summaryrefslogtreecommitdiff
path: root/source4/libcli/raw/clisession.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r9223: Rename smb_raw_session_setup() to smb_raw_sesssetup().Tim Potter1-8/+9
(This used to be commit 5e6d330e7388e47e1b2bfc96fff07682e90f63a5)
2007-10-10r7569: Fix typo in comments.Tim Potter1-2/+2
(This used to be commit 64fb327ccf80d2d501ae559a6c4336a066191df0)
2007-10-10r6028: A MAJOR update to intergrate the new credentails system fully withAndrew Bartlett1-2/+2
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'. GENSEC now no longer has it's own handling of 'set username' etc, instead it uses cli_credentials calls. In order to link the credentails code right though Samba, a lot of interfaces have changed to remove 'username, domain, password' arguments, and these have been replaced with a single 'struct cli_credentials'. In the session setup code, a new parameter 'workgroup' contains the client/server current workgroup, which seems unrelated to the authentication exchange (it was being filled in from the auth info). This allows in particular kerberos to only call back for passwords when it actually needs to perform the kinit. The kerberos code has been modified not to use the SPNEGO provided 'principal name' (in the mechListMIC), but to instead use the name the host was connected to as. This better matches Microsoft behaviour, is more secure and allows better use of standard kerberos functions. To achieve this, I made changes to our socket code so that the hostname (before name resolution) is now recorded on the socket. In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now in libcli/auth/schannel.c, and it looks much more like a standard GENSEC module. The actual sign/seal code moved to libcli/auth/schannel_sign.c in a previous commit. The schannel credentails structure is now merged with the rest of the credentails, as many of the values (username, workstation, domain) where already present there. This makes handling this in a generic manner much easier, as there is no longer a custom entry-point. The auth_domain module continues to be developed, but is now just as functional as auth_winbind. The changes here are consequential to the schannel changes. The only removed function at this point is the RPC-LOGIN test (simulating the load of a WinXP login), which needs much more work to clean it up (it contains copies of too much code from all over the torture suite, and I havn't been able to penetrate its 'structure'). Andrew Bartlett (This used to be commit 2301a4b38a21aa60917973451687063d83d18d66)
2007-10-10r5322: removed a whole bunch of #include lines that minimal_includes.plAndrew Tridgell1-1/+0
thinks are not needed. Now to see how this fares on the build farm :) (This used to be commit 80ffcc650c9c86141507edd8338b97814a85f868)
2007-10-10r5298: - got rid of pstring.h from includes.h. This at least makes it a bitAndrew Tridgell1-0/+1
less likely that anyone will use pstring for new code - got rid of winbind_client.h from includes.h. This one triggered a huge change, as winbind_client.h was including system/filesys.h and defining the old uint32 and uint16 types, as well as its own pstring and fstring. (This used to be commit 9db6c79e902ec538108d6b7d3324039aabe1704f)
2007-10-10r4951: some of the code dealing with libcli was getting too complex trying toAndrew Tridgell1-3/+8
handle the inverted memory hierarchy that a normal session establishment gave. The inverted hierarchy came from that fact that you first establish a socket, then a transport, then a session and finally a tree. That leads to the socket being at the top of the memory hierarchy and the tree at the bottom, which makes no sense from the users point of view, as they want to be able to free the tree and have everything disappear. The core problem was that the libcli interface didn't distinguish between establishing a primary context and a secondary context. If you establish a 2nd session on a transport then you want the transport to be referenced by the session, whereas if you establish a primary session then you want the transport to be a child of the session. To fix this I have added "parent_ctx" and "primary" arguments to the libcli intialisation functions. This makes using the library much easier, and gives us a memory hierarchy that makes much more sense. I was prompted to do this by a bug in the cifs backend, which was caused by the socket not being properly torn down on a disconnect due to the inverted memory hierarchy. (This used to be commit 5e8fd5f70178992e249805c2e1ddafaf6840739b)
