summaryrefslogtreecommitdiff
path: root/source3/rpc_client/cli_netlogon.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r23784: use the GPLv3 boilerplate as recommended by the FSF and the license textAndrew Tridgell1-2/+1
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
2007-10-10r23779: Change from v2 or later to v3 or later.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
2007-10-10r23380: netr_getdcname returns WERROR not NTSTATUS.Günther Deschner1-7/+7
Guenther (This used to be commit 5e75ea7f2b568d76c8ced5f43171741532cc97c2)
2007-10-10r23219: Two warningsVolker Lendecke1-1/+2
(This used to be commit eccd50abdaed3e4e06cc5da5473ca1beeb3fc49a)
2007-10-10r23210: Very funny, we thought to use netr_GetDcName (e.g. in winbind) but ↵Günther Deschner1-23/+23
were using netr_GetDcAnyName all the time (which is the correct thing to do). Fix the naming and opcode mixup in all branches. Guenther (This used to be commit def6464c872a5939f0028837254f2c019d2d71c8)
2007-10-10r23127: Fill in some more netlogon dsgetdcname flavours (netr_DsRGetDCNameEx,Günther Deschner1-61/+177
netr_DsRGetDCNameEx2) and add new ds request and reply flags, also add some more WERROR codes. Guenther (This used to be commit 37ae7f419702c563bcd0d9c27c02bde7efd34dd7)
2007-10-10r23091: Add rpccli_netlogon_sam_network_logon_ex, fix its parsing. This does notVolker Lendecke1-0/+92
use the credential chain and only works over netlogon, but it would allow multiple outstanding auth requests for a single workstation account. (This used to be commit 123290d0947191abca4a3b3d81718c823c1bc4a0)
2007-10-10r20970: Allow to define workstation for samlogon in rpcclient (for testing).Günther Deschner1-1/+6
Guenther (This used to be commit 5d4747fdf2e5874cb5d2238ee62e4fcac1676134)
2007-10-10r19161: Add NET_GETANYDCNAME (getdcname only gives the PDC while getanydcnameGünther Deschner1-0/+38
gives just any DC), also make sure to set timeouts in rpcclient accordingly so that we actually get the DC's reply. Guenther (This used to be commit 6091c8152a3998d2503cb0911a217ee904509633)
2007-10-10r19143: getdcname on the NETLOGON pipe returns WERROR, not NTSTATUS.Günther Deschner1-7/+7
Guenther (This used to be commit 44e228ac796fca2db8509915067511ed705032bf)
2007-10-10r18654: Rename "struct uuid" => "struct GUID" for consistency.Jelmer Vernooij1-3/+3
(This used to be commit 5de76767e857e9d159ea46e2ded612ccd6d6bf19)
2007-10-10r18188: merge 3.0-libndr branchJelmer Vernooij1-1/+1
(This used to be commit 1115745caed3093c25d6be01ffee21819fb0a675)
2007-10-10r13639: Never overwrite the acct_flags in rpccli_netlogon_sam_network_logon().Günther Deschner1-1/+0
Guenther (This used to be commit c201e51de387d3d49880ed519eb9d825df92f5af)
2007-10-10r13539: Add 128 bit creds processing client and server. Thanks to Andrew ↵Jeremy Allison1-1/+2
Bartlett's Samba4 code. Jeremy. (This used to be commit a2fb436fc5dd536cfe860be93f55f9cb58139a0e)
2007-10-10r13316: Let the carnage begin....Gerald Carter1-14/+14
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r12853: Fix segfault in "net rpc vampire|samdump" (Bugzilla #3390).Günther Deschner1-4/+1
The session key, after beeing set, was zeroed later on by the prs_init in the CLI_DO_RPC macro. Guenther (This used to be commit eaaeaa767e86151886964dcdd9f3186f0b31ed53)
2007-10-10r11853: Add Dsr_GetSiteName (handy for experimenting with GPOs).Günther Deschner1-0/+41
Guenther (This used to be commit c54430a7b5e40d3bdf8afdc813eb722c0a3b861e)
2007-10-10r11706: Implement dsr_getdcname client code. It's handy: It not only gives ↵Volker Lendecke1-0/+123
you the IP address but also the fqdn of the remote dc and site info. Volker (This used to be commit 62d01ce7e6c14971084c208ab61f379cb172cb22)
2007-10-10r11573: Adding Andrew Bartlett's patch to make machine accountJeremy Allison1-8/+10
logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes the auth module interface to 2 (from 1). The effect of this is that clients can access resources as a machine account if they set these flags. This is the same as Windows (think of a VPN where the vpn client authenticates itself to a VPN server using machine account credentials - the vpn server checks that the machine password was valid by performing a machine account check with the PDC in the same was as it would a user account check. I may add in a restriction (parameter) to allow this behaviour to be turned off (as it was previously). That may be on by default. Andrew Bartlett please review this change carefully. Jeremy. (This used to be commit d1caef866326346fb191f8129d13d98379f18cd8)
