| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
the schannel code, but I've included that anyway. :-)
This patch revives the client-side NTLMSSP support for RPC named pipes
in Samba, and cleans up the client and server schannel code. The use of the
new code is enabled by the 'sign', 'seal' and 'schannel' commands in
rpcclient.
The aim was to prove that our separate NTLMSSP client library actually
implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation,
in the hope that knowing this will assist us in correctly implementing
NTLMSSP signing for SMB packets. (Still not yet functional)
This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with
calls to libsmb/ntlmssp.c. In the process, we have gained the ability to
use the more secure NT password, and the ability to sign-only, instead of
having to seal the pipe connection. (Previously we were limited to sealing,
and could only use the LM-password derived key).
Our new client-side NTLMSSP code also needed alteration to cope with our
comparatively simple server-side implementation. A future step is to replace
it with calls to the same NTLMSSP library.
Also included in this patch is the schannel 'sign only' patch I submitted to
the team earlier. While not enabled (and not functional, at this stage) the
work in this patch makes the code paths *much* easier to follow. I have also
included similar hooks in rpccleint to allow the use of schannel on *any* pipe.
rpcclient now defaults to not using schannel (or any other extra per-pipe
authenticiation) for any connection. The 'schannel' command enables schannel
for all pipes until disabled.
This code is also much more secure than the previous code, as changes to our
cli_pipe routines ensure that the authentication footer cannot be removed
by an attacker, and more error states are correctly handled.
(The same needs to be done to our server)
Andrew Bartlett
(This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19)
|
|
Fixes remote printer publishing of shared printers from a Samba server.
(This used to be commit 7f363fa32d3b660567fc87d5d0b1e1d4dd58461a)
|
|
purpose. Replace with an array of SAM_ACCOUNT/DOMAIN_GRP entries.
ZERO struct's in smbd/uid.c stops core dumps when sid_to_XX
functions fail. Getting ready to add caching.
Jeremy.
(This used to be commit 9d0692a54fe2cb087f25796ec2ab5e1d8433e388)
|
|
strupper_m/strlower_m.
I really want people to think about when they're using multibyte strings.
Jeremy.
(This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
|
|
- The 'not implmented' checks are now done by all auth modules
- the ntdomain/trustdomain/winbind modules are more presise as to
what domain names they can and cannot handle
- The become_root() calls are now around the winbind pipe opening only,
not the entire auth call
- The unix username is kept seperate from the NT username, removing the
need for 'clean off the domain\' in parse_net.c
- All sid->uid translations are now validated with getpwuid() to put a very
basic stop to logins with 'half deleted' accounts.
Andrew Bartlett
(This used to be commit 85f88191b9927cc434645ef4c1eaf5ec0e8af2ec)
|
|
When winbindd is running on a PDC the SAM_ACCOUNT for a trusted user
has a username of DOMAIN\user. Make sure to trim the domain part
from the username when filling in the net_sam_logon reply.
This fixes the browsing issues i was seen across domain trusts.
(This used to be commit 62e36e6ede067ace23f5473d04917c7eeedf07e2)
|
|
Jeremy.
(This used to be commit 7ed1118ae61a13de2c781a94fc2394090efd1f9b)
|
|
not sorting returned ACE's correctly w.r.t. W2K - implemented the correct
algorithm.
Jeremy.
(This used to be commit fa23a4158ec23c0b8dbdc6c53f29958243107dee)
|
|
(This used to be commit 944480b89a829f159cabff100d83a72400aa6b6c)
|
|
Jeremy.
(This used to be commit 72ecdb387db60a4afab4d4fabf76f4c1d7ecbeeb)
|
|
leak memory.
Jeremy.
(This used to be commit 07a76eb2e01833d5e2e447391cffeda712118c20)
|
|
(This used to be commit 7f8634c35aed0d8c3fe8f7700ca1175c10b6e031)
|
|
Jeremy.
(This used to be commit d6f23166420d89ea7d3d5433e3234529681cb330)
|
|
This gets us closer to W2k+ in what we return for file ACLs. Fix horribly
broken make_sec_desc() that screwed up the size when given a SD with no
owner or group (how did it get this bad... ?).
Jeremy.
(This used to be commit 183c9ed4052ab14e269ed1234ca557053f77e77a)
|
|
here's a small patch which renames the symbol 'log' to some better names
to avoid compiler warnings about shodow global var 'log'
in proto.h
we now have a GLOBAL_SECTION_SNUM -1
so we should use it in swat too:-)
(This used to be commit a4733a0748b4d24457558304ad47852c69905cb2)
|
|
back a different sized blob of encrypted password data then we were
expecting. There's an extra 32 bytes of unknown stuff.
(This used to be commit 285952fd626b02362fb6732f90c5a3ce0d2d5ae0)
|
|
Volker
(This used to be commit 47c36290db5e1f84ddf78913b3971aea04d243ab)
|
|
(This used to be commit 7fd7af121ee8ba4f9540394f64fe3c78e2e96cd2)
|
|
(This used to be commit fd0cd6200b4b9b4b002dc5b640620c3fb533873b)
|
|
a pstrcpy/fstrcpy or at most a safe_strcpy().
These have the advantage of being compiler-verifiable.
Get these out of the way, along with a rewrite of 'get_short_archi' in the
spoolss client and server. (This pushes around const string pointers, rather
than copied strings).
Andrew Bartlett
(This used to be commit 32fb801ddc035e8971e9911ed4b6e51892e9d1cc)
|
|
It can itself determine the length of the string it has to
transfer. Andrew B., could you take a look at the length calculation?
Is that safe?
Thanks,
Volker
(This used to be commit 0ef69b586a8f1fa11a41a3900180ea2090b60bfd)
|
|
Volker
(This used to be commit 5af417a6ba24e6bb09979488511f482efa4894b8)
|
|
multi-PDU encode/decode with SCHANNEL. Also need to test against WNT DC.