2007-10-10r4777: added a smb_composite_sesssetup() async composite function. ThisAndrew Tridgell1-352/+6
encapsulates all the different session setup methods, including the multi-pass spnego code. I have hooked this into all the places that previously used the RAW_SESSSETUP_GENERIC method, and have removed the old RAW_SESSSETUP_GENERIC code from clisession.c and clitree.c. A nice side effect is that these two modules are now very simple again, back to being "raw" session setup handling, which was what was originally intended. I have also used this to replace the session setup code in the smb_composite_connect() code, and used that to build a very simple replacement for smbcli_tree_full_connection(). As a result, smbclient, smbtorture and all our other SMB connection code now goes via these composite async functions. That should give them a good workout! (This used to be commit 080d0518bc7d6fd4bc3ef783e7d4d2e3275d0799)
2007-10-10r4769: added a smb_composite_connect() function that provides a simple asyncAndrew Tridgell1-3/+3
interface to a complete SMB connection setup. Internally it does: - socket connection - session request (if needed) - negprot - session setup - tcon This is the first example of a composite function that builds on other composite components (the socket connection is a composite function, which is used as a building block for this function). I think this will be quite common in composite functions in the future, building up ever more complex composite functions from smaller building blocks, while hiding the details from the caller. There are two things missing from this now. The first is async name resolution routines (wins, bcast, DNS etc), and the second is that this code currently only does a NT1 style session setup. I'll work on adding spnego and old style session setup support next. (This used to be commit 6bc9e17f5c5236f662c7c8f308d03e6d97379b23)
2007-10-10r4758: - added async support to the session request codeAndrew Tridgell1-3/+1
- added async support to the negprot client code - removed two unused parameters from smbcli_full_connection() code - converted smbclient to use smbcli_full_connection() rather than reinventing everything itself (This used to be commit 71cbe2873473e039b4511511302cb63f1c50bce8)
2007-10-10r4361: fix the buildStefan Metzmacher1-2/+3
metze (This used to be commit 78b2af77e9e4b97c698d6d9e680207b1df289cb4)
2007-10-10r4173: - new t2open code, that can cope with "create with EAs". Many thanksAndrew Tridgell1-1/+1
to kukks on #samba-technical for the sniffs that allowed me to work this out - much simpler ntvfs open generic mapping code - added t2open create with EA torture test to RAW-OPEN test (This used to be commit a56d95ad89b4f32a05974c4fe9a816d67aa369e3)
2007-10-10r4080: missing file from the last commitStefan Metzmacher1-1/+1
metze (This used to be commit ea7b496995573426486b7eab5de822d5602d7368)
2007-10-10r4070: move some defines from asn_1.h to the places they belong toStefan Metzmacher1-3/+2
metze (This used to be commit ab2c2f27e1c61516e885f02bf26350f97209057a)
2007-10-10r4063: - change char * -> uint8_t in struct request_bufferStefan Metzmacher1-1/+1
- change smbcli_read/write to take void * for the buffers to match read(2)/write(2) all this fixes a lot of gcc-4 warnings metze (This used to be commit b94f92bc6637f748d6f7049f4f9a30b0b8d18a7a)
2007-10-10r4037: fixed a bunch of "might be uninitialised" warnings after enabling -O1 ↵Andrew Tridgell1-1/+1
in my compile (This used to be commit 0928b1f5b68c858922c3ea6c27ed03b5091c6221)
2007-10-10r3463: separated out some more headers (asn_1.h, messages.h, dlinklist.h and ↵Andrew Tridgell1-0/+1
ioctl.h) (This used to be commit b97e395c814762024336c1cf4d7c25be8da5813a)
2007-10-10r3453: - split out the auth and popt includesAndrew Tridgell1-0/+1
- tidied up some of the system includes - moved a few more structures back from misc.idl to netlogon.idl and samr.idl now that pidl knows about inter-IDL dependencies (This used to be commit 7b7477ac42d96faac1b0ff361525d2c63cedfc64)
2007-10-10r3419: moved the libcli/raw structures into libcli/raw/libcliraw.hAndrew Tridgell1-0/+1
and made them private (This used to be commit 386ac565c452ede1d74e06acb401ca9db99d3ff3)
2007-10-10r3400: - allow callers to control the flags2 field in raw packetsAndrew Tridgell1-0/+22
