Age | Commit message | Author | Files | Lines |
|
same session (TCP connection) as the one the challenge was requested
from.
(This used to be commit 5cb9b99f0f5dad589ac7def667e354d6f92f8822)
|
|
channel:
- If the domain name passed to create_rpc_bind_req() is empty, use
lp_workgroup()
- Correctly set the auth_padding field when the send_size is a multiple
of 8 bytes
I've tested with nt4sp6 and win2ksp0 and it seems to work, although
there are no password hashes transferred from win2k. The empty
passwords are being protected by the secure channel encryption though.
(This used to be commit a8c11e855611c91e94787387c62ac629232cacfa)
|
|
useful in the auth verifier yet. So this patch ignores it.
Really checking this would be a lot more intrusive: in rpc_api_pipe we
would have to distinguish between binds and normal requests, or have
more state in the netsec info of cli_state, which is also somewhat
hackish.
Volker
(This used to be commit 8de04fcf680a9bc5054965577eb500e0541ffe66)
|
|
important once we start doing schannel, as there would be a lot more
roundtrips for the second PIPE open and bind. With this patch logging
in to a member server is a matter of two (three if you count the
ack...) packets between us and the DC.
Volker
(This used to be commit 5b3cb7725a974629d0bd8b707bc2940c36b8745e)
|
|
Andrew Bartlett
(This used to be commit 97bc047434284527f25e130a72981da704ed1212)
|
|
Andrew Bartlett
(This used to be commit 542a8b1817d3930e03e08e16e9711cacceb6df61)
|
|
Jeremy.
(This used to be commit a330bf170eb8e78200367c90833cbc90255642cb)
|
|
- return NT_STATUS_NO_MEMORY instead of NT_STATUS_UNSUCESSFUL if a
talloc fails
- don't try and tallocate memory when the number of entries returned was
zero
- rename some cut&pasted variable names in enum domain aliases function
(This used to be commit aa748e1da543f0e59df8a56996ebd9510732507e)
|
|
(This used to be commit f200a5b85832ac5ec7724d58da7270cd14c565e3)
|
|
This allows us to join as a BDC, without appearing on the network as one
until we have the database replicated, and the admin changes the configuration.
This also changes the SID retrieval order from secrets.tdb, so we no longer
require a 'net rpc getsid' - the sid fetch during the domain join is sufficient.
Also minor fixes to 'net'.
Andrew Bartlett
(This used to be commit 876e00fd112e4aaf7519eec27f382eb99ec7562a)
|
|
tidying up. Samsync still doesn't work due to bad parsing of net_io_sam_alias_info
with a blank description. Still working on this....
Jeremy.
(This used to be commit 942fede9a57a9319cf67388004dd45fa8a045f41)
|
|
multi-PDU encode/decode with SCHANNEL. Also need to test against WNT DC.
Jeremy.
(This used to be commit ff66d4097088409205b6bad5124a78ef9946010d)
|
|
(This used to be commit dfa9412da567d2477ee5b1e6ecdc96b8dea3c21d)
|
|
(This used to be commit 800b79e8364d761bbd8c99016211dfe199eee080)
|
|
(This used to be commit 5b1807dddf0e4fb9fcaedcfe6f67dfd78fe117bb)
|
|
(This used to be commit 381649916ecbaddefbb6ee0e6137b7cc73eb54b1)
|
|
requests and responses and is only compiled in when --enable-developer
is passed to configure. It includes server and client side code for
generating and responding to functions on this pipe. The functions are:
- AddOne: add one to the uint32 argument and return it
- EchoData: echo back a variable sized char array to the caller
- SourceData: request a variable sized char array
- SinkData: send a variable sized char array and throw it away
There's a win32 implementation of the client and server in the
junkcode CVS repository in the rpcecho-win32 subdirectory.
