summaryrefslogtreecommitdiff
path: root/source3/libsmb
AgeCommit message (Collapse)AuthorFilesLines
2004-01-26This adds client-side support for the unicode/SAMR password change scheme.Andrew Bartlett3-55/+113
As well as avoiding DOS charset issues, this scheme returns useful error codes, that we can map back via the pam interface. This patch also cleans up the interfaces used for password buffers, to avoid duplication of code. Andrew Bartlett (This used to be commit 2a2b1f0c872d154fbcce71a250e23dfad085ba1e)
2004-01-25Fix the initialisation vectors for NTLM2, so that they at least make sense,Andrew Bartlett1-2/+2
even if they don't work yet. Andrew Bartlett (This used to be commit 636b98dab9bc27f55bdc65d7dedb58cdf8d8563b)
2004-01-17Fix for a signing bug when the mid wraps.Jeremy Allison1-3/+11
Found by Fran Fabrizio <fran@cis.uab.edu>. Add to the *start* of the list not the end of the list. This ensures that the *last* send sequence with this mid is returned by preference. This can happen if the mid wraps and one of the early mid numbers didn't get a reply and is still lurking on the list. Jeremy. (This used to be commit 25d739978fe9081ba0946c36901492127248e3e0)
2004-01-15* BUG 446Gerald Carter1-1/+1
- setup_logging() in smbclient to be interactive (remove the timestamps) - Fix bad return value in pull_ucs2( needs more testing to make sure this didn't break something else) that caused clistr_pull() to always read the same string from the buffer (pull_usc2() could return -1 if the original source length was given as -1) - increment some debugging messages to avoid printing them out so often (This used to be commit 79fe75dcdf6cc38e18ca1231e4357893db4d4a08)
2004-01-13* allow dns lookups to be disabled for DOMAIN#1c (and #1b)Gerald Carter1-7/+26
names * fix some a mispelled variable name (This used to be commit bca702c97620ad8f66015d6e4b41abd4adf22076)
2004-01-09fix some warnings from the Sun compilerGerald Carter1-1/+1
(This used to be commit ebabf72a78f0165521268b73e0fcabe1ea7834fd)
2004-01-09Romve debugging assertions (oops...)Andrew Bartlett1-6/+0
Andrew Bartlett (This used to be commit 7e75a6d681fc63cacc7e5caa7a04568c6019367f)
2004-01-09Add a new type of name lookup 'ads'. This seperates this from normalAndrew Bartlett1-33/+59
hostname lookups, and ensures that we don't lookup 'short' (ie NetBIOS) domain names in DNS. Andrew Bartlett (This used to be commit 35f6347a73ce7423adb78c7e95492bb6d98f4c40)
2004-01-08This merges in my 'always use ADS' patch. Tested on a mix of NT and ADSAndrew Bartlett3-32/+40
domains, this patch ensures that we always use the ADS backend when security=ADS, and the remote server is capable. The routines used for this behaviour have been upgraded to modern Samba codeing standards. This is a change in behaviour for mixed mode domains, and if the trusted domain cannot be reached with our current krb5.conf file, we will show that domain as disconnected. This is in line with existing behaviour for native mode domains, and for our primary domain. As a consequence of testing this patch, I found that our kerberos error handling was well below par - we would often throw away useful error values. These changes move more routines to ADS_STATUS to return kerberos errors. Also found when valgrinding the setup, fix a few memory leaks. While sniffing the resultant connections, I noticed we would query our list of trusted domains twice - so I have reworked some of the code to avoid that. Andrew Bartlett (This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
2004-01-08Make it clearer that the domain here is the domain of the user forAndrew Bartlett1-5/+5
