Age | Commit message (Collapse) | Author | Files | Lines | |
---|---|---|---|---|---|
2010-02-17 | Fix bug #7146 - Samba miss-parses authenticated RPC packets. | Jeremy Allison | 1 | -15/+47 | |
Parts of the Samba RPC client and server code misinterpret authenticated packets. DCE authenticated packets actually look like this : +--------------------------+ |header | | ... frag_len (packet len)| | ... auth_len | +--------------------------+ | | | Data payload | ... .... | | +--------------------------+ | | | auth_pad_len bytes | +--------------------------+ | | | Auth footer | | auth_pad_len value | +--------------------------+ | | | Auth payload | | (auth_len bytes long) | +--------------------------+ That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value). The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this). Tridge discovered there are some (DRS replication) cases where on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code. This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used). This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code. Jeremy | |||||
2010-01-06 | s3: Fix infinite loop in NCACN_IP_TCP asa there is no timeout. Assume ↵ | Bo Yang | 1 | -4/+22 | |
lsa_pipe_tcp is ok but network is down, then send request is ok, but select() on writeable fds loops forever since there is no response. Signed-off-by: Bo Yang <boyang@samba.org> | |||||
2009-12-22 | s3:ntlmssp: only include ntlmssp.h where actually needed | Andrew Bartlett | 1 | -0/+1 | |
Andrew Bartlett | |||||
2009-12-22 | s3:ntlmssp: remove the typedef NTLMSSP_STATE | Andrew Bartlett | 1 | -1/+1 | |
Andrew Bartlett | |||||
2009-11-27 | s3-kerberos: only use krb5 headers where required. | Günther Deschner | 1 | -0/+1 | |
This seems to be the only way to deal with mixed heimdal/MIT setups during merged build. Guenther | |||||
2009-11-26 | s3-rpc: running minimal_includes.pl on rpc_client and rpc_server. | Günther Deschner | 1 | -2/+0 | |
Guenther | |||||
2009-11-12 | Remove erroneous 'presult = NULL' changes. Now presult only gets set | Jeremy Allison | 1 | -9/+2 | |
if NTSTATUS == OK. Jeremy. | |||||
2009-11-12 | Revert "Ensure every return path initializes presult as NULL." | Jeremy Allison | 1 | -40/+0 | |
Vl is correct, this is the wrong way to fix this. This reverts commit 83c2c177a5e86d04da37384f1f04230c8274e1e6. | |||||
2009-11-12 | Ensure all callers to the rpc_client/cli_pipe functions correctly | Jeremy Allison | 1 | -2/+2 | |
initialize return variables. Jeremy. | |||||
2009-11-12 | Ensure every return path initializes presult as NULL. | Jeremy Allison | 1 | -0/+40 | |
Ensures no crashes in calling code that forgets to init return as null. Jeremy. | |||||
2009-11-10 | s3-rpc_client: make sure cli_rpc_pipe_open_schannel() does not always return ↵ | Günther Deschner | 1 | -1/+3 | |
NT_STATUS_OK. Guenther | |||||
2009-11-08 | Revert "s3: Do not directly reference the ndr_table_* in rpcclient" | Volker Lendecke | 1 | -14/+0 | |
This reverts commit 70c698fd547c4bc19cf77693608bbb34acac40b5. | |||||
2009-11-08 | s3: Do not directly reference the ndr_table_* in rpcclient | Volker Lendecke | 1 | -0/+14 | |
2009-11-07 | s3: Register the ndr_interfaces dynamically | Volker Lendecke | 1 | -37/+110 | |
2009-11-07 | s3: Get rid of a NULL terminator | Volker Lendecke | 1 | -2/+1 | |
2009-11-07 | s3: Get rid of explicit pipe names | Volker Lendecke | 1 | -49/+54 | |
2009-11-07 | s3: get_pipe_name_from_iface -> get_pipe_name_from_syntax | Volker Lendecke | 1 | -7/+9 | |
2009-11-06 | s3-kerberos: modify cli_krb5_get_ticket to take a new impersonate_princ_s arg. | Günther Deschner | 1 | -1/+1 | |
Guenther | |||||
2009-11-03 | s3: Remove debug_ctx() | Volker Lendecke | 1 | -17/+17 | |
smbd just crashed on me: In a debug message I called a routine preparing a string that itself used debug_ctx. The outer routine also used it after the inner routine had returned. It was still referencing the talloc context that the outer debug_ctx() had given us, which the inner DEBUG had already freed. | |||||
2009-10-13 | s3: use enum netr_SchannelType all over the place. | Günther Deschner | 1 | -1/+1 | |
Guenther | |||||
2009-10-05 | s3: Remove a scary error message -- talloc_move can not fail :-) | Volker Lendecke | 1 | -5/+0 | |
Signed-off-by: Günther Deschner <gd@samba.org> | |||||
2009-09-25 | s3:rpc_client: don't randomly fragment rpc pdu's in developer mode | Stefan Metzmacher | 1 | -2/+2 | |
