Age | Commit message (Collapse) | Author | Files | Lines |
|
SMB signing works the same regardless of the used auth mech.
We need to start with the temp signing ("BSRSPYL ")
and the session setup response with NT_STATUS_OK
is the first signed packet.
Now we set the krb5 session key if we got the NT_STATUS_OK
from the server and then recheck the packet.
All this is needed to make the fallback from krb5 to
ntlmssp possible. This commit also resets the cli->vuid
value to 0, if the krb5 auth didn't succeed. Otherwise
the server handles NTLMSSP packets as krb5 packets.
The restructuring of the SMB signing code is needed to
make sure the krb5 code only starts the signing engine
on success. Otherwise the NTLMSSP fallback could not initialize
the signing engine (again).
metze
|
|
|
|
|
|
|
|
This parameter makes smb_spice_chain add padding before the bytes field
|
|
|
|
|
|
|
|
Every sane compiler will only allocate "*SMBSERVER" once
|
|
In this form, the prots array is fully read-only in the text segment and thus
can be shared between processes.
Probably pointless, but I had fun doing it :-)
|
|
Remove three pointless variables
|
|
Also eliminates name conflicts with OneFS system libraries
|
|
|
|
|
|
|
|
otherwise (to clarify we can also pass in structs smaller than
sockaddr_storage, such as sockaddr_in).
|
|
Guenther
|
|
as proposed by James Peach.
Jeremy.
(This used to be commit 5c27ad75836136c39774c9456d63f46fa62e281f)
|
|
buffers for large read/write - make sure we take account of the large
read/write SMB headers as well as the buffer space.
Jeremy.
(This used to be commit 19519bca9b64b736d2fe0447b7cd495f00dba60a)
|
|
Win2008 domain (merged from v3-0-test).
commit 8dc4e979776aae0ecaa74b51dc1eac78a7631405
Author: Steven Danneman <sdanneman@isilon.com>
Date: Wed May 7 13:34:26 2008 -0700
spnego SPN fix when contacting trusted domains
cli_session_setup_spnego() was not taking into consideration the situation
where we're connecting to a trusted domain, specifically one (like W2K8)
which doesn't return a SPN in the NegTokenInit.
This caused two problems:
1) When guessing the SPN using kerberos_get_default_realm_from_ccache() we
were always using our default realm, not the realm of the domain we're
connecting to.
2) When falling back on NTLMSSP for authentication we were passing the name
of the domain we're connecting to for use in our credentials when we should be
passing our own workgroup name.
The fix for both was to split the single "domain" parameter into
"user_domain" and "dest_realm" parameters. We use the "user_domain"
parameter to pass into the NTLM call, and we used "dest_realm" to create an SPN
if none was returned in the NegTokenInit2 packet. If no "dest_realm" is
provided we assume we're connecting to our own domain and use the credentials
cache to build the SPN.
Since we have a reasonable guess at the SPN, I removed the check that defaults
us directly to NTLM when negHint is empty.
(This used to be commit b78b14c88e8354aadf9ba7644bdb1c29245fe419)
|
|
Guenther
(This used to be commit a159ec5f1f3ec8e9232b8f3230a996a3f9986bc1)
|
|
Guenther
(This used to be commit d077ef64cd1d9bbaeb936566c2c70da508de829f)
|
|
(This used to be commit a9061e52e1ff8e31aa480f4a30cda64c9d93214e)
|
|
This allows to switch on the cli->fallback_after_kerberos switch.
Guenther
(This used to be commit 15ba45e567d910c1b2336dcc0c475e12b082f30f)
|
|
(This used to be commit 494b32197f0872b115f0cd1a35421d00a89360a6)
|
|
the space taken by the unicode password to be one byte too
long (as we're on an odd byte boundary here). Reduce the
count by 1 to cope with this. Fixes smbclient against NetApp
servers which can't cope. Fix from
bryan.kolodziej@allenlund.com in bug #3840.
Jeremy.
(This used to be commit 1e7e7d86a1ae1cd2c3cc3de9f36b7326ad249b82)
|
|
Not that I think it is of any importance...
