summaryrefslogtreecommitdiff
path: root/source4/libcli
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r6078: Correctly fix the failures for NT1 (not SPNEGO) session setups in theAndrew Bartlett1-4/+0
client. The issue was actually a cut-and-paste bug, I was filling in the .old not the .nt1 part of the union. I've also removed the 'error checks' - I'll shortly document the API for the credentials code to clarify that it will always return a pointer here, except in cases of programmer error. Tridge: I hope this is OK. Andrew Bartlett (This used to be commit 6439de9ec8c8d24197ea69dc337473e54c8b36b8)
2007-10-10r6074: fixed non-spnego connections for new credentials codeAndrew Tridgell1-1/+5
(This used to be commit ff6663aac8ed475bf65d9c06d7f2447a9827898c)
2007-10-10r6030: Missing from previous commit, a small header file to linkAndrew Bartlett1-0/+35
libcli/auth/schannel.c and libcli/auth/schannel_sign.c Andrew Bartlett (This used to be commit 1e0e66d7202d3f0e7fb3c90f2ca608fa08a713a6)
2007-10-10r6028: A MAJOR update to intergrate the new credentails system fully withAndrew Bartlett22-410/+431
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'. GENSEC now no longer has it's own handling of 'set username' etc, instead it uses cli_credentials calls. In order to link the credentails code right though Samba, a lot of interfaces have changed to remove 'username, domain, password' arguments, and these have been replaced with a single 'struct cli_credentials'. In the session setup code, a new parameter 'workgroup' contains the client/server current workgroup, which seems unrelated to the authentication exchange (it was being filled in from the auth info). This allows in particular kerberos to only call back for passwords when it actually needs to perform the kinit. The kerberos code has been modified not to use the SPNEGO provided 'principal name' (in the mechListMIC), but to instead use the name the host was connected to as. This better matches Microsoft behaviour, is more secure and allows better use of standard kerberos functions. To achieve this, I made changes to our socket code so that the hostname (before name resolution) is now recorded on the socket. In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now in libcli/auth/schannel.c, and it looks much more like a standard GENSEC module. The actual sign/seal code moved to libcli/auth/schannel_sign.c in a previous commit. The schannel credentails structure is now merged with the rest of the credentails, as many of the values (username, workstation, domain) where already present there. This makes handling this in a generic manner much easier, as there is no longer a custom entry-point. The auth_domain module continues to be developed, but is now just as functional as auth_winbind. The changes here are consequential to the schannel changes. The only removed function at this point is the RPC-LOGIN test (simulating the load of a WinXP login), which needs much more work to clean it up (it contains copies of too much code from all over the torture suite, and I havn't been able to penetrate its 'structure'). Andrew Bartlett (This used to be commit 2301a4b38a21aa60917973451687063d83d18d66)
2007-10-10r6027: Add copyright, and add a useful debug message.Andrew Bartlett1-2/+3
Andrew Bartlett (This used to be commit b5260cf0d4c4f2e81a310d1c94160c9fbaaa331f)
2007-10-10r6026: Update the kerberos keytab code to match Samba3 again.Andrew Bartlett1-80/+122
(untested at this point). Andrew Bartlett (This used to be commit ef7f9a01b4f3fa41fd7981b260fa2fadc7ce10ad)
2007-10-10r6025: Remove unused variables. This code will be modified again for the newAndrew Bartlett1-6/+2
cli_credentials code shortly. Andrew Bartlett (This used to be commit 13d09c8e9a50ae265059e4a0d92a07c651018a6c)
2007-10-10r5992: Rename schannel.c -> schannel_sign.c. The rest of the schannel codeAndrew Bartlett2-1/+1
(from librpc) will be moved into schannel.c soon. Andrew Bartlett (This used to be commit d6c80ff74b0550641c253316b37f1050c207791c)
2007-10-10r5988: Fix the -P option (use machine account credentials) to use the Samba4Andrew Bartlett1-2/+2
