Age | Commit message (Collapse) | Author | Files | Lines |
|
Changes all over the shop, but all towards:
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to
merge the 'client' and 'server' functions, so they both operate on a
single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of
data structures...
Andrew Bartlett
(This used to be commit 57a895aaabacc0c9147344d097d333793b77c947)
|
|
(This used to be commit c17a7dc9a190156a069da3e861c18fd3f81224ad)
|
|
(This used to be commit 3101c236b8241dc0183995ffceed551876427de4)
|
|
prior to this merge, checkout HEAD_PRE_3_0_0_BETA_3_MERGE
(This used to be commit adb98e7b7cd0f025b52c570e4034eebf4047b1ad)
|
|
searching and not finding otherwise we return a valid looking pointer
that was whatever crap was on the stack.
Jeremy.
(This used to be commit b6e78900175d4362f3a4d0216aa635931a0c11e9)
|
|
workstation, we have to use the workstation type, if we have a BDC account,
we must use the BDC type - even if we are pretending to be a workstation
at the moment.
Also actually store and retreive the last change time, so we can do
periodic password changes again (for RPC at least).
And finally, a couple of minor fixes to 'net'.
Andrew Bartlett
(This used to be commit 6e6b7b79edae3efd0197651e9a8ce6775c001cf2)
|
|
The current locking scheme in winbind is a complete mess - indeed, the
next step should be to push the locking into cli_full_connection(), but
I'll leave it for now.
This patch works on the noted behaviour that 2 parts of the connection
process need protection - and independent protection. Tim Potter did
some work on this a little while back, verifying the second case.
The two cases are:
- between connect() and first session setup
- during the auth2 phase of the netlogon pipe setup.
I've removed the counter on the lock, as I fail to see what it gains us.
This patch also adds 'anonymous fallback' to our winbindd -> DC connection.
If the authenticated connection fails (wbinfo -A specifed) - say that
account isn't trusted by a trusted DC - then we try an anonymous.
Both tpot and mbp like the patch.
Andrew Bartlett
(This used to be commit 0620320002082298a15cbba72bd79aecfc607947)
|
|
Jeremy.
(This used to be commit 3d04872499332ef2d8e7479b924afc8fc1ac29d7)
|
|
Jeremy.
(This used to be commit af8a5d79682410482646eea075dff2d344d60e31)
|
|
server = DC1 *
(This used to be commit 6b18ca9511ddcf1718f222af3f61491d1e5f3b60)
|
|
90% fix for CR 1076. The password server parameter will no take things
like
password server = DC1 *
which means to contact DC1 first and the go to auto lookup if it
fails.
jerry
(This used to be commit c31a17889e3e4daf7c1e807038efc2c0fba78be3)
|
|
dashes of const. This is a rather large check-in, some things may break.
It does compile though :-).
Jeremy.
(This used to be commit 82b8f749a36b42e22186297482aad2abb04fab8a)
|
|
than the version in APPLIANCE so watch out for boogs.
(This used to be commit 1e054e3db654801fbb5580211529cdfdea9ed686)
|
|
anonymous support) is blank.
(This used to be commit 7badccda46a0837dd9da802b44c2fbcb4f38845a)
|
|
choose the server that has the most bits in common in its IP with one
of our interfaces.
(This used to be commit 31774dce67844b67cb405e65f307a20354f2cedb)
|
|
that app-head does.
Jeremy.
(This used to be commit b521abd86b10573ca8f9116907c81e6deb55f049)
|
|
* s/driverlocation/comment
* detect native mode domain and enumerate local groups
Also
* Added sendfile stats from SAMBA_2_2
(This used to be commit 764b58e2c0b3179cffe157c0ab58761b156b8423)
|
|
(This used to be commit 38a956c79bbdb5e1eedfcb1cf3ad4f7c906d0cf7)
|
|
(This used to be commit dd948a302ad6bd4307ecdfb10510e12185150eae)
|
|
from APP_HEAD
(This used to be commit 38c9e4299845fd77cc8629945ce2d259489f7437)
|
|
had it...).
Jeremy.