2007-10-10r11492: Fix bug #3224 (I hope). Correctly use machine_account_nameJeremy Allison1-2/+3
and client_name when doing netlogon credential setup. Jeremy. (This used to be commit 37e6ef9389041f58eada167239fd022f01c5fecb)
2007-10-10r11338: Move knowledge of \\ needed into rpc_client/cli_netlogonJeremy Allison1-1/+3
(this is the way it's been done in other functions). Instead of moving this into the IDL, I think the best solution would be to write a wrapper function around any call that needs this (this is what we already do for many of the calls). Jeremy. (This used to be commit aeca4efa11728be53b81967bb5442b5b09d1a975)
2007-10-10r11336: Start to get my control back :-). Volker, I thinkJeremy Allison1-2/+4
Andrew Bartlett is right - making lsa code do it the netlogon way, not vica-versa. Jeremy. (This used to be commit f313757e36215cb3dd956e4a73de6d30258a6974)
2007-10-10r11320: Fix error handling for rpccli_netlogon_getdcname. Jeremy, the other ↵Volker Lendecke1-2/+2
functions in cli_netlogon look similarly suspicious. Volker (This used to be commit 8d7713431efd80bd358daffcbbc4d715611b8b4b)
2007-10-10r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4Jeremy Allison1-5/+5
x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2007-10-10r10656: BIG merge from trunk. Features not copied overGerald Carter1-515/+345
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10r10269: Server-side fix for creds change - revert jcmd's change.Jeremy Allison1-1/+0
Jeremy. (This used to be commit e1c9813d63a441037bc71622a29acda099d72f71)
2007-10-10r7415: * big change -- volker's new async winbindd from trunkGerald Carter1-20/+160
(This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8)
2007-10-10r4561: This looks a lot larger than it is, this is to reduce the clutter on ↵Volker Lendecke1-10/+10
future patches. Pass down the pipe_idx down to all functions in cli_pipe where nt_pipe_fnum is referenced. First step towards having multiple pipes on a cli_struct. The idea is to not have a single nt_pipe_fnum but an array for the pipes we support. Volker (This used to be commit 93eab050201d4e55096a8820226749f001597b5d)
2007-10-10r4286: Give back 8 byte lm_session_key in Netrsamlogon-reply.Günther Deschner1-3/+9
The old #ifdef JRATEST-block was copying 16 bytes and thus overwriting acct_flags with bizarre values, breaking a lot of things. This patch is successfully running in a production environment for quite some time now and is required to finally allow Exchange 5.5 to access another Exchange Server when both are running on NT4 in a samba-controlled domain. This also allows Exchange Replication to take place, Exchange Administrator to access other Servers in the network, etc. Fixes Bugzilla #1136. Thanks abartlet for helping me with that one. Guenther (This used to be commit bd4c5125d6989cebc90152a23e113b345806c660)
2007-10-10r1492: Rework our random number generation system.Andrew Bartlett1-2/+2
On systems with /dev/urandom, this avoids a change to secrets.tdb for every fork(). For other systems, we now only re-seed after a fork, and on startup. No need to do it per-operation. This removes the 'need_reseed' parameter from generate_random_buffer(). Andrew Bartlett (This used to be commit 36741d3cf53a7bd17d361251f2bb50851cdb035f)
2007-10-10r991: Allow winbindd to use the domain trust account passwordGerald Carter1-2/+9
for setting up an schannel connection. This solves the problem of a Samba DC running winbind, trusting a native mode AD domain, and needing to enumerate AD users via wbinfo -u. (This used to be commit e9f109d1b38e0b0adec9b7e9a907f90a79d297ea)
2004-04-02Implement NETLOGON GetDCName client side. You can ask a DC for the name ofVolker Lendecke1-0/+49
a DC it trusts. Volker (This used to be commit ae6840320ff47827c2817549fe3133a57e3fe77f)
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett1-3/+9
