Age | Commit message | Author | Files | Lines |
|
(This used to be commit e3cb0cd0d60d90a76e5f74d5bda702148584ab30)
|
|
mode domains.
Jeremy.
(This used to be commit c816aacefb6621533194a374251835f186ca838f)
|
|
portion of NTLMv2 key exchange. Also revert the default for
'client ntlmv2 auth' to no. This caused no ends of grief in
different cases.
And based on abartlet's mail....
> All I care about at this point is that we use NTLMv2
> in our client code when connecting to a server that
> supports it.
There is *no* way to tell this. The server can't tell us, because it
doesn't know what its DC supports. The DC can't tell us, because it
doesn't know what the trusted DC supports. One DC might be Win2k, and
the PDC could be an older NT4.
(This used to be commit fe585d49cc3df0d71314ff43d3271d276d7d4503)
|
|
as that's what they do. Fix string_replace() to fast-path ascii.
Jeremy.
(This used to be commit f35e9a8b909d3c74be47083ccc4a4e91a14938db)
|
|
Removed calls to clobber_region when not compiling with developer as
they were hiding speed problems.
Added fast path to convert_string() when dealing with ascii -> ascii,
ucs2-le to ascii and ascii to ucs2-le with values <= 0x7F. This
gives a speedup of 22% on my nbench tests.
Next I will do this on convert_string_allocate.
Jeremy.
(This used to be commit ef140d15ea0d76a3e7cdcadbfd3e917c210a9411)
|
|
iconv wasn't re-initialised on reading of "charset" parameters. This
caused workgroup name to be set incorrectly if it contained an
extended character.
Jeremy.
(This used to be commit 84ae44678a6c59c999bc1023fdd9b7ad87f4ec18)
|
|
wins hook is called with unix charset.
Jeremy.
(This used to be commit ecb80573870103de7b3f332fb53bf6b952f25ee7)
|
|
when deciding whether or not to use ntlmv2 in client connections
(This used to be commit 6e82c9fdf9c1db6feec319b4550b07cbfad4defb)
|
|
Jeremy.
(This used to be commit eb792727437c74417f5ef7614b300ab84f06fdaf)
|
|
conversion simply copy as is. Also fixed the horrid malloc-twice-copy code
in the convert alloc path.
Jeremy.
(This used to be commit cfde7477fd12caef943a9422b52174438092a135)
|
|
(This used to be commit ae452e51b02672a56adf18aa7a7e365eeaba9272)
|
|
- Make winbindd try to use kerberos for connections to DCs, so that it can
access RA=2 servers, particularly for netlogon.
- Make rpcclient follow the new flags for the NETLOGON pipe
- Make all the code that uses schannel use the centralised functions for doing so.
Andrew Bartlett
(This used to be commit 96b4187963cedcfe158ff02868929b8cf81c6ebf)
|
|
elsewhere in the code. This will allow us to try kerberos, then another user
then guest in the winbindd code.
Also, re-introduce the separate, NT1 'guest' session setup code, as I found
some problems with doing guest under NTLMSSP.
Andrew Bartlett
(This used to be commit 33109fefe7d306a97ac48a75e3e67c166daff4ea)
|
|
(This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669)
|
|
same ads_verify_ticket routine that smbd uses, so in the current state
we have to have the host password in secrets.tdb instead of the
keytab. This means we have to be an ADS member, but it's a start.
Volker
(This used to be commit dc2d2ad467927affbd1461df75f77f07ddfbc3b1)
|
|
Currently I'm compiling against MIT Kerberos 1.2.8.
Anthony, you said you have a heimdal installation available. Could you
please compile this stuff with krb and check it with valgrind?
Thanks,
Volker
(This used to be commit d8ab44685994b302bb46eed9001c72c194d13dc8)
|
|
(This used to be commit a6a39c61e8228c8b3b7552ab3c61ec3a6a639143)
|
|
NTLMSSP with "" username, NULL password), and add --machine-pass (-P) to
all of Samba's clients.
When connecting to an Active Directory DC, you must initiate the CIFS level
session setup with Kerberos, not a guest login. If you don't, your machine
account is demoted to NT4.
Andrew Bartlett
(This used to be commit 3547cb3def45a90f99f67829a533eac1ccba5e77)
|
|
can not figure that we got no ticket.
Volker
(This used to be commit 2a724a7a873c08f14644427766bfd48908ddb501)
|
|
Volker
(This used to be commit 9f453f27be7eeb792b57d5c60284bb5efc84b408)
|
|
authentication.
NTLM2 is a version of NTLM, that involves both a client and server challenge,
and the creating of a new (presumably more secure) session key.
Unfortunately this is not quite the same as NTLMv2, and we don't know how to
get the session key. I suggest looking very closely at what MSCHAPv2, and
other MS auth protocols do...
Andrew Bartlett
(This used to be commit d4a5f4fdf97b707b44a0787267e1e4388d1b5388)
|
|
Jeremy.
(This used to be commit a4d2dd1d40f6b1322e69d430023aa89dac86fda3)
|
|
Jeremy.
