summaryrefslogtreecommitdiff
path: root/source3/libsmb
AgeCommit message (Collapse)AuthorFilesLines
2003-07-14Fix SMB signing when using NTLMSSP...Andrew Bartlett2-93/+8
It's so simple now I know how it works - and it has nothing to do with NTLMSSP (it's just a slightly different use of the old algorithm). :-). Note: This is actually less secure then the non-NTLMSSP code, as there is no per-session random data included for NTLM logins. (NTLMv2 is better, fortunetly). Andrew Bartlett (This used to be commit 95ec8317d4c6817d192bcd52eec44a22286e10ee)
2003-07-14Jeremy requested that I get my NTLMSSP patch into CVS. He didn't requestAndrew Bartlett7-96/+385
the schannel code, but I've included that anyway. :-) This patch revives the client-side NTLMSSP support for RPC named pipes in Samba, and cleans up the client and server schannel code. The use of the new code is enabled by the 'sign', 'seal' and 'schannel' commands in rpcclient. The aim was to prove that our separate NTLMSSP client library actually implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation, in the hope that knowing this will assist us in correctly implementing NTLMSSP signing for SMB packets. (Still not yet functional) This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with calls to libsmb/ntlmssp.c. In the process, we have gained the ability to use the more secure NT password, and the ability to sign-only, instead of having to seal the pipe connection. (Previously we were limited to sealing, and could only use the LM-password derived key). Our new client-side NTLMSSP code also needed alteration to cope with our comparatively simple server-side implementation. A future step is to replace it with calls to the same NTLMSSP library. Also included in this patch is the schannel 'sign only' patch I submitted to the team earlier. While not enabled (and not functional, at this stage) the work in this patch makes the code paths *much* easier to follow. I have also included similar hooks in rpccleint to allow the use of schannel on *any* pipe. rpcclient now defaults to not using schannel (or any other extra per-pipe authenticiation) for any connection. The 'schannel' command enables schannel for all pipes until disabled. This code is also much more secure than the previous code, as changes to our cli_pipe routines ensure that the authentication footer cannot be removed by an attacker, and more error states are correctly handled. (The same needs to be done to our server) Andrew Bartlett (This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
2003-07-14Delete obsolete comment.Tim Potter1-1/+0
(This used to be commit 5416c51133297e866210ec0d8454e04c25541d91)
2003-07-10i guess i'm the only one this ever annyoed...Gerald Carter1-1/+1
fix the confusion when we tdb_lock_bystring() but we retrieve an entry using tdb_fetch_by_string. It's now always tdb.*bystring() (This used to be commit 66359531b89368939f0e8f584a45844b5f2f99e7)
2003-07-03Removed strupper/strlower macros that automatically map to ↵Jeremy Allison5-8/+8
strupper_m/strlower_m. I really want people to think about when they're using multibyte strings. Jeremy. (This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
2003-07-03fix bug #190; WINS server was getting marked as dead when it was not.Gerald Carter1-2/+14
(This used to be commit fa354f3ceefe53bdfd4f543559041d337b75613f)
2003-07-01* fixed volker's wbinfo -a lockup again. This one was my fault.Gerald Carter1-60/+19
It was caused by the winbind_ping() call in is_trusted_domain() o if we are a DC then we check our own direct trust relationships we have to rely on winbindd to update the truatdom_cache o if we are a domain member, then we can update the trustdom_cache ourselves if winbindd is not there (This used to be commit 22dfcafb37f7109dc455f4fb6323a25ba4f097bc)
2003-07-01* fix the trustdom_cache to work when winbindd is not running.Gerald Carter2-22/+202
smbd will update the trustdom_cache periodically after locking the timestamp key (This used to be commit 7bc4b65b91f98271089335cc301146d5f0c76c3a)
2003-06-30* cleanup more DC name resolution issues in check_*domain_security()Gerald Carter2-2/+79
