Age | Commit message (Collapse) | Author | Files | Lines |
|
heimdal; also initialize some pointers
(This used to be commit be74e88d9a4b74fcaf25b0816e3fa8a487c91ab5)
|
|
Jeremy.
(This used to be commit b2ba4d5c1be6089e3818a20c68e3894432b53d87)
|
|
because not only does it not work on Heimdal, but also since ccaches
created within samba are memory-based, so we shouldn't touch a
FILE-based one (it was probably created via kinit or similar).
(This used to be commit 5971b0980ca8abae2208f22485c5af4c0dde0459)
|
|
bug 1208. Based on a fix from Guether Deschener.
Outstanding pieces:
- Heimdal FILE-based ccaches don't actually remove creds properly, so we
need to code a check for this
- what if ticket expires between our check and when we use it?
Guenther has coded up fixes for these parts, but I still need
to review them, as I'm not totally comfortable with the solutions.
(This used to be commit ef008b9710e682f87f0bbf526d30eb5114264233)
|
|
domains, this patch ensures that we always use the ADS backend when
security=ADS, and the remote server is capable.
The routines used for this behaviour have been upgraded to modern Samba
codeing standards.
This is a change in behaviour for mixed mode domains, and if the trusted
domain cannot be reached with our current krb5.conf file, we will show
that domain as disconnected.
This is in line with existing behaviour for native mode domains, and for
our primary domain.
As a consequence of testing this patch, I found that our kerberos error
handling was well below par - we would often throw away useful error
values. These changes move more routines to ADS_STATUS to return
kerberos errors.
Also found when valgrinding the setup, fix a few memory leaks.
While sniffing the resultant connections, I noticed we would query our
list of trusted domains twice - so I have reworked some of the code to
avoid that.
Andrew Bartlett
(This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
|
|
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
|
|
Currently I'm compiling against MIT Kerberos 1.2.8.
Anthony, you said you have a heimdal installation available. Could you
please compile this stuff with krb and check it with valgrind?
Thanks,
Volker
(This used to be commit d8ab44685994b302bb46eed9001c72c194d13dc8)
|
|
(This used to be commit a6a39c61e8228c8b3b7552ab3c61ec3a6a639143)
|
|
NTLMSSP with "" username, NULL password), and add --machine-pass (-P) to
all of Samba's clients.
When connecting to an Active Directory DC, you must initiate the CIFS level
session setup with Kerberos, not a guest login. If you don't, your machine
account is demoted to NT4.
Andrew Bartlett
(This used to be commit 3547cb3def45a90f99f67829a533eac1ccba5e77)
|
|
(This used to be commit 73d02e3a2b0f9e84ab6d8685e4ad6a03ef9249b2)
|
|
Server code *should* also work (I'll check shortly). May be the odd memory
leak. Problem was we (a) weren't setting signing on in the client krb5 sessionsetup
code (b) we need to ask for a subkey... (c). The client and server need to
ask for local and remote subkeys respectively.
Thanks to Paul Nelson @ Thursby for some sage advice on this :-).
Jeremy.
(This used to be commit 3f9e3b60709df5ab755045a093e642510d4cde00)
|
|
Jeremy.
(This used to be commit dd46f8b22d6e8411081a1279e1cd32929e40370b)
|
|
(This used to be commit 082084042307f5f7d532b28debdeac11753a05f9)
|
|
(This used to be commit 10f1da3f4a9680a039a2aa26301b97e31c06c38d)
|
|
session key and auth verifier patches.
Andrew Bartlett
(This used to be commit 3f9616a68a855acbae3f405c27ee2358fbe7ba2c)
|
|
(This used to be commit e0c1f9ef61a0ec4f06a0b0e257497943195b5297)
|
|
(This used to be commit 77e1178a888f0d380a5ef94911a8f07bf04a7ba3)
|
|
(This used to be commit c7934f5cb56d54a90c9ffdbe2f7429a3c9227abe)
|
|
Jeremy.
(This used to be commit 90336900ad2a6d50e1d42f7bc59fdc7c762187d3)
|
|
the dog again.