(This used to be commit ba075ff03af06dfc2f4bcb952508bbc4a6967d85)
|
|
Volker
(This used to be commit f6d853d36a37dd854a410717af2f7eaf9457eeb5)
|
|
Volker
(This used to be commit 447f130619ad7aaab351c2b46d3e57eaf31a9454)
|
|
Volker
(This used to be commit 49c4f8a764a2b9e266c33f018515e6a742cfc8b0)
|
|
to be able to ask a LMB for the servers in its workgroup. Against
W2k this only works on port 139....
Volker
(This used to be commit 62b04d7776852098dd768268500f36c3a362f688)
|
|
1) don't ask trusted DC's for a list of trusted domains. This causes
us to treat non-transitive ones as if they were transitive. Not
needed anyways
2) Fix dc lookup bug where we would always try to use DNS to resolve
the DC's for a domain (even if it was a trusted NT4 domain).
(This used to be commit 4d3acce5066d3adf53ee8fbaa627c42523b3cbc3)
|
|
Jeremy.
(This used to be commit 68590b9e2266cf76b46a68cca0acaa47733811fe)
|
|
updated by 2 if there is no open reply outstanding, else by one....
Yes - this makes no sense....
Jeremy.
(This used to be commit b43ce1ff6109f6422a621329ceb713b42df40040)
|
|
I was storing the mid of the oplock break - I should have been
storing the mid from the open. There are thus 2 types of deferred
packet sequence returns - ones that increment the sequence number
(returns from oplock causing opens) and ones that don't (change notify
returns etc). Running with signing forced on does lead to some
interesting tests :-).
Jeremy.
(This used to be commit 85907f02cec566502d9e4adabbd414020a26064d)
|
|
Now I know where the mechListMIC changes came from: Ethereal ;-)
Volker
(This used to be commit 4e9eed1273035d09ac3b427b9711327ba8c6ebfc)
|
|
(This used to be commit 73d02e3a2b0f9e84ab6d8685e4ad6a03ef9249b2)
|
|
fixes signing for oplocks.
Jeremy.
(This used to be commit 69c56ee8bce122839a8fec4e59198f84b0757166)
|
|
Jeremy.
(This used to be commit 9a8ffc239c0f1aada713de7e9e007066738d8874)
|
|
Otherwise we find spurious mid sign records on reply_ntcancel calls (they cancel
by mid). That took a *lot* of tracking down. I still need to remove the mid
records from the sign state on reply_ntcancel to avoid leaking memory....
Jeremy.
(This used to be commit 270bf20fe3e226ab5cfc689bd20ed4c22b2fa7e6)
|
|
are updated correctly on returning an error for server trans streams.
Ensure we turn off client trans streams on error.
Jeremy.
(This used to be commit 3a789cb7f01115c37404e5a696de363287cb0e5f)
|
|
-> smbd
sequence number problem.
Jeremy.
(This used to be commit 844898dbd8e99837ef1621aa73024714aa819ce4)
|
|
numbers and MIDs when in trans/trans2/nttrans code.
Jeremy.
(This used to be commit 901544b29b4d815709b3dbad3012f1d2c419d904)
|
|
bug with w2k. Turns out that when we're doing a trans/trans2/nttrans call
the MID and send_sequence_number and reply_sequence_number must remain constant.
This was something we got very wrong in earlier versions of Samba. I can now
get a directory listing from WINNT\SYSTEM32 with the older earlier parameters
for clilist.c
This still needs to be fixed for the server side of Samba, client appears to
be working happily now (I'm doing a signed smbtar download of an entire W2K3
image to test this :-).
Jeremy.
(This used to be commit 2093a3130d4087d0659b497eebd580e7a66e5aa3)
|
|
(This used to be commit c9b209be2b17c2e4677cc30b46b1074f48878f43)
|
|
queue if the posix lock failed with EACCES or EAGAIN (this means another
lock conflicts). Else return an error and don't queue the request.
Jeremy.
(This used to be commit 43fbc18fdc184bf29c15186c16bc99fb208de963)
|
|
Volker
(This used to be commit bc39c9b57fa6258674e1ee44b3446f25bf63661e)
|
|
by aliguori: NegTokenInit.mechListMIC is an Octet String.
Second: add a free_spnego_data function.
Both thanks to aliguori.
Volker
(This used to be commit 6c252440fba33eb69827d5515a95fbb3e8e9a653)
|
|
on when signing was mandatory.
Jeremy.
(This used to be commit 7c58673a103195435ca75ebb2684880d1f7242d3)
|
|
connections. Overrides smb.conf parameter if set.
Jeremy.
(This used to be commit 879309671df6b530e0bff69559422a417da4a307)
|
|
Use W2K parameters. tpot please re-test smbclient with your problem
directory.
Jeremy.
(This used to be commit 677d3a3c4ca0b67148e5e56fa876773a067679bd)
|
|
Jeremy.
(This used to be commit b8f6b836468b3a0ae75977dc65cae8400f74734c)
|
|
from Jim McDonough. It is to enable cyrus sasl to provide the
gss-spnego support. For a preliminary patch to cyrus sasl see
http://samba.sernet.de/cyrus-gss-spnego.diff
Volker
(This used to be commit 45cef8f66e46abe4a25fd2b803a7d1051c1c6602)
|
|
(This used to be commit 2c395a3904395c2743df9c3035459c6f3866232d)
|