summaryrefslogtreecommitdiff
path: root/source3/libsmb
AgeCommit message (Collapse)AuthorFilesLines
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett9-383/+671
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-11-22adding a useful debugGerald Carter1-0/+1
(This used to be commit e374ce779efaec001c1476e0710ceaa9c3b84e8d)
2003-11-05Fix coredump in cli_get_backup_list.Jeremy Allison1-5/+2
Jeremy. (This used to be commit 29413db303d30d28c2fb0cc6e6e963e725ad4101)
2003-11-03Fix more 64-bit printf warnings.Tim Potter1-2/+2
(This used to be commit 23443e3aa079710221557e18158d0ddb8ff48a36)
2003-10-29Fixes to check for wraps which could cause coredumps.Jeremy Allison2-5/+4
Jeremy. (This used to be commit ad06edd1bb58cc5e2c38a364b1af96a933b770af)
2003-10-27Remove some unused variables uncovered by the build farm.Richard Sharpe1-3/+0
(This used to be commit 084e4678c0876ebd6e756192866103ae037f3258)
2003-10-25Put in a work-around for ENOTSUP not being defined on OpenBSD.Richard Sharpe1-1/+4
(This used to be commit ca3d98d08bfe2c5c8a0f1a0d17160800f85d84b7)
2003-10-24Apply latest of Derrell Lippman's changes to libsmbclient.Richard Sharpe1-9/+13
(This used to be commit 84e620e5ba65c040df1c0ebdcf39fa5648dd37d9)
2003-10-24Commit Derrell's changes to libsmbclient plus a small change to configure.inRichard Sharpe2-392/+1931
to see if SGI and other platforms will build. (This used to be commit cf9311044c372695592db1b95b814b0870b8cf29)
2003-10-23According to Ethereal we have a 32-Bit quantity here. And with SSVAL valgrindVolker Lendecke1-1/+1
reports an unitialized read which is obviously correct. And I hate valgrind errors ;-) Volker (This used to be commit e5dbf2441c2ce7e7cb62f2538786e38bb8c8bdd9)
2003-10-22Put strcasecmp/strncasecmp on the banned list (except for needed callsJeremy Allison1-1/+1
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at all and I really want to discourage that. Jeremy. (This used to be commit d7e35dfb9283d560d0ed2ab231f36ed92767dace)
2003-10-21Fix for bug #64, Win9x Nexus tools not working against Samba3.0. MissingJeremy Allison1-0/+4
map in errormap for ERROR_MORE_DATA -> ERRDOS, ERRmoredata. Jeremy. (This used to be commit 7eaae388b35cb3d20cdd968b00d65c88fcee5878)
2003-10-21Patch from Stefan Metzmacher <metze@metzemix.de> to fix signing problemsJeremy Allison1-1/+1
when reverse connecting back to a client for printer notify. Jeremy. (This used to be commit 06aa434c3fdb139e3f3143d19413556945cbcd4f)
2003-10-21Fix signing miss-sequence noticed by Stefan Metzmacher <metze@metzemix.de>Jeremy Allison1-46/+27
Jeremy. (This used to be commit 63f331564396e7a4f16dce95bb98d3b6c4b75351)
2003-10-20We are doing NT error codes now.... If we have an NT error, report thatVolker Lendecke1-0/+11
back the same way we handle the DOS error. Although I don't see why BUFFER_TOO_SMALL should not be handled as an error, simply copy the logic. This is only called from smbcacls and smbcquotas. Volker (This used to be commit 169f4dfee08e8de05e729fd48209df91cf8ba255)
2003-10-14Enable us to see what sequence number we were expecting when we fail a signJeremy Allison1-4/+4
(should help track down out of sequence bugs). Jeremy. (This used to be commit 6e21261fe40698b2ee46c802bd1c044a909f8e5d)
2003-10-14Enclose usage of st_blksize and st_blocks struct stat members inTim Potter1-0/+4
#ifdef HAVE_STAT_ST_BLKSIZE and #ifdef HAVE_STAT_ST_BLOCKS, respectively. Fixes bug 550 reported by Joachim Schmitz <schmitz@hp.com>. (This used to be commit 18adfdbe0c6ed79ba8ac07956b1e7abc226556c3)
2003-10-08Fixup error code returns from Samba4 tester. Ensure invalid paths areJeremy Allison1-1/+1
validated the same way. Jeremy. (This used to be commit 6ad2f0ba27566ab3928ccbbbb3c3a64b09ca139c)
2003-09-16Applied Steve Langasek's patch for bug #450.Tim Potter1-3/+4
(This used to be commit e3cb0cd0d60d90a76e5f74d5bda702148584ab30)
2003-09-16Fix #442 which Alexander considered a showstopper. Allow us to join mixedJeremy Allison2-8/+6
mode domains. Jeremy. (This used to be commit c816aacefb6621533194a374251835f186ca838f)
2003-09-06address bug #359. Andrew B's patch for implementing clientGerald Carter2-31/+37
