| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Add support for variable-length session keys in our client code.
This means that we now support 'net rpc join' with KRB5 (des based)
logins. Now, you need to hack 'net' to do that, but the principal is
important...
When we add kerberos to 'net rpc', it should be possible to still do
user management and the like over RPC.
-
Add server-side support for variable-length session keys (as used by
DES based krb5 logins).
Andrew Bartlett
(This used to be commit 1287cf5f921327c9ea758de46220c4e2dedc485c)
|
|
Changes all over the shop, but all towards:
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to
merge the 'client' and 'server' functions, so they both operate on a
single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of
data structures...
Andrew Bartlett
(This used to be commit 57a895aaabacc0c9147344d097d333793b77c947)
|
|
(This used to be commit 52c1973f39f4c4161097843fcf395e0102531575)
|
|
(This used to be commit a6cc763333943bc6e360bb7e78cf9bfb1bc936e8)
|
|
Jeremy.
(This used to be commit 13d32f561b23f2d69daf103a971acbdae547703d)
|
|
Revision 1.50.2.12:
Put in a work-around for ENOTSUP not being defined on OpenBSD.
Revision 1.50.2.10-11
Apply latest of Derrell Lippman's changes to libsmbclient.
Commit Derrell's changes to libsmbclient plus a small change to
configure.in to see if SGI and other platforms will build.
(This used to be commit e32826980eefeb501e4ae19c689d83153d9fe5e6)
|
|
Revision 1.2.2.5:
Remove some unused variables uncovered by the build farm.
(This used to be commit c0585399ac3b6adb22b514478ba44e3c8a96b050)
|
|
Jeremy.
(This used to be commit 124a8ddae63adff4f601242a8e6d05abcaf4d9bf)
|
|
According to Ethereal we have a 32-Bit quantity here. And with SSVAL valgrind
reports an unitialized read which is obviously correct. And I hate valgrind
errors ;-)
Volker
(This used to be commit 73fc6da6cf2b52f65c3dbfb7705899e6cbea447a)
|
|
of the problems with this.
From: Derrell.Lipman@unwireduniverse.com
(This used to be commit 8e3d2708c5e5a9968aeb9a6fe6c828aa8a5b22a9)
|
|
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at
all and I really want to discourage that.
Jeremy.
(This used to be commit 5c050a735f86927c7ef2a98b6f3a56abe39e4674)
|
|
map in errormap for ERROR_MORE_DATA -> ERRDOS, ERRmoredata.
Jeremy.
(This used to be commit 8458f4c52f32ef192287ddb8371638f42a370c6f)
|
|
when reverse connecting back to a client for printer notify.
Jeremy.
(This used to be commit 7fde193efeb856ec325d5d563f1e710c45dc65d7)
|
|
Jeremy.
(This used to be commit 419834edee09567c8523ad3afba674a12504282d)
|
|
We are doing NT error codes now.... If we have an NT error, report that
back the same way we handle the DOS error. Although I don't see why
BUFFER_TOO_SMALL should not be handled as an error, simply copy the logic.
This is only called from smbcacls and smbcquotas.
Jeremy.
(This used to be commit f67154fe41d7d458a11dfb9b2f0c6c26609c9a72)
|
|
(should help track down out of sequence bugs).
Jeremy.
(This used to be commit c6a36d4e486bf1aa384adf7db37878e485476216)
|
|
#ifdef HAVE_STAT_ST_BLKSIZE and #ifdef HAVE_STAT_ST_BLOCKS,
respectively.
Fixes bug 550 reported by Joachim Schmitz <schmitz@hp.com>.
(This used to be commit 3d777f5389ed6b4ab8c42eb110d41f7df309bead)
|
|
validated the same way.
Jeremy.
(This used to be commit 960e2b4a5f09d3ef80a926894ee7a28549b8de45)
|
|
>Applied Steve Langasek's patch for bug #450.
(This used to be commit 50ae61b674550082e30f7156f2a9129b7abebb14)
|
|
mode domains.
Jeremy.
