summaryrefslogtreecommitdiff
path: root/source3/libsmb/ntlmssp.c
AgeCommit message (Collapse)AuthorFilesLines
2003-07-24More printf fixes - size_t is long on some architectures.Tim Potter1-1/+1
(This used to be commit ba4d334b822248d8ab929c9568533431603d967e)
2003-07-14Jeremy requested that I get my NTLMSSP patch into CVS. He didn't requestAndrew Bartlett1-12/+95
the schannel code, but I've included that anyway. :-) This patch revives the client-side NTLMSSP support for RPC named pipes in Samba, and cleans up the client and server schannel code. The use of the new code is enabled by the 'sign', 'seal' and 'schannel' commands in rpcclient. The aim was to prove that our separate NTLMSSP client library actually implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation, in the hope that knowing this will assist us in correctly implementing NTLMSSP signing for SMB packets. (Still not yet functional) This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with calls to libsmb/ntlmssp.c. In the process, we have gained the ability to use the more secure NT password, and the ability to sign-only, instead of having to seal the pipe connection. (Previously we were limited to sealing, and could only use the LM-password derived key). Our new client-side NTLMSSP code also needed alteration to cope with our comparatively simple server-side implementation. A future step is to replace it with calls to the same NTLMSSP library. Also included in this patch is the schannel 'sign only' patch I submitted to the team earlier. While not enabled (and not functional, at this stage) the work in this patch makes the code paths *much* easier to follow. I have also included similar hooks in rpccleint to allow the use of schannel on *any* pipe. rpcclient now defaults to not using schannel (or any other extra per-pipe authenticiation) for any connection. The 'schannel' command enables schannel for all pipes until disabled. This code is also much more secure than the previous code, as changes to our cli_pipe routines ensure that the authentication footer cannot be removed by an attacker, and more error states are correctly handled. (The same needs to be done to our server) Andrew Bartlett (This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14Delete obsolete comment.Tim Potter1-1/+0
(This used to be commit 5416c51133297e866210ec0d8454e04c25541d91)
2003-07-03Removed strupper/strlower macros that automatically map to ↵Jeremy Allison1-2/+2
strupper_m/strlower_m. I really want people to think about when they're using multibyte strings. Jeremy. (This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
2003-05-09Finally get NTLMv2 working on the client!Andrew Bartlett1-4/+6
With big thanks to tpot for the ethereal disector, and for the base code behind this, we now fully support NTLMv2 as a client. In particular, we support it with direct domain logons (tested with ntlm_auth --diagnostics), with 'old style' session setups, and with NTLMSSP. In fact, for NTLMSSP we recycle one of the parts of the server's reply directly... (we might need to parse for unicode issues later). In particular, a Win2k domain controller now supplies us with a session key for this password, which means that doman joins, and non-spnego SMB signing are now supported with NTLMv2! Andrew Bartlett (This used to be commit 9f6a26769d345d319ec167cd0e82a45e1207ed81)
2003-05-05Allow the NTLMv2 functions to spit out both possible varients on the sessionAndrew Bartlett1-1/+1
key, so we can test it in ntlm_auth. I suspect the 'lm' version doesn't exist, but it's easy to change back. Andrew Bartlett (This used to be commit 5efd95622c411f123660b6613b86c7a68bba68e8)
2003-04-21Merge SMB signing, cli buffer clobber and NTLMSSP signing tweaks from HEAD.Andrew Bartlett1-1/+1
(This used to be commit c6c4f69b8ddc500890a65829e1b9fb7a3e9839e9)
2003-04-07Make this match head.Andrew Bartlett1-1/+1
(This used to be commit a718630961e713ca2bacc98ad0b7c2e996e20bf5)
2003-04-03Fixup format warning.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 32dc4ddb04f4d3eecfdd542cb3495830067a2eed)
2003-03-24(merge from HEAD)Andrew Bartlett1-18/+32
NTLM Authentication: - Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664)
2003-03-18NTLMSSP updates from HEAD.Andrew Bartlett1-12/+25
Andrew Bartlett (This used to be commit f4ae028c2ad6ff8c7da3a6ef77a92762861144e1)
2003-02-24Merge from HEAD client-side authentication changes:Andrew Bartlett1-72/+416
- new kerberos code, allowing the account to change it's own password without special SD settings required - NTLMSSP client code, now seperated from cliconnect.c - NTLMv2 client code - SMB signing fixes Andrew Bartlett (This used to be commit 837680ca517982f2e5944730581a83012d4181ae)
2003-01-28Factor out common code in the NTLMSSP/SPNEGO code.Andrew Bartlett1-4/+0
The idea here is to seperate, as much as possible, the SPNEGO layer from the NTLMSSP layer. This not only helps us with protocol correctness, but also should allow further mechinisms to be added with relitive ease. I indend to make the kerberos code use this shortly. I've never seen the 'zero length blob' form of the anonymous login, so I've removed that case. Andrew Bartlett (This used to be commit a8773c9f825539c5bc17e4200b16d7ebbe0b7620)
2003-01-16(missed in last commit)Andrew Bartlett1-5/+8
Change the 'cookie' to be the ntlmssp_context, and use the 'auth_context' on that to store the cookie. Ensures that simple callbacks can 'just work'. Also make it clear that we are doing a pull_string into a pstring, not just any sized buffer. Andrew Bartlett (This used to be commit c7793f27188e658b7fc6336aa51d367eab36fc17)
2003-01-15Missed auth_ntlmssp.c in last night's checkin. Also keep track of the currentAndrew Bartlett1-0/+4
challenge in the NTLMSSP context. Andrew Bartlett (This used to be commit ba13e058d4533b1ffba723b9e98e95090ad63d85)
2003-01-15Refactor the NTLMSSP code again - this time we use function pointers toAndrew Bartlett1-0/+278
eliminate the dependency on the auth subsystem. The next step is to add the required code to 'ntlm_auth', for export to Squid etc. Andrew Bartlett (This used to be commit 9e48ab86da40e4c1cafa70c04fb9ebdcce23dfab)