Age | Commit message (Collapse) | Author | Files | Lines |
|
Kerberos CCACHE into the system.
This again allows the use of the system ccache when no username is
specified, and brings more code in common between gensec_krb5 and
gensec_gssapi.
It also has a side-effect that may (or may not) be expected: If there
is a ccache, even if it is not used (perhaps the remote server didn't
want kerberos), it will change the default username.
Andrew Bartlett
(This used to be commit 6202267f6ec1446d6bd11d1d37d05a977bc8d315)
|
|
requirements, and for better error reporting.
In particular, the composite session setup (extended security/SPNEGO)
code now returns errors, rather than NT_STATUS_NO_MEMORY. This is
seen particularly when GENSEC fails to start.
The tighter interface rules apply to NTLMSSP, which must be called
exactly the right number of times. This is to match some of our other
less-tested modules, where adding flexablity is harder. (and this is
security code, so let's just get it right). As such, the DCE/RPC and
LDAP clients have been updated.
Andrew Bartlett
(This used to be commit 134550cf752b9edad66c3368750bfb4bbd9d55d1)
|
|
(This used to be commit 5e6d330e7388e47e1b2bfc96fff07682e90f63a5)
|
|
names.
(This used to be commit 26b191b3c9529b2dae5d004819dab46657064408)
|
|
rafal
(This used to be commit 40061d7bd66be702d92c80da2c5f955b640eda22)
|
|
doesn't include 'host'
(This used to be commit 77a1e3076a8d5c711fc96a69dd1a58c00d1f9604)
|
|
enum type has now been replaced with unsigned 32-bit field and
message data is passed as void pointer.
This allows various extension implementers to plug their monitor
messages in more easily.
rafal
(This used to be commit 4a6ab58133a59d3da3209b3e46c2a8cf848d25e7)
|
|
(This used to be commit f5910ceef5e1ec3fe40b4589e919fe502593b582)
|
|
(This used to be commit 7abd634701e2f07ad0497cdbb41467b8911369c7)
|
|
Session Setup code.
Add a mem_ctx argument to a few of the NTLMv2 support functions, and
add smb.conf options to control client NTLMv2 behaviour.
Andrew Bartlett
(This used to be commit 3f35cdb218a3dae08a05e77452ca9f73716ceb28)
|
|
in this case.
rafal
(This used to be commit b0bae584a4936845732d68aa7d2ccce4411dd1d7)
|
|
event_context for the socket_connect() call, so that when things that
use dcerpc are running alongside anything else it doesn't block the
whole process during a connect.
Then of course I needed to change any code that created a dcerpc
connection (such as the auth code) to also take an event context, and
anything that called that and so on .... thus the size of the patch.
There were 3 places where I punted:
- abartlet wanted me to add a gensec_set_event_context() call
instead of adding it to the gensec init calls. Andrew, my
apologies for not doing this. I didn't do it as adding a new
parameter allowed me to catch all the callers with the
compiler. Now that its done, we could go back and use
gensec_set_event_context()
- the ejs code calls auth initialisation, which means it should pass
in the event context from the web server. I punted on that. Needs fixing.
- I used a NULL event context in dcom_get_pipe(). This is equivalent
to what we did already, but should be fixed to use a callers event
context. Jelmer, can you think of a clean way to do that?
I also cleaned up a couple of things:
- libnet_context_destroy() makes no sense. I removed it.
- removed some unused vars in various places
(This used to be commit 3a3025485bdb8f600ab528c0b4b4eef0c65e3fc9)
|
|
(This used to be commit 96d9b7fc988405a0d771b778e95a9f60b1efe514)
|
|
(This used to be commit c1ccaa0cc9de9c8f781162674bc73ca0ff88fedd)
|
|
(This used to be commit 43e1bd870d9d7ca67e0ce1d2d1a1589aad41d770)
|
|
(This used to be commit b896daf11c3efb1b3ca939575da9dab82b395777)
|
|
rafal
(This used to be commit f7aaa0bfcae7fd4518256a703ad237693ff0c295)
|
|
Andrew Bartlett
(This used to be commit 77b67da5b8187951ba8c25af85bbf716cf5b3561)
|
|
Andrew Bartlett
(This used to be commit 6d7f1daaf2a521864994e06b013c36287f27a129)
|
|
rafal
(This used to be commit 47a7a6c3fcfd1ab159a6baa71cd5c7984334fddb)
|
|
- qfsinfo (query file system information)
- appendacl (append an ACL to existing file's security descriptor and get new
full ACL)
The second one also includes an improvement to security descriptor handling
which allows to copy security descriptor. Written by Peter Novodvorsky
<peter.novodvorsky@ru.ibm.com>
Both functions have corresponding torture tests added. Tested under valgrind and
work against Samba 4 and Windows XP.
