summaryrefslogtreecommitdiff
path: root/source3/rpc_client/cli_pipe.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r21382: Important fix for winbind when using non-AD domains.Günther Deschner1-1/+7
Jeremy, I'm afraid you removed the "domain->initialized" from the set_dc_types_and_flags() call when the connect to PI_LSARPC_DS failed (with rev. 19148). This causes now that init_dc_connection_network is called again and again which in turn rescans the DC each time (which of course fails each time with NT_STATUS_BUFFER_TOO_SMALL). Just continue with the non-PI_LSARPC_DS scan so that the domain is initialized properly. Guenther (This used to be commit c6f63a08f55a4121cbe5aac537d2ef983dc25a97)
2007-10-10r21240: Fix longstanding Bug #4009.Günther Deschner1-1/+1
For the winbind cached ADS LDAP connection handling (ads_cached_connection()) we were (incorrectly) assuming that the service ticket lifetime equaled the tgt lifetime. For setups where the service ticket just lives 10 minutes, we were leaving hundreds of LDAP connections in CLOSE_WAIT state, until we fail to service entirely with "Too many open files". Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP connection after the ads_do_search_retry() has failed to submit the search request (although the bind succeeded (returning an expired service ticket that we cannot delete from the memory cred cache - this will get fixed later)). Guenther (This used to be commit 7e1a84b7226fb8dcd5d34c64a3478a6d886a9a91)
2007-10-10r16255: Fix 'net ads join' when the workgroup is set incorrectlyGerald Carter1-6/+9
in smb.conf. This did work before the join rewrite. Samba will have problems if you try to run any of the daemons with an incorrect workgroup but it should not fail to join. The summary is that a member server should always use it's own machine name when setting up schannel since that is the only account it has. Thanks to Volker for the discussion. (This used to be commit 95763b94f709fe1ad9e381dbc6b364c2f3759024)
2007-10-10r16253: Fix another host/ UPN case in (the currently unused)Günther Deschner1-2/+2
cli_rpc_pipe_open_krb5. Guenther (This used to be commit fa19099112490daa085bb310f2f4ed877bb22b40)
2007-10-10r15129: Separate out mechanism and policy for NTLMSSP auth/sign/seal.Jeremy Allison1-0/+18
With this change (and setting lanman auth = no in smb.conf) we have *identical* NTLMSSP flags to W2K3 in SPNEGO auth. Jeremy (This used to be commit 93ca3eee55297eb7fdd38fca38103ce129987e2a)
2007-10-10r14643: Merge dcerpc_errstr from Samba 4.Günther Deschner1-1/+1
Might need to rework prs_dcerpc_status(). Guenther (This used to be commit 38b18f428ba941f4d9a14fa2de45cb0cd793a754)
2007-10-10r14585: Tighten argument list of kerberos_kinit_password again,Günther Deschner1-1/+1
kerberos_kinit_password_ext provides access to more options. Guenther (This used to be commit afc519530f94b420b305fc28f83c16db671d0d7f)
2007-10-10r14449: fix the build (sorry everyone)Gerald Carter1-1/+2
(This used to be commit e49ca3af8c2522aee670e6b807d7b3df31be47f6)
2007-10-10r14448: * protect against NULL cli_state* pointers in cli_rpc_pipe_open()Gerald Carter1-0/+6
* Fix inverted logic check for machine accounts in get_md4pw() (This used to be commit a36529535dcb5a262e7627b80fb62a31240dc8ad)
2007-10-10r14121: We never pass NULL to the rpc_api_pipe fn so don'tJeremy Allison1-2/+2
trigger coverity checks by testing for NULL. Jeremy. (This used to be commit 6b4484159293d725613249adbfa01472dea1c722)
2007-10-10r13722: Ensure we use the correct enumerated type. Bug #3558Jeremy Allison1-1/+1
from jason@ncac.gwu.edu. Jeremy. (This used to be commit 00f8b4e1aa44904c91af8eb6ac4c3f196986c339)
2007-10-10r13641: Finish fix for #3510. Don't use client schannel when toldJeremy Allison1-9/+13
not to, cope with a server that doesn't offer schannel also. Jeremy (This used to be commit 68005f6bdb70883eace0d9067c76c3360a803023)
2007-10-10r13316: Let the carnage begin....Gerald Carter1-3/+3
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r12275: Fix memory leak found by Mikhail Kshevetskiy <kl@laska.dorms.spbu.ru>Jeremy Allison1-0/+2
and followed up by derrell@samba.org. Jeremy. (This used to be commit 5cab88f1444177129bb5521ccc4afd8869e9bf25)
2007-10-10r12236: r11740@cabra: derrell | 2005-12-14 13:16:58 -0500Derrell Lipman1-1/+1
check in the DEBUG message referenced in the previous commit (This used to be commit 6c04a8f9adfcd40fb0f1e1fcd4e22056ee463046)
