summaryrefslogtreecommitdiff
path: root/source3/libsmb
AgeCommit message (Collapse)AuthorFilesLines
2003-07-31Turn the 'doing_signing' variable on - fix bug where it was only being setJeremy Allison1-1/+1
on when signing was mandatory. Jeremy. (This used to be commit 7c58673a103195435ca75ebb2684880d1f7242d3)
2003-07-30Add a command line option (-S on|off|required) to enable signing on clientJeremy Allison3-4/+28
connections. Overrides smb.conf parameter if set. Jeremy. (This used to be commit 879309671df6b530e0bff69559422a417da4a307)
2003-07-30Fix bug we discovered in W2K client signing on secondary trans2 packets.Jeremy Allison1-2/+3
Use W2K parameters. tpot please re-test smbclient with your problem directory. Jeremy. (This used to be commit 677d3a3c4ca0b67148e5e56fa876773a067679bd)
2003-07-30Eliminate valgrind error when client gets bad sig on list. Some reformatting.Jeremy Allison2-12/+25
Jeremy. (This used to be commit b8f6b836468b3a0ae75977dc65cae8400f74734c)
2003-07-29This adds gss-spnego to ntlm_auth. It contains some new spnego supportVolker Lendecke1-0/+292
from Jim McDonough. It is to enable cyrus sasl to provide the gss-spnego support. For a preliminary patch to cyrus sasl see http://samba.sernet.de/cyrus-gss-spnego.diff Volker (This used to be commit 45cef8f66e46abe4a25fd2b803a7d1051c1c6602)
2003-07-27Fix commentAndrew Bartlett1-1/+1
(This used to be commit 2c395a3904395c2743df9c3035459c6f3866232d)
2003-07-27Try again to fix up 'session request' name exchange. This time we actualyAndrew Bartlett1-3/+3
get the names... Andrew Bartlett (This used to be commit 7c9e204f7eb15139532f2cc522ed87d0ac34d118)
2003-07-27Some small fixes to our charset conversion code:Andrew Bartlett1-4/+8
- Treat the NMB names in the 'session request' packet as 'ASCII'. This means that we do not get invalid multibyte from the wire, even if we truncate in the conversion. (Otherwise we panic when we try to strupper_m it). - Remove acnv_uxu2(), as it was duplicated by push_ucs2_allocate() - Remove acnv_dosu2(), as it is not used. - In push_ucs2(), with the STR_UPPER flag, do the case conversion *after* the UCS2 conversion, when it we know that the length can't change. Also faster, as we don't need to do another 2 UCS2 conversions. Andrew Bartlett (This used to be commit 912035af1178424583d0bf887a391a0cac2acd87)
2003-07-25W00t! Client smb signing is now working correctly with krb5 and w2k server.Jeremy Allison4-16/+44
Server code *should* also work (I'll check shortly). May be the odd memory leak. Problem was we (a) weren't setting signing on in the client krb5 sessionsetup code (b) we need to ask for a subkey... (c). The client and server need to ask for local and remote subkeys respectively. Thanks to Paul Nelson @ Thursby for some sage advice on this :-). Jeremy. (This used to be commit 3f9e3b60709df5ab755045a093e642510d4cde00)
2003-07-25More printf portability fixes. Got caught out by some gcc'isms lastTim Potter2-3/+3
time. )-: (This used to be commit 59dae1da66a5eb7e128263bd578f167d8746e9f0)
2003-07-24More printf fixes - size_t is long on some architectures.Tim Potter2-2/+2
(This used to be commit ba4d334b822248d8ab929c9568533431603d967e)
2003-07-24Fix packet signing with asynchronous oplock breaks. Removed bad error messageJeremy Allison1-5/+67
due to w2k bug. I think this code is now working.... Need more testing of course but works on all the obvious cases I can think of. Jeremy. (This used to be commit a6e537f6611cc1357fffea0b69901fba7c9ad6ea)
2003-07-24SMB signing is now working with change notify. Need to fix the disconnectJeremy Allison1-18/+28
when bad signature received, plus check the oplock breaks.... Jermey. (This used to be commit dd83931a00ec0a2c4b78b939c54bc101ec82312f)
2003-07-24Server side NTLM signing works - until the first async packet. Working on thisJeremy Allison1-22/+114
next.... Jeremy. (This used to be commit eff74a1fcc597497a4c70589a44c1b70e93ab549)
2003-07-23convert snprintf() calls using pstrings & fstringsGerald Carter3-5/+5
