Age | Commit message (Collapse) | Author | Files | Lines |
|
test suite, but doesn't yet seem to satisfy a nt4 client. I'm
investigating.
(This used to be commit 406217262dff5adb5d0cb0028198e08f66cc85f4)
|
|
ndr code for handling sids and security descriptors now that we have a
sid in the nbt IDL
(This used to be commit f8e77fcdeac704aed5e501aa9108f3ed0ab26ca4)
|
|
(This used to be commit d7e6e395cedef47dc182094c91f764e248b9b149)
|
|
parsing incoming netlogon requests. No replies are sent yet.
(This used to be commit 3b34df6a674cd2aeddc354cdadae3f0e1c000d45)
|
|
now tries to bind to port 138 if possible, so if you run it as root
and smbd/nmbd is not running then it works against windows servers
(This used to be commit 52ccdb79bc922be52c24dd393323dbbee83a2aea)
|
|
suite. The NBT-DGRAM test does a UDP/138 netlogon request, to which a
windows server sends a reply, but the windows server sends the reply
to the wrong port (it always sends to 138), so the test suite doesn't
see it.
(This used to be commit a7634625dbc944dd8256a822be290010f341a571)
|
|
datagrams. This adds the IDL to parse mailslot packets, plus mailslot
dispatch and listener registration code.
mailslots are used for UDP/138 browse and netlogon packets
(This used to be commit f20e7e5200de736b3451d748ed716be638f93502)
|
|
(This used to be commit 47e1452da08d06b0b9f15545b3b2b0631f15bac2)
|
|
server. Currently just listens on port 138 and parses the packets
(using IDL like the rest of NBT). This allows me to develop the
structures and test with real packets
(This used to be commit 10d64a525349ff96695ad961a3cfeb5bc7c8844f)
|
|
auth/gensec and auth/kerberos.
This also pulls the kerberos configure code out of libads (which is
otherwise dead), and into auth/kerberos/kerberos.m4
Andrew Bartlett
(This used to be commit e074d63f3dcf4f84239a10879112ebaf1cfa6c4f)
|
|
up issues I introduced during the merge, that caused a segfault.
I've still not got the keytab code to work for me (using Samba3 to
generate the keytab) so this is still not fully tested, but it's
better than it was.
To add debugging, I now use the krb5_get_error_message() function from
Heimdal when present, to return the custom error string, which
contains far, far more information than the simple error code does.
(This last point may well be worth merging back into 3.0)
Andrew Bartlett
(This used to be commit ed5755d9d1e48df7ae77a9410d30e10cb8b0cbd7)
|
|
client. The issue was actually a cut-and-paste bug, I was filling in
the .old not the .nt1 part of the union.
I've also removed the 'error checks' - I'll shortly document the API
for the credentials code to clarify that it will always return a
pointer here, except in cases of programmer error.
Tridge: I hope this is OK.
Andrew Bartlett
(This used to be commit 6439de9ec8c8d24197ea69dc337473e54c8b36b8)
|
|
(This used to be commit ff6663aac8ed475bf65d9c06d7f2447a9827898c)
|
|
libcli/auth/schannel.c and libcli/auth/schannel_sign.c
Andrew Bartlett
(This used to be commit 1e0e66d7202d3f0e7fb3c90f2ca608fa08a713a6)
|
|
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'.
GENSEC now no longer has it's own handling of 'set username' etc,
instead it uses cli_credentials calls.
In order to link the credentails code right though Samba, a lot of
interfaces have changed to remove 'username, domain, password'
arguments, and these have been replaced with a single 'struct
cli_credentials'.
In the session setup code, a new parameter 'workgroup' contains the
client/server current workgroup, which seems unrelated to the
authentication exchange (it was being filled in from the auth info).
This allows in particular kerberos to only call back for passwords
when it actually needs to perform the kinit.
The kerberos code has been modified not to use the SPNEGO provided
'principal name' (in the mechListMIC), but to instead use the name the
host was connected to as. This better matches Microsoft behaviour,
is more secure and allows better use of standard kerberos functions.
