summaryrefslogtreecommitdiff
path: root/source3/utils/ntlm_auth.c
AgeCommit message (Collapse)AuthorFilesLines
2004-04-03Fix most of bug #169.Andrew Bartlett1-0/+1
For a (very) long time, we have had a bug in Samba were an NTLMv2-only PDC would fail, because it converted the password into NTLM format for checking. This patch performs the direct comparison required for interactive logons to function in this situation. It also removes the 'auth flags', which simply where not ever used. Natrually, this plays with the size of structures, so rebuild, rebuild rebuild... Andrew Bartlett (This used to be commit 9598593bcf2d877b1d08cd6a7323ee0bc160d4ba)
2004-03-24Fix bugzilla # 1208Jim McDonough1-1/+2
Winbind tickets expired. We now check the expiration time, and acquire new tickets. We couln't rely on renewing them, because if we didn't get a request before they expired, we wouldn't have renewed them. Also, there is a one-week limit in MS on renewal life, so new tickets would have been needed after a week anyway. Default is 10 hours, so we should only be acquiring them that often, unless the configuration on the DC is changed (and the minimum is 1 hour). (This used to be commit c2436c433afaab4006554a86307f76b6689d6929)
2004-03-11Restore the contract on all convert_stringXX() interfaces. Add a ↵Jeremy Allison1-1/+1
"allow_bad_conv" boolean parameter that allows broken iconv conversions to work. Gets rid of the nasty errno checks in mangle_hash2 and check_path_syntax and allows correct return code checking. Jeremy. (This used to be commit 7b96765c23637613f079d37566d95d5edd511f05)
2004-02-08Make this table static const.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 0686bc9e076c722e33dd9b236cf7c33d448c3b34)
2004-01-08This merges in my 'always use ADS' patch. Tested on a mix of NT and ADSAndrew Bartlett1-5/+10
domains, this patch ensures that we always use the ADS backend when security=ADS, and the remote server is capable. The routines used for this behaviour have been upgraded to modern Samba codeing standards. This is a change in behaviour for mixed mode domains, and if the trusted domain cannot be reached with our current krb5.conf file, we will show that domain as disconnected. This is in line with existing behaviour for native mode domains, and for our primary domain. As a consequence of testing this patch, I found that our kerberos error handling was well below par - we would often throw away useful error values. These changes move more routines to ADS_STATUS to return kerberos errors. Also found when valgrinding the setup, fix a few memory leaks. While sniffing the resultant connections, I noticed we would query our list of trusted domains twice - so I have reworked some of the code to avoid that. Andrew Bartlett (This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
2003-12-30Get the DOMAIN\username around the right way (I had username\domain...)Andrew Bartlett1-1/+3
Push the unix username into utf8 for it's trip across the socket. Andrew Bartlett (This used to be commit 3225f262b18bdcf326d3bfd031dac169bd9347c9)
2003-12-30Try to gain a bit more consistancy in the output of usernames from ntlm_auth:Andrew Bartlett1-11/+23
Instead of returning a name in DOMAIN\user format, we now return it in the same way that nsswtich does - following the rules of 'winbind use default domain', in the correct case and with the correct seperator. This should help sites who are using Squid or the new SASL code I'm working on, to match back to their unix usernames. Andrew Bartlett (This used to be commit 7a3a5a63612b2698a39f784859496c395505a79b)
2003-12-30Make the name of the NTLMSSP client more consistant before we lock it in stone.Andrew Bartlett1-2/+2
(This used to be commit 0fa268863b7352343eb7f211181a02f60848bd0c)
2003-12-30Remove testing hackAndrew Bartlett1-2/+0
(This used to be commit 96f3beb462a6d4a489e894c1f05c528107135b3a)
2003-12-30Move our basic password checking code from inside the authenticationAndrew Bartlett1-54/+254
subsystem into a seperate file - ntlm_check.c. This allows us to call these routines from ntlm_auth. The purpose of this exercise is to allow ntlm_auth (when operating as an NTLMSSP server) to avoid talking to winbind. This should allow for easier debugging. ntlm_auth itself has been reorgainised, so as to share more code between the SPNEGO-wrapped and 'raw' NTLMSSP modes. A new 'client' NTLMSSP mode has been added, for use with a Cyrus-SASL module I am writing (based on vl's work) Andrew Bartlett (This used to be commit 48315e8fd227978e0161be293ad4411b45e3ea5b)
2003-12-30Refactor our authentication and authentication testing code.Andrew Bartlett1-342/+181
The next move will be to remove our password checking code from the SAM authentication backend, and into a file where other parts of samba can use it. The ntlm_auth changes provide for better use of common code. Andrew Bartlett (This used to be commit 2375abfa0077a884248c84614d5109f57dfdf5b1)
