Age | Commit message | Author | Files | Lines |
|
With big thanks to tpot for the ethereal dissector, and for the base code
behind this, we now fully support NTLMv2 as a client.
In particular, we support it with direct domain logons (tested with ntlm_auth
--diagnostics), with 'old style' session setups, and with NTLMSSP.
In fact, for NTLMSSP we recycle one of the parts of the server's reply directly...
(we might need to parse for unicode issues later).
In particular, a Win2k domain controller now supplies us with a session key
for this password, which means that domain joins, and non-spnego SMB signing
are now supported with NTLMv2!
Andrew Bartlett
(This used to be commit 9f6a26769d345d319ec167cd0e82a45e1207ed81)
|
|
Volker
(This used to be commit 6cde3d4d655bbe1d81e68ec2ec7a23669ac82120)
|
|
important once we start doing schannel, as there would be a lot more
roundtrips for the second PIPE open and bind. With this patch logging
in to a member server is a matter of two (three if you count the
ack...) packets between us and the DC.
Volker
(This used to be commit 5b3cb7725a974629d0bd8b707bc2940c36b8745e)
|
|
(well, under certain conditions :-)
There is no length limit on the size of the authentication response added
into the MD5 hash. (We had previously limited this to lengths like 40, 44 or
64 in attempts to make sense of what the SNIA spec tells us).
Instead, the entire authentication response is added in.
Currently, this only works on Win2k domain members with a Samba PDC,
because our NTLMv2 code currently fails against a Win2k PDC.
However, this splits the problem in half - particularly as the NTLMv2 format
is known, and even has an ethereal dissector! (thanks tpot).
Andrew Bartlett
(This used to be commit 7645d3d28afbb8eea502c0e063df3afb3aa812f4)
|
|
Jeremy.
(This used to be commit f219e8309c7d17b332873e9283ab3c3796e7e799)
|
|
key, so we can test it in ntlm_auth.
I suspect the 'lm' version doesn't exist, but it's easy to change back.
Andrew Bartlett
(This used to be commit 5efd95622c411f123660b6613b86c7a68bba68e8)
|
|
This should make it clearer what magic numbers refer to the magic numbers
in the CIFS spec, and what bits and pieces are being appended into the MD5
calculation where.
Andrew Bartlett
(This used to be commit 7f1c271cfb04f621e36f1acf60979652e82dc6f4)
|
|
Andrew Bartlett
(This used to be commit 542a8b1817d3930e03e08e16e9711cacceb6df61)
|
|
This includes the 'SIDs Rule' patch, mimir's trusted domains caching code,
the winbind_idmap abstraction (not idmap proper, but the stuff that held up
the winbind LDAP backend in HEAD).
Andrew Bartlett
(This used to be commit d4d5e6c2ee6383c6cceb5d449aa2ba6c83eb0666)
|
|
just the correct error.
This should help us avoid breaking NT4 IPC$ connections, for example.
This has required that we don't overwrite the device type for IPC$ in our
tcon&X code, but only smbwrapper even uses it, and a server that doesn't send
a correct dev type breaks other things pretty badly.
In any case, I'll 'fix' smbwrapper :-).
Andrew Bartlett
(This used to be commit a93057efcb6e639be05b7bdcb9729ed8f39f5f62)
|
|
merge last time. I hope this might fix a few failures on the build farm too.
Andrew Bartlett
(This used to be commit 0c837126923cc30fa60223a5a68d4f527971cc7b)
|
|
This allows us to join as a BDC, without appearing on the network as one
until we have the database replicated, and the admin changes the configuration.
This also changes the SID retrieval order from secrets.tdb, so we no longer
require a 'net rpc getsid' - the sid fetch during the domain join is sufficient.
Also minor fixes to 'net'.
Andrew Bartlett
(This used to be commit 876e00fd112e4aaf7519eec27f382eb99ec7562a)
|
|
(This used to be commit c6c4f69b8ddc500890a65829e1b9fb7a3e9839e9)
|
|
would work now...
Volker
(This used to be commit 8c70f657cfb2f2b32fbaa31112d7953a3a6dc775)
|
|
(This used to be commit a50dc3f836a898d1aef08afbd12e7221db24440a)
|
|
- Stephan Kulow's changes (fixing warnings in libsmbclient)
- VFS modules
- Separating libs
(This used to be commit 6e9b7802335428c88ecf4e44a0e2395ac58e96b5)
|
|
workstation, we have to use the workstation type, if we have a BDC account,
we must use the BDC type - even if we are pretending to be a workstation
at the moment.
Also actually store and retrieve the last change time, so we can do
periodic password changes again (for RPC at least).
And finally, a couple of minor fixes to 'net'.