This is really confusing and also breaks against windows, as it doesn't accept fragmented bind requests. metze | |||||
2009-09-17 | spnego: share spnego_parse. | Günther Deschner | 1 | -0/+1 | |
Guenther | |||||
2009-09-16 | libcli/auth: rewrite schannel sign/seal code to be more generic | Stefan Metzmacher | 1 | -17/+24 | |
This prepares support for HMAC-SHA256/AES. metze | |||||
2009-09-16 | s3-dcerpc: remove more obsolete or duplicate headers. | Günther Deschner | 1 | -22/+22 | |
Guenther | |||||
2009-09-16 | s3-schannel: add dump_NL_AUTH_SIGNATURE. | Günther Deschner | 1 | -20/+3 | |
Guenther | |||||
2009-09-16 | schannel: fully share schannel sign/seal between s3 and 4. | Günther Deschner | 1 | -41/+64 | |
Guenther | |||||
2009-09-16 | s3-schannel: fix blob length when pulling off a NL_AUTH_SIGNATURE in | Günther Deschner | 1 | -1/+1 | |
cli_pipe_verify_schannel(). Guenther | |||||
2009-09-15 | s3-dcerpc: fix remaining old auth level constants. | Günther Deschner | 1 | -6/+6 | |
Guenther | |||||
2009-09-15 | s3-dcerpc: remove unsed auth type defines as seen on the wire. | Günther Deschner | 1 | -5/+5 | |
Guenther | |||||
2009-09-15 | s3-dcerpc: use dcerpc_AuthLevel and remove duplicate set of flags. | Günther Deschner | 1 | -35/+35 | |
Guenther | |||||
2009-09-11 | s3-rpc_client: add dcerpc_transport_t to cli_rpc_pipe_open_schannel(). | Günther Deschner | 1 | -3/+6 | |
Guenther | |||||
2009-09-11 | s3-rpc_client: add dcerpc_transport_t to cli_rpc_pipe_open_spnego_ntlmssp ↵ | Günther Deschner | 1 | -2/+8 | |
and cli_rpc_pipe_open_ntlmssp. Guenther | |||||
2009-09-11 | s3-rpc_client: add cli_rpc_pipe_open_noauth_transport. | Günther Deschner | 1 | -14/+26 | |
Guenther | |||||
2009-09-11 | s3-schannel: use NL_AUTH_SIGNATURE for schannel sign & seal (client & server). | Günther Deschner | 1 | -10/+29 | |
Guenther | |||||
2009-09-11 | s3-rpc_client: add enum dcerpc_transport_t to rpc_cli_transport struct. | Günther Deschner | 1 | -0/+8 | |
Guenther | |||||
2009-09-08 | s3-rpc_client: use NL_AUTH_MESSAGE in create_schannel_auth_rpc_bind_req(). | Günther Deschner | 1 | -7/+24 | |
Guenther | |||||
2009-09-08 | s3-schannel: Fix Bug #6697. Interdomain trusts with Windows 2008 R2 DCs. | Günther Deschner | 1 | -1/+1 | |
The Schannel verifier (aka NL_AUTH_SIGNATURE) structure (32 byte) sent from a W2k8r2 DC is passed in a buffer with the size of a NL_AUTH_SHA2_SIGNATURE (56 byte). We should just ignore the remaining 12 zeroed bytes and proceed. Guenther | |||||
2009-07-31 | s3:rpc_client: add dispatch_send/recv() to struct rpc_pipe_client | Stefan Metzmacher | 1 | -0/+8 | |
metze | |||||
2009-07-28 | Added prefer_ipv4 bool parameter to resolve_name(). | Jeremy Allison | 1 | -1/+1 | |
W2K3 DC's can have IPv6 addresses but won't serve krb5/ldap or cldap on those addresses. Make sure when we're asking for DC's we prefer IPv4. If you have an IPv6-only network this prioritizing code will be a no-op. And if you have a mixed network then you need to prioritize IPv4 due to W2K3 DC's. Jeremy. | |||||
2009-07-27 | Lift the event loop in rpc_api_pipe_req() one level into cli_do_rpc_ndr | Volker Lendecke | 1 | -33/+0 | |
2009-07-05 | Remove "typedef struct ndr_syntax_id RPC_IFACE;" | Volker Lendecke | 1 | -8/+9 | |
2009-05-18 | Fix a type-punned warning | Volker Lendecke | 1 | -1/+1 | |
2009-04-20 | Remove use of talloc_reference in cli_rpc_pipe_open_schannel_with_key() | Andrew Bartlett | 1 | -5/+7 | |
2009-04-14 | Make Samba3 use the new common libcli/auth code | Andrew Bartlett | 1 | -5/+5 | |
This is particuarly in the netlogon client (but not server at this stage) | |||||
2009-04-14 | Rework Samba3 to use new libcli/auth code (partial) | Andrew Bartlett | 1 | -0/+1 | |
This commit is mostly to cope with the removal of SamOemHash (replaced by arcfour_crypt()) and other collisions (such as changed function arguments compared to Samba3). We still provide creds_hash3 until Samba3 uses the credentials code in netlogon server Andrew Bartlett | |||||
2009-04-06 | Correct sync wrappers in cli_pipe.c | Volker Lendecke | 1 | -4/+14 | |
2009-03-24 | Convert rpc_pipe_bind to tevent_req | Volker Lendecke | 1 | -50/+46 | |
2009-03-24 | Convert rpc_cli_transport->trans to tevent_req | Volker Lendecke | 1 | -19/+11 | |
2009-03-24 | Convert rpc_cli_transport->write to tevent_req | Volker Lendecke | 1 | -10/+7 | |