| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
NTLM Authentication:
- Add a 'privileged' mode to Winbindd. This is achieved by means of a directory
under lockdir, that the admin can change the group access for.
- This mode is now required to access with 'CRAP' authentication feature.
- This *will* break the current SQUID helper, so I've fixed up our ntlm_auth
replacement:
- Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a
challenge.
- Use this to make our ntlm_auth utility suitable for use in current Squid 2.5
servers.
- Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates
are needed.
- Now uses fgets(), not x_fgets() to cope with Squid environment (I think
somthing to do with non-blocking stdin).
- Add much more robust connection code to wb_common.c - it will not connect to
a server of a different protocol version, and it will automatically try and
reconnect to the 'privileged' pipe if possible.
- This could help with 'privileged' idmap operations etc in future.
- Add a generic HEX encode routine to util_str.c,
- fix a small line of dodgy C in StrnCpy_fn()
- Correctly pull our 'session key' out of the info3 from th the DC. This is
used in both the auth code, and in for export over the winbind pipe to
ntlm_auth.
- Given the user's challenge/response and access to the privileged pipe,
allow external access to the 'session key'. To be used for MSCHAPv2
integration.
Andrew Bartlett
(This used to be commit ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664)
|
|
- Add a 'privileged' mode to Winbindd. This is achieved by means of a directory
under lockdir, that the admin can change the group access for.
- This mode is now required to access with 'CRAP' authentication feature.
- This *will* break the current SQUID helper, so I've fixed up our ntlm_auth
replacement:
- Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a
challenge.
- Use this to make our ntlm_auth utility suitable for use in current Squid 2.5
servers.
- Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates
are needed.
- Now uses fgets(), not x_fgets() to cope with Squid environment (I think
somthing to do with non-blocking stdin).
- Add much more robust connection code to wb_common.c - it will not connect to
a server of a different protocol version, and it will automatically try and
reconnect to the 'privileged' pipe if possible.
- This could help with 'privileged' idmap operations etc in future.
- Add a generic HEX encode routine to util_str.c,
- fix a small line of dodgy C in StrnCpy_fn()
- Correctly pull our 'session key' out of the info3 from th the DC. This is
used in both the auth code, and in for export over the winbind pipe to
ntlm_auth.
- Given the user's challenge/response and access to the privileged pipe,
allow external access to the 'session key'. To be used for MSCHAPv2
integration.
Andrew Bartlett
(This used to be commit dcdc75ebd89f504a0f6e3a3bc5b43298858d276b)
|
|
(This used to be commit 8315b9c3119dde62aeb72ad5e20f63aee89abd0b)
|
|
Andrew Bartlett
(This used to be commit fb680f610ceb9a0f350c99456cf7ab1a507543fe)
|
|
(This used to be commit 2e1e5719f188a933e6b691fbd48037a0d29497e4)
|
|
(This used to be commit 6df38e250af1a8e7213ad66342c71c52ce118a12)
|
|
(This used to be commit b757a4374832d76500a889e4785622320881018d)
|
|
Small clenaup patches:
- safe_string.h - don't assume that __FUNCTION__ is available
- process.c - use new workaround from safe_string.h for the same
- util.c - Show how many bytes we smb_panic()ed trying to smb_xmalloc()
- gencache.c - Keep valgrind quiet by always null terminating.
- clistr.c - Add copyright
- srvstr.h - move srvstr_push into a .c file again, as a real function.
- srvstr.c - revive, with 'safe' checked srvstr_push
- loadparm.c - set a default for the display charset.
- connection.c - use safe_strcpy()
Andrew Bartlett
(This used to be commit c91e76bddbe1244ddc8d12b092eba875834029ac)
|
|
- safe_string.h - don't assume that __FUNCTION__ is available
- process.c - use new workaround from safe_string.h for the same
- util.c - Show how many bytes we smb_panic()ed trying to smb_xmalloc()
- gencache.c - Keep valgrind quiet by always null terminating.
