Age | Commit message (Collapse) | Author | Files | Lines |
|
all there is.
Jeremy.
(This used to be commit b611f8d170743f1f4d71b1def83bb757d9f467af)
|
|
Jeremy
(This used to be commit 5aab4b976c0aced68d71c1e71e85287072a6f3c7)
|
|
This fixes a problem joining a Samba domain from a
vanilla win2k client that doesn't set the
NTLMSSP_NEGOTIATE_NTLM2 flag.
Reported on samba ml as "decode_pw: incorrect password length"
when handling a samr_set_userinfo(23 or 24) RPC.
(This used to be commit ef4ab8d7c497e4229d0c1deeb20d05c95bd8feb9)
|
|
Jeremy.
(This used to be commit d3d0353baeba580d8a7a4688f847463b1b2e750c)
|
|
fail to OS2 for example)
(This used to be commit 54e2fcb8f4a9d603b3210baa014b3f5f15070a22)
|
|
broken by my NTLM2 commit. This should correctly cause the NTLM2 case
not to be negotiated when 'security=server' is in effect.
Andrew Bartlett
(This used to be commit 19bb4b582f98eb1da41e22c9a2a2c11602cb95e4)
|
|
they're easy to miss.
Jeremy.
(This used to be commit 7fa89b093709053650d197d2d0f091b9a1cd8218)
|
|
Jeremy
(This used to be commit 4912ad8f18041c9c3abe2cfa67dd26a324c9c31e)
|
|
does this.
Jeremy.
(This used to be commit 8adf0cd27a23b1bc6e0da08789a8b1e9eefb54a7)
|
|
state info each packet.
Jeremy.
(This used to be commit 818cf32d6330f7e7855ce662326003e75d4a1d46)
|
|
packet is the one that matters for checking the signing replies. Need to
check the server code does this correctly too....
Bug #832 reported by Volker.
Jeremy.
(This used to be commit 6750dc33b46c422582176b704592d9b2f1fb04d7)
|
|
it fails later. Only turn it off automatically if it fails at the start.
Jeremy.
(This used to be commit 4a145531c2b6353291cd25f14f5572aa31e86594)
|
|
defaults specified by the caller to prevail.
Don't use NTLM2 for RPC pipes, until we know how it works in signing or sealing.
Call ntlmssp_sign_init() unconditionally in the client - we setup the
session key, why not setup the rest of the data.
Andrew Bartlett
(This used to be commit 48123f7e42c3fde85887de23c80ceee04c2f6281)
|
|
ignore it. Only fail if signing is set to "required".
Jeremy.
(This used to be commit 8916ddfc39c3e70265188926f24034152f0e7b6b)
|
|
This means that we now support 'net rpc join' with KRB5 (des based)
logins. Now, you need to hack 'net' to do that, but the principal is
important...
When we add kerberos to 'net rpc', it should be possible to still do
user management and the like over RPC.
(server-side support to follow shortly)
Andrew Bartlett
(This used to be commit 9ecf9408d98639186b283f1acf0fac46417547d0)
|
|
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
|
|
(This used to be commit e374ce779efaec001c1476e0710ceaa9c3b84e8d)
|
|
Jeremy.
(This used to be commit 29413db303d30d28c2fb0cc6e6e963e725ad4101)
|
|
(This used to be commit 23443e3aa079710221557e18158d0ddb8ff48a36)
|
|
Jeremy.
(This used to be commit ad06edd1bb58cc5e2c38a364b1af96a933b770af)
|
|
(This used to be commit 084e4678c0876ebd6e756192866103ae037f3258)
|
|
(This used to be commit ca3d98d08bfe2c5c8a0f1a0d17160800f85d84b7)
|
|
(This used to be commit 84e620e5ba65c040df1c0ebdcf39fa5648dd37d9)
|
|
to see if SGI and other platforms will build.
(This used to be commit cf9311044c372695592db1b95b814b0870b8cf29)
|
|
reports an unitialized read which is obviously correct. And I hate valgrind
errors ;-)
Volker
(This used to be commit e5dbf2441c2ce7e7cb62f2538786e38bb8c8bdd9)
|
|
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at
all and I really want to discourage that.
Jeremy.
(This used to be commit d7e35dfb9283d560d0ed2ab231f36ed92767dace)
|
|
map in errormap for ERROR_MORE_DATA -> ERRDOS, ERRmoredata.
Jeremy.
(This used to be commit 7eaae388b35cb3d20cdd968b00d65c88fcee5878)
|
|
when reverse connecting back to a client for printer notify.
Jeremy.
(This used to be commit 06aa434c3fdb139e3f3143d19413556945cbcd4f)
|
|
Jeremy.