- added testing of the FLAGS2_READ_PERMIT_EXECUTE bit in the ntdeny tests (This used to be commit adf4a682705871186f3b77ea6d417942445fc5d3)
2007-10-10r3354: honor "max xmit" and "max mux" from smb.conf in our client code. ThisAndrew Tridgell1-6/+6
is important as it allows the test suite to exercise the multiple reply logic in smbd for trans2 search replies. (This used to be commit 865159016ab1e806465a55697444228fb3fa286e)
2007-10-10r2680: switched the libcli/raw/ code over to use talloc_reference(), which ↵Andrew Tridgell1-13/+1
simplifies things quite a bit (This used to be commit c82a9cf750829c4f6982ca3133295c8599023c4e)
2007-10-10r2660: - converted the libcli/raw/ library to use talloc_increase_ref_count()Andrew Tridgell1-19/+31
rather than manual reference counts - properly support SMBexit in the cifs and posix backends - added a logoff method to all backends With these changes the RAW-CONTEXT test now passes against the posix backend (This used to be commit c315d6ac1cc40546fde1474702a6d66d07ee13c8)
2007-10-10r2655: fixed an error in the shutdown of the sock->transport->session->treeAndrew Tridgell1-1/+0
smbcli raw context handling (This used to be commit d5fd6388751944f11c34e5124d403d57c8670e3b)
2007-10-10r2654: fixed some more server memory leaks. We are now down to a single leakAndrew Tridgell1-1/+1
of 16 bytes, caused by the 16 byte data_blob in the smb_signing code. (This used to be commit 2f1b788e09686e065d22f621f5c0c585192c6740)
2007-10-10r2629: convert gensec to the new talloc modelAndrew Tridgell1-1/+1
by making our gensec structures a talloc child of the open connection we can be sure that it will be destroyed when the connection is dropped. (This used to be commit f12ee2f241aab1549bc1d9ca4c35a35a1ca0d09d)
2007-10-10r2587: fixed a couple of authentication memory leaks. There are more to beAndrew Tridgell1-2/+3
fixed - I'll commit a little test suite soon. (This used to be commit 5b967c1cbb9831f7f2c6c6187f9e8e6dcc284497)
2007-10-10r2497: fixed an uninitialised 4 bytes in old style session setup (found with ↵Andrew Tridgell1-0/+1
valgrind) (This used to be commit b2bb41721817256618124907a6922a00d50643dc)
2007-10-10r2307: Fix the use of 'raw' NTLMSSP to hosts that support extended security,Andrew Bartlett1-10/+19
but do not support SPNEGO (such as XP, when not joined to a domain). This is triggered by the presense or lack of a security blob in the negprot reply. Andrew Bartlett (This used to be commit 99f7a38c077725b22475f2ba68d0955114879c24)
2007-10-10r2041: Fix NTLMSSP RPC sealing, client -> win2k3 server.Andrew Bartlett1-0/+2
The bug (found by tridge) is that Win2k3 is being tighter about the NTLMSSP flags. If we don't negotiate sealing, we can't use it. We now have a way to indicate to the GENSEC implementation mechanisms what things we want for a connection. Andrew Bartlett (This used to be commit 86f61568ea44c5719f9b583beeeefb12e0c26f4c)
2007-10-10r1985: take advantage of the new talloc in a few more placesAndrew Tridgell1-9/+4
(This used to be commit 6ffdfd779936ce8c5ca49c5f444e8da2bbeee0a8)
2007-10-10r1983: a completely new implementation of tallocAndrew Tridgell1-1/+1
This version does the following: 1) talloc_free(), talloc_realloc() and talloc_steal() lose their (redundent) first arguments 2) you can use _any_ talloc pointer as a talloc context to allocate more memory. This allows you to create complex data structures where the top level structure is the logical parent of the next level down, and those are the parents of the level below that. Then destroy either the lot with a single talloc_free() or destroy any sub-part with a talloc_free() of that part 3) you can name any pointer. Use talloc_named() which is just like talloc() but takes the printf style name argument as well as the parent context and the size. The whole thing ends up being a very simple piece of code, although some of the pointer walking gets hairy. So far, I'm just using the new talloc() like the old one. The next step is to actually take advantage of the new interface properly. Expect some new commits soon that simplify some common coding styles in samba4 by using the new talloc(). (This used to be commit e35bb094c52e550b3105dd1638d8d90de71d854f)
2007-10-10r1769: Add a new torture test to check vuid properties, and ↵Andrew Bartlett1-1/+1
SPNEGO/non-SPNEGO games. Andrew Bartlett (This used to be commit 90d70a63ee6d44172cec99a9115817f666b5d06d)
2007-10-10r1654: rename cli_ -> smbcli_Stefan Metzmacher1-70/+70