2007-10-10r12225: r11729@cabra: derrell | 2005-12-13 22:59:45 -0500Derrell Lipman1-0/+9
1. Fix a crash bug which should have reared its ugly head ages ago, but for some reason, remained dormant until recently. The bug pertained to libsmbclient doing a structure assignment of a cli after having opened a pipe. The pipe open code makes a copy of the cli pointer that was passed to it. If the cli is later copied (and that cli pointer that was saved is no longer valid), the pipe code will cause a crash during shutdown or when the copied cli is closed. 2. The 'type' field in enumerated shares was not being set correctly with the new RPC-based mechanism for enumerating shares. (This used to be commit 62a02b8f2a1fcb66881a9c9636e0b27e3049c5a1)
2007-10-10r11492: Fix bug #3224 (I hope). Correctly use machine_account_nameJeremy Allison1-8/+13
and client_name when doing netlogon credential setup. Jeremy. (This used to be commit 37e6ef9389041f58eada167239fd022f01c5fecb)
2007-10-10r11491: If we get a reject ensure we're printing out the server/domain/machineJeremy Allison1-2/+2
a/c we were asking for. Jeremy. (This used to be commit 3ba5d02cff61d64dbab1fef28f74ea6509f4f8e9)
2007-10-10r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4Jeremy Allison1-10/+10
x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2007-10-10r10801: Janitor for tpot - remember to keep 3.0 in sync.Jeremy Allison1-0/+4
Jeremy. (This used to be commit 92fa541f6e92c03a49372ff73f9790afa2c0151c)
2007-10-10r10780: Fix typo noticed by Volker.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 76408ddd5bec22bbbee2236101bf65b407d2c664)
2007-10-10r10778: Allow schannel setup over NTLMSSP authenticated pipes.Jeremy Allison1-0/+106
Jeremy. (This used to be commit ed62720f897ebf10f5ae50a3e9cf7788c9570183)
2007-10-10r10747: Remove overparanoid check that broke RPC function calls with noJelmer Vernooij1-5/+0
[in] parameters. (This used to be commit 03a3caaddd5bf28a059d4edb5e55031f7e5de94a)
2007-10-10r10745: Fix artificial 1k restriction.Jeremy Allison1-1/+3
Jeremy. (This used to be commit bb1ba9a9089b38bf400d48b992f7977ce926aeaf)
2007-10-10r10656: BIG merge from trunk. Features not copied overGerald Carter1-1147/+2012
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10r8805: Merge a duplicate struct. Get ready to support SPNEGO rpc binds.Jeremy Allison1-3/+4
Jeremy. (This used to be commit fd6e342746edfda2f25df1ae0067d359b756e0cd)
2007-10-10r7415: * big change -- volker's new async winbindd from trunkGerald Carter1-111/+214
(This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8)
2007-10-10r7385: Rewrite the RPC bind parsing functions to follow the spec. I haven't yetJeremy Allison1-5/+10
tested this so I may have screwed this up - however it now follows the DCE spec. valgrinded tests to follow.... Jeremy. (This used to be commit 877e0a61f5821c89149b1403d08675dd7db8039e)
2007-10-10r4570: Replace cli->nt_pipe_fnum with an array of NT file numbers, one for eachVolker Lendecke1-26/+26
supported pipe. Netlogon is still special, as we open that twice, one to do the auth2, the other one with schannel. The client interface is completely unchanged for those who only use a single pie. cli->pipe_idx is used as the index for everything except the "real" client rpc calls, which have been explicitly converted in my last commit. Next step is to get winbind to just use a single smb connection for multiple pipes. Volker (This used to be commit dc294c52e0216424236057ca6cd35e1ebf51d0da)
2007-10-10r4561: This looks a lot larger than it is, this is to reduce the clutter on ↵Volker Lendecke1-12/+12
future patches. Pass down the pipe_idx down to all functions in cli_pipe where nt_pipe_fnum is referenced. First step towards having multiple pipes on a cli_struct. The idea is to not have a single nt_pipe_fnum but an array for the pipes we support. Volker (This used to be commit 93eab050201d4e55096a8820226749f001597b5d)
2007-10-10r1380: adding debug message when encouting an ASU specific bug in an ↵Gerald Carter1-3/+5
rpc_bind reply (This used to be commit c6e73ff091b4d87111b33735400fdd10d4c8671c)
2007-10-10r991: Allow winbindd to use the domain trust account passwordGerald Carter1-3/+0
for setting up an schannel connection. This solves the problem of a Samba DC running winbind, trusting a native mode AD domain, and needing to enumerate AD users via wbinfo -u. (This used to be commit e9f109d1b38e0b0adec9b7e9a907f90a79d297ea)