(This used to be commit 07cfce283004d29d1f60e5d8c97e3e3d7c293805)
|
|
(This used to be commit 1a9145015d4b2ee7e7399099760cda13d619e740)
|
|
(This used to be commit c17a7dc9a190156a069da3e861c18fd3f81224ad)
|
|
(This used to be commit 3101c236b8241dc0183995ffceed551876427de4)
|
|
(This used to be commit 99feae7b5b1c229a925367b87c0c0f636d9a2d75)
|
|
prior to this merge, checkout HEAD_PRE_3_0_0_BETA_3_MERGE
(This used to be commit adb98e7b7cd0f025b52c570e4034eebf4047b1ad)
|
|
(This used to be commit ab60980461f31ce3dcb582f195b3754807dd9174)
|
|
(This used to be commit cb4188941e93f8026a94a7378a51b0ec73ffcb8f)
|
|
Larsen)
(This used to be commit c9c8eccdba820e82e1f987f9078d882668a8061b)
|
|
unicode plain text password if negoitated
(This used to be commit 207186e1c8ff0aac2a2aba9c4037d0be0c4819c8)
|
|
(This used to be commit 249a6974702d050644d6d61f33f0034ce2a689ee)
|
|
on the security entries sent.
Jeremy.
(This used to be commit 748ae44d55f54291da3fe6ba2d60285d6da3d415)
|
|
Jeremy.
(This used to be commit 56fd8427389a45fe640d84b3481e9f3f3c24b4b7)
|
|
server hash for checking the server's signiture.
Andrew Bartlett
(This used to be commit 61255a2b3694ba13c72a2a33e5956d14c7d4d2c1)
|
|
workstation, we have to use the workstation type, if we have a BDC account,
we must use the BDC type - even if we are pretending to be a workstation
at the moment.
Also actually store and retreive the last change time, so we can do
periodic password changes again (for RPC at least).
And finally, a couple of minor fixes to 'net'.
Andrew Bartlett
(This used to be commit 6e6b7b79edae3efd0197651e9a8ce6775c001cf2)
|
|
(This used to be commit 38efab087c86cab805c6b94c7455befaa9e94c5e)
|
|
(This used to be commit bd69cbce93054548b6d1e3bac89032ff4f693423)
|
|
(This used to be commit 74fab8f0d24004b1dfd5ce0fd7402895652f941f)
|
|
rpcclient -S pdc -U% -c "samlogon user password"
and it should work with the schannel. Needs testing platforms
different from NT4SP6.
Volker
(This used to be commit ecd0ee4d248e750168597ccf79c389513bb0f740)
|
|
Andrew Bartlett
(This used to be commit 9656b8709128f24dd63094d504a6646f99933c57)
|
|
The right thing to do is to try for the user's local one in ~/.smbc/smb.conf,
and if that fails, try the one in dyn_CONFIGFILE, and if that fails, keep
going with the defaults but log a message.
(This used to be commit 15fa48d19d178cf8bf214ea02f6c7a4c38890f71)
|
|
for broken-due-to-bad-sig.
Andrew Bartlett
(This used to be commit b010b6c2dc400a97eb2ad038cd1fdb34bbde2ef0)
|
|
just need to get the verifiction code working - we get back a signiture from
the server, and just can't verify it yet.
This also brings the short-packet checks into common code, and breaks the
connection if the server sends a signed reply, on an established connection,
that fails the test.
This breaks our read/write code at the moment, as we need to keep a list
of outstanding packets.
(signing is not enabled by default, unless the server demands it)
Not for 3.0 till I fix the outstanding packet list.
Andrew Barlett
(This used to be commit 808d1fcf20153970d587cb631a08607beb09703a)
|
|
Also, PLEASE, PLEASE, PLEASE, do not include bashism and Cisms in shell
scripts.
(This used to be commit 7f6367aac8c5440e1d4e97b26571b205140488ae)
|
|
(This used to be commit 41b320ffc560117c0184999e30cc69723f40acbe)
|
|
(This used to be commit b03ac852a86cf9f436ad2b994e09fb08dd929674)
|
|
(This used to be commit 21a99fdec321c44e31b69589248ff8d1cb927577)
|
|
(This used to be commit e1a159c55fdeaa1620a3147105be4efd205560ba)
|
|
(This used to be commit 8b5ad24231e5001e612c5fd4bbde2762caef5856)
|
|
(This used to be commit ca982a9f1d6485e2d388d4b2e9c13806736ad91e)
|
|
Andrew Bartlett
(This used to be commit 7064edf8534a6098fc4990bc516fcb45f4ff44bb)
|