* is_trusted_domain() is broken without winbind. Still working on this. * get_global_sam_name() should return the workgroup name unless we are a standalone server (verified by volker) * Get_Pwnam() should always fall back to the username (minus domain name) even if it is not our workgroup so that TRUSTEDOMAIN\user can logon if 'user' exists in the local list of accounts (on domain members w/o winbind) Tested using Samba PDC with trusts (running winbindd) and a Samba 3.0 domain member not running winbindd. notes: make_user_info_map() is slightly broken now due to the fact that is_trusted_domain() only works with winbindd. disabled checks temporarily until I can sort this out. (This used to be commit e1d6094d066d4c16ab73075caba40a1ae6c56b1e)
2003-06-30removing old codeGerald Carter1-172/+0
(This used to be commit 80df684b72f273f9efc0c00646f26d17f1b4bc70)
2003-06-26cleaning up more build issues. TestedGerald Carter1-2/+4
"--with-ads=no --with-ldap=yes" and "--with-ads=yes && make everything" (This used to be commit 3e9e4bb7d1a2f5a95539f415aa101f033b67932a)
2003-06-25* fix typos in a few debug statementsGerald Carter1-1/+1
* check negative connection cache before ads_try_connect() in ads_find_dc() (This used to be commit 2a76101a3a31f5fca2f444b25e3f0486f7ef406f)
2003-06-25forgot one fileGerald Carter1-0/+158
(This used to be commit ef978bd851431da373e005177504dbef2611cf4f)
2003-06-25large change:Gerald Carter4-550/+353
*) consolidates the dc location routines again (dns and netbios) get_dc_list() or get_sorted_dc_list() is the authoritative means of locating DC's again. (also inludes a flag to get_dc_list() to define if this should be a DNS only lookup or not) (however, if you set "name resolve order = hosts wins" you could still get DNS queries for domain name IFF ldap_domain2hostlist() fails. The answer? Fix your DNS setup) *) enabled DOMAIN<0x1c> lookups to be funneled through resolve_hosts resulting in a call to ldap_domain2hostlist() if lp_security() == SEC_ADS *) enables name cache for winbind ADS backend *) enable the negative connection cache for winbind ADS backend *) removes some old dead code *) consolidates some duplicate code *) moves the internal_name_resolve() to use an IP/port pair to deal with SRV RR dns replies. The namecache code also supports the IP:port syntax now as well. *) removes 'ads server' and moves the functionality back into 'password server' (which can support "hostname:port" syntax now but works fine with defaults depending on the value of lp_security()) (This used to be commit d7f7fcda425bef380441509734eca33da943c091)
2003-06-23* s/get_dc_name/rpc_dc_name/g (revert a previous change)Gerald Carter2-69/+18
* move back to qsort() for sorting IP address in get_dc_list() * remove dc_name_cache in cm_get_dc_name() since it slowed things down more than it helped. I've made a note of where to add in the negative connection cache in the ads code. Will come back to that. * fix rpcclient to use PRINTER_ALL_ACCESS for set printer (instead of MAX_ALLOWED) * only enumerate domain local groups in our domain * simplify ldap search for seqnum in winbindd's rpc backend (This used to be commit f8cab8635b02b205b4031279cedd804c1fb22c5b)
2003-06-21merge of the netsamlogon caching code from APPLIANCE_HEADGerald Carter1-0/+238
This replaces the universal group caching code (was originally based on that code). Only applies to the the RPC code. One comment: domain local groups don't show up in 'getent group' that's easy to fix. Code has been tested against 2k domain but doesn't change anything with respect to NT4 domains. netsamlogon caching works pretty much like the universal group caching code did but has had much more testing and puts winbind mostly back in sync between branches. (This used to be commit aac01dc7bc95c20ee21c93f3581e2375d9a894e1)
2003-06-13Forward port the app-head changes for dc name cache into 3.0.Jeremy Allison3-31/+186
Jeremy. (This used to be commit 8bcc3116a22ce11b55a35f3363230f54bc5735fc)
2003-06-10fixed libsmb code to set correct timeout in cli_state when waiting forAndrew Tridgell1-2/+2
a blocking lock (This used to be commit 3515476fe436132d4569ac9067ea6195ab087e77)
2003-06-10use ZERO_STRUCT() instead of memsetAndrew Tridgell1-1/+1
(This used to be commit 082084042307f5f7d532b28debdeac11753a05f9)
2003-06-08Fix some memory leaks and extra cache startups/shutdowns from the trustedAndrew Bartlett2-4/+5
domains lookup code. Andrew Bartlett (This used to be commit 0ec1b1207041a3b6050046ba6d7b466dd4fcf341)
2003-06-08Enforce 'client plaintext auth', 'client lanman auth' and 'client ntlmv2 auth'.Andrew Bartlett1-9/+49
