summaryrefslogtreecommitdiff
path: root/source3/rpc_client
AgeCommit message (Collapse)AuthorFilesLines
2003-11-26Merge from 3.0:Andrew Bartlett1-8/+4
- NTLM2 fixes, don't force NTLM2 - Don't use NTLM2 for RPC, it doesn't work yet - Add comments to winbindd_pam.c - Merge 64 bit fixes and better debug messages in winbindd.c Andrew Bartlett (This used to be commit ba94e4a1ab6dc3335bbb29686ca6795d0ffad5b0)
2003-11-24strequal() returns a BOOL, not an int like strcmp(); this fixes a bug in ↵Gerald Carter1-2/+2
check_bind_response() (This used to be commit 84f0e97e5882375b765b818e89a6d96736cd5932)
2003-11-23Merge from 3.0:Andrew Bartlett1-6/+6
Add support for variable-length session keys in our client code. This means that we now support 'net rpc join' with KRB5 (des based) logins. Now, you need to hack 'net' to do that, but the principal is important... When we add kerberos to 'net rpc', it should be possible to still do user management and the like over RPC. - Add server-side support for variable-length session keys (as used by DES based krb5 logins). Andrew Bartlett (This used to be commit 1287cf5f921327c9ea758de46220c4e2dedc485c)
2003-11-22(merge from 3.0)Andrew Bartlett3-19/+38
Changes all over the shop, but all towards: - NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... Andrew Bartlett (This used to be commit 57a895aaabacc0c9147344d097d333793b77c947)
2003-11-17From 3_0:Volker Lendecke1-1/+2
This fixes a bug when establishing trust against a german W2k3 AD server. In the bind response to WKSSVC it does not send \PIPE\ntsvcs as NT4 (did not check w2k) but \PIPE\wkssvc. I'm not sure whether we should make this check at all, so making it a bit more liberal should hopefully not really hurt. Volker (This used to be commit dbd17dd0366d6cd20a2d5d8247dd5842563da2ca)
2003-10-30Another round of GUID->struct uuid.Jim McDonough1-2/+3
Takes care of the lsass pipe (This used to be commit 3dca3efa4b427fa3094a8cd392fe5744b5f6f6a8)
2003-10-24New files for support of initshutdown pipe. Win2k doesn't respond properlyJim McDonough1-0/+104
to all requests on the winreg pipe, so we need to handle this new pipe. First part of fix for bug #534 (This used to be commit 532fab74c12d8c55872c2bad2abead2647f919d7)
2003-10-22Merge from 3_0:Volker Lendecke1-0/+1
In cli_lsa_lookup_sids don't leave the domain field uninitialized if some sid could not be mapped. Otherwise this call is unnecessarily complicated to call. Volker (This used to be commit 198b01fc54ce7a5beeddc680b30da291639b4eda)
2003-10-20Merge Volker's fix.Jeremy Allison1-0/+6
It's a perfectly valid condition to have zero alias members. Jeremy. (This used to be commit aa7fb71357921c9d1fa1d32e5eaff912428e4fdf)
2003-10-18Add client side code to do endpoint map queries. Currently does oneJim McDonough1-0/+61
fixed query. Updates to come soon. (This used to be commit 3ca8240affba20bb26749354f59b83799b4f1e44)
2003-10-06split some security related functions in their own files.Simo Sorce1-3/+3
(no need to include all of smbd files to use some basic sec functions) also minor compile fixes (This used to be commit 66074d3b097d8cf2a231bf08c7f4db62da68189d)
2003-10-01commit sign only patch from Andrew; bug 167; tested using 2k & XP ↵Gerald Carter1-17/+12
clientspreviously joined to the Samba domain (This used to be commit 9d2e585e5e6f9066c6901aa8d8308734f8667296)
2003-09-29Merge from 3.0:Tim Potter1-8/+8
>Fix for #480. Change the interface for init_unistr2 to not take a length >but a flags field. We were assuming that 2*strlen(mb_string) == length of ucs2-le string. >This is not the case. Count it after conversion. >Jeremy. (This used to be commit e2ab9e54cd0ec0002175cf18ff364f4aebaf85a0)
2003-09-22fix some warnings found by the Sun C compilerGerald Carter1-1/+1
(This used to be commit 585764305aa84a7732f71f2e01227e1a6a08664f)
2003-09-09sync 3.0 into HEAD for the last timeGerald Carter3-31/+25
(This used to be commit c17a7dc9a190156a069da3e861c18fd3f81224ad)
2003-08-02port latest changes from SAMBA_3_0 treeSimo Sorce5-21/+127
(This used to be commit 3101c236b8241dc0183995ffceed551876427de4)
2003-07-17fix the build. Ifdef out some codeGerald Carter1-0/+3
