGO (sesssion-setup-and-x) cleanup and code refactor. - also consequential changes to the NTLMSSP and SPNEGO parsing functions - and the client code that uses the same functions - Add ntlm_auth, a NTLMSSP authentication interface for use by applications like Squid and Apache. - also consquential changes to use common code for base64 encode/decode. - Winbind changes to support ntlm_auth (I don't want this program to need to read smb.conf, instead getting all it's details over the pipe). - nmbd changes for fstrcat() instead of fstrcpy(). Andrew Bartlett (This used to be commit fbb46da79cf322570a7e3318100c304bbf33409e)
2003-01-04Merge from HEAD - do an nt_errstr(nt_status) *after* assiging nt_status withAndrew Bartlett1-1/+1
the actual error value :-) Andrew Bartlett (This used to be commit 123ae99c7d51c62e9f765cd41018dcc1a70cdd22)
2002-11-12Removed global_myworkgroup, global_myname, global_myscope. Added liberalJeremy Allison1-26/+25
dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89)
2002-11-08Merge from HEAD:Andrew Bartlett1-1/+1
- change auth_sam to use the initialisation flags to determine if the password attributes are set - add const to secrets.c, cliconnect.c - passdb: fix spelling in pdb_ldap, add group mapping back to smbpasswd - SAMR: add debugs to show what fails for group enum. Andrew Bartlett (This used to be commit 4e74d00b3634abf52aa24bfaa6dbe88202aa57a1)
2002-11-08patches from UrbanGerald Carter1-0/+3
(This used to be commit 850b185a6e33fa924fa59cdd6316c9160ba65270)
2002-10-17Added new error codes. Fix up connection code to retry in the same wayJeremy Allison1-1/+11
that app-head does. Jeremy. (This used to be commit ec7953f20145799f6286a295472df4826bfdfb8f)
2002-10-04merge of working dsrolegetprimdominfo() client code from APP_HEADGerald Carter1-1/+1
(This used to be commit 028477e35208e76fedbc7c743426fd9be94b7cf0)
2002-10-01Updates from Samba HEAD:Andrew Bartlett1-5/+1
- Fix segfaults in the 'net ads' commands when no password is provided - Readd --with-ldapsam for 2.2 compatability. This conditionally compiles the old options, but the actual code is available on all ldap systems. - Fix shadow passwords (as per work with vl) - Fix sending plaintext passwords to unicode servers (again vl) - Add a bit of const to secrets.c functions - Fix some spelling and grammer by vance. - Document the -r option in smbgroupedit. There are more changes in HEAD, I'm only merging the changes I've been involved with. Andrew Bartlett (This used to be commit 83973c389355a5cc9ca74af467dfd8b5dabd2c8f)
2002-09-25sync'ing up for 3.0alpha20 releaseGerald Carter1-115/+164
(This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-08-17sync 3.0 branch with headJelmer Vernooij1-20/+27
(This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
2002-07-15more bug updates from headAndrew Tridgell1-5/+0
(This used to be commit 8b769bf5bbbe54b1a39fd85cc24db09c1ab7faab)
2002-07-15updated the 3.0 branch from the head branch - ready for alpha18Andrew Tridgell1-302/+226
(This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-07-01The 17-bit length field in the header contains the number ofChristopher R. Hertel1-1/+8
bytes which follow the header, not the full packet size. [Yes, the length field is either 17-bits, or (per the RFCs) it is a 16-bit length field preceeded by an 8-bit flags field of which only the low-order bit may be used. If that bit is set, then add 65536 to the 16-bit length field. (In other words, it's a 17-bit unsigned length field.) ...unless, of course, the transport is native TCP [port 445] in which case the length field *might* be 24-bits wide.] Anyway, the change is a very minor one. We were including the four bytes of the header in the length count and, as a result, sending four bytes of garbage at the end of the SESSION REQUEST packet. Small fix in function cli_session_request(). (This used to be commit d08471688b65371eb3de73b03a8ffaee86659ba0)
2002-04-06Always pass NT password as well as Lanman.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 146fb9d12bd3621087193f439e99c13d609ff658)
2002-03-06Removed duplicate \n from debug message.Tim Potter1-21/+13
Small tidyups. (This used to be commit 252da94ebb279c47263dfae36fd016d0a29a6dbf)
2002-01-30Removed version number from file header.Tim Potter1-2/+1
Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
2002-01-20Fix a couple of memory leaks in the cli_establish_connection() code's failureAndrew Bartlett1-0/+2
case. Thanks to Nigel Williams <nigel@wednesday.demon.co.uk> for spotting these! Andrew Bartlett (This used to be commit 20e0b562283f75606ac9a36f3f104c6aaa294c40)
2002-01-11Same fix as went into 2.2 (I'm waiting for jerry to finish some code).Jeremy Allison1-18/+18
Jeremy. (This used to be commit 01ff6ce4963e1daff019f2b936cef218e1c93f67)
2002-01-11fixed a crash bug in domain auth caused by an uninitialised nt_statusAndrew Tridgell1-0/+2
(This used to be commit 0b0b937b58f4bf4e005fb622f0db19175fc46a47)
2002-01-11Fix up 'net ads join' to delete and rejoin if the account already exists.Andrew Bartlett1-1/+1
This fixes up a problem where a machine would join (or downgrade by trust password change) to NT4 membership and not be able to regain full ADS membership until a 'net ads leave'. Andrew Bartlett (This used to be commit ab8ff85f03b25a0dfe4ab63886a10da81207393c)
2002-01-06Check for winbind separator in user name for cli_session_setup()Tim Potter1-1/+2
Patch from Alexander Bokovoy <a.bokovoy@sam-solutions.net> (This used to be commit 6c42bf208976ed3020e57efff6281f984d9fe893)
2001-12-31Ensure the output cli can't have spurious values if the connection fails...Andrew Bartlett1-1/+7
(This used to be commit 2d1612dd3560bb5ef35fa1eeee00e3d7976bcd62)
2001-12-21- handle kerberos session setup reply with broken null terminationAndrew Tridgell1-4/+5
- don't display Domain=[] for auth protocols that don't give us a domain (This used to be commit 20368455ea59e6e9b85632848bbe92069e7b0f38)
2001-12-21try to handle end of packet for not null terminated domain stringsAndrew Tridgell1-1/+3
(This used to be commit 1da988456dbd885820093ae43c74e0ac66f72802)
2001-12-11handle a NULL hostname in cli_connect()Andrew Tridgell1-0/+3
(This used to be commit a181f49b4269baa1752ce6ed4f9093e38d2d3ce5)
2001-12-11detect attempts to connect to names of the type NAME#xx and do aAndrew Tridgell1-1/+11
netbios lookup for name NAME with node type xx. This affects all our client progs. Very useful :) (This used to be commit b4304c5231159fc6295c445f2eb4470c179b8d5e)
2001-12-04when using non-encrypted password ignore the ntpass variable toAndrew Tridgell1-2/+2
session setup (This used to be commit c7665706cd5633ede710afe41413624124038238)