(This used to be commit 6929b65954ff5b94d11db79c8fc6a295311c238f)
|
|
Jeremy.
(This used to be commit c4fcbb2948beb3b6594d53a7ffdc8b94fd0d94e0)
|
|
Jeremy.
(This used to be commit 38c67632ade40413c0cc2b91e04105e4065a18b7)
|
|
the DC being out of sync with the local machine.
(This used to be commit 0d28d769472ea3b98ae4c8757093dfd4499f6dd1)
|
|
changed cli_nt_setup_creds() to call cli_net_auth_2 or cli_net_auth_3 based on a switch.
pass also the negociation flags all the way.
all the places calling cli_nt_setup_creds() are still using cli_net_aut2(), it's just for future use and for rpcclient.
in the future we will be able to call auth_2 or auth_3 as we want.
J.F.
(This used to be commit 4d38caca40f98d0584fefb9d66424a3db5b5789e)
|
|
can be used to find a BDC
2nd try ....
(This used to be commit f757223ebe88148b83e1a32b87c014c15c0a68dd)
|
|
can be used to find a BDC
(This used to be commit e95d8e2c9ee5cf22b628f3e0d99fb74bcc632ea0)
|
|
(This used to be commit b8dba26978c281259e02b9d6ebacaa7cba4f7787)
|
|
(This used to be commit 68e70b000b273ba72206c87ad1efd6efc2c7c487)
|
|
setups.
- split up the ads structure into logical pieces. This makes it much
easier to keep things like the authentication realm and the server
realm separate (they can be different).
- allow ads callers to specify that no sasl bind should be performed
(used by "net ads info" for example)
- fix an error with handing ADS_ERROR_SYSTEM() when errno is 0
- completely rewrote the code for finding the LDAP server. Now try DNS
methods first, and try all DNS servers returned from the SRV DNS
query, sorted by closeness to our interfaces (using the same sort code
as we use in replies from WINS servers). This allows us to cope with
ADS DCs that are down, and ensures we don't pick one that is on the
other side of the country unless absolutely necessary.
- recognise dnsRecords as binary when displaying them
- cope with the realm not being configured in smb.conf (work it out
from the LDAP server)
- look at the trustDirection when looking up trusted domains and don't
include trusts that trust our domains but we don't trust
theirs.
- use LDAP to query the alternate (netbios) name for a realm, and make
sure that both and long and short forms of the name are accepted by
winbindd. Use the short form by default for listing users/groups.
- rescan the list of trusted domains every 5 minutes in case new trust
relationships are added while winbindd is running
- include transient trust relationships (ie. C trusts B, B trusts A,
so C trusts A) in winbindd.
- don't do a gratuituous node status lookup when finding an ADS DC (we
don't need it and it could fail)
- remove unused sid_to_distinguished_name function
- make sure we find the allternate name of our primary domain when
operating with a netbiosless ADS DC (using LDAP to do the lookup)
- fixed the rpc trusted domain enumeration to support up to approx
2000 trusted domains (the old limit was 3)
- use the IP for the remote_machine (%m) macro when the client doesn't
supply us with a name via a netbios session request (eg. port 445)
- if the client uses SPNEGO then use the machine name from the SPNEGO
auth packet for remote_machine (%m) macro
- add new 'net ads workgroup' command to find the netbios workgroup
name for a realm
(This used to be commit e358d7b24c86a46d8c361b9e32a25d4f71a6dc00)
|
|
code.
(This used to be commit 3929532e3bfb98b925d73d331c8cbb319fdc8b9a)
|
|
permanently down. Found by Dan Coppock.
(This used to be commit 13c0cc830e3d787a0c3a1aedd47641597026541e)
|
|
as they're no longer new!
(This used to be commit 277f6bbb9a63541a473a80a7994e9bde5c6f22dc)
|
|
previously. Fix that.
Andrew Bartlett
(This used to be commit c552910477f0baca4d2173c2bdf4748de3c3b8ad)
|
|
few more places to use it.
