summaryrefslogtreecommitdiff
path: root/source3/rpc_client/cli_netlogon.c
AgeCommit message (Collapse)AuthorFilesLines
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett1-3/+9
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-08-19- Fix the kerberos downgrade problem:Andrew Bartlett1-13/+2
- When connecting to the NETOGON pipe, we make a call to auth2, in order to verify our identity. This call was being made with negotiation flags of 0x1ff. This caused our account to be downgraded. If we instead make the call with flags > 1ff (such as 0x701ff), then this does not occour. - This is *not* related to the use of kerberos for the CIFS-level connection My theory is that Win2k has a test to see if we are sending *exactly* what NT4 sent - setting any other flags seems to cause us to remain intact. Also ensure that we only have 'setup schannel' code in a few places, not scattered around cmd_netlogon too. Andrew Bartlett (This used to be commit e10f0529fe9d8d245b3cd001cce6a9a86896679c)
2003-08-15get rid of more compiler warningsHerb Lewis1-3/+3
(This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669)
2003-07-23Fix out of date comment.Tim Potter1-2/+1
(This used to be commit 2e5bd1665430768b06da99beba5ac11a59c9bf07)
2003-05-08This puts real netlogon connection caching to winbind. This becomesVolker Lendecke1-6/+12
important once we start doing schannel, as there would be a lot more roundtrips for the second PIPE open and bind. With this patch logging in to a member server is a matter of two (three if you count the ack...) packets between us and the DC. Volker (This used to be commit 5b3cb7725a974629d0bd8b707bc2940c36b8745e)
2003-05-01Turn down some DEBUG()s and remove some duplicate code spotted by dfenwick.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 542a8b1817d3930e03e08e16e9711cacceb6df61)
2003-04-21Merge from HEAD - save the type of channel used to contact the DC.Andrew Bartlett1-18/+0
This allows us to join as a BDC, without appearing on the network as one until we have the database replicated, and the admin changes the configuration. This also change the SID retreval order from secrets.tdb, so we no longer require a 'net rpc getsid' - the sid fetch during the domain join is sufficient. Also minor fixes to 'net'. Andrew Bartlett (This used to be commit 876e00fd112e4aaf7519eec27f382eb99ec7562a)
2003-04-14Merge: incorrect arg to debug.Tim Potter1-1/+1
(This used to be commit 800b79e8364d761bbd8c99016211dfe199eee080)
2003-04-09Auth2, not also Auth3 sends us flags back, although all the callersVolker Lendecke1-4/+5
ignore it. Volker (This used to be commit 1e03e955450af7f05e564793e95258e45e08dabd)
2003-03-24(merge from HEAD)Andrew Bartlett1-1/+12
NTLM Authentication: - Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664)
2003-02-25Merge: const fixes.Tim Potter1-1/+1
(This used to be commit a20aba09996e470425a151271237f2d48a8302af)
2002-11-12Removed global_myworkgroup, global_myname, global_myscope. Added liberalJeremy Allison1-14/+9
dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89)
2002-09-25sync'ing up for 3.0alpha20 releaseGerald Carter1-26/+126
(This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-08-17Sync 3.0 branch with HEADJelmer Vernooij1-392/+586
(This used to be commit 3823a2ff5a3c6edf325e2ac31bab50175420f0b1)
2002-03-17Renamed get_nt_error_msg() to nt_errstr().Tim Potter1-5/+5
(This used to be commit 1f007d3ed41c1b71a89fa6be7d173e67e927c302)
2002-01-30Removed version number from file header.Tim Potter1-2/+1
Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
2001-12-05OK. Smbpasswd -j is DEAD.Andrew Bartlett1-70/+0