secrets system, and not the old system from Samba3. This allowed the code from auth_domain to be shared - we now only lookup the secrets.ldb in lib/credentials.c. In order to link the resultant binary, samdb_search() has been moved from deep inside rpc_server into lib/gendb.c, along with the existing gendb_search_v(). The vast majority of this patch is the simple rename that followed, (Depending on the whole SAMDB for just this function seemed pointless, and brought in futher dependencies, such as smbencrypt.c). Andrew Bartlett (This used to be commit e13c671619bd290a8b3cae8555cb281a9a185ee0)
2007-10-10r5941: Commit this patch much earlier than I would normally prefer, but ↵Andrew Bartlett2-11/+2
metze needs a working tree... The main volume of this patch was what I started working on today: - Cleans up memory handling around DCE/RPC pipes, to have a parent talloc context. - Uses sepereate inner loops for some of the DCE/RPC tests The other and more important part of this patch fixes issues surrounding the new credentials framwork: This makes the struct cli_credentials always a talloc() structure, rather than on the stack. Parts of the cli_credentials code already assumed this. There were other issues, particularly in the DCERPC over SMB handling, as well as little things that had to be tidied up before test_w2k3.sh would start to pass. Andrew Bartlett (This used to be commit 0453f9d05d2e336fba1f85dbf2718d01fa2bf778)
2007-10-10r5940: fix schannel against w2k, it skips the confounder in the signature ↵Stefan Metzmacher1-1/+2
(24 bytes) for singed packets but it accepts 32 bytes from the client. (w2k3 accept it the otherway arround too) metze (This used to be commit 08d4c3b9f8558ee40c73a22b3ec110b052f28110)
2007-10-10r5929: Use cli_credentials for the SMB functions as well.Jelmer Vernooij2-25/+12
Fix a couple of bugs in the new cli_credentials code (This used to be commit 4ad481cfe5cde514d2ef9646147239f3faaa6173)
2007-10-10r5928: Use cli_credentials in:Jelmer Vernooij1-59/+4
- gtk+ (returned by GtkHostBindingDialog as well now) - torture/ - librpc/ - lib/com/dcom/ (This used to be commit ccefd782335e01e8e6ecb2bcd28a4f999c53b1a6)
2007-10-10r5917: First step in using the new cli_credentials structure. This patchJelmer Vernooij1-1/+1
puts support for it into popt_common, adds a few utility functions (in lib/credentials.c) and the callback functions for the command-line (lib/cmdline/credentials.c). Comments are welcome :-) (This used to be commit 1d49b57c50fe8c2683ea23e9df41ce8ad774db98)
2007-10-10r5902: A rather large change...Andrew Bartlett9-25/+60
I wanted to add a simple 'workstation' argument to the DCERPC authenticated binding calls, but this patch kind of grew from there. With SCHANNEL, the 'workstation' name (the netbios name of the client) matters, as this is what ties the session between the NETLOGON ops and the SCHANNEL bind. This changes a lot of files, and these will again be changed when jelmer does the credentials work. I also correct some schannel IDL to distinguish between workstation names and account names. The distinction matters for domain trust accounts. Issues in handling this (issues with lifetime of talloc pointers) caused me to change the 'creds_CredentialsState' and 'struct dcerpc_binding' pointers to always be talloc()ed pointers. In the schannel DB, we now store both the domain and computername, and query on both. This should ensure we fault correctly when the domain is specified incorrectly in the SCHANNEL bind. In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out, where the comment claimed we re-used a connection, but in fact we made a new connection. This was achived by breaking apart some of the dcerpc_secondary_connection() logic. The addition of workstation handling was also propogated to NTLMSSP and GENSEC, for completeness. The RPC-SAMSYNC test has been cleaned up a little, using a loop over usernames/passwords rather than manually expanded tests. This will be expanded further (the code in #if 0 in this patch) to use a newly created user account for testing. In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO server, caused by the removal of [ref] and the assoicated pointer from the IDL. This has been re-added, until the underlying pidl issues are solved. (This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2007-10-10r5877: It is not an error to have a zero-length secret, after decryption.Andrew Bartlett1-3/+5
Andrew Bartlett (This used to be commit b484776cc4d48690d45c668f9253015eb0d6207d)
2007-10-10r5866: Add InitShutdown IDL and torture test.Jelmer Vernooij1-0/+2