(this now causes things like the LANMAN protocol and contacting servers with 'encrypt passwords = no' set to fail, if configured) 'client ntlmv2 auth' (a BOOL) forces both plaintext and lanman off, and is the most secure setting for compatible hosts. Perhaps we should change this to 'client minimum auth'? Andrew Bartlett (This used to be commit e1fb681e4c921456fde154b87687722a18ed4aac)
2003-06-08Rework our smb signing code again, this factors out some of the commonAndrew Bartlett1-54/+109
MAC calcuation code, and now supports multiple outstanding packets. Fixes bug #40 Andrew Bartlett (This used to be commit dd33212f1ec08f46223d6de8e5ff3140ce367a9a)
2003-06-06applying David Lee's climessage patch to make sending messages more extendableGerald Carter1-6/+32
(This used to be commit a5240adc4944342529702542e080c378d3883a09)
2003-06-06merge from APP_HEAD. Push negative connection cacheGerald Carter1-7/+148
into rpc_find_dc(). Should probably be extended some more in 3.0 but this is what we have for the moment. (This used to be commit 0e23abf95cf7ba2d0a314a34bddb4d46de2a3cd1)
2003-06-06fixed a pstrcpy() that is not on a pstringAndrew Tridgell1-1/+1
(This used to be commit f644b3d6d238e3c44d0358b44296a9360d16bb41)
2003-05-30More on bug 137: rename more of krb5_xxx functions to not start with krb5_Jim McDonough2-15/+15
(This used to be commit 10f1da3f4a9680a039a2aa26301b97e31c06c38d)
2003-05-26Fix list of servers in 'smbclient -L' (debian bug #194553, patch by Heine ↵Jelmer Vernooij1-1/+1
Larsen) (This used to be commit e9df7d2820441c63c35e7b4fc5b3cc594053781c)
2003-05-21fix for UNICODE plaintext passwords (bug #59) and fix smbclient to send the ↵Gerald Carter1-3/+16
unicode plain text password if negoitated (This used to be commit e7d635af80c844f17ff9f34c26c1e9c978951ce1)
2003-05-14spellingTim Potter3-3/+3
(This used to be commit 865c11275685c85124b506c9bbd2a8bde2e760b9)
2003-05-12Add NT quota support. Patch from Stefan (metze) MetzemacherAlexander Bokovoy1-0/+1
1. Allows to change quota settings for shared mount points from Win2K and WinXP from Explorer properties tab 2. Disabled by default and when requested, will be probed and enabled only on Linux where it works 3. Was tested for approx. two weeks now on Linux by two independent QA teams, have not found any bugs so far Documentation to follow (This used to be commit 4bf022ce9e45be85609426762ba2644ac2031326)
2003-05-10Fix from Tom.Lackemann@falconstor.com to correctly set the flags basedJeremy Allison1-1/+9
on the security entries sent. Jeremy. (This used to be commit 45953d59f707b58e66b980512afc7f929d360ad5)
2003-05-09Finally get NTLMv2 working on the client!Andrew Bartlett3-35/+102
With big thanks to tpot for the ethereal disector, and for the base code behind this, we now fully support NTLMv2 as a client. In particular, we support it with direct domain logons (tested with ntlm_auth --diagnostics), with 'old style' session setups, and with NTLMSSP. In fact, for NTLMSSP we recycle one of the parts of the server's reply directly... (we might need to parse for unicode issues later). In particular, a Win2k domain controller now supplies us with a session key for this password, which means that doman joins, and non-spnego SMB signing are now supported with NTLMv2! Andrew Bartlett (This used to be commit 9f6a26769d345d319ec167cd0e82a45e1207ed81)
2003-05-08Revert a patch that somehow slipped in...Volker Lendecke1-2/+2
Volker (This used to be commit 6cde3d4d655bbe1d81e68ec2ec7a23669ac82120)
2003-05-08This puts real netlogon connection caching to winbind. This becomesVolker Lendecke1-2/+2
important once we start doing schannel, as there would be a lot more roundtrips for the second PIPE open and bind. With this patch logging in to a member server is a matter of two (three if you count the ack...) packets between us and the DC. Volker (This used to be commit 5b3cb7725a974629d0bd8b707bc2940c36b8745e)
2003-05-07SMB Signing with NTLMv2 works!Andrew Bartlett1-11/+2
(well, under certain conditions :-) There is no length limit on the size of the authentication response added into the MD5 hash. (We had previously limited this to lengths like 40, 44 or 64 in attempts to make sense of what the SNIA spec tells us). Instead, the entire authentication response is added in. Currently, this only works on a Win2k domain members with a Samba PDC, becouse our NTLMv2 code currently fails against an Win2k PDC. However, this splits the problem in half - particularly as the NTLMv2 format is known, and even has an ethereal disector! (thanks tpot). Andrew Bartlett (This used to be commit 7645d3d28afbb8eea502c0e063df3afb3aa812f4)