2003-12-24Thanks to Serassio Guido for noticing issues in our Squid NTLMSSPAndrew Bartlett1-4/+9
implementation. We were not resetting the NTLMSSP state for new negotiate packets. Andrew Bartlett (This used to be commit e0a026c9b561893e5534923b18ca748e6177090e)
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett1-72/+112
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-11-06Final round of printf warnings fixes for the moment.Tim Potter1-2/+2
(This used to be commit 0519a7022b4979c0e8ddd4907f4b858a59299c06)
2003-08-15get rid of more compiler warningsHerb Lewis1-39/+39
(This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669)
2003-08-15Add the gss-spnego kerberos server side to ntml_auth. This uses theVolker Lendecke1-10/+68
same ads_verify_ticket routine that smbd uses, so in the current state we have to be have the host password in secrets.tdb instead of the keytab. This means we have to be an ADS member, but it's a start. Volker (This used to be commit dc2d2ad467927affbd1461df75f77f07ddfbc3b1)
2003-08-14Fix the build for non-kerberos environments.Volker Lendecke1-0/+8
Volker (This used to be commit c8f4d7952ffbe0438e33c37ae1365e5dd4f1734a)
2003-08-12This adds *experimental* kerberos gss spnego client support to ntlm_auth.Volker Lendecke1-12/+110
(This used to be commit 5522c79045dd9ee6804bc2bf2114178cbed6df48)
2003-08-12Some more shuffling around gss-spnego serverVolker Lendecke1-34/+37
(This used to be commit f2c85595dae81e119d0f7f9ec769ff865916a052)
2003-08-12Clarify gss spnego ntlmssp server a bitVolker Lendecke1-36/+29
(This used to be commit 807b452a7fe7960acd0259a289f0c67011cb1aaf)
2003-08-12Fix for bug 269. Change wbinfo and ntlm_auth to convert domain, usernameTim Potter1-3/+17
and workstation to utf8 before sending the winbindd request. Also, don't continue when the call to pull_utf8() fails but rather return a winbind error. (This is what was causing the crash) (This used to be commit ca1c463360b75538a93b56a87cbb4a6ee7b6cec6)
2003-08-04Changes to make gss-spnego ntlmssp client work against W2k AD.Volker Lendecke1-26/+42
Now I know where the mechListMIC changes came from: Ethereal ;-) Volker (This used to be commit 4e9eed1273035d09ac3b427b9711327ba8c6ebfc)
2003-08-01Add ntlmssp client support to ntlm_auth. Find the corresponding cyrus saslVolker Lendecke1-25/+310
module under http://samba.sernet.de/cyrus-gss-spnego.diff Volker (This used to be commit a82f6a00969f7ea377626c28ec05ace04f8135a9)
2003-07-31Fixes for memory leaks in gss spnego handling by aliguori.Volker Lendecke1-13/+9
Volker (This used to be commit 946695242f0a6db0e8c712f9bd97ac3cb99c4119)
2003-07-29This adds gss-spnego to ntlm_auth. It contains some new spnego supportVolker Lendecke1-1/+225
from Jim McDonough. It is to enable cyrus sasl to provide the gss-spnego support. For a preliminary patch to cyrus sasl see http://samba.sernet.de/cyrus-gss-spnego.diff Volker (This used to be commit 45cef8f66e46abe4a25fd2b803a7d1051c1c6602)
2003-07-23convert snprintf() calls using pstrings & fstringsGerald Carter1-1/+1
to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-07and so it begins....Gerald Carter1-20/+20
* remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-05-12Fix up a bit of my sloppy C.Andrew Bartlett1-3/+2
(This used to be commit f67cc24acf37a9f46427c993574ecf261d7aec1a)
2003-05-12Give up on the idea of avoiding lp_load() in ntlm_auth....Andrew Bartlett1-8/+18
Also, we might be given a 0 length challenge, so don't smb_panic() for smb_xmalloc() of zero size. Andrew Bartlett (This used to be commit 4842de04cf2e1528e726dfad070dfe3a82f46fa2)
2003-05-10Reverse previous patch from Stefan and me after comments by Andrew BartlettJelmer Vernooij1-2/+0
(This used to be commit d817eaf0ecca2d878ab1ffcf7a747a02d71c811e)
2003-05-10Patch from metze and me that adds dummy smb_register_*() functions soJelmer Vernooij1-0/+2
that is now possible to, for example, load a module which contains an auth method into a binary without the auth/ subsystem built in. (This used to be commit 74d9ecfe2dd7364643d32acb62ade957bd71cd0d)
2003-05-09Finally get NTLMv2 working on the client!Andrew Bartlett1-84/+29
With big thanks to tpot for the ethereal disector, and for the base code behind this, we now fully support NTLMv2 as a client. In particular, we support it with direct domain logons (tested with ntlm_auth --diagnostics), with 'old style' session setups, and with NTLMSSP. In fact, for NTLMSSP we recycle one of the parts of the server's reply directly... (we might need to parse for unicode issues later). In particular, a Win2k domain controller now supplies us with a session key for this password, which means that doman joins, and non-spnego SMB signing are now supported with NTLMv2! Andrew Bartlett (This used to be commit 9f6a26769d345d319ec167cd0e82a45e1207ed81)
2003-05-09Added some more diagnostic tests to check out a theory that having either hashTim Potter1-12/+174
