summaryrefslogtreecommitdiff
path: root/source4/auth/ntlmssp
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r14701: Allow, with non-default options, NTLMSSP to access the LM session key,Andrew Bartlett1-2/+3
even when not sending the LM response. Needed to pass the test_session_key against Win2k3. Yes, I think this is a security flaw in the use of Win2k3-compatible NTLM. Andrew Bartlett (This used to be commit cb6c27b4f29878a6a904f798e228eea05cc658e1)
2007-10-10r14542: Remove librpc, libndr and libnbt from includes.hJelmer Vernooij1-0/+1
(This used to be commit 51b4270513752d2eafbe77f9de598de16ef84a1f)
2007-10-10r14477: Remove the NOPROTO property - it's no longer used as proto.h is gone.Jelmer Vernooij1-1/+0
(This used to be commit 9c37f847d32d2f327a88c53a90af0c73126b76be)
2007-10-10r14464: Don't include ndr_BASENAME.h files unless strictly required, insteadJelmer Vernooij1-1/+1
try to include just the BASENAME.h files (containing only structs) (This used to be commit 3dd477ca5147f28a962b8437e2611a8222d706bd)
2007-10-10r14380: Reduce the size of structs.hJelmer Vernooij3-2/+3
(This used to be commit 1a16a6f1dfa66499af43a6b88b3ea69a6a75f1fe)
2007-10-10r14071: fix the buildStefan Metzmacher1-2/+4
metze (This used to be commit af63ed9eb3a5af3e4eeb84c66397255ea90ea764)
2007-10-10r14070: this functions need to be exported,Stefan Metzmacher1-2/+2
it's ugly, but they're used in torture tests I hope to find a better solution for this later... metze (This used to be commit be8874e9d3f1a022a42ccd1262dc5ce7bd5d1a91)
2007-10-10r14064: - split out MSRPC_PARSE into a speperate subsystemStefan Metzmacher5-2/+10
- build gensec_ntlmssp always static for now, because torture/auth/ntlmssp.c needs to access functions from it metze (This used to be commit 43733c9556c1c92336780206e3f71bdee6e43eee)
2007-10-10r13960: Generate makefile rules for installing/removing shared modules.Jelmer Vernooij1-2/+2
(This used to be commit 2c746980328431ab04852dc668899e3eb042da99)
2007-10-10r13924: Split more prototypes out of include/proto.h + initial work on headerJelmer Vernooij4-1/+4
file dependencies (This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781)
2007-10-10r13903: Don't generate prototypes for modules and binaries in include/proto.h byJelmer Vernooij1-1/+2
default. (This used to be commit c80a8f1102caf744b66c13bebde38fba74983dc4)
2007-10-10r13472: After Volker's advise, try every combination of parameters. ThisAndrew Bartlett1-4/+6
isn't every parameter on NTLMSSP, but it is most of the important ones. This showed up that we had the '128bit && LM_KEY' case messed up. This isn't supported, so we must look instead at the 56 bit flag. Andrew Bartlett (This used to be commit 990da31b5f63f1e707651af8bf1a3241a8309811)
2007-10-10r13471: With more 'try all options' testing, I found this 'simple' but in theAndrew Bartlett1-1/+1
NTLM2 signing code. Andrew Bartlett (This used to be commit 16e5c968756c40b8595503da47a1adb9cb09c447)
2007-10-10r13470: Thanks to a report from VL:Andrew Bartlett4-25/+39
We were causing mayhem by weakening the keys at the wrong point in time. I think this is the correct place to do it. The session key for SMB signing, and the 'smb session key' (used for encrypting password sets) is never weakened. The session key used for bulk data encryption/signing is weakened. This also makes more sense, when we look at the NTLM2 code. Andrew Bartlett (This used to be commit 3fd32a12094ff2b6df52f5ab2af7c0ffceb5a4a0)
2007-10-10r13467: Add new parametric options (for testing) controlling LM_KEY and 56-bitAndrew Bartlett1-5/+13
encryption behaviour. Andrew Bartlett (This used to be commit 2b3b2f33a4c531f2b0f65521cc352e6d762e95bd)
2007-10-10r13252: Cleanup, both in code, comments and talloc use:Andrew Bartlett2-11/+33
In particular, I've used the --leak-report-full option to smbd to track down memory that shouldn't be on a long-term context. This is now talloc_free()ed much earlier. Andrew Bartlett (This used to be commit c6eb74f42989d62c82d2a219251837b09df8491c)