Andrew Bartlett
(This used to be commit 23689b0746d5ab030d8693abf71dd2e80ec1d7c7)
|
|
(This used to be commit 897e64d2e0c1d04ab93441ccaffe369bf43be46e)
|
|
didn't make any sense, and its was always just strlen(password) anyway.
This fixes it to be strlen(password)+1
Andrew Bartlett
(This used to be commit c205b18bd6b9b69200ff3db55f2c641631d4ab40)
|
|
and should be rewritten, just not now... :-).
Jeremy.
(This used to be commit 5de792e7e9c2ad1422ac146caba632baa3f4e5c5)
|
|
- pam_winbind updates from vance, fixing a typo and making some the options
work properly.
- Extra parinoia in the winbind connection loop
- Allow pam_winbind to compile on HP-UX (Don Mcall, more work to do).
- Fix up configure.in to use the same method for building the test .so
as the Makefile uses.
Andrew Bartlett
(This used to be commit 8e705dd9215b1cb3f44d6348094679d7dc6a7fbd)
|
|
I forgot to clean this up when netlogon move across to the connection cache
arrangement.
Also add some smb_panics to the connection_ok() code to try to catch this kind
of thing better in future.
Andrew Bartlett
(This used to be commit f4f23fad6099143ec26550afc67655390070ceb8)
|
|
down some bugs with it...).
Andrew Bartlett
(This used to be commit ef68b28fa0e89345f817ca8fd8f04138a009c21e)
|
|
(This used to be commit 1f007d3ed41c1b71a89fa6be7d173e67e927c302)
|
|
this prevents propogation delays in the SAM between the PDC and BDCs
(This used to be commit 967cb3ed0c3190f3e95a227e4d998a7312b5990b)
|
|
This commit builds on the auth subsystem to give Samba support for trusting NT4
domains. It is off by default, but is enabled by adding 'trustdomain' to the
'auth methods' smb.conf paramater.
Tested against NT4 only - there are still some issues with the join code for
Win2k servers (spnego stuff).
The main work TODO involves enumerating the trusted domains (including the RPC
calls to match), and getting winbind to run on the PDC correctly.
Similarly, work remains on getting NT4 to trust Samba domains.
Andrew Bartlett
(This used to be commit ac8c24a9a888a3f916e8b40238b936e6ad743ef7)
|
|
Fix bug where zeroip addresses were being checked.
Jeremy.
(This used to be commit 8ed49fe0df201833329c17b2afe1e3aa70646558)
|
|
This patch fixes the segfaults I introduced in the previous conneciton caching
patch. It cleans up the connection cache a *lot* - in particular it adds
significant robustness to the operation.
If a the DC goes down, we no longer fail the next operation - the code checks
if the connection died during one of its own operations on the socket, and
restarts the conneciton as required.
There is still a memory leak in here somewhere - but this code also cleans up a
number of these.
Also added is the abilty to sepecify the domain of the 'get around restrict anonymous'
user that winbind uses.
Andrew Bartlett
(This used to be commit 92cbefdf2783bf9dbbb2179c1b2f7cdb802d84a9)
|
|
Add a connection cache to the netlogon pipe. This makes a *massive* difference
to the time-per-auth. Also fix up *some* of the memory leaks in other
connection caches.
Add some debugging messages for the is_connected() code. I'm thinking we
should get a client implementation of SMBecho and call it here - as it would
allow us to always know the DC is around before we start.
Down the debug level for some of the pam_winbind code - I'll probably down it
further when I'm finished debugging.
Andrew Bartlett
(This used to be commit 49d3e476662220775ef8da7db01ea17e77e11b0b)
|
|
Changed "SMB/Netbios" to "SMB/CIFS" in file header.
(This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
|
|
(This used to be commit 1f7172b48e77dcda8bfd20d8e79a90b523727493)
|
|
the "password server" smb.conf parameter when choosing a DC to connect to.
Due to the origin of the code in cm_get_dc_name() it wouldn't try
additional DCs if the first DC didn't work. This would wedge winbindd if you
had "password server = foo1, foo2" and foo1 was down.
(This used to be commit fc7ed1b4a8774a6a07a8d8fd08d9d2f15cd5c1dc)
|