Age | Commit message (Collapse) | Author | Files | Lines |
|
supporttrunk/source/smbd/sesssetup.c
(This used to be commit aab17a7095a18b243a271f8f3f824facd6932f23)
|
|
Jeremy.
(This used to be commit 1de27da47051af08790317f5b48b02719d6b9934)
|
|
safe for using our headers and linking with C++ modules. Stops us
from using C++ reserved keywords in our code.
Jeremy
(This used to be commit 9506b8e145982b1160a2f0aee5c9b7a54980940a)
|
|
keytab and security != ads
(This used to be commit 3faaa5c3eb3b2057984586e069a47cb210c99140)
|
|
aruna.prabakar@hp.com).
This re-enables the Samba 2.2 behavior where a user that was
successfully authenticated by a remote DC would be mapped
to the guest account if there was not existing UNIX account
for that user and we could not create one.
(This used to be commit b7455fbf81f4e47c087c861f70d492a328730a9b)
|
|
(This used to be commit 4cda2bd035276bd090bf0fbd4e3b2eff657a80cb)
|
|
version to 3.0.20pre1
(This used to be commit 9727d05241574042dd3aa8844ae5c701d22e2da1)
|
|
(This used to be commit c70c5c4ee9b14fbdb174f542607aceebe0e88470)
|
|
about unitialized variable
(This used to be commit 3a91b20e4bcc78c91932e6c4394b3f6f153b2ff5)
|
|
(This used to be commit efea76ac71412f8622cd233912309e91b9ea52da)
|
|
1. using smbc_getxattr() et al, one may now request all access control
entities in the ACL without getting all other NT attributes.
2. added the ability to exclude specified attributes from the result set
provided by smbc_getxattr() et al, when requesting all attributes,
all NT attributes, or all DOS attributes.
3. eliminated all compiler warnings, including when --enable-developer
compiler flags are in use. removed -Wcast-qual flag from list, as that
is specifically to force warnings in the case of casting away qualifiers.
Note: In the process of eliminating compiler warnings, a few nasties were
discovered. In the file libads/sasl.c, PRIVATE kerberos interfaces
are being used; and in libsmb/clikrb5.c, both PRIAVE and DEPRECATED
kerberos interfaces are being used. Someone who knows kerberos
should look at these and determine if there is an alternate method
of accomplishing the task.
(This used to be commit 994694f7f26da5099f071e1381271a70407f33bb)
|
|
client caps.
Jeremy.
(This used to be commit 4868e4202775c1c0a60828e0c6f6fa23cf8346e1)
|
|
using krb5
(This used to be commit 19a639ac468237b22f16d917c0150fbf10c9623e)
|
|
Jeremy.
(This used to be commit 3e10c36cb50462d1f220029e8fa64c3b6e554e6c)
|
|
consistent
enum type for Protocol extern.
Jeremy.
(This used to be commit 65dfae7ea45d4c9452b2a08efa09b01d870142f3)
|
|
(This used to be commit e1364ff774b62f46c0f50864695da49972352126)
|
|
any more.
Andrew Bartlett
(This used to be commit 9d5821d5ee5e9f666dfbe75419e97508af9cad5e)
|
|
kawasa_r@itg.hitachi.co.jp. A couple of mem leak fixes in
mainline code paths though :-).
Jeremy.
(This used to be commit 4695cc95fe576b6da0d0cb0686f208fc306b2646)
|
|
key could
be anything, and may not be based on anything 'NT'. This is also what microsoft
calls it.
(This used to be commit 724e8d3f33719543146280062435c69a835c491e)
|
|
(This used to be commit 40b5794ae0919c6c6f1b8a451871dcc95bbab5cc)
|
|
LANMAN password. This also corrects the 'session key'
for these connections.
(This used to be commit 26d8791ddedb7964c219067480cf4a7d61877765)
|
|
ago.
This patch re-adds support for 'optional' SMB signing. It also ensures that
we are much more careful about when we enable signing, particularly with
on-the-fly smb.conf reloads.
The client code will now attempt to use smb signing by default, and disable
it if the server doesn't correctly support it.
Andrew Bartlett
(This used to be commit e27b5cbe75d89ec839dafd52dd33101885a4c263)
|
|
current_user_info struct in register_vuid() -- shouldn't be any more broken than we were
(This used to be commit a90c3bd281e7a62bb8482e42aa3b674eeeb5995a)
|
|
use default domain = yes
(This used to be commit f2eaa14b1eb7e89c945b2b06a48e17998c75d620)
|
|
initialise the session key. Fixes segfaults with security=server, and
encrypt passwords = no.
Andrew Bartlett
(This used to be commit 493ac5ce98fa3fcddb596139240dd762e70d4ac3)
|
|
register_vuid correctly. We ended up with the local netbios name in
substitutions for %D later.
Volker
P.S: Tridge, I can *really* see why you want to get rid of global variables
:-)
(This used to be commit 3d9931fe291559a907c3e172a66fbce1155497a3)
|
|
Jeremy.
(This used to be commit 8e20c06ed31d9ec10ff0155b1624eee3d60cd006)
|
|
session setup. After talking to jht and abartlet I made this unconditional, no
additional parameter.
Jerry: This is a change in behaviour, but I think it is necessary.