To achieve this, I made changes to our socket code so that the
hostname (before name resolution) is now recorded on the socket.
In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now
in libcli/auth/schannel.c, and it looks much more like a standard
GENSEC module. The actual sign/seal code moved to
libcli/auth/schannel_sign.c in a previous commit.
The schannel credentails structure is now merged with the rest of the
credentails, as many of the values (username, workstation, domain)
where already present there. This makes handling this in a generic
manner much easier, as there is no longer a custom entry-point.
The auth_domain module continues to be developed, but is now just as
functional as auth_winbind. The changes here are consequential to the
schannel changes.
The only removed function at this point is the RPC-LOGIN test
(simulating the load of a WinXP login), which needs much more work to
clean it up (it contains copies of too much code from all over the
torture suite, and I havn't been able to penetrate its 'structure').
Andrew Bartlett
(This used to be commit 2301a4b38a21aa60917973451687063d83d18d66)
|
|
Andrew Bartlett
(This used to be commit b5260cf0d4c4f2e81a310d1c94160c9fbaaa331f)
|
|
(untested at this point).
Andrew Bartlett
(This used to be commit ef7f9a01b4f3fa41fd7981b260fa2fadc7ce10ad)
|
|
cli_credentials code shortly.
Andrew Bartlett
(This used to be commit 13d09c8e9a50ae265059e4a0d92a07c651018a6c)
|
|
(from librpc) will be moved into schannel.c soon.
Andrew Bartlett
(This used to be commit d6c80ff74b0550641c253316b37f1050c207791c)
|
|
secrets system, and not the old system from Samba3.
This allowed the code from auth_domain to be shared - we now only
lookup the secrets.ldb in lib/credentials.c.
In order to link the resultant binary, samdb_search() has been moved
from deep inside rpc_server into lib/gendb.c, along with the existing
gendb_search_v(). The vast majority of this patch is the simple
rename that followed,
(Depending on the whole SAMDB for just this function seemed pointless,
and brought in futher dependencies, such as smbencrypt.c).
Andrew Bartlett
(This used to be commit e13c671619bd290a8b3cae8555cb281a9a185ee0)
|
|
metze needs a working tree...
The main volume of this patch was what I started working on today:
- Cleans up memory handling around DCE/RPC pipes, to have a parent talloc context.
- Uses sepereate inner loops for some of the DCE/RPC tests
The other and more important part of this patch fixes issues
surrounding the new credentials framwork:
This makes the struct cli_credentials always a talloc() structure,
rather than on the stack. Parts of the cli_credentials code already
assumed this.
There were other issues, particularly in the DCERPC over SMB handling,
as well as little things that had to be tidied up before test_w2k3.sh
would start to pass.
Andrew Bartlett
(This used to be commit 0453f9d05d2e336fba1f85dbf2718d01fa2bf778)
|
|
(24 bytes) for singed packets
but it accepts 32 bytes from the client.
(w2k3 accept it the otherway arround too)
metze
(This used to be commit 08d4c3b9f8558ee40c73a22b3ec110b052f28110)
|
|
Fix a couple of bugs in the new cli_credentials code
(This used to be commit 4ad481cfe5cde514d2ef9646147239f3faaa6173)
|
|
- gtk+ (returned by GtkHostBindingDialog as well now)
- torture/
- librpc/
- lib/com/dcom/
(This used to be commit ccefd782335e01e8e6ecb2bcd28a4f999c53b1a6)
|
|
puts support for it into popt_common, adds a few utility functions
(in lib/credentials.c) and the callback functions for the command-line
(lib/cmdline/credentials.c). Comments are welcome :-)
(This used to be commit 1d49b57c50fe8c2683ea23e9df41ce8ad774db98)
|
|
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
|
|
Andrew Bartlett
(This used to be commit b484776cc4d48690d45c668f9253015eb0d6207d)
|
|
Implement push side of NDR_LEN4|NDR_NOTERM strings (pull side was already present)
(This used to be commit ea61ec1122841716ed5d90085ba79e7bf691bd6a)
|
|
metze
(This used to be commit f543eb4ede54ac361017878574b3f4b6ffc9f2d5)
|
|
need a NULL domain (or a "" domain, except this breaks NTLMv2, and I
need to look into it a bit more).