2007-10-10r704: BUG 1315: fix for schannel client connections to server's that don't ↵Gerald Carter1-6/+18
support 128 bit encryption (This used to be commit 316ba5ad89ddfa445d44d28141c5901fc64aec90)
2004-03-27Ensure we correctly set cli->nt_pipe_fnum on failure to correctly open theAndrew Bartlett1-0/+2
NT session. Andrew Bartlett (This used to be commit 01fff20e6e0212e9f70a5a66c3e46f7079b342f1)
2004-03-22remove unused variableGerald Carter1-2/+0
(This used to be commit 170c443b19604c3ec997ae494954c473e356e59d)
2004-03-19missed some of Derrel's changesGerald Carter1-1/+1
(This used to be commit 3aac1e549eaf4693ded84be432a2c94b6331ef6d)
2004-03-17asu/syntax/pc_netlink doesn't fill in the pipe name in the rpc_bind response ↵Gerald Carter1-0/+2
so dont check for it (This used to be commit 4d68d3d5ddeda9589f2e3387144fdac616bb791f)
2004-02-28Add 'net rpc group [add|del]mem' for domain groups and aliases.Volker Lendecke1-0/+2
Volker (This used to be commit e597420421e085b17dcdc062c5900518d0d4e685)
2004-01-05Correctly handle per-pipe NTLMSSP inside a NULL session. Previously weAndrew Bartlett1-5/+12
would attempt to supply a password to the 'inside' NTLMSSP, which the remote side naturally rejected. Andrew Bartlett (This used to be commit da408e0d5aa29ca1505c2fd96b32deae9ed940c4)
2003-11-25Do not add NTLM2 to the NTLMSSP flags unconditionally - allow theAndrew Bartlett1-8/+4
defaults specified by the caller to prevail. Don't use NTLM2 for RPC pipes, until we know how it works in signing or sealing. Call ntlmssp_sign_init() unconditionally in the client - we setup the session key, why not setup the rest of the data. Andrew Bartlett (This used to be commit 48123f7e42c3fde85887de23c80ceee04c2f6281)
2003-11-24strequal() returns a BOOL, not an int like strcmp(); this fixes a bug in ↵Gerald Carter1-2/+2
check_bind_response() (This used to be commit 5e062f72baad6f7a70f1a3c8cf190535ccacc89e)
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett1-14/+17
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-11-17This fixes a bug when establishing trust against a german W2k3 AD server. InVolker Lendecke1-1/+2
the bind response to WKSSVC it does not send \PIPE\ntsvcs as NT4 (did not check w2k) but \PIPE\wkssvc. I'm not sure whether we should make this check at all, so making it a bit more liberal should hopefully not really hurt. Volker (This used to be commit 029dcb351bcfab70ed0afa4acf4bd64316bfd757)
2003-10-01commit sign only patch from Andrew; bug 167; tested using 2k & XP ↵Gerald Carter1-17/+12
clientspreviously joined to the Samba domain (This used to be commit 3802f5895ee18507c6f467bd11db0b1147a6fdfd)
2003-08-19- Fix the kerberos downgrade problem:Andrew Bartlett1-1/+5
- When connecting to the NETOGON pipe, we make a call to auth2, in order to verify our identity. This call was being made with negotiation flags of 0x1ff. This caused our account to be downgraded. If we instead make the call with flags > 1ff (such as 0x701ff), then this does not occour. - This is *not* related to the use of kerberos for the CIFS-level connection My theory is that Win2k has a test to see if we are sending *exactly* what NT4 sent - setting any other flags seems to cause us to remain intact. Also ensure that we only have 'setup schannel' code in a few places, not scattered around cmd_netlogon too. Andrew Bartlett (This used to be commit e10f0529fe9d8d245b3cd001cce6a9a86896679c)
2003-08-15get rid of more compiler warningsHerb Lewis1-8/+8
(This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669)
2003-08-14Change Samba to always use extended security for it's guest logins, (ie,Andrew Bartlett1-1/+1
NTLMSSP with "" username, NULL password), and add --machine-pass (-P) to all of Samba's clients. When connecting to an Active Directory DC, you must initiate the CIFS level session setup with Kerberos, not a guest login. If you don't, your machine account is demoted to NT4. Andrew Bartlett (This used to be commit 3547cb3def45a90f99f67829a533eac1ccba5e77)
2003-08-04Memory leak fix for create_rpc_bind_req()Tim Potter1-0/+1
(This used to be commit 4d26feabd75d5b298276b0c5880b9765507bb6ae)
2003-07-30Save us from possibly uninitialised variable (caught by gcc).Jeremy Allison1-4/+4
Jeremy. (This used to be commit f3f29665bd2c396c4756cd23f603ac768fea66fd)
2003-07-25domain in schannel bind credentials must be the dest domain, not oursGerald Carter1-1/+3
(This used to be commit e12f6a8c13f27c3caea96b467cc4294e20dad341)