| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
(This used to be commit 2e5bd1665430768b06da99beba5ac11a59c9bf07)
|
|
so the shared sequence number will not be strictly odd/even.
Andrew Bartlett
(This used to be commit 77c3e69aef545d3f9b7cec9efdc366cbeb0c745e)
|
|
in both SCHANNEL and NTLMSSP.
(Try not to deal with a general case as individual special cases...)
Andrew Bartlett
(This used to be commit 6ca77bd28f16f9f65ff40bf8996e39356de5b4f8)
|
|
(This used to be commit ff0c71148e405eeb49efbc51461325c7f2207433)
|
|
of an inline replacement...
Andrew Bartlett
(This used to be commit d941255a97fc6d0d62eae1602075b1aa0481cde5)
|
|
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
|
|
strupper_m/strlower_m.
I really want people to think about when they're using multibyte strings.
Jeremy.
(This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
|
|
Volker
(This used to be commit e5664adc07307a066c5312d9224cef2c69a40f77)
|
|
called. This is *essential* (and should be done on all the other cli_XX
rpc calls) to help debug winbindd problems remotely.
Jeremy.
(This used to be commit bc215612cb7c1abc7fb78eda4016ba9e64cdc785)
|
|
same session (TCP connection) as the one the challenge was requested
from.
(This used to be commit 5cb9b99f0f5dad589ac7def667e354d6f92f8822)
|
|
channel:
- If the domain name passed to create_rpc_bind_req() is empty, use
lp_workgroup()
- Correctly set the auth_padding field when the send_size is a multiple
of 8 bytes
I've tested with nt4sp6 and win2ksp0 and it seems to work, although
there are no password hashes transferred from win2k. The empty
passwords are being protected by the secure channel encryption though.
(This used to be commit a8c11e855611c91e94787387c62ac629232cacfa)
|
|
useful in the auth verifier yet. So this patch ignores it.
Really checking this would be a lot more intrusive: in rpc_api_pipe we
would have to distinguish between binds and normal requests, or have
more state in the netsec info of cli_state, which is also somewhat
hackish.
Volker
(This used to be commit 8de04fcf680a9bc5054965577eb500e0541ffe66)
|
|
important once we start doing schannel, as there would be a lot more
roundtrips for the second PIPE open and bind. With this patch logging
in to a member server is a matter of two (three if you count the
ack...) packets between us and the DC.
Volker
(This used to be commit 5b3cb7725a974629d0bd8b707bc2940c36b8745e)
|
|
Andrew Bartlett
(This used to be commit 97bc047434284527f25e130a72981da704ed1212)
|
|
Andrew Bartlett
(This used to be commit 542a8b1817d3930e03e08e16e9711cacceb6df61)
|
|
Jeremy.
(This used to be commit a330bf170eb8e78200367c90833cbc90255642cb)
|
|
- return NT_STATUS_NO_MEMORY instead of NT_STATUS_UNSUCESSFUL if a
talloc fails
- don't try and tallocate memory when the number of entries returned was
zero
- rename some cut&pasted variable names in enum domain aliases function
(This used to be commit aa748e1da543f0e59df8a56996ebd9510732507e)
|
|
(This used to be commit f200a5b85832ac5ec7724d58da7270cd14c565e3)
|
|
This allows us to join as a BDC, without appearing on the network as one
until we have the database replicated, and the admin changes the configuration.
This also change the SID retreval order from secrets.tdb, so we no longer
require a 'net rpc getsid' - the sid fetch during the domain join is sufficient.
Also minor fixes to 'net'.
Andrew Bartlett
(This used to be commit 876e00fd112e4aaf7519eec27f382eb99ec7562a)
|
|
tidying up. Samsync still doesn't work due to bad parsing of net_io_sam_alias_info
with a blank description. Still working on this....
Jeremy.
(This used to be commit 942fede9a57a9319cf67388004dd45fa8a045f41)
|
|
multi-PDU encode/decode with SCHANNEL. Also need to test against WNT DC.
Jeremy.
(This used to be commit ff66d4097088409205b6bad5124a78ef9946010d)
|
|
(This used to be commit dfa9412da567d2477ee5b1e6ecdc96b8dea3c21d)
|
|
(This used to be commit 800b79e8364d761bbd8c99016211dfe199eee080)
|
|
(This used to be commit 5b1807dddf0e4fb9fcaedcfe6f67dfd78fe117bb)
|
|
used to be commit 381649916ecbaddefbb6ee0e6137b7cc73eb54b1)
|
|
requests and responses and is only compiled in when --enable-developer
is passed to configure. It includes server and client side code for
generating and responding to functions on this pipe. The functions are:
- AddOne: add one to the uint32 argument and return ig
- EchoData: echo back a variable sized char array to the caller
- SourceData: request a variable sized char array
- SinkData: send a variable sized char array and throw it away
There's a win32 implementation of the client and server in the
junkcode CVS repository in the rpcecho-win32 subdirectory.
(This used to be commit 4ccd34ef836eba05f81dc2da73fd7cfaac201798)
|
|
rpcclient -S pdc -U% -c "samlogon user password"
and it should work with the schannel. Needs testing against platforms
different from NT4SP6.
Volker
(This used to be commit eaef0d8aeff1aa5a067679be3f17e08d7434e1e8)
|
|
rpcclient -S pdc -U% -c "samlogon user password"
and it should work with the schannel. Needs testing platforms
different from NT4SP6.