(This used to be commit 63f331564396e7a4f16dce95bb98d3b6c4b75351)
|
|
back the same way we handle the DOS error. Although I don't see why
BUFFER_TOO_SMALL should not be handled as an error, simply copy the logic.
This is only called from smbcacls and smbcquotas.
Volker
(This used to be commit 169f4dfee08e8de05e729fd48209df91cf8ba255)
|
|
(should help track down out of sequence bugs).
Jeremy.
(This used to be commit 6e21261fe40698b2ee46c802bd1c044a909f8e5d)
|
|
#ifdef HAVE_STAT_ST_BLKSIZE and #ifdef HAVE_STAT_ST_BLOCKS,
respectively.
Fixes bug 550 reported by Joachim Schmitz <schmitz@hp.com>.
(This used to be commit 18adfdbe0c6ed79ba8ac07956b1e7abc226556c3)
|
|
validated the same way.
Jeremy.
(This used to be commit 6ad2f0ba27566ab3928ccbbbb3c3a64b09ca139c)
|
|
(This used to be commit e3cb0cd0d60d90a76e5f74d5bda702148584ab30)
|
|
mode domains.
Jeremy.
(This used to be commit c816aacefb6621533194a374251835f186ca838f)
|
|
portion of NTLMv2 key exchange. Also revert the default for
'client ntlmv2 auth' to no. This caused no ends of grief in
different cases.
And based on abartlet's mail....
> All I care about at this point is that we use NTLMv2
> in our client code when connecting to a server that
> supports it.
There is *no* way to tell this. The server can't tell us, because it
doesn't know what it's DC supports. The DC can't tell us, because it
doesn't know what the trusted DC supports. One DC might be Win2k, and
the PDC could be an older NT4.
(This used to be commit fe585d49cc3df0d71314ff43d3271d276d7d4503)
|
|
as that's what they do. Fix string_replace() to fast-path ascii.
Jeremy.
(This used to be commit f35e9a8b909d3c74be47083ccc4a4e91a14938db)
|
|
Removed calls to clobber_region when not compiling with developer as
they were hiding speed problems.
Added fast path to convert_string() when dealing with ascii -> ascii,
ucs2-le to ascii and ascii to ucs2-le with values <= 0x7F. This
gives a speedup of 22% on my nbench tests.
Next I will do this on convert_string_allocate.
Jeremy.
(This used to be commit ef140d15ea0d76a3e7cdcadbfd3e917c210a9411)
|
|
iconv wasn't re-initialised on reading of "charset" parameters. This
caused workgroup name to be set incorrectly if it contained an
extended character.
Jeremy.
(This used to be commit 84ae44678a6c59c999bc1023fdd9b7ad87f4ec18)
|
|
wins hook is called with unix charset.
Jeremy.
(This used to be commit ecb80573870103de7b3f332fb53bf6b952f25ee7)
|
|
when decidiing whether or not use ntlmv2 in client connections
(This used to be commit 6e82c9fdf9c1db6feec319b4550b07cbfad4defb)
|
|
Jeremy.
(This used to be commit eb792727437c74417f5ef7614b300ab84f06fdaf)
|
|
conversion simply copy as is. Also fixed the horrid malloc-twice-copy code
in the convert alloc path.
Jeremy.
(This used to be commit cfde7477fd12caef943a9422b52174438092a135)
|
|
(This used to be commit ae452e51b02672a56adf18aa7a7e365eeaba9272)
|
|
- Make winbindd try to use kerberos for connections to DCs, so that it can
access RA=2 servers, particularly for netlogon.
- Make rpcclient follow the new flags for the NETLOGON pipe
- Make all the code that uses schannel use the centralised functions for doing so.
Andrew Bartlett
(This used to be commit 96b4187963cedcfe158ff02868929b8cf81c6ebf)
|
|
elsewhere in the code. This will allow us to try kerberos, then another user
then guest in the winbindd code.
Also, re-introduce the seperate, NT1 'guest' session setup code, as I found
some problems with doing guest under NTLMSSP.
Andrew Bartlett
(This used to be commit 33109fefe7d306a97ac48a75e3e67c166daff4ea)
|
|
(This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669)
|
|
same ads_verify_ticket routine that smbd uses, so in the current state
we have to be have the host password in secrets.tdb instead of the
keytab. This means we have to be an ADS member, but it's a start.
Volker
(This used to be commit dc2d2ad467927affbd1461df75f77f07ddfbc3b1)
|
|
Currently I'm compiling against MIT Kerberos 1.2.8.
Anthony, you said you have a heimdal installation available. Could you
please compile this stuff with krb and check it with valgrind?
Thanks,
Volker
(This used to be commit d8ab44685994b302bb46eed9001c72c194d13dc8)
|
|
(This used to be commit a6a39c61e8228c8b3b7552ab3c61ec3a6a639143)
|