authentication. Andrew Bartlett (This used to be commit 7e6cc8f0037f9948230a1e1bd380f30cec5d511e)
2004-01-05Fix more cases to ensure that as a server, we don't complain to the clientAndrew Bartlett1-3/+1
about our server-side lack of session key. Andrew Bartlett (This used to be commit ba33f1e0d5fe2aed3e378c9c23511c0b4d6f7d14)
2004-01-05Ensure we set "always sign" flag if set. We don't currently do anything withJeremy Allison1-0/+4
this but we should log the fact it was negotiated. Jeremy. (This used to be commit 84d34e32be03ec99ce19520f24bb4daaeeddbbc3)
2004-01-05Don't free the encrypted_session_key early - that causes the subsequentAndrew Bartlett1-1/+1
test for a valid length to fail... This should fix 'security=server' and hosts-equiv failures picked up by the build farm. Andrew Bartlett (This used to be commit 39311495de3bd0a902f730967f30176db97be05a)
2004-01-05Correctly handle per-pipe NTLMSSP inside a NULL session. Previously weAndrew Bartlett1-2/+8
would attempt to supply a password to the 'inside' NTLMSSP, which the remote side naturally rejected. Andrew Bartlett (This used to be commit da408e0d5aa29ca1505c2fd96b32deae9ed940c4)
2004-01-05Change our Domain controller lookup routines to more carefully seperateAndrew Bartlett2-17/+12
DNS names (realms) from NetBIOS domain names. Until now, we would experience delays as we broadcast lookups for DNS names onto the local network segments. Now if DNS comes back negative, we fall straight back to looking up the short name. Andrew Bartlett (This used to be commit 32397c8b01f1dec7b05140d210bb32f836a80ca6)
2004-01-05Make it clear that we cannot sign if we don't have a session key.Andrew Bartlett1-14/+43
(This used to be commit a2f6dec05b3b30292ec3e42808dc89f1bf5c7ab4)
2004-01-05Automaticly initialise the signing engine, if we have a session key.Andrew Bartlett1-0/+6
(This used to be commit cb063c1b6949a2a9637689537c6ab8dc881bc568)
2004-01-04Even if the 'device type' is always an ascii string, use push_string to getAndrew Bartlett1-1/+1
it out onto the wire. Avoids valgrind warnings because the fstrcpy() causes part of the wire buffer to be 'marked'. Andrew Bartlett (This used to be commit 53d802c72aa712e099dc8de666ab66a21e18fae1)
2004-01-03There is not a particularly good excuse for complaining to the *client* thatAndrew Bartlett1-4/+12
it sent 'INVALID_PARAMETER', when it was us as the server that could not come up with a session key. Instead, allow normal authentication to take place, but do not setup a session key. Andrew Bartlett (This used to be commit e5abd93d799e5f86839560feca448743c13a9055)
2003-12-31auth/auth_util.c:Andrew Bartlett1-1/+1
- Fill in the 'backup' idea of a domain, if the DC didn't supply one. This doesn't seem to occour in reality, hence why we missed the typo. lib/charcnv.c: lib/smbldap.c: libads/ldap.c: libsmb/libsmbclient.c: printing/nt_printing.c: - all the callers to pull_utf8_allocate() pass a char ** as the first parammeter, so don't make them all cast it to a void ** nsswitch/winbind_util.c: - Allow for a more 'correct' view of when usernames should be qualified in winbindd. If we are a PDC, or have 'winbind trusted domains only', then for the authentication returns stip the domain portion. - Fix valgrind warning about use of free()ed name when looking up our local domain. lp_workgroup() is maniplated inside a procedure that uses it's former value. Instead, use the fact that our local domain is always the first in the list. Andrew Bartlett (This used to be commit 494781f628683d6e68e8ba21ae54f738727e8c21)
2003-12-30Move our basic password checking code from inside the authenticationAndrew Bartlett1-0/+377