- clistr.c - Add copyright
- srvstr.h - move srvstr_push into a .c file again, as a real function.
- srvstr.c - revive, with 'safe' checked srvstr_push
- loadparm.c - set a default for the display charset.
Andrew Bartlett
(This used to be commit a7eba37aadeb0b04cb1bd89deddb58be8aba825c)
|
|
to the integer for SIVAL().
(This used to be commit e8b4b136669e7e415557956d698c66c254b28ec1)
|
|
to the integer for SIVAL().
(This used to be commit 5e20868fadc4e01ea09639bc57c51d1eb687f78c)
|
|
Andrew Bartlett
(This used to be commit 6bf04c41ed88528345f6bb19d48f5909753a8322)
|
|
Andrew Bartlett
(This used to be commit 05a63bd17e4c35979b3864b0969b2bfd945335d9)
|
|
issues.
Also pick up these link failures at compile time (rather than runtime).
Andrew Bartlett
(This used to be commit 23c7342bc40daffbcd70ef04727cae2c2b2c366b)
|
|
complete now.
(This used to be commit 72bb5615f3eef1c5b27716dfcabe4c8288729458)
|
|
when sending(and vice versa when receiving).
(This used to be commit 5310447ec6e0df1c000e3ee14572f5b7fee31f28)
|
|
on 2000.
sending messages to 9x needs to be fixed, but that didn't work anyway
(This used to be commit ca066502a2a3dbdd8943d515c9c6d21e62d757b6)
|
|
Jeremy.
(This used to be commit f93c64b5ca1bc21f5fa89200034cd82dcbc0910b)
|
|
Jeremy.
(This used to be commit fb925a72a6323d96d8fae658c4271ca05e8256de)
|
|
buffer size.
(This used to be commit 27ec538eca0905e1f749de4c49cc2555c5932d5c)
|
|
A much better SMB signing module, that allows for mulitple signing algorithms
and correctly backs down from signing when the server cannot sign the reply.
This also attempts to enable SMB signing on NTLMSSP connections, but I don't
know what NTLMSSP flags to set yet.
This would allow 'client use signing' to be set by default, for server
compatability. (A seperate option value should be provided for mandetory
signing, which would not back down).
Andrew Bartlett
(This used to be commit 1c87be7a3d127201a6ab78d22d17c971af16b86b)
|
|
Andrew Bartlett
(This used to be commit f4ae028c2ad6ff8c7da3a6ef77a92762861144e1)
|
|
This patch catches up on the rest of the work - as much string checking
as is possible is done at compile time, and the rest at runtime.
Lots of code converted to pstrcpy() etc, and other code reworked to correctly
call sizeof().
Andrew Bartlett
(This used to be commit c5b604e2ee67d74241ae2fa07ae904647d35a2be)
|
|
used to be commit f0d009c3e91979b0dc3443e16f3f545bcc64cfda)
|
|
is as stable as possible in the string department and some pain now
will help later :-).
Jeremy.
(This used to be commit 86e3eddac698d90f4666b8492b4603a4efbbd67b)
|
|
signed/unsigned (mostly i counters)
a little bit of const.
Andrew Bartlett
(This used to be commit 50f0ca752e5058c4051f42a9337361373ba1f727)
|
|
session key and auth verifier patches.
Andrew Bartlett
(This used to be commit 3f9616a68a855acbae3f405c27ee2358fbe7ba2c)
|
|
Andrew Bartlett
(This used to be commit 980f2eb7c2efa1a2c83098aebecf0e25a05724cb)
|
|
Andrew Bartlett
(This used to be commit a12e8524997e329a4f4cd766d6371e384698795a)
|
|
- signed/unsigned
- quieten warning about assignment as truth value
- whitespace
Andrew Bartlett
(This used to be commit a13ce0df4b4a776fa635a1fb804dd00d195f58d0)
|
|
This patch enables the compile-time checking of strings assable by means of
sizeof(). (Original code had the configure check reversed).