Implement push side of NDR_LEN4|NDR_NOTERM strings (pull side was already present) (This used to be commit ea61ec1122841716ed5d90085ba79e7bf691bd6a)
2007-10-10r5737: add some error codesStefan Metzmacher1-0/+2
metze (This used to be commit f543eb4ede54ac361017878574b3f4b6ffc9f2d5)
2007-10-10r5668: Add tests to RPC-SAMLOGON to test for user@REALM style logins. TheseAndrew Bartlett1-0/+8
need a NULL domain (or a "" domain, except this breaks NTLMv2, and I need to look into it a bit more). Add support to the Samba4 server for these logins. This will need extension when we handle trusted domains as a DC, as it is a principal name, not just another format for the username. Andrew Bartlett (This used to be commit de02c7c222a32d2b3fb8ee8b715749b96cb647f9)
2007-10-10r5667: Move schannel state into libcli/auth (as it belongs with schannel,Andrew Bartlett3-0/+236
which will move in with the rest of GENSEC shortly). Add the RID as another element in the schannel state. Andrew Bartlett (This used to be commit 69114b4a8e1c937ab5ff12ca91dd22bd83fd9a3b)
2007-10-10r5646: state->loadfile might be NULL after allocation so this is reallyAlexander Bokovoy1-1/+1
should be NT_STATUS_HAVE_NO_MEMORY(state->loadfile) instead of NT_STATUS_NOT_OK_RETURN(status). (This used to be commit eb57a587889611bcf39d75d4e15b627f36899a53)
2007-10-10r5601: add a gsskrb5 backend that uses lorikeet-heimdal's new gssapi withStefan Metzmacher3-0/+598
GSS_C_DCE_STYLE support, it's just a start and does work correctly yet metze (This used to be commit 87ff661703f467db3dfcb33084041c3e2951e0ee)
2007-10-10r5551: Protect against falling off the end of the name resolve order listTim Potter1-1/+1
if a name is not found. (This used to be commit c23f767a9f5dd2dcae31bded540263b08876ecc2)
2007-10-10r5550: Initialise retry count - valgrind was freaking out because this valueTim Potter1-0/+1
was not set. (This used to be commit 328f37a3e8d10f97f361fb041be24f1ac88b6b0a)
2007-10-10r5451: - added separate wrepl_associate(), wrepl_pull_table() and ↵Andrew Tridgell2-0/+313
wrepl_pull_names() functions, with reasonable parameters, so callers don't need to deal directly with wins replication packet structures - converted the NBT-WINSREPLICATION torture test to use the new APIs (This used to be commit cec1672662b7e5b1bdf843e9dee317aa4b03f719)
2007-10-10r5437: Allow Samba4 to be compiled by tcc (www.tinycc.org). It still crashes ↵Jelmer Vernooij1-46/+46
when linking though. (This used to be commit 2e1e8db6dc877eb32b51cfc3d9c8f463d14530ec)
2007-10-10r5414: - added libcli/wins/, a basic client library for WINS replicationAndrew Tridgell3-0/+510
- added a new IDL type "udlongr", which is like udlong, but with the two uint32 halves reversed - modified the winsrepl.idl to cope with a wider range of packets (This used to be commit bc8d60c918f2e268d591aac464fc6a78c38a4cf9)
2007-10-10r5405: try to use NBT name pointers when a netbios name is repeated in a NBTAndrew Tridgell1-7/+25
packet. This allows much longer names to fit within the limits of NBT name packets (rfc1002.txt also says this should be done, although Samba3 never generates them). The main reason for doing this is it means that our NBT name pointer decoding code is tested with the smbtorture tests (This used to be commit 6e2feef125daceb143c44c0c4ab73b010b311792)
2007-10-10r5404: allow spaces in the string representation of nbt namesAndrew Tridgell1-3/+4
(This used to be commit dd3d4ded21e50130243de3b35927368875620d47)
2007-10-10r5398: fixed encoding of *SMBSERVER name (thanks to Karl Melcher for ↵Andrew Tridgell1-1/+1
spotting this) (This used to be commit 76c49851b921c137c59c45084c5dab95f1c16f58)
2007-10-10r5396: fixed parsing of NBT type 0xc0 compressed name pointersAndrew Tridgell1-1/+2
(This used to be commit 666cc65d10012fa2a413dfa619fbc4599f752728)
2007-10-10r5392: added "secure" WINS server processing. Send a WACK on nameAndrew Tridgell1-1/+2
registrations from anyone who isn't a current owner, then query the owner addresses to see if they still want it. (This used to be commit 8dc2a028d3ca0115d3173df435d926d7b6a4d5d5)
2007-10-10r5391: cope with w2k3 getting the timeout wrong in wack repliesAndrew Tridgell1-3/+3
(This used to be commit 75766603e325d515a718b1d1ab0f08160ea1f790)
2007-10-10r5382: another place where we need to uppercase the called name for port 139 ↵Andrew Tridgell1-2/+4
connects (This used to be commit b13cea5b2b55ce3d4109666cf51af6ffd879d15d)