ToDo: document composite call creation process in prog_guide.txt
(This used to be commit 441cff62ac75ed16851ce7b8daf9d03eb4c3ec79)
|
|
client. The issue was actually a cut-and-paste bug, I was filling in
the .old not the .nt1 part of the union.
I've also removed the 'error checks' - I'll shortly document the API
for the credentials code to clarify that it will always return a
pointer here, except in cases of programmer error.
Tridge: I hope this is OK.
Andrew Bartlett
(This used to be commit 6439de9ec8c8d24197ea69dc337473e54c8b36b8)
|
|
(This used to be commit ff6663aac8ed475bf65d9c06d7f2447a9827898c)
|
|
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'.
GENSEC now no longer has it's own handling of 'set username' etc,
instead it uses cli_credentials calls.
In order to link the credentails code right though Samba, a lot of
interfaces have changed to remove 'username, domain, password'
arguments, and these have been replaced with a single 'struct
cli_credentials'.
In the session setup code, a new parameter 'workgroup' contains the
client/server current workgroup, which seems unrelated to the
authentication exchange (it was being filled in from the auth info).
This allows in particular kerberos to only call back for passwords
when it actually needs to perform the kinit.
The kerberos code has been modified not to use the SPNEGO provided
'principal name' (in the mechListMIC), but to instead use the name the
host was connected to as. This better matches Microsoft behaviour,
is more secure and allows better use of standard kerberos functions.
To achieve this, I made changes to our socket code so that the
hostname (before name resolution) is now recorded on the socket.
In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now
in libcli/auth/schannel.c, and it looks much more like a standard
GENSEC module. The actual sign/seal code moved to
libcli/auth/schannel_sign.c in a previous commit.
The schannel credentails structure is now merged with the rest of the
credentails, as many of the values (username, workstation, domain)
where already present there. This makes handling this in a generic
manner much easier, as there is no longer a custom entry-point.
The auth_domain module continues to be developed, but is now just as
functional as auth_winbind. The changes here are consequential to the
schannel changes.
The only removed function at this point is the RPC-LOGIN test
(simulating the load of a WinXP login), which needs much more work to
clean it up (it contains copies of too much code from all over the
torture suite, and I havn't been able to penetrate its 'structure').
Andrew Bartlett
(This used to be commit 2301a4b38a21aa60917973451687063d83d18d66)
|
|
should be NT_STATUS_HAVE_NO_MEMORY(state->loadfile) instead of
NT_STATUS_NOT_OK_RETURN(status).
(This used to be commit eb57a587889611bcf39d75d4e15b627f36899a53)
|
|
thinks are not needed. Now to see how this fares on the build farm :)
(This used to be commit 80ffcc650c9c86141507edd8338b97814a85f868)
|
|
(This used to be commit 7f54c8a339f36aa43c9340be70ab7f0067593ef2)
|
|
make it possible to add optimisations to the events code such as
keeping the next timed event in a sorted list, and using epoll for
file descriptor events.
I also removed the loop events code, as it wasn't being used anywhere,
and changed timed events to always be one-shot (as adding a new timed
event in the event handler is so easy to do if needed)
(This used to be commit d7b4b6de51342a65bf46fce772d313f92f8d73d3)
|
|
rename the core structure to composite_context and the wait routine to
composite_wait() (suggestion from metze)
(This used to be commit cf11d05e35179c2c3e51c5ab370cd0a3fb15f24a)
|
|
free the connection context. This left a whole lot of state hanging
around and didn't give the memory to the caller properly
(This used to be commit 3e13e1d526563d91cb2342ae68455e54eb49a9bd)
|
|
handle the inverted memory hierarchy that a normal session
establishment gave. The inverted hierarchy came from that fact that
you first establish a socket, then a transport, then a session and
finally a tree. That leads to the socket being at the top of the
memory hierarchy and the tree at the bottom, which makes no sense from
the users point of view, as they want to be able to free the tree and
have everything disappear.
The core problem was that the libcli interface didn't distinguish
between establishing a primary context and a secondary context. If you
establish a 2nd session on a transport then you want the transport to
be referenced by the session, whereas if you establish a primary
session then you want the transport to be a child of the session.
To fix this I have added "parent_ctx" and "primary" arguments to the
libcli intialisation functions. This makes using the library much
easier, and gives us a memory hierarchy that makes much more sense.