2007-10-10r13170: Remove some dependencies on -1 implying the size of pstringJelmer Vernooij1-6/+4
(This used to be commit f7c28d31481f6479f258cd878d173cbc42ed9de0)
2007-10-10r12927: Fix typo.Andrew Bartlett1-1/+1
(This used to be commit 01e98966ca955e86ec46f8bce3892899e2717df9)
2007-10-10r12919: Ensure we never 'extend' the session key length, or fill in past theAndrew Bartlett1-1/+5
length of the (possibly null) pointer. In reality this should come to us either 16 or 0 bytes in length, but this is the safest test. This is bug 3401 in Samba3, thanks to Yau Lam Yiu <yiuext at cs.ust.hk> Andrew Bartlett (This used to be commit f3aa702944ed7086d93bf05075f910e7e4617d9c)
2007-10-10r12804: This patch reworks the Samba4 sockets layer to use a socket_addressAndrew Bartlett1-1/+2
structure that is more generic than just 'IP/port'. It now passes make test, and has been reviewed and updated by metze. (Thankyou *very* much). This passes 'make test' as well as kerberos use (not currently in the testsuite). The original purpose of this patch was to have Samba able to pass a socket address stucture from the BSD layer into the kerberos routines and back again. It also removes nbt_peer_addr, which was being used for a similar purpose. It is a large change, but worthwhile I feel. Andrew Bartlett (This used to be commit 88198c4881d8620a37086f80e4da5a5b71c5bbb2)
2007-10-10r12795: remember the gensec_security contextStefan Metzmacher2-0/+3
metze (This used to be commit ec1a7b5cefc32172ea97338a7101fe8416071b69)
2007-10-10r12694: Move some headers to the directory of the subsystem they belong to.Jelmer Vernooij1-0/+1
(This used to be commit c722f665c90103f3ed57621c460e32ad33e7a8a3)
2007-10-10r12608: Remove some unused #include lines.Jelmer Vernooij1-1/+0
(This used to be commit 70e7449318aa0e9d2639c76730a7d1683b2f4981)
2007-10-10r12498: Eliminate INIT_OBJ_FILES and ADD_OBJ_FILES. We were not usingJelmer Vernooij1-2/+1
the difference between these at all, and in the future the fact that INIT_OBJ_FILES include smb_build.h will be sufficient to have recompiles at the right time. (This used to be commit b24f2583edee38abafa58578d8b5c4b43e517def)
2007-10-10r11366: Pass around the flags which indicate if we should support plaintextAndrew Bartlett1-0/+1
logins and NTLM machine account logins. Andrew Bartlett (This used to be commit 421e64c2b4192bb13d2857d6c8648ff687ed653e)
2007-10-10r11244: Relative path names in .mk filesJelmer Vernooij1-5/+5
(This used to be commit 24e10300906c380919d2d631bfb3b8fd6b3f54ba)
2007-10-10r11214: Remove scons files (see ↵Jelmer Vernooij1-0/+0
http://lists.samba.org/archive/samba-technical/2005-October/043443.html) (This used to be commit 7fffc5c9178158249be632ac0ca179c13bd1f98f)
2007-10-10r11081: Remember to remove unused variables.Jeremy Allison1-1/+0
Jeremy. (This used to be commit bfa41398a65037c6017b0af0ea1f0423011df150)
2007-10-10r11080: Narrowing down on the #1828 PPC bug. The PPC client sends anJeremy Allison1-19/+7
initial NTLMSSP negotiate blob of only 16 bytes - no strings added ! (So don't try parsing them). Jeremy. (This used to be commit 42d93a317ab424a0720620b83c285b5118bcc06f)
2007-10-10r11076: Still working on bug #1828, PPC hell. The PPC client sends theJeremy Allison1-2/+12
NTLMSSP client and domain strings as Unicode, even when setting flags as OEM. Cope with this. Jeremy. (This used to be commit 77399e1cecc44674c3398143d8a5bb59c600abcd)
2007-10-10r11052: bring samba4 uptodate with the samba4-winsrepl branch,Stefan Metzmacher1-5/+0
before the bad merge metze (This used to be commit 471c0ca4abb17fb5f73c0efed195c67628c1c06e)
2007-10-10r11037:Stefan Metzmacher1-0/+5
(This used to be commit 6913e338405a5aca5c70cf6e022532c596ed0a36)
2007-10-10r10981: Pull code to decide between and implement NTLMv2, NTLM and LMAndrew Bartlett1-125/+50