subsystem into a seperate file - ntlm_check.c. This allows us to call these routines from ntlm_auth. The purpose of this exercise is to allow ntlm_auth (when operating as an NTLMSSP server) to avoid talking to winbind. This should allow for easier debugging. ntlm_auth itself has been reorgainised, so as to share more code between the SPNEGO-wrapped and 'raw' NTLMSSP modes. A new 'client' NTLMSSP mode has been added, for use with a Cyrus-SASL module I am writing (based on vl's work) Andrew Bartlett (This used to be commit 48315e8fd227978e0161be293ad4411b45e3ea5b)
2003-12-28Shutting down the connection closes outstanding sessions, so we don't needAndrew Bartlett1-1/+0
to do it twice... Amdrew Bartlett (This used to be commit 8f9a069c59cbd357cbef8814764c10f6d8b6e6e8)
2003-12-27This patch corrects some errors in the NTLMSSP implementation, thatAndrew Bartlett1-9/+18
would incorrectly return INVALID_PARAMETER, instead of allowing a login. Andrew Bartlett (This used to be commit 76c59469a340209959c420bd5c2e947d3347bdb1)
2003-12-27Preliminary fix for our signing problem with failed NTLMSSP logins. This patchVolker Lendecke2-9/+19
solves the problem for me here, I can still successfully set up signing using NTLMSSP against w2k3 and it does not show a signing error anymoe when the password was wrong. Jeremy, you might want to take a further look at it as this is not particularly elegant. Volker (This used to be commit f5afaafd61dc7bd191225ffa8eee184125dd97c3)
2003-12-17Add in comments explaining NTLMv2 selection. Use lm session key if that'sJeremy Allison1-1/+13
all there is. Jeremy. (This used to be commit b611f8d170743f1f4d71b1def83bb757d9f467af)
2003-12-17Tidyup debug message in ntlmssp code. Add brackets around dodgy if statement.Jeremy Allison1-5/+17
Jeremy (This used to be commit 5aab4b976c0aced68d71c1e71e85287072a6f3c7)
2003-12-17Make sure we correctly generate the lm session key.Gerald Carter2-2/+26
This fixes a problem joining a Samba domain from a vanilla win2k client that doesn't set the NTLMSSP_NEGOTIATE_NTLM2 flag. Reported on samba ml as "decode_pw: incorrect password length" when handling a samr_set_userinfo(23 or 24) RPC. (This used to be commit ef4ab8d7c497e4229d0c1deeb20d05c95bd8feb9)
2003-12-09Make intent to return only one address clear.Jeremy Allison1-2/+2
Jeremy. (This used to be commit d3d0353baeba580d8a7a4688f847463b1b2e750c)
2003-12-04Fix incorrect smb flags2 for connections to pre-NT servers (causes smbclient toSteve French1-0/+7
fail to OS2 for example) (This used to be commit 54e2fcb8f4a9d603b3210baa014b3f5f15070a22)
2003-12-04Picked up by the build farm - despite all my efforts, security=server wasAndrew Bartlett1-8/+13
broken by my NTLM2 commit. This should correctly cause the NTLM2 case not to be negotiated when 'security=server' is in effect. Andrew Bartlett (This used to be commit 19bb4b582f98eb1da41e22c9a2a2c11602cb95e4)
2003-12-01Client connect signing error messages should be level zero elseJeremy Allison1-2/+2
they're easy to miss. Jeremy. (This used to be commit 7fa89b093709053650d197d2d0f091b9a1cd8218)
2003-12-01Fix spurious error msg. when seq=0.Jeremy Allison1-0/+2
Jeremy (This used to be commit 4912ad8f18041c9c3abe2cfa67dd26a324c9c31e)
2003-12-01Ensure we use the same mid for the secondary trans requests, W2K3Jeremy Allison1-0/+6
does this. Jeremy. (This used to be commit 8adf0cd27a23b1bc6e0da08789a8b1e9eefb54a7)
2003-12-01Better fix for client signing bug. Ensure we don't malloc/free trans signingJeremy Allison2-36/+40
state info each packet. Jeremy. (This used to be commit 818cf32d6330f7e7855ce662326003e75d4a1d46)
