summaryrefslogtreecommitdiff
path: root/source3/smbd/negprot.c
AgeCommit message (Collapse)AuthorFilesLines
2012-05-12s3:smbd: introduce struct smbXsrv_connectionStefan Metzmacher1-5/+6
This will represent a transport connection for SMB 1 or 2 in the server. smbd_server_connection will slowly be moved to the SMB_VFS layer to satisfy the existing modules, but it will hopefully be protocol independend in future. metze
2012-03-24lib/util: Remove obsolete sys_getpid() and sys_fork().Jelmer Vernooij1-14/+14
The performance of these is minimal (these days) and they can return invalid results when used as part of applications that do not use sys_fork(). Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Sat Mar 24 21:55:41 CET 2012 on sn-devel-104
2012-03-08s3-auth: Follow auth_ntlmssp and use auth4_context for Session SetupAndrew Bartlett1-1/+1
This patch ensures consistency in behaviour between NTLMSSP and NTLM session setup handlers. By calling the same layer that auth_ntlmssp calls, we can not only allow redirection of all authentication to the AD DC, we ensure that map to guest and username map handling is consistent, even in the file server alone. Andrew Bartlett
2012-03-04s3-auth: Remove security=share (depricated since 3.6).Andrew Bartlett1-1/+0
This patch removes security=share, which Samba implemented by matching the per-share password provided by the client in the Tree Connect with a selection of usernames supplied by the client, the smb.conf or guessed from the environment. The rationale for the removal is that for the bulk of security=share users, we just we need a very simple way to run a 'trust the network' Samba server, where users mark shares as guest ok. This is still supported, and the smb.conf options are documented at https://wiki.samba.org/index.php/Public_Samba_Server At the same time, this closes the door on one of the most arcane areas of Samba authentication. Naturally, full user-name/password authentication remain available in security=user and above. This includes documentation updates for username and only user, which now only do a small amount of what they used to do. Andrew Bartlett -------------- / \ / REST \ / IN \ / PEACE \ / \ | SEC_SHARE | | security=share | | | | | | 5 March | | | | 2012 | *| * * * | * _________)/\\_//(\/(/\)/\//\/\///|_)_______
2012-02-27s3-param: Align lp_{max,min}protocol with lib/param namesAndrew Bartlett1-2/+2
This adds an alisas to ensure that both our loadparm systems know all the names. I would like to move to the 'server ..' name as canonical, and this will be raised on the list. Andrew Bartlett
2012-02-16s3-smbd Remove unused code now we always have SPNEGO via gensecAndrew Bartlett1-36/+4
This was previously needed because SPNEGO was only available in the AD DC. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05s3-auth Remove ntlmssp_wrap.h which is no longer requiredAndrew Bartlett1-1/+0
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05s3-auth use gensec directly rather than via auth_generic_stateAndrew Bartlett1-5/+5
This is possible because the s3 gensec modules are started as normal gensec modules, so we do not need a wrapper any more. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05s3-auth Add TALLOC_CTX * to auth_generic_prepare()Andrew Bartlett1-1/+2
This makes the long term owner of this memory more clear. So far only the clear cases have been moved from NULL however. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-22s3-auth rename auth_ntlmssp_prepare() -> auth_generic_prepare()Andrew Bartlett1-1/+1
This function handles more than NTLMSSP now, at least when we are an AD DC and so changing the name may avoid some confusion in the future. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-22s3-auth rename auth_ntlmssp_state -> auth_generic_stateAndrew Bartlett1-1/+1
This structure handles more than NTLMSSP now, at least when we are an AD DC and so changing the name may avoid some confusion in the future. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-12-16s3:smbd: avoid using sconn_server_id()Stefan Metzmacher1-1/+1