(This used to be commit e66541d0e1befec5d589890994454dd639ea0665)
2003-07-16trying to get HEAD building again. If you want the codeGerald Carter5-628/+630
prior to this merge, checkout HEAD_PRE_3_0_0_BETA_3_MERGE (This used to be commit adb98e7b7cd0f025b52c570e4034eebf4047b1ad)
2003-05-16Merge: clarify secure channel connection comment.Tim Potter1-4/+4
(This used to be commit dd063a298f9d5244d7b79c029c563b4d966019c1)
2003-04-28Fixes from Ronan Waide <waider@waider.ie> for large RPC writes.Jeremy Allison1-2/+2
Jeremy. (This used to be commit 30512b7d3ea3470e4aca08638a5c0ea14791a6e7)
2003-04-25Minor cleanup of enum domain groups/aliases:Tim Potter1-12/+18
- return NT_STATUS_NO_MEMORY instead of NT_STATUS_UNSUCESSFUL if a talloc fails - don't try and tallocate memory when the number of entries returned was zero - rename some cut&pasted variable names in enum domain aliases function (This used to be commit cb94b2b2d141c3df1209b2b389b0cd6752ac2b6b)
2003-04-22Always initialise this, to assist callers doing loops over this call.Andrew Bartlett1-0/+3
Andrew Bartlett (This used to be commit 6da9fd157b4e61fe72f569e4657166ca9d9ab6dc)
2003-04-16Fixes to make SCHANNEL work against a W2K DC. Still need to fixJeremy Allison1-13/+24
multi-PDU encode/decode with SCHANNEL. Also need to test against WNT DC. Jeremy. (This used to be commit ec82e8e9f4a6bf807a91ac265af39a516c7ab631)
2003-04-16Store the type of 'sec channel' that we establish to the DC. If we are aAndrew Bartlett1-18/+0
workstation, we have to use the workstation type, if we have a BDC account, we must use the BDC type - even if we are pretending to be a workstation at the moment. Also actually store and retreive the last change time, so we can do periodic password changes again (for RPC at least). And finally, a couple of minor fixes to 'net'. Andrew Bartlett (This used to be commit 6e6b7b79edae3efd0197651e9a8ce6775c001cf2)
2003-04-14Removed unused variables.Tim Potter1-2/+0
(This used to be commit 27a608d6a337e772dce114d73e45f6d0bf3148b4)
2003-04-14Fixed incorrect argument to debug.Tim Potter1-1/+1
(This used to be commit a4704754d912e1f704f574b733257bbcb3976141)
2003-04-11A new RPC pipe! The \pipe\echo named pipe is for testing large RPCTim Potter1-0/+187
requests and responses and is only compiled in when --enable-developer is passed to configure. It includes server and client side code for generating and responding to functions on this pipe. The functions are: - AddOne: add one to the uint32 argument and return ig - EchoData: echo back a variable sized char array to the caller - SourceData: request a variable sized char array - SinkData: send a variable sized char array and throw it away There's a win32 implementation of the client and server in the junkcode CVS repository in the rpcecho-win32 subdirectory. (This used to be commit 4ccd34ef836eba05f81dc2da73fd7cfaac201798)
2003-04-09This is the netlogon schannel client code. Try aVolker Lendecke1-18/+305
rpcclient -S pdc -U% -c "samlogon user password" and it should work with the schannel. Needs testing platforms different from NT4SP6. Volker (This used to be commit ecd0ee4d248e750168597ccf79c389513bb0f740)
2003-04-09Auth2, not also Auth3 sends us flags back, although all the callersVolker Lendecke1-4/+5
ignore it. Volker (This used to be commit 6ac6b0f4c0df9e09644d8c1f1272c8645642e842)
2003-04-04SAMR lookupdomain rpc client patches from amber palekar <amber@nu3.net>Tim Potter1-0/+46
(This used to be commit 67bc6bccc22e22e2a6e5cae7c57a1b2b53f49dfd)
2003-03-23NTLM Authentication:Andrew Bartlett1-1/+12
- Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit dcdc75ebd89f504a0f6e3a3bc5b43298858d276b)
2003-03-18Ignore .po and .po32 files.Martin Pool1-0/+3
(This used to be commit 8d64419625dda242fdb7a5d956644b052b43a2ea)
2003-02-25More const fixes and flow on fixes from yesterday's const-fest.Tim Potter5-19/+24
(This used to be commit 018733eedd7897e6811e8461c07e3acf418c0e09)
2003-02-24Merge:Tim Potter1-7/+5
> Exit path cleanup for cli_samr_enum_dom_users() (This used to be commit 655c1e03519d4fa174a85534c165bdd1ce163ae8)
2003-02-21Exit path cleanup for cli_samr_enum_dom_users()Tim Potter1-34/+18