2003-11-30Fix signing bug with secondary client trans requests. Turns out the lastJeremy Allison1-0/+20
packet is the one that matters for checking the signing replies. Need to check the server code does this correctly too.... Bug #832 reported by Volker. Jeremy. (This used to be commit 6750dc33b46c422582176b704592d9b2f1fb04d7)
2003-11-25If signing starts successfully, don't just turn it off automatically ifJeremy Allison1-5/+5
it fails later. Only turn it off automatically if it fails at the start. Jeremy. (This used to be commit 4a145531c2b6353291cd25f14f5572aa31e86594)
2003-11-25Do not add NTLM2 to the NTLMSSP flags unconditionally - allow theAndrew Bartlett1-2/+6
defaults specified by the caller to prevail. Don't use NTLM2 for RPC pipes, until we know how it works in signing or sealing. Call ntlmssp_sign_init() unconditionally in the client - we setup the session key, why not setup the rest of the data. Andrew Bartlett (This used to be commit 48123f7e42c3fde85887de23c80ceee04c2f6281)
2003-11-25When server signing is set to "auto", if the client doesn't sign justJeremy Allison1-2/+23
ignore it. Only fail if signing is set to "required". Jeremy. (This used to be commit 8916ddfc39c3e70265188926f24034152f0e7b6b)
2003-11-22Add support for variable-length session keys in our client code.Andrew Bartlett1-0/+40
This means that we now support 'net rpc join' with KRB5 (des based) logins. Now, you need to hack 'net' to do that, but the principal is important... When we add kerberos to 'net rpc', it should be possible to still do user management and the like over RPC. (server-side support to follow shortly) Andrew Bartlett (This used to be commit 9ecf9408d98639186b283f1acf0fac46417547d0)
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett9-383/+671
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-11-22adding a useful debugGerald Carter1-0/+1
(This used to be commit e374ce779efaec001c1476e0710ceaa9c3b84e8d)
2003-11-05Fix coredump in cli_get_backup_list.Jeremy Allison1-5/+2
Jeremy. (This used to be commit 29413db303d30d28c2fb0cc6e6e963e725ad4101)
2003-11-03Fix more 64-bit printf warnings.Tim Potter1-2/+2
(This used to be commit 23443e3aa079710221557e18158d0ddb8ff48a36)
2003-10-29Fixes to check for wraps which could cause coredumps.Jeremy Allison2-5/+4
Jeremy. (This used to be commit ad06edd1bb58cc5e2c38a364b1af96a933b770af)
2003-10-27Remove some unused variables uncovered by the build farm.Richard Sharpe1-3/+0
(This used to be commit 084e4678c0876ebd6e756192866103ae037f3258)
2003-10-25Put in a work-around for ENOTSUP not being defined on OpenBSD.Richard Sharpe1-1/+4
(This used to be commit ca3d98d08bfe2c5c8a0f1a0d17160800f85d84b7)
2003-10-24Apply latest of Derrell Lippman's changes to libsmbclient.Richard Sharpe1-9/+13
(This used to be commit 84e620e5ba65c040df1c0ebdcf39fa5648dd37d9)
2003-10-24Commit Derrell's changes to libsmbclient plus a small change to configure.inRichard Sharpe2-392/+1931
to see if SGI and other platforms will build. (This used to be commit cf9311044c372695592db1b95b814b0870b8cf29)
2003-10-23According to Ethereal we have a 32-Bit quantity here. And with SSVAL valgrindVolker Lendecke1-1/+1
reports an unitialized read which is obviously correct. And I hate valgrind errors ;-) Volker (This used to be commit e5dbf2441c2ce7e7cb62f2538786e38bb8c8bdd9)
2003-10-22Put strcasecmp/strncasecmp on the banned list (except for needed callsJeremy Allison1-1/+1
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at all and I really want to discourage that. Jeremy. (This used to be commit d7e35dfb9283d560d0ed2ab231f36ed92767dace)