to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-23fixed segv in calls to pstrcpy() in cliprint.cAndrew Tridgell1-6/+6
(This used to be commit 36bc2b99b4fec2c14f8471d89381b2d6c2f9d339)
2003-07-23Don't check in two places for signing turned off...Jeremy Allison1-3/+0
Jeremy. (This used to be commit f4b02e52e25556e5b101d493e2e6404563bf96dd)
2003-07-18Signing so far... the client code fails on a SMBtrans2 secondary transactionJeremy Allison1-50/+114
I think (my changes haven't affected this I believe). Initial support on the server side for smbclient. Still doesn't work for w2k clients I think... Work in progress..... (don't change). Jeremy. (This used to be commit e5714edc233424c2f74edb6d658f32f8e0ec9275)
2003-07-17Correctly toggle the signing state to what it was previosly when sendingJeremy Allison1-12/+5
an oplock break. Jeremy. (This used to be commit 9515de83a864250c417cf490b7be714c8e1e127e)
2003-07-17Putting the framework for server signing in place. Ensure we don't useJeremy Allison1-5/+67
sendfile when signing (I need to add this for readbraw/writebraw too...). Jeremy. (This used to be commit f2e84f1ba67b13ff29e24a38099b559d9033a680)
2003-07-16Refactor signing code to remove most dependencies on 'struct cli'.Jeremy Allison2-92/+118
Ensure a server can't do a downgrade attack if client signing is mandatory. Add a lp_server_signing() function and a 'server signing' parameter that will act as the client one does. Jeremy (This used to be commit 203e4bf0bfb66fd9239e9a0656438a71280113cb)
2003-07-16Add API framework for server SMB signing.Jeremy Allison1-0/+21
Jeremy. (This used to be commit 61fc9a7b2eafdf8cbed1f8d9aae016b828c91a08)
2003-07-16Add krb5_princ_component to Heimdal. Remove cli_ from mark packet signed.Jeremy Allison2-5/+18
Jeremy. (This used to be commit dd46f8b22d6e8411081a1279e1cd32929e40370b)
2003-07-16Spelling.Tim Potter5-12/+12
(This used to be commit 2750418752e491c5e87f0f2adf253291e31ee4c2)
2003-07-16fix typo in debug logGerald Carter1-1/+1
(This used to be commit 074da426708555de082d0c2e5ae3a5cddaadcdf4)
2003-07-15Added the "required" keyword to the "client signing" parameter to force itJeremy Allison3-5/+19
on. Fail if missmatch. Small format tidyups in smbd/sesssetup.c. Preparing to add signing on server side. Jeremy. (This used to be commit c390b3e4cd68cfc233ddf14d139e25d40f050f27)
2003-07-15Add a cli_ prefix to a few functions to ensure everything that takes a ↵Jeremy Allison1-10/+10
struct cli_state is so marked. Jeremy (This used to be commit 0b8724ed65799f94f2af5d1dbb9ba20f1bac53a7)
2003-07-14Fix SMB signing when using NTLMSSP...Andrew Bartlett2-93/+8
It's so simple now I know how it works - and it has nothing to do with NTLMSSP (it's just a slightly different use of the old algorithm). :-). Note: This is actually less secure then the non-NTLMSSP code, as there is no per-session random data included for NTLM logins. (NTLMv2 is better, fortunetly). Andrew Bartlett (This used to be commit 95ec8317d4c6817d192bcd52eec44a22286e10ee)
2003-07-14Jeremy requested that I get my NTLMSSP patch into CVS. He didn't requestAndrew Bartlett7-96/+385
the schannel code, but I've included that anyway. :-) This patch revives the client-side NTLMSSP support for RPC named pipes in Samba, and cleans up the client and server schannel code. The use of the new code is enabled by the 'sign', 'seal' and 'schannel' commands in rpcclient. The aim was to prove that our separate NTLMSSP client library actually implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation, in the hope that knowing this will assist us in correctly implementing NTLMSSP signing for SMB packets. (Still not yet functional) This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with calls to libsmb/ntlmssp.c. In the process, we have gained the ability to use the more secure NT password, and the ability to sign-only, instead of having to seal the pipe connection. (Previously we were limited to sealing, and could only use the LM-password derived key). Our new client-side