This moves the rest of the functionality into the 'net rpc join' code. Futhermore, this moves that entire area over to the libsmb codebase, rather than the crufty old rpc_client stuff. I have also fixed up the smbpasswd -a -m bug in the process. We also have a new 'net rpc changetrustpw' that can be called from a cron-job to regularly change the trust account password, for sites that run winbind but not smbd. With a little more work, we can kill rpc_client from smbd entirly! (It is mostly the domain auth stuff - which I can rework - and the spoolss stuff that sombody else will need to look over). Andrew Bartlett (This used to be commit 575897e879fc175ba702adf245384033342c903d)
2001-11-05Removed duplicate debug.Tim Potter1-2/+0
(This used to be commit 5c3521c937f9ba3c4c586495f54dc69a664c392a)
2001-10-31Don't accidentally return success when sending a broken NET_SAMLOGONTim Potter1-0/+1
request. This exposes a domain authentication bug with win2k where a rpc fault is returned but not propagated up as an error. (This used to be commit 27cd7ac85779bbc1e9488ee06e87b0c743c5b29c)
2001-10-30Fixed typo in debug message.Tim Potter1-1/+1
(This used to be commit 26fa0374bb5894ece460899ca37cf512c4424b2f)
2001-10-14the next step in the intl changeover. This should get us compiling agian,Andrew Tridgell1-4/+0
and also completes the switch to lang_tdb.c. SWAT should now work with a po file in the lib/ directory also removed useless SYSLOG defines in many files (This used to be commit 5296b20ad85d7519c870768455cb4d8df048c55a)
2001-10-02Removed 'extern int DEBUGLEVEL' as it is now in the smb.h header.Tim Potter1-1/+0
(This used to be commit 2d0922b0eabfdc0aaf1d0797482fef47ed7fde8e)
2001-09-18Converted cli_net_auth2() and cli_nt_setup_creds() to return NTSTATUS.Tim Potter1-7/+9
(This used to be commit e0bdcbc5994345fdc76f7590dba7bce5f0127d58)
2001-09-04the next stage in the NTSTATUS/WERROR change. smbd and nmbd now compile, but ↵Andrew Tridgell1-23/+24
the client code still needs some work (This used to be commit dcd6e735f709a9231860ceb9682db40ff26c9a66)
2001-08-27converted another bunch of stuff to NTSTATUSAndrew Tridgell1-2/+2
(This used to be commit 1d36250e338ae0ff9fbbf86019809205dd97d05e)
2001-08-24More status32 conversions.Tim Potter1-12/+10
(This used to be commit 031a19639ce862bd01c1a72d8b5ff21b0eae99d2)
2001-08-24Fixed typo in debug message.Tim Potter1-1/+1
(This used to be commit ea8c0a75affe56f8fbcb987cd6f8cdcd24e8a537)
2001-08-10Removed nt_error field from cli_state as it was not used anywhere.Tim Potter1-7/+1
(This used to be commit 589aaa5fb1ac55d8b0d5ae95921f071eb6ddacf6)
2001-07-04The big character set handling changeover!Andrew Tridgell1-6/+6
This commit gets rid of all our old codepage handling and replaces it with iconv. All internal strings in Samba are now in "unix" charset, which may be multi-byte. See internals.doc and my posting to samba-technical for a more complete explanation. (This used to be commit debb471267960e56005a741817ebd227ecfc512a)
2001-05-17Broke out change trust account password routines into separate fileTim Potter1-218/+0
since they're only used in one place anyway (timeout_processing() in process.c) (This used to be commit d1e5d5d62fcb5da30e3f2619721c5146db753f3c)
2001-03-11Removed JRATEST line.Jeremy Allison1-4/+0
Jeremy. (This used to be commit be9933ce353d0ad607c55e6e02aae09627bf9dd9)
2001-03-09Serious (and I *mean* serious) attempt to fix little/bigendian RPC issues.Jeremy Allison1-12/+12
We were reading the endainness in the RPC header and then never propagating it to the internal parse_structs used to parse the data. Also removed the "align" argument to prs_init as it was *always* set to 4, and if needed can be set differently on a case by case basis. Now ready for AS/U testing when Herb gets it set up :-). Jeremy. (This used to be commit 0cd37c831d79a12a10e479bf4fa89ffe64c1292a)
