Age | Commit message (Collapse) | Author | Files | Lines |
|
(This used to be commit ba9dc0d9fd3e30a7ddf97b6a4df753db7ba12cc1)
|
|
domains, this patch ensures that we always use the ADS backend when
security=ADS, and the remote server is capable.
The routines used for this behaviour have been upgraded to modern Samba
codeing standards.
This is a change in behaviour for mixed mode domains, and if the trusted
domain cannot be reached with our current krb5.conf file, we will show
that domain as disconnected.
This is in line with existing behaviour for native mode domains, and for
our primary domain.
As a consequence of testing this patch, I found that our kerberos error
handling was well below par - we would often throw away useful error
values. These changes move more routines to ADS_STATUS to return
kerberos errors.
Also found when valgrinding the setup, fix a few memory leaks.
While sniffing the resultant connections, I noticed we would query our
list of trusted domains twice - so I have reworked some of the code to
avoid that.
Andrew Bartlett
(This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
|
|
would attempt to supply a password to the 'inside' NTLMSSP, which the
remote side naturally rejected.
Andrew Bartlett
(This used to be commit da408e0d5aa29ca1505c2fd96b32deae9ed940c4)
|
|
rpc_parse/parse_lsa.c:
nsswitch/winbindd_rpc.c:
nsswitch/winbindd.h:
- Add const
libads/ads_ldap.c:
- Cleanup function for use
nsswitch/winbindd_ads.c:
- Use new utility function ads_sid_to_dn
- Don't search for 'dn=', rather call the ads_search_retry_dn()
nsswitch/winbindd_ads.c:
include/rpc_ds.h:
rpc_client/cli_ds.c:
- Fixup braindamage in cli_ds_enum_domain_trusts():
- This function was returning a UNISTR2 up to the caller, and
was doing nasty (invalid, per valgrind) things with memcpy()
- Create a new structure that represents this informaiton in a useful way
and use talloc.
Andrew Bartlett
(This used to be commit 06c3f15aa166bb567d8be0a8bc4b095b167ab371)
|
|
defaults specified by the caller to prevail.
Don't use NTLM2 for RPC pipes, until we know how it works in signing or sealing.
Call ntlmssp_sign_init() unconditionally in the client - we setup the
session key, why not setup the rest of the data.
Andrew Bartlett
(This used to be commit 48123f7e42c3fde85887de23c80ceee04c2f6281)
|
|
check_bind_response()
(This used to be commit 5e062f72baad6f7a70f1a3c8cf190535ccacc89e)
|
|
This means that we now support 'net rpc join' with KRB5 (des based)
logins. Now, you need to hack 'net' to do that, but the principal is
important...
When we add kerberos to 'net rpc', it should be possible to still do
user management and the like over RPC.
(server-side support to follow shortly)
Andrew Bartlett
(This used to be commit 9ecf9408d98639186b283f1acf0fac46417547d0)
|
|
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
|
|
the bind response to WKSSVC it does not send \PIPE\ntsvcs as NT4 (did not
check w2k) but \PIPE\wkssvc. I'm not sure whether we should make this check at
all, so making it a bit more liberal should hopefully not really hurt.
Volker
(This used to be commit 029dcb351bcfab70ed0afa4acf4bd64316bfd757)
|
|
used to be commit e569418861a867437cd5e2cce87ad82e752da3fb)
|
|
to all requests on the winreg pipe, so we need to handle this new pipe.
First part of fix for bug #534
(This used to be commit 532fab74c12d8c55872c2bad2abead2647f919d7)
|
|
In cli_lsa_lookup_sids don't leave the domain field uninitialized if
some sid could not be mapped. Otherwise this call is unnecessarily
complicated to call.
Volker
(This used to be commit 198b01fc54ce7a5beeddc680b30da291639b4eda)
|
|
some sid could not be mapped. Otherwise this call is unnecessarily
complicated to call.
Volker
(This used to be commit 1337338522242a430b3c5655ffdff3f701fbfcce)
|
|
It's a perfectly valid condition to have zero alias members.
Jeremy.
(This used to be commit aa7fb71357921c9d1fa1d32e5eaff912428e4fdf)
|
|
Volker
(This used to be commit ccdcd88732c99497fc563379df7837c35eba72be)
|
|
fixed query. Updates to come soon.
(This used to be commit 3ca8240affba20bb26749354f59b83799b4f1e44)
|
|
(no need to include all of smbd files to use some basic sec functions)
also minor compile fixes
couldn't compile to test these due to some kerberos problems wirh 3.0,
but on HEAD they're working well, so I suppose it's ok to commit
(This used to be commit c78f2d0bd15ecd2ba643bb141cc35a3405787aa1)
|
|
(no need to include all of smbd files to use some basic sec functions)
also minor compile fixes
(This used to be commit 66074d3b097d8cf2a231bf08c7f4db62da68189d)
|
|
clientspreviously joined to the Samba domain
(This used to be commit 9d2e585e5e6f9066c6901aa8d8308734f8667296)
|
|
clientspreviously joined to the Samba domain
(This used to be commit 3802f5895ee18507c6f467bd11db0b1147a6fdfd)
|
|
>Fix for #480. Change the interface for init_unistr2 to not take a length
>but a flags field. We were assuming that 2*strlen(mb_string) == length of ucs2-le string.