This is extended to all safe_strcpy() users, push_string and pull_string,
as well as the cli and srv derivitives. There is an attempt to cap strings
at the end of the cli buffer, and clobber_region() of the speified length
(when not -1 :-).
Becouse of the way they are declared, the 'overmalloc a string' users of
safe_strcpy() have been changed to use overmalloc_safe_strcpy() (which skips
some of the checks).
This whole ball of mud worked fine, until I pulled out my 'fix' for our
statcache. When jeremy fixes that, we should be able to get back to testing
this stuff.
This patch also includes a 'marker' of the last caller to clobber_region (ie,
the function that called pstrcpy() that called clobber_region) to assist in
debugging problems that may have smashed the stack. This is printed at
smb_panic() time. (Original idea and patch by metze).
It also removes some unsused functions, and #if 0's some others that are
unused but probably should be used in the near future.
For now, this patch gives us some confidence on one class of trivial parsing
error in our code.
Andrew Bartlett
(This used to be commit 31f4827acc2a2f00399a5528fc83a0dae5cebaf4)
|
|
(This used to be commit f6ea572cd57d4e655d387fe225a5d7122d587a9b)
|
|
(This used to be commit aa12379b3fd9646199a8ff3f217ec7dfef1942a5)
|
|
Andrew Bartlett
(This used to be commit 2effcae13f9dfbff40b34d32c7fd82118c3fd096)
|
|
Andrew Bartlett
(This used to be commit 7ab6559369b4e6ee3c5269d8cff04e5a39f6b493)
|
|
(This used to be commit f07a93eaeba20f5704f43c7f02141adc564db136)
|
|
Who knows what .NET server brings, though ...? ;-)
Rafal
(This used to be commit d81b0d26903004be6a99ac029dd531fd18947268)
|
|
(This used to be commit 3f4cb7b2c4d9b54b41bcc184ccfd00032e2b021b)
|
|
Andrew Bartlett
(This used to be commit f9c3c93f55cac774e576fd5975c0582e0b334d6a)
|
|
respond to a
lock - so to make the torture tests valid I give it a grace time of 10
seconds instead of 2'
Jeremy.
(This used to be commit 41571a69e04838c00de7d4a528c59cd1e88919d0)
|
|
lock - so to make the torture tests valid I give it a grace time of 10
seconds instead of 2
(This used to be commit c9c9e9eb26ec3042395637d14a6661d04a629ccc)
|
|
Jeremy.
(This used to be commit 33b11d5eb53bdeb9d279d221fd5c01579253e1c7)
|
|
Jeremy.
(This used to be commit 2e9880ef7c259b67eb75edc8098b734c3b7b22c1)
|
|
Volker
(This used to be commit 329911e43681b724cb0579aad77b4a658759d7ba)
|
|
Volker
(This used to be commit 54c99ee1fbaf4541fb3fa10a9b764da1367af6d3)
|
|
get Win2k to send a valid signiture in it's session setup reply - which it will
give to win2k clients.
So, I need to look at becoming 'more like MS', but for now I'll get this code
into the tree. It's actually based on the TNG cli_pipe_ntlmssp.c, as it was
slightly easier to understand than our own (but only the utility functions
remain in any way intact...).
This includes the mysical 'NTLM2' code - I have no idea if it actually works.
(I couldn't get TNG to use it for its pipes either).
Andrew Bartlett
(This used to be commit a034a5e381ba5612be21e2ba640d11f82cd945da)
|
|
(This used to be commit 05cffbee56f0556f550b4d14f3111bd7db972621)
|
|
The intention is to allow for NTLMSSP and kerberos signing of packets, but
for now it's just what I call 'simple' signing. (aka SMB signing per the SNIA
spec)
Andrew Bartlett
(This used to be commit b9cf95c3dc04a45de71fb16e85c1bfbae50e6d8f)
|
|
(This used to be commit c2a266b7b661d319e13982bfdbc3a86e8502b8a4)
|
|
Jeremy.
(This used to be commit 60b0cfc8a5b6275d3460ebc6bf17d0f08e25b67e)
|