(This used to be commit 0bc1dfc68b0d411801a4209c9681c735cd7a73cc)
2003-02-17Return a WERROR instead of a NTSTATUS like the rest of the srvsvcTim Potter1-11/+7
rpc calls. (This used to be commit 619af61644ecc221c45e5cf69d562451b5b9f951)
2003-02-14Ensure that only parse_prs.c access internal members of the prs_struct.Jeremy Allison1-10/+10
Needed to move to disk based i/o later. Jeremy. (This used to be commit 4c3ee228fcdb089eaeead95e79532a9cf6cb0de6)
2003-02-12initial server side privileges implementation, using a tdb. This needs to be ↵Andrew Tridgell1-1/+1
hooked into pdb, and we need some access control on changing privileges. That's next (This used to be commit f4f1f84a6bf1d356ccc83f0ecb135bef4a39619e)
2003-02-10added the 'lsaenumacctwithright' command to rpcclient. This allows youAndrew Tridgell1-0/+52
to lookup what SIDs have a particular privilege (that is how privileges are stored). (This used to be commit 3ddb5fb0dd33992b7db54a661752551a3fefc0b4)
2003-02-01One more signed/unsigned fixAndrew Bartlett1-1/+1
(This used to be commit 013fa874733566169ecefb25458d26065190f302)
2003-01-29Pass down max_size parameter to cli_samr_query_dispinfo() instead ofTim Potter1-2/+35
using a hardcoded value later on. Added a helper function that returns the observed values for max_entries and max_size for each cli_samr_query_dispinfo() call. These values were obtained from watching the NT4 user manager application with ethereal and are the only ones that can enumerate a 60k user domain reliably under Windows 2000. (This used to be commit 2eea2813d9adc414f0a7ea074826b23697f376ee)
2003-01-28added LsaRemoveAccountRightsAndrew Tridgell1-0/+42
this now gives us complete remove privileges control in the client libs, so we are in good shape for starting on the server side. (This used to be commit bf99440398db86f46233eb2f5adddffb61280a1b)
2003-01-28cleaned up the lsa_enum_acct_rights function and added aAndrew Tridgell1-0/+43
lsa_add_acct_rights function. This allows us to add privileges remotely to accounts using rpcclient. (This used to be commit 2e5e659e095a94b0716d97f673f993f0af99aabe)
2003-01-17reverted this patch till I sort out the craziness with UNIHDRAndrew Tridgell1-8/+8
(This used to be commit e3d00fa47d38cd214f5e350e1d6b30d90ed8a52c)
2003-01-17This removes the 3rd argument from init_unistr2(). There were 240Andrew Tridgell1-8/+8
calls to init_unistr2() in the code and every one of them got the 3rd argument incorrect, so I thought it best just to remove the argument. The incorrect usage was caused by callers using strlen() to determine the length of the string. The 3rd argument to init_unistr2() was supposed to be the character length, not the byte length of the string, so for non-english this could come out wrong. I also removed the bogus 'always allocate at least 256 bytes' hack. There may be some code that relies on this, but if there is then the code is broken and needs fixing. (This used to be commit b9eff31b1433c81fbff733e194914a40f25e3bda)
2003-01-17Let's clean up client side ntlmssp!Tim Potter1-10/+0
Removed a dead function. (This used to be commit a1c790b5ea8de120a1d8710ac190955aea28246f)
2003-01-15added cli_lsa_enum_account_rights() call. Note that this is inAndrew Tridgell1-0/+57
principal similar to the existing cli_lsa_enum_privsaccount() call, except that cli_lsa_enum_account_rights() doesn't require a call to open_account first. There is also the minor matter that cli_lsa_enum_account_rights() works whereas cli_lsa_enum_privsaccount() doesn't! this call can be used to find what privileges an account or group has. This is a first step towards proper privileges support in Samba. (This used to be commit 65bac11d716f873dcdbda528313c33634c26a072)
2003-01-14Added comment about a SMB_ASSERT()Tim Potter1-0/+3
(This used to be commit 056bdfbce73bbd7ddaa198d18e596b94b2224d3d)
2003-01-13Make sure that those cleanups actually went in.Richard Sharpe1-2/+2
(This used to be commit 9a38e378115a1c36d0cd7c41f4c5767c23b4eb3f)
2003-01-11[merge] make sure to updatre print queue cache during timeout_processing() ↵Gerald Carter1-0/+2
to send notify events; CR 1491 (This used to be commit 142c5029c701e7a82074e301278846c02843f46f)