Guenther
(This used to be commit 352f8440c74bc22416e21783e1dc5fecf5869902)
|
|
Guenther
(This used to be commit 6363c383d6989d2dfb2ee488ffa7aeb128c5385b)
|
|
(This used to be commit ffc1c8cc03e6bad40ed2be91392074b4f038a1bf)
|
|
(This used to be commit db6ae9ed2326e6cd68475375d049084cf1d5a98c)
|
|
(This used to be commit 621db68f32f7007de8b2c4d7cf604a5778725615)
|
|
If I'm not completely blind, we should return here. Not doing it here seems not
to be a major flaw, as far as I can see we're only missing the error code. This
might account for some of the very unhelpful NT_STATUS_UNSUCCESSFUL error
messages people see during joins.
All with stake in Samba client, please check!
(This used to be commit eadd15c9363a57c214ede3c489057646baca48f8)
|
|
Jeremy.
(This used to be commit 2df0cdaafdced798f81e30d34371aa1d8e963208)
|
|
Jeremy.
(This used to be commit 090061b73a1c086ff8a7797e1a63532eacd91148)
|
|
During 'net ads join' the cli->desthost is a hostname (e.g.
rupert.galaxy.site). Check if we have a hostname and use only the
first part, the machine name, of the string.
(This used to be commit 5f60ed4af680ba2811db8d9f8267348ce05f26d2)
|
|
negotiation works.
Jeremy.
(This used to be commit d78045601af787731f0737b8627450018902b104)
|
|
Guenther
(This used to be commit 763e13315fc71237b14a186810bc201e725648f5)
|
|
When warning that "client plaintext auth" is not enabled where the server
requested them we should not talk about "client use plaintext auth"
(This used to be commit 7799e18994354b2705ee8c64ae8c75e062ace460)
|
|
to cause us to behave like Vista when looking for remote
machine principal. Modified by me.
Jeremy.
(This used to be commit d0e33840fb4cfc85990d3ee327428b0854a22722)
|
|
for a server. We should have been doing this for a while,
but it's more critical with IPv6.
Original patch fixed up by James.
Jeremy.
(This used to be commit 5c7f7629a97ef0929e00e52f1fae4386c984000b)
|
|
Remove all vestiges of pstring (except for smbctool as noted
in previous commit).
Jeremy
(This used to be commit 4c32a22ac50ada3275d2ffba3c1aa08bee7d1549)
|
|
Remove pstring from libsmb/clidfs.c except for a nasty
hack (that will be removed when pstrings are gone from
client/).
Jeremy.
(This used to be commit cc257b71d13daa47e6f2315d0f07a60eb4aaeca6)
|
|
Make us very explicit about how long a talloc ctx
should last.
Jeremy.
(This used to be commit ba9e2be2b5a59684e854609f9d82ea1633448c62)
|
|
I'm not sure why this used to be static, to me it seems that every time this
variable is overwritten. I just don't see how name_status_find() could return
true and not overwrite name. Can someone please review this and potentially
check it in?
Thanks,
Volker
(This used to be commit 329c688e4a9e69b71996fd1b0eee2202a849f3f5)
|
|
This is better done with a 'lp_do_parameter(-1, "socket options", ..);
(This used to be commit 814bed029efa391e664ac432d0d68dfeab26381f)
|
|
Jeremy.
(This used to be commit 7a1de5b44e84a7474e78518c6ba33b3fedc42b5f)
|
|
it with accessor functions. "One global or pstring a day...." :-).
Jeremy.
(This used to be commit d50d14c300abc83b7015718ec48acc8b3227a273)
|
|
zero_addr(&ss). All current uses were always of the
AF_INET form, so simplify the call. If in the future
we need to zero an addr to AF_INET6 this can be
done separately.
Jeremy.
(This used to be commit 2e92418a138bf2738b77b7e0fcb2fa37ad84fc0c)
|
|
to struct sockaddr_storage in most places that matter (ie.
not the nmbd and NetBIOS lookups). This passes make test
on an IPv4 box, but I'll have to do more work/testing on
IPv6 enabled boxes. This should now give us a framework
for testing and finishing the IPv6 migration. It's at
the state where someone with a working IPv6 setup should
(theorecically) be able to type :
smbclient //ipv6-address/share
and have it work.
Jeremy.
(This used to be commit 98e154c3125d5732c37a72d74b0eb5cd7b6155fd)
|
|
bugs in various places whilst doing this (places that assumed
BOOL == int). I also need to fix the Samba4 pidl generation
(next checkin).
Jeremy.
(This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f)
|