2001-02-25rpc_client/cli_netlogon.c: Fixed incorrect printf.Jeremy Allison1-1/+2
Added Solaris ACL support. Jeremy. (This used to be commit f0d11b6997cc46a0210adef8cf572cf8b7e2467a)
2001-02-24This patch (donated by Marc Jacobsen of HP) should make Sun and HP very ↵Jeremy Allison1-58/+112
happy :-). Probably Veritas too... :-). It allows Samba as a domain member to authenticate against an AS/U server such as the older HP PDC product or PD Netlink. It does this by trying a netlogon with info level 3 and then falling back to info level 2 if the PDC returns invalid info level. Jeremy. (This used to be commit bda1d6d4a4b3d2cfc260549280a2ce3e57fd0f86)
2001-02-14Merge of i18n fixes from appliance branch. Samba can now talk to a networkTim Potter1-12/+17
with a PDC that has international netbios name and domain name. There's still quite a bit of i18n stuff to fix though... (This used to be commit 79045bd72ace9144e7dd73785b1d10a71b0d15aa)
2000-12-19Fixed bug found by Gerald. If a Samba server joins a domain and is setJeremy Allison1-1/+2
to search for a DC to authenticate to using the "*" syntax than ensure that for the first hour after the password change is searches for the PDC using the 1B name not the 1C name as domain replication may not have occured. Jeremy. (This used to be commit c25533de9918ed9b0c79fd039e11d1b79f513db0)
2000-07-27Ok - this is a *BIG* change - but it fixes the problems with static stringsJeremy Allison1-12/+12
in the RPC code. This change was prompted by trying to save a long (>256) character comment in the printer properties page. The new system associates a TALLOC_CTX with the pipe struct, and frees the pool on return of a complete PDU. A global TALLOC_CTX is used for the odd buffer allocated in the BUFFERxx code, and is freed in the main loop. This code works with insure, and seems to be free of memory leaks and crashes (so far) but there are probably the occasional problem with code that uses UNISTRxx structs on the stack and expects them to contain storage without doing a init_unistrXX(). This means that rpcclient will probably be horribly broken. A TALLOC_CTX also needed associating with the struct cli_state also, to make the prs_xx code there work. The main interface change is the addition of a TALLOC_CTX to the prs_init calls - used for dynamic allocation in the prs_XXX calls. Now this is in place it should make dynamic allocation of all RPC memory on unmarshall *much* easier to fix. Jeremy. (This used to be commit 0ff2ce543ee54f7364e6d839db6d06e7ef1edcf4)
2000-07-26Fixed memory leak in modify_trust_password()Tim Potter1-0/+4
(This used to be commit 7145689bf55b9f3100632badac486fde30ee4972)
2000-06-03moved secrets fns into secrets.cAndrew Tridgell1-2/+2
(This used to be commit f890bcf06786e7c63bf76fad2fd46d287a99a270)
2000-05-29Fixed LsaQueryInformationPolicy level 3 to return primary domain info.Matthew Chapman1-1/+8
Domain SID is saved in secrets.tdb upon joining domain. Added "Authenticated Users" and "SYSTEM" well-known SIDs (under NT Authority). (This used to be commit 7710b4f48d3e8532df5e37f99a779758f750efdb)
2000-05-08added secrets.tdb and changed storage of trust account password to useAndrew Tridgell1-2/+2
it (This used to be commit 88ad00b82acc4636ab57dfe710af08ea85b82ff1)
2000-03-22acconfig.h configure configure.in: Added check for UT_SYSLEN for utmp code.Jeremy Allison1-26/+0
include/byteorder.h: Added alignment macros. include/nameserv.h: Added defines for msg_type field options - from rfc1002. lib/time.c: Typo fix. lib/util_unistr.c: Updates from UNICODE branch. printing/nt_printing.c: bzero -> memset. smbd/connection.c: Added check for UT_SYSLEN for utmp code. Other fixes : Rollback of unapproved commit from Luke. Please *ask* next time before doing large changes to HEAD. Jeremy. (This used to be commit f02999dbf7971b4ea05050d7206205d7737a78b2)