(This used to be commit 6f89ee2c9dc7f03e3dbe7aa734bf67c6a434d135)
|
|
Jeremy.
(This used to be commit 1b71786c161cd8ec4c3c0c6b178370ed50feeef4)
|
|
Jeremy.
(This used to be commit 85dda434763bbcea260c800599e4b6b73afcf174)
|
|
I mistyped a comma :-).
Jeremy.
(This used to be commit 04cc149c756c396012cfa321a74724b077302b95)
|
|
(This used to be commit 51b319f57f28e3993919d7f3db0251a724902332)
|
|
kerberos_verify...
Jeremy.
(This used to be commit e8c4098da619a1429cc4c8251761333a7c0f3458)
|
|
if no kerberos selected. Noticed by Metze.
Jeremy.
(This used to be commit 0c98f779f05431ac4d298c9f021fca85d16aebae)
|
|
Jeremy.
(This used to be commit a7ee6ed64500a0d949849da6996b7dc837518f00)
|
|
(This used to be commit 9f1f3cb8bb3d7d9b4fb414b06ad10356f775bb28)
|
|
to add a function without an explicit #ifdef HEIMDAL which I'm trying
to avoid.
Jeremy.
(This used to be commit 92ecd0bf0fe2cc4f6c86ca48e6e458e726470a50)
|
|
case.
Andrew Bartlett
(This used to be commit 8129529c4faec5ea630acf70b7514a3efc0fbdcf)
|
|
warnings. (Adds a lot of const).
Andrew Bartlett
(This used to be commit 3a7458f9472432ef12c43008414925fd1ce8ea0c)
|
|
(This used to be commit 36bcb312e95f46d196575ed3535679deeddd89b0)
|
|
(This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
|
|
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
(This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
|
|
the method used for checking if a domain is a trusted domain is very
crude, we should really call a backend fn of some sort. For now I'm
using winbindd to do the dirty work.
(This used to be commit adf44a9bd0d997ba4dcfadc564a29149531525af)
|
|
(This used to be commit 23ef22f11700bbaa5778a9678a990a2b041fcefe)
|
|
this completes the first stage of the smbd ADS support
(This used to be commit 058a5aee901e6609969ef7e1d482a720a84a4a12)
|
|
name is a "principal", not a principle. English majors will complain :-).
Jeremy.
(This used to be commit b668d7d656cdd066820fb8044f24bcd4fda29524)
|
|
(This used to be commit 44bdb8b12b3d6a7bf3148c2ac651a79f10776db6)
|
|
(This used to be commit d1341d74b7aa5f6b3f72e5409b245f87f1ad670b)
|
|
(This used to be commit fd3a3daef3b8f7140e7006d30d23d739ac3aad2f)
|
|
it should give something for others to hack on and possibly find what
I'm doing wrong.
(This used to be commit 353c290f059347265b9be2aa1010c2956da06485)
|
|
(This used to be commit 888183a17cfb12c0cbf7d1ed515064d6f1716114)
|
|
enabled it by default if the server supports it. Let me know if this breaks anything. Choose kerberos with the -k flag to smbclient, otherwise it will use SPNEGO/NTLMSSP/NTLM
(This used to be commit 076aa97bee54d182288d9e93ae160ae22a5f7757)
|
|
(This used to be commit 8b692d8326a1548a7dbbd2cecee9ece6aa60473a)
|
|
packet which means I can extract the service and realm, so we should
now work with realms other than the local realm.
it also means we now check the list of OIDs given by the server just
in case it says that it doesn't support kerberos. In that case we
should fall back to NTLMSSP but that isn't written yet.
(This used to be commit 395cfeea94febb5280ea57027e8a8a3c7c3f9291)
|
|
(This used to be commit 919734c1a6fd8b3bd0e12e96d878f47b6d6ff5e0)
|
|
activate you need to:
- install krb5 libraries
- run configure
- build smbclient
- run kinit to get a TGT
- run smbclient with the -k option to choose kerberos auth
(This used to be commit d33057585644e1337bac743e25ed7653bfb39eef)
|