I was prompted to do this by a bug in the cifs backend, which was
caused by the socket not being properly torn down on a disconnect due
to the inverted memory hierarchy.
(This used to be commit 5e8fd5f70178992e249805c2e1ddafaf6840739b)
|
|
(This used to be commit 4a351901aa49090700d89274559d6dda76f06b7d)
|
|
server and
loads a file. Needs a smb url parsing wrapper.
Volker
(This used to be commit fa435bf7c878d4a5beb6afb2ed6e2990abc11e82)
|
|
in smb_composite_connect_send(). This makes doing parallel calls much
easier.
(This used to be commit 442308970c123b9fb25615673049e1c1c234a0b9)
|
|
(This used to be commit 347dfa47249d55c61e1e7c82d10444a71aca8a85)
|
|
one place. This makes the code more robust, and simpler (it would have
prevented the error that volker found).
(This used to be commit 420b53091ee784d7891fb62d48e2f5a225b4dbf8)
|
|
it is freed. The problem is that the handler might complete the
request, and called the c->async.fn() async handler. That handler
might free the request handle.
(This used to be commit c4faceadc74e0849f6197ccbec9952f6c94f6176)
|
|
interface. This patch removes the "stage" variable, which is really
better suited to the backend state structures
(This used to be commit 39da684ea8bc72d7a4a12c00eaad56b4f32890a9)
|
|
(thanks to abartlet for spotting this bug)
(This used to be commit 8b653f12f21e7a8eee8e60cefb193505c2df7f8f)
|
|
which will eventually try all resolution methods setup in smb.conf
- only resolution backend at the moment is bcast, which does a
parallel broadcast to all configured network interfaces, and takes
the first reply that comes in (this nicely demonstrates how to do
parallel requests using the async APIs)
- converted all the existing code to use the new resolve_name() api
- removed all the old nmb code (yay!)
(This used to be commit 239c310f255e43dd2d1c2433f666c9faaacbdce3)
|
|
(This used to be commit e16f67c931ba93011d52fdf14312d12a9b09c49a)
|
|
pointers in the composite code type safe.
This is a bit of an experiement, I'd be interested in comments on
whether we should use this more widely.
(This used to be commit 0e1da827b380998355f75f4ef4f424802059c278)
|
|
the minimal level I think (one private pointer for the composite
function, and one private pointer for the caller)
(This used to be commit 0240bf928163e32e7c69be88fe3ed4987dd18778)
|
|
proliferation of void* in the composite code. This removes two of the
void* pointers from the main composite structure.
(This used to be commit 5a89a5ed0fa022fb380bf72065904633270f34aa)
|
|
(This used to be commit 870af4e2f2055013424d9dbe2df2c51faa810eec)
|
|
encapsulates all the different session setup methods, including the
multi-pass spnego code.
I have hooked this into all the places that previously used the
RAW_SESSSETUP_GENERIC method, and have removed the old
RAW_SESSSETUP_GENERIC code from clisession.c and clitree.c. A nice
side effect is that these two modules are now very simple again, back
to being "raw" session setup handling, which was what was originally
intended.
I have also used this to replace the session setup code in the
smb_composite_connect() code, and used that to build a very simple
replacement for smbcli_tree_full_connection().
As a result, smbclient, smbtorture and all our other SMB connection
code now goes via these composite async functions. That should give
them a good workout!
(This used to be commit 080d0518bc7d6fd4bc3ef783e7d4d2e3275d0799)
|
|
interface to a complete SMB connection setup. Internally it does:
- socket connection
- session request (if needed)
- negprot
- session setup
- tcon
This is the first example of a composite function that builds on other
composite components (the socket connection is a composite function,
which is used as a building block for this function). I think this
will be quite common in composite functions in the future, building up
ever more complex composite functions from smaller building blocks,
while hiding the details from the caller.
There are two things missing from this now. The first is async name
resolution routines (wins, bcast, DNS etc), and the second is that
this code currently only does a NT1 style session setup. I'll work on
adding spnego and old style session setup support next.
(This used to be commit 6bc9e17f5c5236f662c7c8f308d03e6d97379b23)
|
|
have composite functions that are not made up of functions that
operate on smbcli_request structures.
(This used to be commit 4f6055b4fb7e287a29544ff1ca4e22f698efc478)
|
|
suite a little
(This used to be commit ef4dbc443dbdebc4160209ed3f23cbb97109c414)
|
|
which combineds ntcreatex, readx and close into a single call that
behaves just like a normal libcli async call.
(This used to be commit 516f68fb054f0717f0429e031aa820776ecc6597)
|