(This used to be commit 4ccd34ef836eba05f81dc2da73fd7cfaac201798)
|
|
rpcclient -S pdc -U% -c "samlogon user password"
and it should work with the schannel. Needs testing against platforms
different from NT4SP6.
Volker
(This used to be commit eaef0d8aeff1aa5a067679be3f17e08d7434e1e8)
|
|
rpcclient -S pdc -U% -c "samlogon user password"
and it should work with the schannel. Needs testing against platforms
different from NT4SP6.
Volker
(This used to be commit ecd0ee4d248e750168597ccf79c389513bb0f740)
|
|
ignore it.
Volker
(This used to be commit 1e03e955450af7f05e564793e95258e45e08dabd)
|
|
ignore it.
Volker
(This used to be commit 6ac6b0f4c0df9e09644d8c1f1272c8645642e842)
|
|
(This used to be commit 67bc6bccc22e22e2a6e5cae7c57a1b2b53f49dfd)
|
|
NTLM Authentication:
- Add a 'privileged' mode to Winbindd. This is achieved by means of a directory
under lockdir, that the admin can change the group access for.
- This mode is now required to access with 'CRAP' authentication feature.
- This *will* break the current SQUID helper, so I've fixed up our ntlm_auth
replacement:
- Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a
challenge.
- Use this to make our ntlm_auth utility suitable for use in current Squid 2.5
servers.
- Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates
are needed.
- Now uses fgets(), not x_fgets() to cope with Squid environment (I think
something to do with non-blocking stdin).
- Add much more robust connection code to wb_common.c - it will not connect to
a server of a different protocol version, and it will automatically try and
reconnect to the 'privileged' pipe if possible.
- This could help with 'privileged' idmap operations etc in future.
- Add a generic HEX encode routine to util_str.c,
- fix a small line of dodgy C in StrnCpy_fn()
- Correctly pull our 'session key' out of the info3 from the DC. This is
used in both the auth code, and for export over the winbind pipe to
ntlm_auth.
- Given the user's challenge/response and access to the privileged pipe,
allow external access to the 'session key'. To be used for MSCHAPv2
integration.
Andrew Bartlett
(This used to be commit ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664)
|
|
- Add a 'privileged' mode to Winbindd. This is achieved by means of a directory
under lockdir, that the admin can change the group access for.
- This mode is now required to access with 'CRAP' authentication feature.
- This *will* break the current SQUID helper, so I've fixed up our ntlm_auth
replacement:
- Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a
challenge.
- Use this to make our ntlm_auth utility suitable for use in current Squid 2.5
servers.
- Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates
are needed.
- Now uses fgets(), not x_fgets() to cope with Squid environment (I think
something to do with non-blocking stdin).
- Add much more robust connection code to wb_common.c - it will not connect to
a server of a different protocol version, and it will automatically try and
reconnect to the 'privileged' pipe if possible.
- This could help with 'privileged' idmap operations etc in future.
- Add a generic HEX encode routine to util_str.c,
- fix a small line of dodgy C in StrnCpy_fn()
- Correctly pull our 'session key' out of the info3 from the DC. This is
used in both the auth code, and for export over the winbind pipe to
ntlm_auth.
- Given the user's challenge/response and access to the privileged pipe,
allow external access to the 'session key'. To be used for MSCHAPv2
integration.
Andrew Bartlett
(This used to be commit dcdc75ebd89f504a0f6e3a3bc5b43298858d276b)
|
|
(This used to be commit f0d009c3e91979b0dc3443e16f3f545bcc64cfda)
|
|
(This used to be commit 8d64419625dda242fdb7a5d956644b052b43a2ea)
|
|
(This used to be commit c2e9673328b2d989f13626632442f095727a03c6)
|
|
(This used to be commit a20aba09996e470425a151271237f2d48a8302af)
|
|
(This used to be commit 018733eedd7897e6811e8461c07e3acf418c0e09)
|
|
> Exit path cleanup for cli_samr_enum_dom_users()
(This used to be commit 655c1e03519d4fa174a85534c165bdd1ce163ae8)
|
|
(This used to be commit 0bc1dfc68b0d411801a4209c9681c735cd7a73cc)
|
|
(This used to be commit 7edaf937963fa1d0f06343969b46ed6e4f39a6ea)
|
|
rpc calls.
