Age | Commit message (Collapse) | Author | Files | Lines |
|
Looking at the original commit (9a747d500fad699038ecf75615c680a9fd9e4cc7)
this seem the right solution.
Andrew please check.
|
|
Jeremy.
|
|
This reverts commit edba46ce94c335411ab337eeb4ef6f88fb3aae80.
Conflicts:
source3/auth/auth_ntlmssp.c
|
|
This allows the right hooks to be called in GENSEC when s3compat
implements the auth_ntlmssp interface. Otherwise, we can't do the
signing or sealing as we have not negoitated it's use.
Andrew Bartlett
|
|
It's nicer to have an NTSTATUS return, and in s3compat there may be a
reason other than 'no memory' why this can fail.
Andrew Bartlett
|
|
This will make it possible to create plain rpc named pipe connnections.
Reviewed-by: Simo Sorce <idra@samba.org>
|
|
This ensures the results can't be easily left to leak.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
The code is not yet in common, but I hope to fix that soon.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
typedefs are no longer preferred Samba style.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
This makes it a little easier for it to writen in terms of GENSEC in future.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
|
|
metze
Signed-off-by: Günther Deschner <gd@samba.org>
|
|
Jeremy.
|
|
|
|
Make calling schannel much easier by removing the need to explicitly open the
database. Let the abstraction do it instead.
|
|
Alignment space calculations are tricky :-).
Jeremy.
|
|
Ensure we calculate the space correctly (including the ss_padding_len)
when constructing reply packets.
Jeremy.
|
|
Parts of the Samba RPC client and server code misinterpret authenticated
packets.
DCE authenticated packets actually look like this :
+--------------------------+
|header |
| ... frag_len (packet len)|
| ... auth_len |
+--------------------------+
| |
| Data payload |
... ....
| |
+--------------------------+
| |
| auth_pad_len bytes |
+--------------------------+
| |
| Auth footer |
| auth_pad_len value |
+--------------------------+
| |
| Auth payload |
| (auth_len bytes long) |
+--------------------------+
That's right. The pad bytes come *before* the footer specifying how many pad
bytes there are. In order to read this you must seek to the end of the packet
and subtract the auth_len (in the packet header) and the auth footer length (a
known value).
The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long
as the pad alignment is on an 8 byte boundary (there are some special cases in
the code for this).
Tridge discovered there are some (DRS replication) cases where on 64-bit
machines where the pad alignment is on a 16-byte boundary. This breaks the
existing S3 hand-optimized rpc code.
This patch removes all the special cases in client and server code, and allows
the pad alignment for generated packets to be specified by changing a constant
in include/local.h (this doesn't affect received packets, the new code always
handles them correctly whatever pad alignment is used).
This patch also works correctly with rpcclient using sign+seal from
the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow)
so even as a server it should still work with older libsmbclient and
winbindd code.
Jeremy
|
|
Andrew Bartlett
|
|
Guenther
|
|
This reverts commit 9621306351cdb469ef393a6d8cbeea456bc4bd9f.
|
|
This reverts commit 494b2aff8826947e3bd556aecb175746163da485.
|
|
|
|
|
|
|
|
|
|
Guenther
|
|
This prepares support for HMAC-SHA256/AES.
metze
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Found by RPC-SCHANNEL torture test.
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
netlogon server.
Guenther
|
|
|
|
|
|
|
|
Jeremy.
|
|
also check for an upper one (integer wrap).
Jeremy.
|
|
According to [MS-RPCE].pdf, section 2.2.2.11:
----
A client or a server that (during composing of a PDU) has allocated more space
for the authentication token than the security provider fills in SHOULD fill in
the rest of the allocated space with zero octets. These zero octets are still
considered to belong to the authentication token part of the PDU.<36>
----
RPC implementations are allowed to send padding bytes at the end of an auth
footer. Windows 7 makes use of this.
Thanks to Nick Meier <nmeier@microsoft.com>
Volker
|
|
Another 4k per open pipe
|
|
lp_use_kerberos_keytab parameter.
The first is "kerberos method" and replaces the "use kerberos keytab"
with an enum. Valid options are:
secrets only - use only the secrets for ticket verification (default)
system keytab - use only the system keytab for ticket verification
dedicated keytab - use a dedicated keytab for ticket verification.
secrets and keytab - use the secrets.tdb first, then the system keytab
For existing installs:
"use kerberos keytab = yes" corresponds to secrets and keytab
"use kerberos keytab = no" corresponds to secrets only
The major difference between "system keytab" and "dedicated keytab" is
that the latter method relies on kerberos to find the correct keytab
entry instead of filtering based on expected principals.
The second parameter is "dedicated keytab file", which is the keytab
to use when in "dedicated keytab" mode. This keytab is only used in
ads_verify_ticket.
|
|
This was mainly used for debugging output
|
|
|