Jeremy.
(This used to be commit ff66d4097088409205b6bad5124a78ef9946010d)
|
|
Only compiled in when --enable-developer argument passed to configure.
(This used to be commit 017da9393bab276543d0d5c50df8c760780f2450)
|
|
used to be commit 381649916ecbaddefbb6ee0e6137b7cc73eb54b1)
|
|
requests and responses and is only compiled in when --enable-developer
is passed to configure. It includes server and client side code for
generating and responding to functions on this pipe. The functions are:
- AddOne: add one to the uint32 argument and return ig
- EchoData: echo back a variable sized char array to the caller
- SourceData: request a variable sized char array
- SinkData: send a variable sized char array and throw it away
There's a win32 implementation of the client and server in the
junkcode CVS repository in the rpcecho-win32 subdirectory.
(This used to be commit 4ccd34ef836eba05f81dc2da73fd7cfaac201798)
|
|
rpcclient -S pdc -U% -c "samlogon user password"
and it should work with the schannel. Needs testing against platforms
different from NT4SP6.
Volker
(This used to be commit eaef0d8aeff1aa5a067679be3f17e08d7434e1e8)
|
|
rpcclient -S pdc -U% -c "samlogon user password"
and it should work with the schannel. Needs testing platforms
different from NT4SP6.
Volker
(This used to be commit ecd0ee4d248e750168597ccf79c389513bb0f740)
|
|
Volker
(This used to be commit 36362c602ba03ae5e89956b16820d5dff580bee7)
|
|
Volker
(This used to be commit 9fc3e4bf9fa7845b5d4a7eb4cacfec586045ebd0)
|
|
schannel clients.
Volker
(This used to be commit 0f348a35d09ff020837119157ef7f4b9e6f07643)
|
|
schannel clients.
Volker
(This used to be commit 41e92409e1c6912db05acc80b6c0d5dccd51859b)
|
|
No more XP requiresignorseal anymore!
Thanks again to Luke :-)
Volker
(This used to be commit 6b2b55901d66cab0c0c0c90bd0585c870be6e468)
|
|
TNG. Actually, it exists in the main Samba cvs tree in APPLIANCE_TNG
as I found out later :-)
It adds a new parameter: server schannel = yes/auto/no defaulting to
auto.
What does this mean to the user: No requireSignOrSeal registry patch
for XP anymore.
Many thanks for this code to Luke Leighton, Elrond and anybody else I
forgot to mention.
My next thing will be to see if this applies cleanly to 3_0.
Please test and comment!
Volker
(This used to be commit e1f953241eb020f19fe657f29afdae28dcf5a03b)
|
|
- Change 2 variable names to avoid conflicts (patch by Stephan Kulow <coolo@kde.org>)
(This used to be commit 71b05cd14ae6df8340730e7bad1c783dc278c5d3)
|
|
signed/unsigned (mostly i counters)
a little bit of const.
Andrew Bartlett
(This used to be commit 50f0ca752e5058c4051f42a9337361373ba1f727)
|
|
Fix an inconpatible poitner type that caused the IA64 not to build
Andrew Bartlett
(This used to be commit 37436b0aae108fceace3049d3868510e1ba592ac)
|
|
Jeremy.
(This used to be commit 40def80d43b14a853045a31b382226fe0381f38a)
|
|
(This used to be commit 80c45434092a881fe2c9ae7f90856deea4722cb0)
|
|
(for example, query to non-dc)
Andrew Bartlett
(This used to be commit d1dde5f684652f86e63ac6cfa34ff42a680693de)
|
|
genparser works fine, and it is a marvelous tool to store objects in tdb :)
(This used to be commit 4c6d461a8572f03cd33cba95500cc837638b732c)
|
|
(This used to be commit 52ef84b53495db1eac6ecfb0b926ef8df7ea5cc5)
|
|
(This used to be commit 21ec2b6ba3ddba6964f6ddb53f8494e4a8b48a83)
|
|
that changed that the client is monitoring.
* couple of comments abnout how we need to validate driver names
on SetPrinter() and AddPrinter()
* up the debug level on some overly verbose dev mode parsing messages
(This used to be commit 7377d671e8a95ac2ab0452f564b18b2a098699cb)
|
|
that changed that the client is monitoring.
* couple of comments abnout how we need to validate driver names
on SetPrinter() and AddPrinter()
* up the debug level on some overly verbose dev mode parsing messages
(This used to be commit e8939165b77c9e2ea8b3cef2e85885b9812c7184)
|
|
(This used to be commit a20aba09996e470425a151271237f2d48a8302af)
|
|
(This used to be commit 018733eedd7897e6811e8461c07e3acf418c0e09)
|
|
cache the printer_info_2 with the open printer handle.
cache is invalidated on a mod_a_printer() call **on that smbd**.
Yes, this means that the window for admins to step on each other
from different clients just got larger, but since handles a generally
short lived this is probably ok.
(This used to be commit 31272d3b6bb9ec62fd666301c7adfa0c1720a99b)
|
|
cache the printer_info_2 with the open printer handle.
cache is invalidated on a mod_a_printer() call **on that smbd**.
Yes, this means that the window for admins to step on each other
from different clients just got larger, but since handles a generally
short lived this is probably ok.
(This used to be commit 33c7b7522504fb15989f32add8e9a087c8d9d0fa)
|
|
* performance optimization in enumprinterdataex() when keyname is empty
* fix a few typos in comments
* reload services after addprinter_command()
dump registry data in ascii when the key is REG_SZ or REG_MULTI_SZ
(This used to be commit fde6ef7cc62c58d512dc8053b214f0a3c59a78ab)
|