Add support to the Samba4 server for these logins. This will need
extension when we handle trusted domains as a DC, as it is a principal
name, not just another format for the username.
Andrew Bartlett
(This used to be commit de02c7c222a32d2b3fb8ee8b715749b96cb647f9)
|
|
which will move in with the rest of GENSEC shortly).
Add the RID as another element in the schannel state.
Andrew Bartlett
(This used to be commit 69114b4a8e1c937ab5ff12ca91dd22bd83fd9a3b)
|
|
should be NT_STATUS_HAVE_NO_MEMORY(state->loadfile) instead of
NT_STATUS_NOT_OK_RETURN(status).
(This used to be commit eb57a587889611bcf39d75d4e15b627f36899a53)
|
|
GSS_C_DCE_STYLE support, it's just a start and does work correctly yet
metze
(This used to be commit 87ff661703f467db3dfcb33084041c3e2951e0ee)
|
|
if a name is not found.
(This used to be commit c23f767a9f5dd2dcae31bded540263b08876ecc2)
|
|
was not set.
(This used to be commit 328f37a3e8d10f97f361fb041be24f1ac88b6b0a)
|
|
wrepl_pull_names() functions, with reasonable
parameters, so callers don't need to deal directly with wins replication packet structures
- converted the NBT-WINSREPLICATION torture test to use the new APIs
(This used to be commit cec1672662b7e5b1bdf843e9dee317aa4b03f719)
|
|
when linking though.
(This used to be commit 2e1e8db6dc877eb32b51cfc3d9c8f463d14530ec)
|
|
- added a new IDL type "udlongr", which is like udlong, but with the
two uint32 halves reversed
- modified the winsrepl.idl to cope with a wider range of packets
(This used to be commit bc8d60c918f2e268d591aac464fc6a78c38a4cf9)
|
|
packet. This allows much longer names to fit within the limits of NBT
name packets (rfc1002.txt also says this should be done, although
Samba3 never generates them).
The main reason for doing this is it means that our NBT name pointer
decoding code is tested with the smbtorture tests
(This used to be commit 6e2feef125daceb143c44c0c4ab73b010b311792)
|
|
(This used to be commit dd3d4ded21e50130243de3b35927368875620d47)
|
|
spotting this)
(This used to be commit 76c49851b921c137c59c45084c5dab95f1c16f58)
|
|
(This used to be commit 666cc65d10012fa2a413dfa619fbc4599f752728)
|
|
registrations from anyone who isn't a current owner, then query the
owner addresses to see if they still want it.
(This used to be commit 8dc2a028d3ca0115d3173df435d926d7b6a4d5d5)
|
|
(This used to be commit 75766603e325d515a718b1d1ab0f08160ea1f790)
|
|
connects
(This used to be commit b13cea5b2b55ce3d4109666cf51af6ffd879d15d)
|
|
(This used to be commit c5aef260c4581bfc0d32ec09fac3414156c40230)
|
|
test, but doesn't yet
do secure server WACK responses
- added a ldap_string_to_time() function, for converting a LDAP
formatted time to a time_t
(This used to be commit 9aa3313b3f93e47e3f93028e072f6a23b3c22385)
|
|
(This used to be commit e467715c63624e165b79b37bd21b381d7a99d0fe)
|
|
as a human readable string. The format is designed to be able to be
used as the DN for the WINS database as well, while coping with
arbitrary bytes in the name (except nul bytes)
(This used to be commit aac3090e3504ba07124a9d480322a98efb97175e)
|
|
Add #include "system/time.h" back (it was removed in some of these
places because the definitions were provided by <sys/time.h> on tridge's
platform.)
Andrew Bartlett
(This used to be commit 34b1da730304bed7fee5bae7cbde7fbccecb6af5)
|