authentication out of the various callers and into the kitchen sink.. err, credentials subsystem. This should ensure consistant logic, as well as get us one step closer to security=server operation in future. Andrew Bartlett (This used to be commit 09c95763301c0f7770d56462e8af4169b8c171fb)
2007-10-10r10669: reverted jelmers commit 10663 as it was causing lots of panics in ↵Andrew Tridgell2-8/+13
'make test' I also think the method of getting rid of pstring isn't the right one. I certainly do want to get rid of pstring/fstring, but the reason for removing them is the use of arbitrary sized fixed length strings on the stack and in structures. Changing to another fixed length stack string format isn't really a win, and moving to use strncpy() is actually worse than pstrcpy() as strncpy() has the absolutely awful semantics of always zeroing all remaining bytes, so it ends up taking a lot of cpu doing pointless memory writes. I'd rather move to more use of asprintf()/talloc_asprintf() and similar functions for dynamic string allocation. You also have to be very careful about some of these system defined string limits. One some systems PATH_MAX could be 64k or even larger, which can quickly blow the stack out when you allocate a few of them. (This used to be commit 194efd26e42d621b239052ed1fec8da916bd2144)
2007-10-10r10663: Eliminate use of pstringJelmer Vernooij2-13/+8
(This used to be commit 57cfbe51e61e27098fad3f9b1113c6f8f69f9a55)
2007-10-10r10478: More work on proto headers; we now generate a couple of smaller onesJelmer Vernooij1-5/+0
that are then included by include/proto.h (This used to be commit 703ffbaaaca11f3d8781cfe9e7542fcaa626d991)
2007-10-10r10402: Make the RPC-SAMLOGON test pass against Win2k3 SP0 again.Andrew Bartlett1-2/+2
I still have issues with Win2k3 SP1, and Samba4 doesn't pass it's own test for the moment, but I'm working on these issues :-) This required a change to the credentials API, so that the special case for NTLM logins using a principal was indeed handled as a special, not general case. Also don't set the realm from a ccache, as then it overrides --option=realm=. Andrew Bartlett (This used to be commit 194e8f07c0cb4685797c5a7a074577c62dfdebe3)
2007-10-10r10348: Add scons scripts for remaining subsystems. Most subsystems build now,Jelmer Vernooij1-0/+5
but final linking still fails (as does generating files asn1, et, idl and proto files) (This used to be commit 4f0d7f75b99c7f4388d8acb0838577d86baf68b5)
2007-10-10r10292: This is set below from lp_server_role().Andrew Bartlett1-1/+0
Andrew Bartlett (This used to be commit 096c751f37172b06bb42b5c4d73b2743322d2f71)
2007-10-10r10153: This patch adds a new parameter to gensec_sig_size(), the size of theAndrew Bartlett1-1/+1
data to be signed/sealed. We can use this to split the data from the signature portion of the resultant wrapped packet. This required merging the gsskrb5_wrap_size patch from lorikeet-heimdal, and fixes AES encrption issues on DCE/RPC (we no longer use a static 45 byte value). This fixes one of the krb5 issues in my list. Andrew Bartlett (This used to be commit e4f2afc34362953f56a026b66ae1aea81e9db104)
2007-10-10r9728: A *major* update to the credentials system, to incorporate theAndrew Bartlett1-30/+25
Kerberos CCACHE into the system. This again allows the use of the system ccache when no username is specified, and brings more code in common between gensec_krb5 and gensec_gssapi. It also has a side-effect that may (or may not) be expected: If there is a ccache, even if it is not used (perhaps the remote server didn't want kerberos), it will change the default username. Andrew Bartlett (This used to be commit 6202267f6ec1446d6bd11d1d37d05a977bc8d315)
2007-10-10r9678: Remove unused variables.Andrew Bartlett1-4/+0
Andrew Bartlett (This used to be commit 50e6229c7a13be9b5d10c954f9b895993cefe2b6)