2000-03-22added the following message to all dce/rpc client/server code, exceptLuke Leighton1-0/+26
the spoolss code (it's cut from TNG) and the smb-dce/rpc interface code that jeremy has been working up to TNG-functionality. i also want this message to go into SAMBA_2_0 and SAMBA_2_0_RELEASE, because it is intolerable that potentially good modifications be made to code that is going to be thrown away, and people waste their time fixing bugs and adding enhancements that have already been carried out already, up to two years ago in the TNG branch. /* * THIS CODE IS OUT-OF-DATE BY TWO YEARS, IS LEGACY DESIGN AND VERY, VERY, * INCOMPLETE. PLEASE DO NOT MAKE ANY FURTHER ENHANCEMENTS TO THIS CODE * UNLESS THEY ARE ALSO CARRIED OUT IN THE SAMBA_TNG BRANCH. * * PLEASE DO NOT TREAT THIS CODE AS AUTHORITATIVE IN *ANY* WAY. * * REPEAT, PLEASE DO NOT MAKE ANY MODIFICATIONS TO THIS CODE WITHOUT * FIRST CHECKING THE EQUIVALENT MODULE IN SAMBA_TNG, UPDATING THAT * FIRST, *THEN* CONSIDER MAKING THE SAME MODIFICATION IN THIS BRANCH * * YOU WILL, ALMOST GUARANTEED, FIND THAT THE BUG-FIX OR ENHANCEMENT THAT * YOU THINK IS NECESSARY, HAS ALREADY BEEN IMPLEMENTED IN SAMBA_TNG. * IF IT HAS NOT, YOUR BUG-FIX OR ENHANCEMENT *MUST* GO INTO SAMBA_TNG * AS THE SAMBA_TNG CODE WILL REPLACE THIS MODULE WITHOUT REFERENCE TO * ANYTHING IN IT, WITH THE POSSIBLE RISK THAT THE BUG-FIX OR ENHANCEMENT * MAY BE LOST. * * PLEASE OBSERVE AND RESPECT THIS SIMPLE REQUEST. * * THANK YOU. * * lkcl@samba.org */ (This used to be commit cfaea90529be222f8df0e20a7ca1289f99c29e09)
2000-01-07this looks like a big commit, but it isn't really :)Andrew Tridgell1-1/+0
This fixes our netbios scope handling. We now have a 'netbios scope' option in smb.conf and the scope option is removed from make_nmb_name() this was prompted by a bug in our PDC finding code where it didn't append the scope to the query of the '*' name. (This used to be commit b563be824b8c3141c49558eced7829b48d4ab26f)
1999-12-21converted all our existing shared memory code to use a tdb databaseAndrew Tridgell1-1/+1
instead of either sysv or mmap shared memory or lock files. this means we can now completely remove locking_shm.c locking_slow.c shmem.c shmem_sysv.c and lots of other things also got simpler locking.c got a bit larger, but is much better compartmentalised now (This used to be commit e48c2d9937eea0667b8cd3332e49c06314ef31e7)
1999-12-13first pass at updating head branch to be to be the same as the SAMBA_2_0 branchAndrew Tridgell1-343/+415
(This used to be commit 453a822a76780063dff23526c35408866d0c0154)
1999-12-01damn, that took a while. nt login password was being stored incorrectlyLuke Leighton1-3/+4
in private .mac file (oops). ntlogin test now works. (This used to be commit c98c66690683965612e9631d77c2dff91ec8a872)
1999-12-01fixing joining to domain plus something weird going down with nt logins...Luke Leighton1-2/+3
(This used to be commit cef258f1c931ecb7c2dda9d5c9977153e4c1dc73)
1999-11-29first attempt at getting \PIPE\NETLOGON working. it's pretty horrible.Luke Leighton1-140/+166
(This used to be commit 44dd3efa6380544e9a515e91960f9271498cefaf)
1999-11-24ok. *whew*. this is the first completed part of the restructure.Luke Leighton1-2/+2
verified that lsaquery, lsalookupsids work, and found some bugs in the parameters of these commands :-) soo... we now have an lsa_* api that has the same arguments as the nt Lsa* api! cool! the only significant coding difference is the introduction of a user_credentials structure, containing user, domain, pass and ntlmssp flags. (This used to be commit 57bff6fe82d777e599d535f076efb2328ba1188b)