portion of NTLMv2 key exchange. Also revert the default for 'client ntlmv2 auth' to no. This caused no ends of grief in different cases. And based on abartlet's mail.... > All I care about at this point is that we use NTLMv2 > in our client code when connecting to a server that > supports it. There is *no* way to tell this. The server can't tell us, because it doesn't know what it's DC supports. The DC can't tell us, because it doesn't know what the trusted DC supports. One DC might be Win2k, and the PDC could be an older NT4. (This used to be commit fe585d49cc3df0d71314ff43d3271d276d7d4503)
2003-09-05More tuning from cachegrind. Change most trim_string() calls to trim_char(0,Jeremy Allison2-3/+4
as that's what they do. Fix string_replace() to fast-path ascii. Jeremy. (This used to be commit f35e9a8b909d3c74be47083ccc4a4e91a14938db)
2003-09-04Used cachegrind to track down some bottlenecks.Jeremy Allison1-0/+3
Removed calls to clobber_region when not compiling with developer as they were hiding speed problems. Added fast path to convert_string() when dealing with ascii -> ascii, ucs2-le to ascii and ascii to ucs2-le with values <= 0x7F. This gives a speedup of 22% on my nbench tests. Next I will do this on convert_string_allocate. Jeremy. (This used to be commit ef140d15ea0d76a3e7cdcadbfd3e917c210a9411)
2003-08-27Fix the character set handling properly in nmbd. Also fix bug whereJeremy Allison1-2/+1
iconv wasn't re-initialised on reading of "charset" parameters. This caused workgroup name to be set incorrectly if it contained an extended character. Jeremy. (This used to be commit 84ae44678a6c59c999bc1023fdd9b7ad87f4ec18)
2003-08-22Use correct size (17 not 16) when doing a push_ascii(). Ensure thatJeremy Allison1-1/+1
wins hook is called with unix charset. Jeremy. (This used to be commit ecb80573870103de7b3f332fb53bf6b952f25ee7)
2003-08-22revert abartet's change that removed the check for CAP_EXTENDED_SECURITY ↵Gerald Carter1-2/+2
when decidiing whether or not use ntlmv2 in client connections (This used to be commit 6e82c9fdf9c1db6feec319b4550b07cbfad4defb)
2003-08-22Ensure nmb_namestr() converts back from CH_DOS to CH_UNIX.Jeremy Allison1-13/+16
Jeremy. (This used to be commit eb792727437c74417f5ef7614b300ab84f06fdaf)
2003-08-20Attempt to fix the charcnv issues causing nmbd to crash. If we get a failedJeremy Allison1-1/+1
conversion simply copy as is. Also fixed the horrid malloc-twice-copy code in the convert alloc path. Jeremy. (This used to be commit cfde7477fd12caef943a9422b52174438092a135)
2003-08-20metze's autogenerate patch for version.hGerald Carter1-1/+1
(This used to be commit ae452e51b02672a56adf18aa7a7e365eeaba9272)
2003-08-19 - Make 'net' use a single funciton for setting the 'use machine account' code.Andrew Bartlett1-5/+4
- Make winbindd try to use kerberos for connections to DCs, so that it can access RA=2 servers, particularly for netlogon. - Make rpcclient follow the new flags for the NETLOGON pipe - Make all the code that uses schannel use the centralised functions for doing so. Andrew Bartlett (This used to be commit 96b4187963cedcfe158ff02868929b8cf81c6ebf)
2003-08-19Break up 'cli_full_connection' to allow for the session setups to be doneAndrew Bartlett1-35/+114
elsewhere in the code. This will allow us to try kerberos, then another user then guest in the winbindd code. Also, re-introduce the seperate, NT1 'guest' session setup code, as I found some problems with doing guest under NTLMSSP. Andrew Bartlett (This used to be commit 33109fefe7d306a97ac48a75e3e67c166daff4ea)
2003-08-15get rid of more compiler warningsHerb Lewis2-19/+19
(This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669)
2003-08-15Add the gss-spnego kerberos server side to ntml_auth. This uses theVolker Lendecke1-0/+14
same ads_verify_ticket routine that smbd uses, so in the current state we have to be have the host password in secrets.tdb instead of the keytab. This means we have to be an ADS member, but it's a start. Volker (This used to be commit dc2d2ad467927affbd1461df75f77f07ddfbc3b1)
2003-08-15Fix memleaks.Volker Lendecke1-1/+3
Currently I'm compiling against MIT Kerberos 1.2.8. Anthony, you said you have a heimdal installation available. Could you please compile this stuff with krb and check it with valgrind? Thanks, Volker (This used to be commit d8ab44685994b302bb46eed9001c72c194d13dc8)