metze
2011-12-15s3:smbd: pass smbd_server_connection and a snumused function pointer to ↵Stefan Metzmacher1-2/+2
reload_services() metze
2011-11-16s3:smbd: calculate the negprot signing flags from the signing_stateStefan Metzmacher1-3/+10
We should map from lp_server_signing() just once in srv_init_signing(). metze Signed-off-by: Günther Deschner <gd@samba.org> Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Wed Nov 16 18:59:49 CET 2011 on sn-devel-104
2011-11-04s3:smbd: also send the server name in the negprot responseStefan Metzmacher1-0/+8
This matches W2K (at least sp4) and higher. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Fri Nov 4 15:50:06 CET 2011 on sn-devel-104
2011-11-03s3:smbd: make use of SMB_SIGNING_* constantsStefan Metzmacher1-4/+5
metze
2011-10-21s3-ntlmssp Remove auth_ntlmssp_update wrapperAndrew Bartlett1-2/+2
We now just call gensec_update directly. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
2011-09-14s3:smbd: make use of better SMB signing negotiationStefan Metzmacher1-1/+0
metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Wed Sep 14 09:41:02 CEST 2011 on sn-devel-104
2011-09-10libcli/smb: s/FLAGS2_UNKNOWN_BIT4/FLAGS2_SMB_SECURITY_SIGNATURES_REQUIREDStefan Metzmacher1-1/+1
metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Sat Sep 10 00:34:50 CEST 2011 on sn-devel-104
2011-09-05s3:smb2_server: add basic support for SMB 2.1Stefan Metzmacher1-0/+1
This adds support for the 2 stage negprot, from SMB 1 to SMB 2.1. Support for this of for now and "max protocol = SMB2" still maps to "max protocol = SMB2_02" PROTOCOL_SMB2_02. In order to activate smb2.1, you need to use "max protocol = SMB2_10". metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Mon Sep 5 19:30:58 CEST 2011 on sn-devel-104
2011-09-05s3:smbd: make use of PROTOCOL_SMB2_02Stefan Metzmacher1-1/+1
metze
2011-08-31s3: Fix bug 8334, do not fork the echo handler for smb2Volker Lendecke1-1/+2
If a smb1 negprot negotiated smb2 we forked the echo responder. This will eventually lead to a panic from [2011/08/30 10:33:29.212578, 0, pid=3846917] smbd/smb2_server.c:243(smbd_smb2_request_create) Invalid SMB packet: first request: 0x0009 because from the echo responder we always read using the normal smb1 protocol handling routine. If that is a bit down the smb2 stream, we get a non-negprot packet and panic. BTW, the echo responder is not required for smb2 anyway, Microsoft confirmed that it probes the server liveness using TCP keepalives and not smb2 echo requests. Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Wed Aug 31 17:58:48 CEST 2011 on sn-devel-104
2011-08-03s3-auth use auth_generic_start to get full GENSEC in Samba3 session setupAndrew Bartlett1-1/+27
This tests if the auth_generic_start() hook is available on the auth context during the negprot, and if so it uses auth_generic_start() to hook to GENSEC to handle the full SPNEGO blob. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-07-12s3:smbd: use PROTOCOL_SMB2_02 instead PROTOCOL_SMB2Stefan Metzmacher1-1/+1
metze
2011-06-09s3-param Remove special case for global_myname(), rename to lp_netbios_name()Andrew Bartlett1-2/+2
There is no reason this can't be a normal constant string in the loadparm system, now that we have lp_set_cmdline() to handle overrides correctly. Andrew Bartlett
2011-06-09s3-talloc Change TALLOC_REALLOC_ARRAY() to talloc_realloc()Andrew Bartlett1-1/+1
Using the standard macro makes it easier to move code into common, as TALLOC_REALLOC_ARRAY isn't standard talloc. Andrew Bartlett
2011-05-20s3: Fork the echo handler only after SMB1 negprot is doneVolker Lendecke1-0/+5
This enables activating the echo responder also if SMB2 is enabled, albeit it will only be used for SMB1 at this moment. Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Fri May 20 15:06:03 CEST 2011 on sn-devel-104
2011-05-04BUGFIX when converting from safe_strcpy to strlcpy.Jeremy Allison1-1/+5
We must have a blob legth > 0 in order to safely copy the (possibly) 16 bytes + 1 byte zero character safely.