(This used to be commit 619af61644ecc221c45e5cf69d562451b5b9f951)
|
|
Needed to move to disk based i/o later.
Jeremy.
(This used to be commit 4c3ee228fcdb089eaeead95e79532a9cf6cb0de6)
|
|
Needed to move to disk based i/o later.
Jeremy.
(This used to be commit a823fee5b41a5b6cd4ef05aa1f85f7725bd272a5)
|
|
hooked into pdb, and we need some access control on changing privileges. That's next
(This used to be commit f4f1f84a6bf1d356ccc83f0ecb135bef4a39619e)
|
|
to lookup what SIDs have a particular privilege (that is how
privileges are stored).
(This used to be commit 3ddb5fb0dd33992b7db54a661752551a3fefc0b4)
|
|
(This used to be commit 013fa874733566169ecefb25458d26065190f302)
|
|
from HEAD. I had to do this for him as he was *so* tired, the poor
chap, plus he has this bad leg, plus the dog ate his homework etc. etc.
Jeremy.
(This used to be commit 1e752b48a12cdcf2cb6343705be83f304e5ee2b6)
|
|
using a hardcoded value later on.
Added a helper function that returns the observed values for
max_entries and max_size for each cli_samr_query_dispinfo() call.
These values were obtained from watching the NT4 user manager
application with ethereal and are the only ones that can enumerate a
60k user domain reliably under Windows 2000.
(This used to be commit 2eea2813d9adc414f0a7ea074826b23697f376ee)
|
|
Jeremy
(This used to be commit 49739be1e2f047fa2cc2fd42eadb190a82114485)
|
|
this now gives us complete remove privileges control in the client
libs, so we are in good shape for starting on the server side.
(This used to be commit bf99440398db86f46233eb2f5adddffb61280a1b)
|
|
Jeremy.
(This used to be commit 30a33920b4d834edc877cc0080291fbda983083a)
|
|
lsa_add_acct_rights function.
This allows us to add privileges remotely to accounts using rpcclient.
(This used to be commit 2e5e659e095a94b0716d97f673f993f0af99aabe)
|
|
(This used to be commit 648307ab3d16cb557cead27d6799a741a266c0d5)
|
|
(This used to be commit e3d00fa47d38cd214f5e350e1d6b30d90ed8a52c)
|
|
calls to init_unistr2() in the code and every one of them got the 3rd
argument incorrect, so I thought it best just to remove the argument.
The incorrect usage was caused by callers using strlen() to determine
the length of the string. The 3rd argument to init_unistr2() was
supposed to be the character length, not the byte length of the
string, so for non-English this could come out wrong.
I also removed the bogus 'always allocate at least 256 bytes'
hack. There may be some code that relies on this, but if there is then
the code is broken and needs fixing.
(This used to be commit b9eff31b1433c81fbff733e194914a40f25e3bda)
|
|
Removed a dead function.
(This used to be commit a1c790b5ea8de120a1d8710ac190955aea28246f)
|
|
(This used to be commit 7a4c87484237308cb3ad0d671687da7e0f6e733b)
|
|
principle similar to the existing cli_lsa_enum_privsaccount() call,
except that cli_lsa_enum_account_rights() doesn't require a call to
open_account first. There is also the minor matter that
cli_lsa_enum_account_rights() works whereas
cli_lsa_enum_privsaccount() doesn't!
This call can be used to find what privileges an account or group
has. This is a first step towards proper privileges support in Samba.
(This used to be commit 65bac11d716f873dcdbda528313c33634c26a072)
|