Age | Commit message (Collapse) | Author | Files | Lines |
|
there were 2 bugs:
1) we were sending a null challenge when we should have sent an empty
challenge
2) the password can be in unicode if unicode is negotiated. This means
our client code was wrong too :(
(This used to be commit 1a6dfddf6788b30fc81794b1bfe749693183b2c1)
|
|
patches:
Andrew Bartlett
From his e-mail:
Below I attach the following patches as a result of my work
on trusted domains support:
1) srv_samr_nt.c.diff
This fixes a bug which caused to return null string as
the first entry of enumerated accounts list (no matter what
entry, it was always null string and rid) and possibly
spoiled further names, depeding on their length.
I found that while testing my 'net rpc trustdom list'
against nt servers and samba server.
2) libsmb.diff
Now, fallback to anonymous connection works correctly.
3) smbpasswd.c.diff
Just a little fix which actually allows one to create
a trusting domain account using smbpasswd
4) typos.diff
As the name suggests, it's just a few typos fix :)
(This used to be commit 888d595fab4f6b28318b743f47378cb7ca35d479)
|
|
(This used to be commit f4f2b613a2a804a6d2e5e78cc7dd7f3482675fcd)
|
|
distinction between uchar and char).
Lots of const etc.
Andrew Bartlett
(This used to be commit 8196ee908e10db2119e480fe1b0a71b31a16febc)
|
|
wrappers.
Andrew Bartlett
(This used to be commit 95519d408caa7da00dbb2a8323cc4374a517cd69)
|
|
generating a warning
(This used to be commit cd82ba41b8df024f034fcfa24e967ed8c3c8d035)
|
|
bytes which follow the header, not the full packet size.
[Yes, the length field is either 17-bits, or (per the RFCs) it is a
16-bit length field preceeded by an 8-bit flags field of which only
the low-order bit may be used. If that bit is set, then add 65536 to
the 16-bit length field. (In other words, it's a 17-bit unsigned
length field.)
...unless, of course, the transport is native TCP [port 445] in which
case the length field *might* be 24-bits wide.]
Anyway, the change is a very minor one. We were including the four bytes
of the header in the length count and, as a result, sending four bytes of
garbage at the end of the SESSION REQUEST packet.
Small fix in function cli_session_request().
(This used to be commit cd2b1357066a712efcf87ac61922ef871118e8de)
|
|
(This used to be commit 6b28ca8bd2a6613989bb23be951836d173296197)
|
|
few more places to use it.
Andrew Bartlett
(This used to be commit 23689b0746d5ab030d8693abf71dd2e80ec1d7c7)
|
|
Replaced with "unsigned int".
Jeremy.
(This used to be commit 5841ca54b6a8c36f3d76c12570ff8f2211ed2363)
|
|
rebind proc (some give an extra paramter to pass a void* paramater) and
some small changes for the SMB signing code to reset things when the
signing starts, and to 'turn off' signing if the session setup failed.
Andrew Bartlett
(This used to be commit a8805a34e5d96eeb5ffe15681b241d5a449a6144)
|
|
The problem was that *all* packets were being signed, even packets before
signing was set up. (This broke the session request).
This fixes it to be an 'opt in' measure - that is, we only attempt to sign
things after we have got a valid, non-guest session setup as per the CIFS spec.
I've not tested this against an MS server, becouse my VMware is down, but
at least it doesn't break the build farm any more.
Andrew Bartlett
(This used to be commit 1dc5a8765876c1ca822e454651f8fd4a551965e9)
|
|
Jeremy.
(This used to be commit 9d461933766f26ce772f6d5ea849ef9218c4d534)
|
|
(const, takes unix string as arg)
Also update cli_full_connection to take NULL pointers as 'undefined' correctly,
and therefore do its own lookup etc. This what was intended, but previously
you needed to supply a 0.0.0.0 IP address.
Andrew Bartlett
(This used to be commit 8fb1a9c6ba07dbf04a6aa1e30fa7bbd4c676ed28)
|
|
Jeremy.
(This used to be commit 3c05f7c06fc8c45307ea75128b160a5945fc5197)
|
|
unix and DOS strings.
This pushes all the 'have to uppercase, must be 14 chars' stuff behind the
the interface.
Andrew Bartlett
(This used to be commit dec650efa8ab1466114c2e6d469320a319499ea0)
|
|
Importantly:
The removal of the silly 'delete user script' behaviour when secuity=domain.
I have left the name the same - as it still does the (previously documented,
but not in smb.conf(5)) sane behaviour of deleting users on request.