2007-10-10r9505: Work on GENSEC and the code that calls it, for tighter interfaceAndrew Bartlett2-6/+13
requirements, and for better error reporting. In particular, the composite session setup (extended security/SPNEGO) code now returns errors, rather than NT_STATUS_NO_MEMORY. This is seen particularly when GENSEC fails to start. The tighter interface rules apply to NTLMSSP, which must be called exactly the right number of times. This is to match some of our other less-tested modules, where adding flexablity is harder. (and this is security code, so let's just get it right). As such, the DCE/RPC and LDAP clients have been updated. Andrew Bartlett (This used to be commit 134550cf752b9edad66c3368750bfb4bbd9d55d1)
2007-10-10r9416: Cleanups inspired by jra's work to migrate Samba4's NTLMSSP code backAndrew Bartlett3-104/+53
into Samba3. The NTLMSSP sign/seal code now assumes that GENSEC has already checked to see if SIGN or SEAL should be permitted. This simplfies the code ensures that no matter what the mech, the correct code paths have been set in place. Also remove duplication caused by the NTLMv2 code's history, and document why some of the things a bit funny. In SPNEGO, create a new routine to handle the negTokenInit creation. We no longer send an OID for a mech we can't start (like kerberos on the server without a valid trust account). Andrew Bartlett (This used to be commit fe45ef608f961a6950d4d19b4cb5e7c27b38ba5f)
2007-10-10r9411: Ensure we don't send a challenge without first getting a negotiate inAndrew Bartlett1-2/+8
NTLMSSP, unless we are in datagram mode (not fully implemented yet). Andrew Bartlett (This used to be commit 727f5109421e9414a335e42e3ad3dd3ff19776bd)
2007-10-10r8700: Propmted by tridge's need to do plaintext auth in ejs, rework theAndrew Bartlett1-10/+15
user_info strcture in auth/ This moves it to a pattern much like that found in ntvfs, with functions to migrate between PAIN, HASH and RESPONSE passwords. Instead of make_user_info*() functions, we simply fill in the control block in the callers, per recent dicussions on the lists. This removed a lot of data copies as well as error paths, as we can grab much of it with talloc. Andrew Bartlett (This used to be commit ecbd2235a3e2be937440fa1dc0aecc5a047eda88)
2007-10-10r8520: fixed a pile of warnings from the build farm gcc -Wall output onAndrew Tridgell1-4/+6
S390. This is an attempt to avoid the panic we're seeing in the automatic builds. The main fixes are: - assumptions that sizeof(size_t) == sizeof(int), mostly in printf formats - use of NULL format statements to perform dn searches. - assumption that sizeof() returns an int (This used to be commit a58ea6b3854973b694d2b1e22323ed7eb00e3a3f)
2007-10-10r7827: Add in-memory keytab to Samba4, using the new MEMORY_WILDCARD keytabAndrew Bartlett1-0/+11
support in Heimdal. This removes the 'ext_keytab' step from my Samba4/WinXP client howto. In doing this work, I realised that the replay cache in Heimdal is currently a no-op, so I have removed the calls to it, and therefore the mutex calls from passdb/secrets.c. This patch also includes a replacement 'magic' mechanism detection, that does not issue extra error messages from deep inside the GSSAPI code. Andrew Bartlett (This used to be commit c19d5706f4fa760415b727b970bc99e7f1abd064)
2007-10-10r7757: Add NTLMv2 support to the NT1 Session setup (ie, not SPNEGO/NTLMSSP)Andrew Bartlett1-1/+2
Session Setup code. Add a mem_ctx argument to a few of the NTLMv2 support functions, and add smb.conf options to control client NTLMv2 behaviour. Andrew Bartlett (This used to be commit 3f35cdb218a3dae08a05e77452ca9f73716ceb28)
2007-10-10r7690: Move the NT hash generation into the credentials system, rather thanAndrew Bartlett1-22/+21
in all the callers. This also allows us to be more flexible in the type of password we store. Andrew Bartlett (This used to be commit 00b8588c68526e1d86fda0bd81c0b86f690b62c3)