Volker
(This used to be commit 3ce6c9f27368cfb278007fe660a0e44a84d67f8f)
|
|
Jeremy.
(This used to be commit ba0b5b8c9be9bfeba5e0b3f930ca0463d1e78c9c)
|
|
(This used to be commit 2f43a1c166dfc8679a9d03bd0f3cf9303aafcf74)
|
|
Jeremy.
(This used to be commit 4e73faa7b4af7f73bdce9fcc2ee1825249dc7da7)
|
|
cope.
Jeremy.
(This used to be commit 0d82ac57a59276adb403f8e023578c2d6d5136e4)
|
|
- NTLM2 support in the server
- KEY_EXCH support in the server
- variable length session keys.
In detail:
- NTLM2 is an extension of NTLMv1, that is compatible with existing
domain controllers (unlike NTLMv2, which requires a DC upgrade).
* This is known as 'NTLMv2 session security' *
(This is not yet implemented on the RPC pipes however, so there may
well still be issues for PDC setups, particuarly around password
changes. We do not fully understand the sign/seal implications of
NTLM2 on RPC pipes.)
This requires modifications to our authentication subsystem, as we
must handle the 'challege' input into the challenge-response algorithm
being changed. This also needs to be turned off for
'security=server', which does not support this.
- KEY_EXCH is another 'security' mechanism, whereby the session key
actually used by the server is sent by the client, rather than being
the shared-secret directly or indirectly.
- As both these methods change the session key, the auth subsystem
needed to be changed, to 'override' session keys provided by the
backend.
- There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
- The 'names blob' in NTLMSSP is always in unicode - never in ascii.
Don't make an ascii version ever.
- The other big change is to allow variable length session keys. We
have always assumed that session keys are 16 bytes long - and padded
to this length if shorter. However, Kerberos session keys are 8 bytes
long, when the krb5 login uses DES.
* This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. *
- Add better DEBUG() messages to ntlm_auth, warning administrators of
misconfigurations that prevent access to the privileged pipe. This
should help reduce some of the 'it just doesn't work' issues.
- Fix data_blob_talloc() to behave the same way data_blob() does when
passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of data structures...
(This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
|
|
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at
all and I really want to discourage that.
Jeremy.
(This used to be commit d7e35dfb9283d560d0ed2ab231f36ed92767dace)
|
|
sesssetup to fall back to 'user' instaed of failing is REA.LM\user
doesn't exist.
also fix include line in smb_acls.h as requested by metze
(This used to be commit 62ed2598b3441b3c198872df8eb55e594332807b)
|
|
(This used to be commit afbf15f94189f50cd447d9bcdebbc4886800b05a)
|
|
(This used to be commit ae452e51b02672a56adf18aa7a7e365eeaba9272)
|
|
out. Return the standard 'logon failure' instead.
Andrew Bartlett
(This used to be commit a83506802fd331af78d2fd6e6a5cd507b5a40ca3)
|
|
Currently I'm compiling against MIT Kerberos 1.2.8.
Anthony, you said you have a heimdal installation available. Could you
please compile this stuff with krb and check it with valgrind?
Thanks,
Volker
(This used to be commit d8ab44685994b302bb46eed9001c72c194d13dc8)
|
|
auth.realm. So directly pass that instead of setting up and tearing
down the ADS_STRUCT.
Volker
(This used to be commit ce5b8d2ec20fe1f4d3d1956020d88272fb84124a)
|
|
(This used to be commit a2bd8f0bfa12f2a1e33c96bc9dabcc0e2171700d)
|
|
from RFC but I'm smelling a client bug here.
/* only look at the first OID for determining the mechToken --
accoirding to RFC2478, we should choose the one we want
and renegotiate, but i smell a client bug here..
Problem observed when connecting to a member (samba box)
of an AD domain as a user in a Samba domain. Samba member
server sent back krb5/mskrb5/ntlmssp as mechtypes, but the
client (2ksp3) replied with ntlmssp/mskrb5/krb5 and an
NTLMSSP mechtoken. --jerry */
(This used to be commit 731420b03dbc15977822f74047e931dc62284fc0)
|
|
as the ntlmssp case.
Jeremy.
(This used to be commit 79e0bf829875fc985f1940dc31ee418aad910ed6)
|
|
time. )-:
(This used to be commit 59dae1da66a5eb7e128263bd578f167d8746e9f0)
|
|
(This used to be commit ba4d334b822248d8ab929c9568533431603d967e)
|
|
next....
Jeremy.
(This used to be commit eff74a1fcc597497a4c70589a44c1b70e93ab549)
|
|
to pstr_sprintf() and fstr_sprintf() to try to standardize.
lots of snprintf() calls were using len-1; some were using
len. At least this helps to be consistent.
(This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
|
|
I think (my changes haven't affected this I believe). Initial support on the
server side for smbclient. Still doesn't work for w2k clients I think...
Work in progress..... (don't change).
Jeremy.
(This used to be commit e5714edc233424c2f74edb6d658f32f8e0ec9275)
|
|
on. Fail if missmatch. Small format tidyups in smbd/sesssetup.c. Preparing
to add signing on server side.
Jeremy.
(This used to be commit c390b3e4cd68cfc233ddf14d139e25d40f050f27)
|
|
Jeremy.
(This used to be commit 30bbf4c8c4cbed0f7980237ea9b78baa785dec3d)
|