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-08-19- Fix the kerberos downgrade problem:Andrew Bartlett1-13/+2
- When connecting to the NETOGON pipe, we make a call to auth2, in order to verify our identity. This call was being made with negotiation flags of 0x1ff. This caused our account to be downgraded. If we instead make the call with flags > 1ff (such as 0x701ff), then this does not occour. - This is *not* related to the use of kerberos for the CIFS-level connection My theory is that Win2k has a test to see if we are sending *exactly* what NT4 sent - setting any other flags seems to cause us to remain intact. Also ensure that we only have 'setup schannel' code in a few places, not scattered around cmd_netlogon too. Andrew Bartlett (This used to be commit e10f0529fe9d8d245b3cd001cce6a9a86896679c)
2003-08-15get rid of more compiler warningsHerb Lewis1-3/+3
(This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669)
2003-07-23Fix out of date comment.Tim Potter1-2/+1
(This used to be commit 2e5bd1665430768b06da99beba5ac11a59c9bf07)
2003-05-08This puts real netlogon connection caching to winbind. This becomesVolker Lendecke1-6/+12
important once we start doing schannel, as there would be a lot more roundtrips for the second PIPE open and bind. With this patch logging in to a member server is a matter of two (three if you count the ack...) packets between us and the DC. Volker (This used to be commit 5b3cb7725a974629d0bd8b707bc2940c36b8745e)
2003-05-01Turn down some DEBUG()s and remove some duplicate code spotted by dfenwick.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 542a8b1817d3930e03e08e16e9711cacceb6df61)
2003-04-21Merge from HEAD - save the type of channel used to contact the DC.Andrew Bartlett1-18/+0
This allows us to join as a BDC, without appearing on the network as one until we have the database replicated, and the admin changes the configuration. This also change the SID retreval order from secrets.tdb, so we no longer require a 'net rpc getsid' - the sid fetch during the domain join is sufficient. Also minor fixes to 'net'. Andrew Bartlett (This used to be commit 876e00fd112e4aaf7519eec27f382eb99ec7562a)
2003-04-14Merge: incorrect arg to debug.Tim Potter1-1/+1
(This used to be commit 800b79e8364d761bbd8c99016211dfe199eee080)
2003-04-09Auth2, not also Auth3 sends us flags back, although all the callersVolker Lendecke1-4/+5
ignore it. Volker (This used to be commit 1e03e955450af7f05e564793e95258e45e08dabd)
2003-03-24(merge from HEAD)Andrew Bartlett1-1/+12
NTLM Authentication: - Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664)
2003-02-25Merge: const fixes.Tim Potter1-1/+1
(This used to be commit a20aba09996e470425a151271237f2d48a8302af)
2002-11-12Removed global_myworkgroup, global_myname, global_myscope. Added liberalJeremy Allison1-14/+9
dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89)
2002-09-25sync'ing up for 3.0alpha20 releaseGerald Carter1-26/+126
(This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-08-17Sync 3.0 branch with HEADJelmer Vernooij1-392/+586
(This used to be commit 3823a2ff5a3c6edf325e2ac31bab50175420f0b1)
2002-03-17Renamed get_nt_error_msg() to nt_errstr().Tim Potter1-5/+5
(This used to be commit 1f007d3ed41c1b71a89fa6be7d173e67e927c302)
2002-01-30Removed version number from file header.Tim Potter1-2/+1
Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
2001-12-05OK. Smbpasswd -j is DEAD.Andrew Bartlett1-70/+0
This moves the rest of the functionality into the 'net rpc join' code. Futhermore, this moves that entire area over to the libsmb codebase, rather than the crufty old rpc_client stuff. I have also fixed up the smbpasswd -a -m bug in the process. We also have a new 'net rpc changetrustpw' that can be called from a cron-job to regularly change the trust account password, for sites that run winbind but not smbd. With a little more work, we can kill rpc_client from smbd entirly! (It is mostly the domain auth stuff - which I can rework - and the spoolss stuff that sombody else will need to look over). Andrew Bartlett (This used to be commit 575897e879fc175ba702adf245384033342c903d)
2001-11-05Removed duplicate debug.Tim Potter1-2/+0
(This used to be commit 5c3521c937f9ba3c4c586495f54dc69a664c392a)