Age | Commit message | Author | Files | Lines |
|
It is never correct to ask for a machine$ principal as the target of a
Kerberos connection. You should always connect via the
servicePrincipalName.
This current code appears to have built up from a series of minimal
changes, as the codebase adapted to the lack of a SPNEGO principal
from Windows 2008.
Andrew Bartlett
|
|
This principal is not supplied by later versions of Windows, and using
it opens up some opportunities for man in the middle attacks. (Because
it isn't the name being contacted that is verified with the KDC).
This adds the option 'client use spnego principal' to the smb.conf (as
used in Samba4) to control this behaviour. As in Samba4, this
defaults to false.
Against 2008 servers, this will not change behaviour. Against earlier
servers, it may cause a downgrade to NTLMSSP more often, in
environments where server names are not registered with the KDC as
servicePrincipalName values.
Andrew Bartlett
|
|
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Sat Nov 20 15:28:26 CET 2010 on sn-devel-104
|
|
When winbind sees a signing error on the smb connection to a DC (for whatever
reason, our bug, network glitch, etc) it should recover properly. The "old"
code in clientgen.c just closed the socket in this case. This is the right
thing to do, this connection is spoiled anyway. The new, async code did not do
this so far, which led to the code in winbindd_cm.c not detecting that we need to
reconnect.
|
|
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Sun Nov 14 10:24:02 UTC 2010 on sn-devel-104
|
|
transaction id of packets it was requested to send via a client, and
only store replies that match these ids. On the client side change
clients to always attempt to ask nmbd first for name_query and
node_status calls, and then fall back to doing socket calls if
we can't talk to nmbd (either nmbd is not running, or we're not
root and cannot open the messaging tdb's). Fix readers of unexpected.tdb
to delete packets they've successfully read.
This should fix a long standing problem of unexpected.tdb
growing out of control in noisy NetBIOS environments with
lots of broadcasts, yet still allow unprivileged client apps
to work mostly as well as they already did (nmblookup for
example) in an environment when nmbd isn't running.
Jeremy.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sun Nov 14 05:22:45 UTC 2010 on sn-devel-104
|
|
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Thu Nov 11 18:54:00 UTC 2010 on sn-devel-104
|
|
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Thu Nov 11 16:59:27 UTC 2010 on sn-devel-104
|
|
using SMB signing.
The underlying problem is that the old code invoked by cli_write() increments
cli->mid directly when issuing outstanding writes. This should now be done only
in libsmb/clientgen.c to make metze's new signing engine work correctly. Just
deleting this code fixes the problem.
Jeremy.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Thu Nov 11 02:50:08 UTC 2010 on sn-devel-104
|
|
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Thu Nov 4 22:08:53 UTC 2010 on sn-devel-104
|
|
Following the review of this patch series by Derrell Lipman, remove
the separate storage of the debug_stderr variable from the
libsmbclient SMBC_internal_data context.
Andrew Bartlett
|
|
This isn't quite what you would expect from this interface, but actually
avoids some really nasty situations if you ever have more than one
libsmbclient context in a process.
In the real world, if you have asked for DEBUG() to stderr in one part
of the code, you will want it globally, even in a different thread
(which in the past would have reset everything to stdout again, at
least while starting up).
Andrew Bartlett
|
|
All future assignments of the debug level should go via
lp_set_cmdline("log level", "x") because this will ensure the value is
not overwritten in an smb.conf load.
Andrew Bartlett
|
|
This change improves the setup_logging() API so that callers which
wish to set up logging to stderr can simply ask for it, rather than
directly modify the dbf global variable.
Andrew Bartlett
|
|
Based on an initial patch from H Hasegawa <hasegawa.hiroyuki@fujixerox.co.jp>.
Convert cli_list and associated functions to take calls that return NTSTATUS.
Jeremy.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Fri Oct 29 19:40:16 UTC 2010 on sn-devel-104
|
|
Based on a fix from Sven Neumann <s.neumann@raumfeld.com>.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Wed Oct 27 22:02:11 UTC 2010 on sn-devel-104
|
|
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Sun Oct 24 21:28:08 UTC 2010 on sn-devel-104
|
|
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Sun Oct 24 12:22:22 UTC 2010 on sn-devel-104
|
|
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Sun Oct 24 10:23:29 UTC 2010 on sn-devel-104
|
|
metze
|
|
This will reduce the noise from merges of the rest of the
libcli/security code, without this commit changing what code
is actually used.
This includes (along with other security headers) dom_sid.h and
security_token.h
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
|
|
Same argument as in 997a64f6fb11e19d78c: If tdb_close() was needed at exit
time, we'd have more severe problems by now.
|
|
Guenther
|
|
This is freed in this routine a few lines down
|
|
TDB_CLEAR_IF_FIRST tdb's. For tdb's like gencache where we open
without CLEAR_IF_FIRST and then with CLEAR_IF_FIRST if corrupt
this is still safe to use as if opening an existing tdb the new
hash will be ignored - it's only used on creating a new tdb not
opening an old one.
Jeremy.
|
|
Found by the CodeNomicon test suites at the SNIA plugfest.
http://www.codenomicon.com/
If an invalid NetBIOS session request is received the code in name_len() in
libsmb/nmblib.c can hit an assert.
Re-write name_len() and name_extract() to use "buf/len" pairs and
always limit reads.
Jeremy.
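The "buf/len" pattern this commit message describes, sketched as an added example (not Samba's name_len(), and not code from this commit): every read is checked against the buffer length and a malformed name returns an error instead of tripping an assert. The function name, the 255-byte cap and the sample names are assumptions constructed here.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_ENCODED_NAME 255  /* assumed cap on a whole encoded name */

/* Constructed sample: length byte 0x20, the 32-character first-level
 * encoding of the "*" wildcard name, then the zero-length root label
 * (supplied by the string literal's trailing NUL). 34 bytes in total. */
static const unsigned char sample_name[] =
    "\x20" "CK" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";

/* A name that is only a two-byte label pointer (constructed). */
static const unsigned char sample_ptr[2] = { 0xC0, 0x0C };

/* Hypothetical helper: bytes occupied by the encoded name at buf, or -1
 * if it is malformed or would require reading past buf_len. */
static int bounded_name_len(const unsigned char *buf, size_t buf_len)
{
    size_t off = 0;

    if (buf == NULL || buf_len == 0)
        return -1;
    if ((buf[0] & 0xC0) == 0xC0)          /* label pointer: two bytes */
        return buf_len >= 2 ? 2 : -1;

    while (off < buf_len) {
        unsigned char label = buf[off];

        if (label == 0)                    /* root label ends the name */
            return (int)(off + 1);
        if (label & 0xC0)                  /* sketch rejects pointers mid-name */
            return -1;
        if (label > buf_len - off - 1)     /* label body would overrun */
            return -1;
        off += (size_t)label + 1;
        if (off > MAX_ENCODED_NAME)
            return -1;
    }
    return -1;                             /* no terminator inside buffer */
}

int main(void)
{
    printf("full: %d\n", bounded_name_len(sample_name, sizeof(sample_name)));
    printf("cut:  %d\n", bounded_name_len(sample_name, 10));
    printf("ptr:  %d\n", bounded_name_len(sample_ptr, sizeof(sample_ptr)));
    return 0;
}
```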
|
|
Both allocated blobs are freed in their routines
|
|
Found by the CodeNomicon test suites at the SNIA plugfest.
http://www.codenomicon.com/
If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server
as we indirect the first returned value OIDs[0], which is returned as NULL.
Jeremy.
|
|
squashed: add mechListMIC signature checks
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Volker, please check.
Guenther
|