NTLMSSP code also needed alteration to cope with our comparatively simple server-side implementation. A future step is to replace it with calls to the same NTLMSSP library. Also included in this patch is the schannel 'sign only' patch I submitted to the team earlier. While not enabled (and not functional, at this stage) the work in this patch makes the code paths *much* easier to follow. I have also included similar hooks in rpccleint to allow the use of schannel on *any* pipe. rpcclient now defaults to not using schannel (or any other extra per-pipe authenticiation) for any connection. The 'schannel' command enables schannel for all pipes until disabled. This code is also much more secure than the previous code, as changes to our cli_pipe routines ensure that the authentication footer cannot be removed by an attacker, and more error states are correctly handled. (The same needs to be done to our server) Andrew Bartlett (This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14Delete obsolete comment.Tim Potter1-1/+0
(This used to be commit 5416c51133297e866210ec0d8454e04c25541d91)
2003-07-10i guess i'm the only one this ever annyoed...Gerald Carter1-1/+1
fix the confusion when we tdb_lock_bystring() but we retrieve an entry using tdb_fetch_by_string. It's now always tdb.*bystring() (This used to be commit 66359531b89368939f0e8f584a45844b5f2f99e7)
2003-07-03Removed strupper/strlower macros that automatically map to ↵Jeremy Allison5-8/+8
strupper_m/strlower_m. I really want people to think about when they're using multibyte strings. Jeremy. (This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
2003-07-03fix bug #190; WINS server was getting marked as dead when it was not.Gerald Carter1-2/+14
(This used to be commit fa354f3ceefe53bdfd4f543559041d337b75613f)
2003-07-01* fixed volker's wbinfo -a lockup again. This one was my fault.Gerald Carter1-60/+19
It was caused by the winbind_ping() call in is_trusted_domain() o if we are a DC then we check our own direct trust relationships we have to rely on winbindd to update the truatdom_cache o if we are a domain member, then we can update the trustdom_cache ourselves if winbindd is not there (This used to be commit 22dfcafb37f7109dc455f4fb6323a25ba4f097bc)
2003-07-01* fix the trustdom_cache to work when winbindd is not running.Gerald Carter2-22/+202
smbd will update the trustdom_cache periodically after locking the timestamp key (This used to be commit 7bc4b65b91f98271089335cc301146d5f0c76c3a)
2003-06-30* cleanup more DC name resolution issues in check_*domain_security()Gerald Carter2-2/+79
* is_trusted_domain() is broken without winbind. Still working on this. * get_global_sam_name() should return the workgroup name unless we are a standalone server (verified by volker) * Get_Pwnam() should always fall back to the username (minus domain name) even if it is not our workgroup so that TRUSTEDOMAIN\user can logon if 'user' exists in the local list of accounts (on domain members w/o winbind) Tested using Samba PDC with trusts (running winbindd) and a Samba 3.0 domain member not running winbindd. notes: make_user_info_map() is slightly broken now due to the fact that is_trusted_domain() only works with winbindd. disabled checks temporarily until I can sort this out. (This used to be commit e1d6094d066d4c16ab73075caba40a1ae6c56b1e)
2003-06-30removing old codeGerald Carter1-172/+0
(This used to be commit 80df684b72f273f9efc0c00646f26d17f1b4bc70)
2003-06-26cleaning up more build issues. TestedGerald Carter1-2/+4
"--with-ads=no --with-ldap=yes" and "--with-ads=yes && make everything" (This used to be commit 3e9e4bb7d1a2f5a95539f415aa101f033b67932a)
2003-06-25* fix typos in a few debug statementsGerald Carter1-1/+1
* check negative connection cache before ads_try_connect() in ads_find_dc() (This used to be commit 2a76101a3a31f5fca2f444b25e3f0486f7ef406f)
2003-06-25forgot one fileGerald Carter1-0/+158
(This used to be commit ef978bd851431da373e005177504dbef2611cf4f)
2003-06-25large change:Gerald Carter4-550/+353