>This is not the case. Count it after conversion.
>Jeremy.
(This used to be commit e2ab9e54cd0ec0002175cf18ff364f4aebaf85a0)
|
|
but a flags field. We were assuming that 2*strlen(mb_string) == length of ucs2-le string.
This is not the case. Count it after conversion.
Jeremy.
(This used to be commit f82c273a42f930c7152cfab84394781744815e0e)
|
|
(This used to be commit 585764305aa84a7732f71f2e01227e1a6a08664f)
|
|
(This used to be commit e1fac713e25692a5790c3261ba323732930f5249)
|
|
(This used to be commit c17a7dc9a190156a069da3e861c18fd3f81224ad)
|
|
- When connecting to the NETOGON pipe, we make a call to auth2, in order
to verify our identity. This call was being made with negotiation flags
of 0x1ff. This caused our account to be downgraded. If we instead make
the call with flags > 1ff (such as 0x701ff), then this does not occour.
- This is *not* related to the use of kerberos for the CIFS-level connection
My theory is that Win2k has a test to see if we are sending *exactly* what
NT4 sent - setting any other flags seems to cause us to remain intact.
Also ensure that we only have 'setup schannel' code in a few places, not
scattered around cmd_netlogon too.
Andrew Bartlett
(This used to be commit e10f0529fe9d8d245b3cd001cce6a9a86896679c)
|
|
up some of the false positives in "rpcclient -c getdriver".
Also make sure that we ask for version2 and 3 drivers on x86.
(This used to be commit 5be51515680da910b623f486108d91f9ea914bd2)
|
|
(This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669)
|
|
NTLMSSP with "" username, NULL password), and add --machine-pass (-P) to
all of Samba's clients.
When connecting to an Active Directory DC, you must initiate the CIFS level
session setup with Kerberos, not a guest login. If you don't, your machine
account is demoted to NT4.
Andrew Bartlett
(This used to be commit 3547cb3def45a90f99f67829a533eac1ccba5e77)
|
|
(This used to be commit 4d26feabd75d5b298276b0c5880b9765507bb6ae)
|
|
(This used to be commit 3101c236b8241dc0183995ffceed551876427de4)
|
|
(This used to be commit a2bd8f0bfa12f2a1e33c96bc9dabcc0e2171700d)
|
|
* use DsEnumerateDomainTrusts() instead of LDAP search.
wbinfo -m now lists all trusted downlevel domains and
all domains in the forest.
Thnigs to do:
o Look at Krb5 connection trusted domains
o make sure to initial the trusted domain cache as soon
as possible
(This used to be commit 0ab00ccaedf204b39c86a9e1c2fcac5f15d0e033)
|
|
Jeremy.
(This used to be commit f3f29665bd2c396c4756cd23f603ac768fea66fd)
|
|
(This used to be commit f8abdd23e1d4aed56c263c3228e702b191af4c64)
|
|
trusted domains in a forest.
(This used to be commit c691c7f7d9afb8af542dc83cf934df1dfd38ef17)
|
|
(This used to be commit e12f6a8c13f27c3caea96b467cc4294e20dad341)
|
|
connection that set it up has been shut down.
(Also, pipes still connected, and reconnections to the same pipe (eg SAMR)
may continue to use that session key until their TCP/IP connection is shut
down)
Allow further testing by printing out the session key, and allowing it's input
into rpcclient.
Next step is automatic storage in a TDB.
Andrew Bartlett
(This used to be commit fa4d7be1619b51aacec37ddf995c940b8100aef9)
|
|
(This used to be commit 2e5bd1665430768b06da99beba5ac11a59c9bf07)
|
|
(This used to be commit e66541d0e1befec5d589890994454dd639ea0665)
|
|
so the shared sequence number will not be strictly odd/even.
Andrew Bartlett
(This used to be commit 77c3e69aef545d3f9b7cec9efdc366cbeb0c745e)
|
|
prior to this merge, checkout HEAD_PRE_3_0_0_BETA_3_MERGE
(This used to be commit adb98e7b7cd0f025b52c570e4034eebf4047b1ad)
|
|
in both SCHANNEL and NTLMSSP.
(Try not to deal with a general case as individual special cases...)
Andrew Bartlett
(This used to be commit 6ca77bd28f16f9f65ff40bf8996e39356de5b4f8)
|
|
(This used to be commit ff0c71148e405eeb49efbc51461325c7f2207433)
|
|
of an inline replacement...
Andrew Bartlett
(This used to be commit d941255a97fc6d0d62eae1602075b1aa0481cde5)
|
|
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
|
|
strupper_m/strlower_m.
I really want people to think about when they're using multibyte strings.
Jeremy.
(This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
|
|
Volker
(This used to be commit e5664adc07307a066c5312d9224cef2c69a40f77)
|
|
called. This is *essential* (and should be done on all the other cli_XX
rpc calls) to help debug winbindd problems remotely.
Jeremy.
(This used to be commit bc215612cb7c1abc7fb78eda4016ba9e64cdc785)
|
|
(This used to be commit dd063a298f9d5244d7b79c029c563b4d966019c1)
|