Volker
(This used to be commit ecd0ee4d248e750168597ccf79c389513bb0f740)
|
|
ignore it.
Volker
(This used to be commit 1e03e955450af7f05e564793e95258e45e08dabd)
|
|
ignore it.
Volker
(This used to be commit 6ac6b0f4c0df9e09644d8c1f1272c8645642e842)
|
|
(This used to be commit 67bc6bccc22e22e2a6e5cae7c57a1b2b53f49dfd)
|
|
NTLM Authentication:
- Add a 'privileged' mode to Winbindd. This is achieved by means of a directory
under lockdir, that the admin can change the group access for.
- This mode is now required to access with 'CRAP' authentication feature.
- This *will* break the current SQUID helper, so I've fixed up our ntlm_auth
replacement:
- Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a
challenge.
- Use this to make our ntlm_auth utility suitable for use in current Squid 2.5
servers.
- Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates
are needed.
- Now uses fgets(), not x_fgets() to cope with Squid environment (I think
somthing to do with non-blocking stdin).
- Add much more robust connection code to wb_common.c - it will not connect to
a server of a different protocol version, and it will automatically try and
reconnect to the 'privileged' pipe if possible.
- This could help with 'privileged' idmap operations etc in future.
- Add a generic HEX encode routine to util_str.c,
- fix a small line of dodgy C in StrnCpy_fn()
- Correctly pull our 'session key' out of the info3 from th the DC. This is
used in both the auth code, and in for export over the winbind pipe to
ntlm_auth.
- Given the user's challenge/response and access to the privileged pipe,
allow external access to the 'session key'. To be used for MSCHAPv2
integration.
Andrew Bartlett
(This used to be commit ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664)
|
|
- Add a 'privileged' mode to Winbindd. This is achieved by means of a directory
under lockdir, that the admin can change the group access for.
- This mode is now required to access with 'CRAP' authentication feature.
- This *will* break the current SQUID helper, so I've fixed up our ntlm_auth
replacement:
- Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a
challenge.
- Use this to make our ntlm_auth utility suitable for use in current Squid 2.5
servers.
- Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates
are needed.
- Now uses fgets(), not x_fgets() to cope with Squid environment (I think
somthing to do with non-blocking stdin).
- Add much more robust connection code to wb_common.c - it will not connect to
a server of a different protocol version, and it will automatically try and
reconnect to the 'privileged' pipe if possible.
- This could help with 'privileged' idmap operations etc in future.
- Add a generic HEX encode routine to util_str.c,
- fix a small line of dodgy C in StrnCpy_fn()
- Correctly pull our 'session key' out of the info3 from th the DC. This is
used in both the auth code, and in for export over the winbind pipe to
ntlm_auth.
- Given the user's challenge/response and access to the privileged pipe,
allow external access to the 'session key'. To be used for MSCHAPv2
integration.
Andrew Bartlett
(This used to be commit dcdc75ebd89f504a0f6e3a3bc5b43298858d276b)
|
|
used to be commit f0d009c3e91979b0dc3443e16f3f545bcc64cfda)
|
|
(This used to be commit 8d64419625dda242fdb7a5d956644b052b43a2ea)
|
|
(This used to be commit c2e9673328b2d989f13626632442f095727a03c6)
|
|
(This used to be commit a20aba09996e470425a151271237f2d48a8302af)
|
|
(This used to be commit 018733eedd7897e6811e8461c07e3acf418c0e09)
|
|
> Exit path cleanup for cli_samr_enum_dom_users()
(This used to be commit 655c1e03519d4fa174a85534c165bdd1ce163ae8)
|
|
(This used to be commit 0bc1dfc68b0d411801a4209c9681c735cd7a73cc)
|
|
(This used to be commit 7edaf937963fa1d0f06343969b46ed6e4f39a6ea)
|
|
rpc calls.
(This used to be commit 619af61644ecc221c45e5cf69d562451b5b9f951)
|
|
Needed to move to disk based i/o later.
Jeremy.
(This used to be commit 4c3ee228fcdb089eaeead95e79532a9cf6cb0de6)
|
|
Needed to move to disk based i/o later.
Jeremy.
(This used to be commit a823fee5b41a5b6cd4ef05aa1f85f7725bd272a5)
|
|
hooked into pdb, and we need some access control on changing privileges. That's next
(This used to be commit f4f1f84a6bf1d356ccc83f0ecb135bef4a39619e)
|
|
to lookup what SIDs have a particular privilege (that is how
privileges are stored).
(This used to be commit 3ddb5fb0dd33992b7db54a661752551a3fefc0b4)
|
|
(This used to be commit 013fa874733566169ecefb25458d26065190f302)
|
|
from HEAD. I had to do this for him as he was *so* tired, the poor
chap, plus he has this bad leg, plus the dog ate his homework etc. etc.
Jeremy.
(This used to be commit 1e752b48a12cdcf2cb6343705be83f304e5ee2b6)
|
|
using a hardcoded value later on.
Added a helper function that returns the observed values for
max_entries and max_size for each cli_samr_query_dispinfo() call.
These values were obtained from watching the NT4 user manager
application with ethereal and are the only ones that can enumerate a
60k user domain reliably under Windows 2000.
(This used to be commit 2eea2813d9adc414f0a7ea074826b23697f376ee)
|
|
Jeremy
(This used to be commit 49739be1e2f047fa2cc2fd42eadb190a82114485)
|