When we decide what to do with the 'add user' functionality, we might
rename it.
Andrew Bartlett
(This used to be commit cdcfe3671eb7570e15649b77f708e6579055e7bc)
|
|
didn't make any sense, and its was always just strlen(password) anyway.
This fixes it to be strlen(password)+1
Andrew Bartlett
(This used to be commit c205b18bd6b9b69200ff3db55f2c641631d4ab40)
|
|
this:
More code cleanup - this lot a bit more dodgy than the last:
The aim is to trim pwd_cache down to size. Its overly complex, and a
pain to deal with. With a header comment like this:
'obfusticaion is planned'
I think it deserved to die (at least partly).
This was being done to allow 'cli_establish_connection' to die - its
functionality has been replaced by cli_full_connection(), which does
not duplicate code everywhere for creating names etc.
This also removes the little 'init' fucntions for the various pipes,
becouse they were only used in one place, and even then it was dodgy.
(I've reworked smbcacls not to use anonymous connections any more, as
this will (should) fail with a 'restrict anonymous' PDC).
This allowed me to remove cli_pipe_util.c, which was calling
cli_establish_connection.
tpot: I'm not sure what direction you were going with the client stuff,
and you may well have been wanting the init functions. If thats the case,
give me a yell and I'll reimplement them against cli_full_connection.
Andrew Bartlett
(This used to be commit fa67e4626bed623333c571e76e06ccd52cba5cc5)
|
|
This option was badly maintained, useless and confused our users and
distirbutors. (its SSL, therfore it must be good...)
No windows client uses this protocol without help from an SSL tunnel.
I can't see any reason why setting up a unix-side SSL wrapper would
be any more difficult than the > 10 config options this mess added
to samba in any case.
On the Samba client end, I think the LIBSMB_PROG hack should be
sufficient to start stunnel on the unix side. We might extend this
to take %i and %p (IP and port) if there is demand.
Andrew Bartlett
(This used to be commit b04561d3fd3ee732877790fb4193b20ad72a75f8)
|
|
(This used to be commit 7f923d738b94eef042b21e4d0143861755620d91)
|
|
Jeremy.
(This used to be commit 146fb9d12bd3621087193f439e99c13d609ff658)
|
|
Small tidyups.
(This used to be commit 252da94ebb279c47263dfae36fd016d0a29a6dbf)
|
|
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
(This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
|
|
case.
Thanks to Nigel Williams <nigel@wednesday.demon.co.uk> for spotting these!
Andrew Bartlett
(This used to be commit 20e0b562283f75606ac9a36f3f104c6aaa294c40)
|
|
Jeremy.
(This used to be commit 01ff6ce4963e1daff019f2b936cef218e1c93f67)
|
|
(This used to be commit 0b0b937b58f4bf4e005fb622f0db19175fc46a47)
|
|
This fixes up a problem where a machine would join (or downgrade by trust
password change) to NT4 membership and not be able to regain full ADS
membership until a 'net ads leave'.
Andrew Bartlett
(This used to be commit ab8ff85f03b25a0dfe4ab63886a10da81207393c)
|
|
Patch from Alexander Bokovoy <a.bokovoy@sam-solutions.net>
(This used to be commit 6c42bf208976ed3020e57efff6281f984d9fe893)
|
|
(This used to be commit 2d1612dd3560bb5ef35fa1eeee00e3d7976bcd62)
|
|
- don't display Domain=[] for auth protocols that don't give us a domain
(This used to be commit 20368455ea59e6e9b85632848bbe92069e7b0f38)
|
|
(This used to be commit 1da988456dbd885820093ae43c74e0ac66f72802)
|
|
(This used to be commit a181f49b4269baa1752ce6ed4f9093e38d2d3ce5)
|
|
netbios lookup for name NAME with node type xx.
This affects all our client progs. Very useful :)
(This used to be commit b4304c5231159fc6295c445f2eb4470c179b8d5e)
|
|
session setup
(This used to be commit c7665706cd5633ede710afe41413624124038238)
|
|
'net' untility.
This should make it easier to port rpcclient code across to net.
It also allows SPNEGO (the NTLMSSP subsystem in particular) to work, becouse
it kills off the early destruction of the clear-text password.