2003-05-07Force ASCII for client messages. Patch from David Lee <t.d.lee@durham.ac.uk>Jeremy Allison1-3/+2
Jeremy. (This used to be commit f219e8309c7d17b332873e9283ab3c3796e7e799)
2003-05-05Allow the NTLMv2 functions to spit out both possible varients on the sessionAndrew Bartlett3-13/+25
key, so we can test it in ntlm_auth. I suspect the 'lm' version doesn't exist, but it's easy to change back. Andrew Bartlett (This used to be commit 5efd95622c411f123660b6613b86c7a68bba68e8)
2003-05-04Add doco to our SMB signing code.Andrew Bartlett1-5/+32
This should make it clearer what magic numbers refer to the magic numbers in the CIFS spec, and what bits and peices are being appended into the MD5 calculation where. Andrew Bartlett (This used to be commit 7f1c271cfb04f621e36f1acf60979652e82dc6f4)
2003-05-01Turn down some DEBUG()s and remove some duplicate code spotted by dfenwick.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 542a8b1817d3930e03e08e16e9711cacceb6df61)
2003-04-23Merge HEAD's winbind into 3.0.Andrew Bartlett2-136/+25
This includes the 'SIDs Rule' patch, mimir's trusted domains cacheing code, the winbind_idmap abstraction (not idmap proper, but the stuff that held up the winbind LDAP backend in HEAD). Andrew Bartlett (This used to be commit d4d5e6c2ee6383c6cceb5d449aa2ba6c83eb0666)
2003-04-23Add a check to ensure that the server returns the correct device type, notAndrew Bartlett1-3/+0
just the correct error. This should help us avoid breaking NT4 IPC$ connections, for example. This has required that we don't overwrite the device type for IPC$ in our tcon&X code, but only smbwrapper even uses it, and a server that doesn't send a correct dev type breaks other things pretty badly. In any case, I'll 'fix' smbwrapper :-). Andrew Bartlett (This used to be commit a93057efcb6e639be05b7bdcb9729ed8f39f5f62)
2003-04-23Merge torture tests from HEAD - it looks like we had rather an incompleteAndrew Bartlett1-1/+31
merge last time. I hope this might fix a few failures on the build farm too. Andrew Bartlett (This used to be commit 0c837126923cc30fa60223a5a68d4f527971cc7b)
2003-04-21Merge from HEAD - save the type of channel used to contact the DC.Andrew Bartlett1-12/+20
This allows us to join as a BDC, without appearing on the network as one until we have the database replicated, and the admin changes the configuration. This also change the SID retreval order from secrets.tdb, so we no longer require a 'net rpc getsid' - the sid fetch during the domain join is sufficient. Also minor fixes to 'net'. Andrew Bartlett (This used to be commit 876e00fd112e4aaf7519eec27f382eb99ec7562a)
2003-04-21Merge SMB signing, cli buffer clobber and NTLMSSP signing tweaks from HEAD.Andrew Bartlett5-20/+50
(This used to be commit c6c4f69b8ddc500890a65829e1b9fb7a3e9839e9)
2003-04-20Merge a trivial fix across from HEAD. Not that thisVolker Lendecke1-1/+1
would work now... Volker (This used to be commit 8c70f657cfb2f2b32fbaa31112d7953a3a6dc775)
2003-04-17This commit was manufactured by cvs2svn to create branch 'SAMBA_3_0'.(This ↵cvs2svn Import User1-0/+169
used to be commit a50dc3f836a898d1aef08afbd12e7221db24440a)
2003-04-16More merges from HEAD:Jelmer Vernooij4-104/+209
- Stephan Kulow's changes (fixing warnings in libsmbclient) - VFS modules - Seperating libs (This used to be commit 6e9b7802335428c88ecf4e44a0e2395ac58e96b5)
2003-04-16Store the type of 'sec channel' that we establish to the DC. If we are aAndrew Bartlett1-36/+29
workstation, we have to use the workstation type, if we have a BDC account, we must use the BDC type - even if we are pretending to be a workstation at the moment. Also actually store and retreive the last change time, so we can do periodic password changes again (for RPC at least). And finally, a couple of minor fixes to 'net'. Andrew Bartlett (This used to be commit 6e6b7b79edae3efd0197651e9a8ce6775c001cf2)
2003-04-15merge in metze' smbcquotas patch from HEADGerald Carter2-12/+15
(This used to be commit b6a77048886151435a4a5eeb9a04be44d397c504)
2003-04-15Add some more NT to unix error code mappings (from HEAD)Jelmer Vernooij1-3/+92
(This used to be commit 62dac3d6ebc72bec24f3c0df4c8d8e37029473e2)