rename CLI_ -> SMBCLI_ metze (This used to be commit 8441750fd9427dd6fe477f27e603821b4026f038)
2007-10-10r1602: make sure we honor the use_spnego flagAndrew Tridgell1-1/+2
(This used to be commit de764d9004a0d90479158e78e30b1266eb529e3e)
2007-10-10r1521: Updates to our SMB signing code.Andrew Bartlett1-14/+29
- This causes our client and server code to use the same core code, with the same debugs etc. - In turn, this will allow the 'mandetory/fallback' signing algorithms to be shared, and only written once. Updates to the SPNEGO code - Don't wrap an empty token to the server, if we are actually already finished. Andrew Bartlett (This used to be commit 35b83eb329482ac1b3bc67285854cc47844ff353)
2007-10-10r1475: More kerberos workAndrew Bartlett1-0/+7
- We can now connect to hosts that follow the SPNEGO RFC, and *do not* give us their principal name in the mechListMIC. - The client code now remembers the hostname it connects to - We now kinit for a user, if there is not valid ticket already - Re-introduce clock skew compensation TODO: - See if the username in the ccache matches the username specified - Use a private ccache, rather then the global one, for a 'new' kinit - Determine 'default' usernames. - The default for Krb5 is the one in the ccache, then $USER - For NTLMSSP, it's just $USER Andrew Bartlett (This used to be commit de5da669397db4ac87c6da08d3533ca3030da2b0)
2007-10-10r1462: GENSEC Kerberos and SPENGO work:Andrew Bartlett1-13/+17
- Spelling - it's SPNEGO, not SPENGO - SMB signing - Krb5 logins are now correctly signed - SPNEGO - Changes to always tell GENSEC about incoming packets, empty or not. Andrew Bartlett (This used to be commit cea578d6f39a2ea4a24e7a0064c95193ab6f6df7)
2007-10-10r1409: if we have no user name don't use extended securityStefan Metzmacher1-1/+1
the capabilities in the union smb_sesssetup should be used to decide if we can use extented security metze (This used to be commit e3760fcc17cc645d942f0fc7f7325976391309ea)
2007-10-10r1406: I got spnego in the smb client workingStefan Metzmacher1-0/+3
so I set 'use spnego = True' metze (This used to be commit e06898f88c82c286574f9d73de1a9de829b1ded8)
2007-10-10r1348: get gensec backend by OID instead of nameStefan Metzmacher1-1/+1
metze (This used to be commit 38e00f87191b86901b603e66aec1e7e71f74c29f)
2007-10-10r1345: add extended security spnego support to the smb clientStefan Metzmacher1-4/+107
code set lp_use_spnego = False, because I can't get it working yet but I commit it so others can help me metze (This used to be commit 2445cceba9ab9bd928c8bc50927a39509e4526b0)
2007-10-10r1268: varient -> variantTim Potter1-1/+1
(This used to be commit de5984c95602ca67e8ac3139c3aa4330b74266e0)
2007-10-10r961: convert 'uchar' to 'uint8_t'Stefan Metzmacher1-1/+1
metze (This used to be commit 9f914e4af99e18b469d4cf9d8b1514a2bd28ddec)
2007-10-10r889: convert samba4 to use [u]int16_t instead of [u]int16Stefan Metzmacher1-2/+2
metze (This used to be commit af6f1f8a01bebbecd99bc8c066519e89966e65e3)
2007-10-10r610: - Merge the Samba3 'ntlm_auth --diagnostics' testsuite to Samba4.Andrew Bartlett1-8/+21
- This required using NETLOGON_NEG_AUTH2_FLAGS for the SetupCredentials2 negotiation flags, which is what Samba3 does, because otherwise the server uses different crypto. - This tests the returned session keys, which we decrypt. - Update the Samba4 notion of a 'session key' to be a DATA_BLOB in most places. - Fix session key code to return NT_STATUS_NO_SESSION_KEY if none is available. - Remove a useless argument to SMBsesskeygen_ntv1 - move netr_CredentialState from the .idl to the new credentials.h Andrew Bartlett (This used to be commit 44f8b5b53e6abd4de8a676f78d729988fadff320)
2007-10-10r100: remember the user session key during session setup so it can be used ↵Andrew Tridgell1-0/+2
in various crypto routines (This used to be commit f6cf9020c8899e784385ea0e14fa465685441ee6)
2004-01-15* fixed a segv when -U is not used in smbtorture.Andrew Tridgell1-3/+9
* fixed the handling of anonymous logins (This used to be commit 7cbc4ad8710ad33387145bfc9974d0ed4b0fb231)
2003-11-03a major revamp of the low level dcerpc code in samba4, We can now do aAndrew Tridgell1-2/+2
successful LSA OpenPolicy using smbtorture (This used to be commit e925c315f55905060fcca1b188ae1f7e40baf514)
2003-08-13first public release of samba4 codeAndrew Tridgell1-0/+444
(This used to be commit b0510b5428b3461aeb9bbe3cc95f62fc73e2b97f)