Andrew Bartlett
(This used to be commit 6e6b7b79edae3efd0197651e9a8ce6775c001cf2)
|
|
(This used to be commit b6a77048886151435a4a5eeb9a04be44d397c504)
|
|
(This used to be commit 62dac3d6ebc72bec24f3c0df4c8d8e37029473e2)
|
|
(This used to be commit 35510176fd4feab6c1e3da2ee0ae791f9a064a2e)
|
|
(This used to be commit 21d7dba977037b83fc1d6d86b5d3d4cae6eb683d)
|
|
(This used to be commit 38efab087c86cab805c6b94c7455befaa9e94c5e)
|
|
(This used to be commit bd69cbce93054548b6d1e3bac89032ff4f693423)
|
|
(This used to be commit 5df53e9d8a8b1861d9997a775cfd6d8fe472bdc4)
|
|
(This used to be commit 93101a93dabe2dd7a6420e90acf82e0e08dce572)
|
|
(This used to be commit 381649916ecbaddefbb6ee0e6137b7cc73eb54b1)
|
|
(This used to be commit 74fab8f0d24004b1dfd5ce0fd7402895652f941f)
|
|
rpcclient -S pdc -U% -c "samlogon user password"
and it should work with the schannel. Needs testing against platforms
different from NT4SP6.
Volker
(This used to be commit eaef0d8aeff1aa5a067679be3f17e08d7434e1e8)
|
|
rpcclient -S pdc -U% -c "samlogon user password"
and it should work with the schannel. Needs testing against platforms
different from NT4SP6.
Volker
(This used to be commit ecd0ee4d248e750168597ccf79c389513bb0f740)
|
|
Andrew Bartlett
(This used to be commit 9656b8709128f24dd63094d504a6646f99933c57)
|
|
(This used to be commit a718630961e713ca2bacc98ad0b7c2e996e20bf5)
|
|
The right thing to do is to try for the user's local one in ~/.smbc/smb.conf,
and if that fails, try the one in dyn_CONFIGFILE, and if that fails, keep
going with the defaults but log a message.
(This used to be commit 15fa48d19d178cf8bf214ea02f6c7a4c38890f71)
|
|
for broken-due-to-bad-sig.
Andrew Bartlett
(This used to be commit b010b6c2dc400a97eb2ad038cd1fdb34bbde2ef0)
|
|
just need to get the verification code working - we get back a signature from
the server, and just can't verify it yet.
This also brings the short-packet checks into common code, and breaks the
connection if the server sends a signed reply, on an established connection,
that fails the test.
This breaks our read/write code at the moment, as we need to keep a list
of outstanding packets.
(signing is not enabled by default, unless the server demands it)
Not for 3.0 till I fix the outstanding packet list.
Andrew Bartlett
(This used to be commit 808d1fcf20153970d587cb631a08607beb09703a)
|
|
Also, PLEASE, PLEASE, PLEASE, do not include bashisms and Cisms in shell
scripts.
(This used to be commit 7f6367aac8c5440e1d4e97b26571b205140488ae)
|
|
(This used to be commit 41b320ffc560117c0184999e30cc69723f40acbe)
|
|
(This used to be commit 57c860b41b21bafc660f84070bfe9c8d90bc28a3)
|
|
(This used to be commit b03ac852a86cf9f436ad2b994e09fb08dd929674)
|
|
Jeremy.
(This used to be commit 32dc4ddb04f4d3eecfdd542cb3495830067a2eed)
|
|
(This used to be commit 21a99fdec321c44e31b69589248ff8d1cb927577)
|
|
(This used to be commit e1a159c55fdeaa1620a3147105be4efd205560ba)
|
|
(This used to be commit 8b5ad24231e5001e612c5fd4bbde2762caef5856)
|
|
(This used to be commit ca982a9f1d6485e2d388d4b2e9c13806736ad91e)
|
|
Andrew Bartlett
(This used to be commit 3d4c4b6cb3f4850f0801f140ea3dad2c8423ee52)
|
|
Andrew Bartlett
(This used to be commit 7064edf8534a6098fc4990bc516fcb45f4ff44bb)
|
|
(This used to be commit c95ae394c5dfe5e0fcc658119213b17bcb95fab5)
|
|
elsewhere so other code can use it.
(This used to be commit b988e16b7da824864cac6b69910ade27885e7f50)
|
|
(This used to be commit de49c3f48f85519b31e797730eca82cb979098dc)
|
|
Andrew Bartlett
(This used to be commit 5562f1865c90e3f52a3178d9d9ded60909bbe5f0)
|
|
(This used to be commit 1481cd9ecf1658312424c193d8cd3632766eb058)
|