2007-10-10r5371: on port 139 the called name needs to be in uppercaseAndrew Tridgell1-2/+2
(This used to be commit c5aef260c4581bfc0d32ec09fac3414156c40230)
2007-10-10r5358: - added initial WINS server code. It passes most of the NBT-WINS ↵Andrew Tridgell1-2/+2
test, but doesn't yet do secure server WACK responses - added a ldap_string_to_time() function, for converting a LDAP formatted time to a time_t (This used to be commit 9aa3313b3f93e47e3f93028e072f6a23b3c22385)
2007-10-10r5356: fixed the hex coding for nbt namesAndrew Tridgell1-1/+1
(This used to be commit e467715c63624e165b79b37bd21b381d7a99d0fe)
2007-10-10r5352: added a function nbt_name_string() that formats a nbt_name structureAndrew Tridgell2-3/+59
as a human readable string. The format is designed to be able to be used as the DN for the WINS database as well, while coping with arbitrary bytes in the name (except nul bytes) (This used to be commit aac3090e3504ba07124a9d480322a98efb97175e)
2007-10-10r5330: Remove #include <sys/time.h> from includes.h.Andrew Bartlett3-0/+3
Add #include "system/time.h" back (it was removed in some of these places because the definitions were provided by <sys/time.h> on tridge's platform.) Andrew Bartlett (This used to be commit 34b1da730304bed7fee5bae7cbde7fbccecb6af5)
2007-10-10r5328: - allow case sensitive nbt name lookupsAndrew Tridgell2-6/+11
- added --case-sensitive option to nmblookup - added case sensitivity tests to the NBT-WINS test (This used to be commit 80a95d5688e055b36727e5c043cb36322d719763)
2007-10-10r5326: removed the charset conversion from the nbtname code, so we no longerAndrew Tridgell1-33/+4
convert from/to DOS strings in NBT names. This will allow us to support all foreign names as a WINS server, as long as they don't contain a 0 byte. (This used to be commit 8e5d3a74d341de086d850d823cf8a1bfc9387fe8)
2007-10-10r5325: - expanded the NBT-WINS test to include scopesAndrew Tridgell1-3/+6
- fixed the bugs that the new test found (This used to be commit 6d775f12168d51ce92a3f7e17f4bf06357d41a06)
2007-10-10r5322: removed a whole bunch of #include lines that minimal_includes.plAndrew Tridgell16-17/+0
thinks are not needed. Now to see how this fares on the build farm :) (This used to be commit 80ffcc650c9c86141507edd8338b97814a85f868)
2007-10-10r5309: removed ads.h from includes.hAndrew Tridgell1-1/+2
(This used to be commit 196c45b834c39f293b9533cec5cfe5a77382d4e2)
2007-10-10r5308: trimmed back a lot of the old macros from smb_macros.hAndrew Tridgell1-2/+2
(This used to be commit bf43c9bdcf9e654d123f6a2b29feb9189ca9e561)
2007-10-10r5305: removed libcli/ldap/ldap.h from includes.hAndrew Tridgell5-0/+63
(This used to be commit 0df3fdd8178085c40f9cd776cc3e1486ca559c8e)
2007-10-10r5304: removed lib/socket/socket.h from includes.hAndrew Tridgell3-0/+3
(This used to be commit b902ea546d2d1327b23f40ddaeeaa8e7e3662454)
2007-10-10r5300: more uint32 and system/filesys.h build fixes when developer mode is ↵Andrew Tridgell4-4/+6
enabled (This used to be commit 93931b1a741a3722c311ada80c4c9d3d670f91b2)
2007-10-10r5298: - got rid of pstring.h from includes.h. This at least makes it a bitAndrew Tridgell11-5/+14
less likely that anyone will use pstring for new code - got rid of winbind_client.h from includes.h. This one triggered a huge change, as winbind_client.h was including system/filesys.h and defining the old uint32 and uint16 types, as well as its own pstring and fstring. (This used to be commit 9db6c79e902ec538108d6b7d3324039aabe1704f)
2007-10-10r5294: - added a separate NBT-WINS test for WINS operations (register, ↵Andrew Tridgell5-8/+163
refresh, release and query) - change the iface_n_*() functions to return a "const char *" instead of a "struct ipv4_addr" I think that in general we should move towards "const char *" for all IP addresses, as this makes IPv6 much easier, and is also easier to debug. Andrew, when you get a chance, could you fix some of the auth code to use strings for IPs ? - return a NTSTATUS error on bad name queries and node status instead of using rcode. This makes the calling code simpler. - added low level name release code in libcli/nbt/ - use a real IP in the register and wins nbt torture tests, as w2k3 WINS server silently rejects some operations that don't come from the IP being used (eg. it says "yes" to a release, but does not in fact release the name) (This used to be commit bb1ab11d8e0ea0bd9ae34aebeb565d36fe4b495f)