2011-04-14s3: only include smb profiling where needed.Günther Deschner1-0/+1
Guenther Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Thu Apr 14 01:31:39 CEST 2011 on sn-devel-104
2011-03-30s3-messages: only include messages.h where needed.Günther Deschner1-0/+1
Guenther
2011-03-30s3-auth: smbd needs auth.hGünther Deschner1-0/+1
Guenther
2011-03-30s3: include smbd/smbd.h where needed.Günther Deschner1-0/+1
Guenther
2011-03-23s3-safe_string: Add checked_strlcpy()Andrew Bartlett1-1/+1
This is strlcpy, just with an extra check of the parameters with sizeof(), use only where that works. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Wed Mar 23 03:39:35 CET 2011 on sn-devel-104
2011-03-02s3-server_id: only include server_id where needed.Günther Deschner1-0/+1
Guenther
2010-12-19s3: Fix some nonempty blank linesVolker Lendecke1-22/+22
2010-12-10s3-smbd Don't send SPNEGO principal (rfc4178 hint) by defaultAndrew Bartlett1-0/+3
This patch, based on the suggestion by Goldberg, Neil R. <ngoldber@mitre.org> turns off the sending of the principal in the negprot by default, matching Windows 2008 behaviour. This slowly works us back from this hack, which from an RFC perspective was never the right thing to do in the first place, but we traditionally follow windows behaviour. It also discourages client implmentations from relying on it, as if they do they are more open to man-in-the-middle attacks. Andrew Bartlett
2010-11-29Fix bug discovered with "encryped passwords = no".Jeremy Allison1-8/+1
message_push_string() and message_push_blob() both update the bcc value, so we don't need the old code that tries to do it manually. Jeremy. Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Mon Nov 29 22:24:01 CET 2010 on sn-devel-104
2010-09-26s3: Lift talloc_autofree_context() from make_auth_context_subsystem()Volker Lendecke1-1/+1
2010-08-31s3: use fine grained time in netprot responseBjörn Jacke1-3/+4
2010-08-18s3: Lift smbd_server_fd from reload_services()Volker Lendecke1-2/+2
2010-08-08s3: Lift the smbd_messaging_context from reload_servicesVolker Lendecke1-2/+2
2010-08-08s3:smbd: fix valgrind warning, sizeof(16) != 16...Stefan Metzmacher1-1/+1
metze
2010-07-20Fix one more data_blob -> data_blob_talloc. Move away from implicit NULL ↵Jeremy Allison1-2/+2
context tallocs. Jeremy.
2010-07-19Remove gen_negTokenInit() - change all callers to spnego_gen_negTokenInit().Jeremy Allison1-3/+3
We now have one function to do this in all calling code. More rationalization to follow. Jeremy.
2010-07-19Move the addition of the 16 byte guid out of spnego_gen_negTokenInit() andJeremy Allison1-23/+32
into negprot_spnego() where it belongs (it's not an SPNEGO operation). Add a TALLOC_CTX for callers of negprot_spnego(). Closer to unifying all the gen_negTokenXXX calls. Jeremy.
2010-07-19s3-auth: Simplify how we free the auth_contextSimo Sorce1-2/+1
Turn the freeing function into a destructor and attach it to the auth_context. Make all callers TALLOC_FREE() the auth_context instead of calling the free function. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-05s3: Remove procid_self() from reply_negprot()Volker Lendecke1-1/+1
2010-07-04s3: Remove serverid_[de]register_selfVolker Lendecke1-2/+3
This removes some deep references to procid_self()
2010-06-12s3: Explicitly pass sconn to negprot_spnego()Volker Lendecke1-3/+2
2010-06-12s3: Remove some global references to smbd_server_connVolker Lendecke1-10/+9