- auth with ntlmv2 and lmv2 but deliberately break the ntlmv2 hash - auth with ntlmv2 and lmv2 but deliberately break the lmv2 hash - auth with ntlm and lm but deliberately break the ntlm hash - auth with ntlm and lm but deliberately break the lm hash My theory is that the NTLM or NTLMv2 field must be correct and if it is, it doesn't matter what the value of the LM or LMv2 field is. Fixed cosmetic test name display bug. (This used to be commit 5dcde9451bd0d6a7462b77cf5ed137bfd691adaa)
2003-05-05We also get back the LM session key on pure 'NTLM' logins.Andrew Bartlett1-1/+16
Andrew Bartlett (This used to be commit 7342c70b4cecfc1f42c46b19360db6c077604be2)
2003-05-05Add some comments.Andrew Bartlett1-0/+34
(This used to be commit 855fab395f97dd232fd9bb78e62ad12b16fe2a24)
2003-05-05Add some more tests to the ntlm_auth diagnositics package.Andrew Bartlett1-9/+373
Our NTLMv2 client code needs work, becouse we don't get the session key for any of the NTLMv2 stuff... Also test some of the more 'odd' auth cases - like putting the NT password into the LM feild. Clean up some static globals into static locals. Andrew Bartlett (This used to be commit 62f0acc99166e9518f59bc5d091b76c35837e65c)
2003-04-30Fix for AIX - you can't qualify a return type as const, when it's not aAndrew Bartlett1-1/+1
pointer. (merge from HEAD). Andrew Bartlett (This used to be commit 9e3d0cd9dea1234d6e6a26d03995b5edfaed5186)
2003-04-28Fix compiler warning.Tim Potter1-1/+1
(This used to be commit f127f964250c86986996afab905b40cff420bfd5)
2003-04-28Merge of const fixes from HEAD.Tim Potter1-1/+1
(This used to be commit a847ebd82732cc2b430c58c3b287a46db0e35ba1)
2003-04-23This const isn't quite vaild C.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit de96c1aaca9006696d61aa3d07151c0f74516e63)
2003-04-14Merge:Tim Potter1-1/+2
- Jelmer's latest popt changes (This used to be commit 6a54d9a0a77c71664dc6cdbed1adf492c28c0cce)
2003-04-07Merge the ntlm_auth updates (refactor, add --diagnostics) into Samba 3.0Andrew Bartlett1-121/+425
Andrew Bartlett (This used to be commit d711a1c95c92f5a89b43bf29bba8460b870d3b3a)
2003-03-24(merge from HEAD)Andrew Bartlett1-82/+82
NTLM Authentication: - Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664)
2003-02-25Merge: add popt_common_version to command line options table.Tim Potter1-0/+1
(This used to be commit 8de62f7896a53084e87b95c013d8693214c8ab85)
2003-01-17the 'static' keyword here is useless as we are not declaring aAndrew Tridgell1-1/+1
variable or function (This used to be commit f2c9c64900c4da24f73b188deb0f57271e3bf3e7)
2003-01-16Updates to the NTLMSSP code again - moving the base64 decode fuctionality outAndrew Bartlett1-29/+150
of the SWAT code, and adding a base64 encoder. The main purpose of this patch is to add NTLMSSP support to 'ntlm_auth', for use with Squid. Unfortunetly the squid side doesn't quite support what we need yet. Changes to winbind to get us the info we need, and a couple of consequential changes/cleanups in the rest of the code. Andrew Bartlett (This used to be commit fe50ca8f54ded2e119bde08831785fbe0db2ee99)
2003-01-02Add a dash of static.Andrew Bartlett1-3/+3
(This used to be commit 6d201c9616c5c30234c0d0d6cd9e2ca60bf736c5)
2003-01-02BIG patch...Andrew Bartlett1-1/+1
This patch makes Samba compile cleanly with -Wwrite-strings. - That is, all string literals are marked as 'const'. These strings are always read only, this just marks them as such for passing to other functions. What is most supprising is that I didn't need to change more than a few lines of code (all in 'net', which got a small cleanup of net.h and extern variables). The rest is just adding a lot of 'const'. As far as I can tell, I have not added any new warnings - apart from making all of tdbutil.c's function const (so they warn for adding that const string to struct). Andrew Bartlett (This used to be commit 92a777d0eaa4fb3a1c7835816f93c6bdd456816d)
2002-11-24Add support to switch between Squid 2.4 and 2.5 protocols - squid doesn'tAndrew Bartlett1-7/+20
encode the username, so don't decode it (users could play HTTP escaping games on usernames). Andrew Bartlett (This used to be commit 71e24d0200e71ffcf52eaa77edc89175f31a45cd)
2002-11-24Add ntlm_auth, a new program to provide a stable interface to winbind'sAndrew Bartlett1-0/+416
authentication code. In particular, ntlm_auth is designed to replace the winbind authentication 'helpers' currently supplied by Squid. I have added support for the current plaintext password protocol used by Squid, and will add the real guts (NTLMSSP support) shortly. I'll merge this into 3.0 when I've got the interface more stable (error message format etc) and got the important NTLMSSP support added. Also move SWAT's URL decoding code into util_str.c, for use in both utilities. Andrew Bartlett (This used to be commit 82dbf838879e8a2d2d3f9dd5be6eda50b780b787)