Andrew Bartlett
(This used to be commit eee925861a3af3aa16efa3b1700a980c9510c14e)
|
|
(This used to be commit 23ef22f11700bbaa5778a9678a990a2b041fcefe)
|
|
(This used to be commit e790bb21d3895bef97522b68c6f00812e6c286f2)
|
|
(This used to be commit e2ba2383c9f679c076749a8f4fccefc3559e37ec)
|
|
and replaced with two functions:
void zero_ip(struct in_adder *ip);
BOOL is_zero_ip(struct in_addr ip);
(This used to be commit 778f5f77a66cda76348a7c6f64cd63afe2bfe077)
|
|
(This used to be commit 5100ae4ae032545edaf525de1dfbe5dc9dafecfc)
|
|
samba domain.
The PDC must be running a special authenticaion module that spits out NT errors
based on username.
Andrew Bartlett
(This used to be commit adc7a6048c13342b79b6228beafb5142c50f318d)
|
|
subystem.
The particular aim is to modularized the interface - so that we
can have arbitrary password back-ends.
This code adds one such back-end, a 'winbind' module to authenticate
against the winbind_auth_crap functionality. While fully-functional
this code is mainly useful as a demonstration, because we don't get
back the info3 as we would for direct ntdomain authentication.
This commit introduced the new 'auth methods' parameter, in the
spirit of the 'auth order' discussed on the lists. It is renamed
because not all the methods may be consulted, even if previous
methods fail - they may not have a suitable challenge for example.
Also, we have a 'local' authentication method, for old-style
'unix if plaintext, sam if encrypted' authentication and a
'guest' module to handle guest logins in a single place.
While this current design is not ideal, I feel that it does
provide a better infrastructure than the current design, and can
be built upon.
The following parameters have changed:
- use rhosts =
This has been replaced by the 'rhosts' authentication method,
and can be specified like 'auth methods = guest rhosts'
- hosts equiv =
This needs both this parameter and an 'auth methods' entry
to be effective. (auth methods = guest hostsequiv ....)
- plaintext to smbpasswd =
This is replaced by specifying 'sam' rather than 'local'
in the auth methods.
The security = parameter is unchanged, and now provides defaults
for the 'auth methods' parameter.
The available auth methods are:
guest
rhosts
hostsequiv
sam (passdb direct hash access)
unix (PAM, crypt() etc)
local (the combination of the above, based on encryption)
smbserver (old security=server)
ntdomain (old security=domain)
winbind (use winbind to cache DC connections)
Assistance in testing, or the production of new and interesting
authentication modules is always appreciated.
Andrew Bartlett
(This used to be commit 8d31eae52a9757739711dbb82035a4dfe6b40c99)
|
|
open to w2k
- fix the string handling in the device name to match NT and smbd
- don't pull the domain from negprot if CAP_EXTENDED_SECURITY is set
(This used to be commit 618989b386b5564ba140afdc17ce7a07040c3c4e)
|
|
Jeremy.
(This used to be commit e6afe40f85d7dbe79322c82dac735d901e7e71df)
|
|
(This used to be commit 5b1c942a5cab828ebfcf2e8f5decb754c4cdb70e)
|
|
2.2 to HEAD?
(This used to be commit 4f47daf97b9e74ec75287f46e2c4aeddc944779e)
|
|
Andrew Bartlett.
From kai@cmail.ru Mon Oct 29 18:50:42 2001
Date: Fri, 19 Oct 2001 17:26:06 +0300
From: Andrew V. Samoilov <kai@cmail.ru>
To: samba-technical@lists.samba.org
Subject: [patch]: makes some arrays const to be shared between processes
Hi!
This patch makes some arrays const. So these arrays go to text/rodata
segment and are shared between all of the processes which use shared
library with these arrays.
Regards,
Andrew V. Samoilov.
P.S. Please cc your answer to kai@cmail.ru,
I don't subscribed to this list.
ChangeLog:
* cliconnect.c (prots): Make const.
* clierror.c (rap_errmap): Likewise.
* nmblib.c (nmb_header_opcode_names): Likewise.
(lookup_opcode_name): Make opcode_namep const. Eliminate i.
* nterr.c (nt_err_code_struct): Typedef const.
* smberr.c (err_code_struct): Make const.
(err_classes): Likewise.
(This used to be commit cb84485a2b0e1fdcb6fa90e0bfb97e125ae1b3dd)
|
|
(This used to be commit 12c10e876ea528fdf33e8ecfe42ab0ebb346b143)
|
|
NTLMSSP in cli_establish_connection()
What we really need to do is kill off the pwd_cache code. It is horrible,
and assumes the challenge comes in the negprot reply.
(This used to be commit 3f919b4360b3bfcc133f7d88bc5177e9d93f2db2)
|