2003-08-15get rid of some sompiler warnings on IRIXHerb Lewis7-53/+63
(This used to be commit a6a39c61e8228c8b3b7552ab3c61ec3a6a639143)
2003-08-14Change Samba to always use extended security for it's guest logins, (ie,Andrew Bartlett5-70/+33
NTLMSSP with "" username, NULL password), and add --machine-pass (-P) to all of Samba's clients. When connecting to an Active Directory DC, you must initiate the CIFS level session setup with Kerberos, not a guest login. If you don't, your machine account is demoted to NT4. Andrew Bartlett (This used to be commit 3547cb3def45a90f99f67829a533eac1ccba5e77)
2003-08-13Don't wrap up anything that is not there. Otherwise upper layersVolker Lendecke1-0/+3
can not figure that we got no ticket. Volker (This used to be commit 2a724a7a873c08f14644427766bfd48908ddb501)
2003-08-13Only close anything that is not fid 0. Was very confusing in ethereal...Volker Lendecke1-1/+3
Volker (This used to be commit 9f453f27be7eeb792b57d5c60284bb5efc84b408)
2003-08-12As described in http://davenport.sourceforge.net/ntlm.html add NTLM2Andrew Bartlett1-3/+40
authentication. NTLM2 is a version of NTLM, that involves both a client and server challenge, and the creating of a new (presuable more secure) session key. Unfortunetly this is not quite the same as NTLMv2, and we don't know how to get the session key. I suggest looking very closely at what MSCHAPv2, and other MS auth protocols do... Andrew Bartlett (This used to be commit d4a5f4fdf97b707b44a0787267e1e4388d1b5388)
2003-08-12Fix client autonegotiate signing.Volker Lendecke1-10/+15
Jeremy. (This used to be commit a4d2dd1d40f6b1322e69d430023aa89dac86fda3)
2003-08-11Fallback to not using NTLMv2 is extended security not supported.Jeremy Allison1-1/+1
Jeremy. (This used to be commit ba075ff03af06dfc2f4bcb952508bbc4a6967d85)
2003-08-11I think this is the one to check...Volker Lendecke1-0/+3
Volker (This used to be commit f6d853d36a37dd854a410717af2f7eaf9457eeb5)
2003-08-11Revert the latest fix. Need to investigate further.Volker Lendecke1-4/+2
Volker (This used to be commit 447f130619ad7aaab351c2b46d3e57eaf31a9454)
2003-08-11Fix a segfault in ntlm_auth when we can't find a domain or hostname.Volker Lendecke1-2/+4
Volker (This used to be commit 49c4f8a764a2b9e266c33f018515e6a742cfc8b0)
2003-08-10Store the server domain from the ntlmssp challenge in the client structVolker Lendecke2-0/+4
to be able to ask a LMB for the servers in its workgroup. Against W2k this only works on port 139.... Volker (This used to be commit 62b04d7776852098dd768268500f36c3a362f688)
2003-08-08fix 2 bugs:Gerald Carter1-3/+13
1) don't ask trusted DC's for a list of trusted domains. This causes us to treat non-transitive ones as if they were transitive. Not needed anyways 2) Fix dc lookup bug where we would always try to use DNS to resolve the DC's for a domain (even if it was a trusted NT4 domain). (This used to be commit 4d3acce5066d3adf53ee8fbaa627c42523b3cbc3)
2003-08-08RPC fix from Ronan Waide <waider@waider.ie>. Tested with rpcecho.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 68590b9e2266cf76b46a68cca0acaa47733811fe)
2003-08-07An oplock break reply from the client causes the sequence number to beJeremy Allison1-1/+40
updated by 2 if there is no open reply outstanding, else by one.... Yes - this makes no sense.... Jeremy. (This used to be commit b43ce1ff6109f6422a621329ceb713b42df40040)
2003-08-07Turns out I had my packet sequences wrong for oplock break code.Jeremy Allison1-46/+19
I was storing the mid of the oplock break - I should have been storing the mid from the open. There are thus 2 types of deferred packet sequence returns - ones that increment the sequence number (returns from oplock causing opens) and ones that don't (change notify returns etc). Running with signing forced on does lead to some interesting tests :-). Jeremy. (This used to be commit 85907f02cec566502d9e4adabbd414020a26064d)
2003-08-04Changes to make gss-spnego ntlmssp client work against W2k AD.Volker Lendecke1-1/+17
Now I know where the mechListMIC changes came from: Ethereal ;-) Volker (This used to be commit 4e9eed1273035d09ac3b427b9711327ba8c6ebfc)