*) consolidates the dc location routines again (dns and netbios) get_dc_list() or get_sorted_dc_list() is the authoritative means of locating DC's again. (also inludes a flag to get_dc_list() to define if this should be a DNS only lookup or not) (however, if you set "name resolve order = hosts wins" you could still get DNS queries for domain name IFF ldap_domain2hostlist() fails. The answer? Fix your DNS setup) *) enabled DOMAIN<0x1c> lookups to be funneled through resolve_hosts resulting in a call to ldap_domain2hostlist() if lp_security() == SEC_ADS *) enables name cache for winbind ADS backend *) enable the negative connection cache for winbind ADS backend *) removes some old dead code *) consolidates some duplicate code *) moves the internal_name_resolve() to use an IP/port pair to deal with SRV RR dns replies. The namecache code also supports the IP:port syntax now as well. *) removes 'ads server' and moves the functionality back into 'password server' (which can support "hostname:port" syntax now but works fine with defaults depending on the value of lp_security()) (This used to be commit d7f7fcda425bef380441509734eca33da943c091)
2003-06-23* s/get_dc_name/rpc_dc_name/g (revert a previous change)Gerald Carter2-69/+18
* move back to qsort() for sorting IP address in get_dc_list() * remove dc_name_cache in cm_get_dc_name() since it slowed things down more than it helped. I've made a note of where to add in the negative connection cache in the ads code. Will come back to that. * fix rpcclient to use PRINTER_ALL_ACCESS for set printer (instead of MAX_ALLOWED) * only enumerate domain local groups in our domain * simplify ldap search for seqnum in winbindd's rpc backend (This used to be commit f8cab8635b02b205b4031279cedd804c1fb22c5b)
2003-06-21merge of the netsamlogon caching code from APPLIANCE_HEADGerald Carter1-0/+238
This replaces the universal group caching code (was originally based on that code). Only applies to the the RPC code. One comment: domain local groups don't show up in 'getent group' that's easy to fix. Code has been tested against 2k domain but doesn't change anything with respect to NT4 domains. netsamlogon caching works pretty much like the universal group caching code did but has had much more testing and puts winbind mostly back in sync between branches. (This used to be commit aac01dc7bc95c20ee21c93f3581e2375d9a894e1)
2003-06-13Forward port the app-head changes for dc name cache into 3.0.Jeremy Allison3-31/+186
Jeremy. (This used to be commit 8bcc3116a22ce11b55a35f3363230f54bc5735fc)
2003-06-10fixed libsmb code to set correct timeout in cli_state when waiting forAndrew Tridgell1-2/+2
a blocking lock (This used to be commit 3515476fe436132d4569ac9067ea6195ab087e77)
2003-06-10use ZERO_STRUCT() instead of memsetAndrew Tridgell1-1/+1
(This used to be commit 082084042307f5f7d532b28debdeac11753a05f9)
2003-06-08Fix some memory leaks and extra cache startups/shutdowns from the trustedAndrew Bartlett2-4/+5
domains lookup code. Andrew Bartlett (This used to be commit 0ec1b1207041a3b6050046ba6d7b466dd4fcf341)
2003-06-08Enforce 'client plaintext auth', 'client lanman auth' and 'client ntlmv2 auth'.Andrew Bartlett1-9/+49
(this now causes things like the LANMAN protocol and contacting servers with 'encrypt passwords = no' set to fail, if configured) 'client ntlmv2 auth' (a BOOL) forces both plaintext and lanman off, and is the most secure setting for compatible hosts. Perhaps we should change this to 'client minimum auth'? Andrew Bartlett (This used to be commit e1fb681e4c921456fde154b87687722a18ed4aac)
2003-06-08Rework our smb signing code again, this factors out some of the commonAndrew Bartlett1-54/+109
MAC calcuation code, and now supports multiple outstanding packets. Fixes bug #40 Andrew Bartlett (This used to be commit dd33212f1ec08f46223d6de8e5ff3140ce367a9a)
2003-06-06applying David Lee's climessage patch to make sending messages more extendableGerald Carter1-6/+32
(This used to be commit a5240adc4944342529702542e080c378d3883a09)