summaryrefslogtreecommitdiff
path: root/source4/libcli
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r6460: Push the client credentials into NTLMSSP, allowing logins of the formAndrew Bartlett1-1/+1
user@REALM for the first time. Fix the build for smbencrypt.c Andrew Bartlett (This used to be commit 5a6a57cd93e22e612bfbb8a8f7bc29269a9a3ac6)
2007-10-10r6352: Two new composite calls:Alexander Bokovoy5-4/+628
- qfsinfo (query file system information) - appendacl (append an ACL to existing file's security descriptor and get new full ACL) The second one also includes an improvement to security descriptor handling which allows to copy security descriptor. Written by Peter Novodvorsky <peter.novodvorsky@ru.ibm.com> Both functions have corresponding torture tests added. Tested under valgrind and work against Samba 4 and Windows XP. ToDo: document composite call creation process in prog_guide.txt (This used to be commit 441cff62ac75ed16851ce7b8daf9d03eb4c3ec79)
2007-10-10r6342: fixed a bad union assumption that caused ACLs to fail on 64 bit machinesAndrew Tridgell2-2/+2
Thanks to lars and agruen for finding this (This used to be commit 2acc06918574b1178eecf3d61026f84f85bb40e1)
2007-10-10r6338: ADS style GETDC response now works well enough that WinXP can joinAndrew Tridgell1-2/+10
Samba4 without Samba3 nmbd (This used to be commit f4d07d7d3b6973b503d8c98f177471dd6cebfa92)
2007-10-10r6335: at debug level 10, save netlogon and ntlogon packets that fail to parseAndrew Tridgell2-6/+6
(This used to be commit c29279355c679e821665d028f207ee9ed6f857ef)
2007-10-10r6333: removed an extraneous line (pointed out by metze)Andrew Tridgell1-1/+0
(This used to be commit 61d65d100d38529966f3f1803f66ed47540dc852)
2007-10-10r6331: added IDL and test suite for the ADS style response to a datagram ↵Andrew Tridgell1-78/+128
netlogon query. Note that this response is almost identical to the CLDAP netlogon response, so adding that will now be quite easy. (This used to be commit 1ea4ed4ad1d9336f8288283688fa2d7bebfa533c)
2007-10-10r6323: added server side support for dgram NTLOGON requests. NT4 ↵Andrew Tridgell4-9/+28
workstations can now login to a Samba4 domain. (This used to be commit df146d64ebce6b462c08a1f30919390fcf8196cb)
2007-10-10r6321: added IDL and test suite for NBT dgram 'sam logon' request (sent byAndrew Tridgell3-1/+134
clients when a user tries to login) (This used to be commit 08ded62156b387457bc56b5910e1ddc813b375bd)
2007-10-10r6320: some minor netlogon datagram fixes - NT4 can now join a Samba4 domain ↵Andrew Tridgell2-3/+8
without Samba3 nmbd (This used to be commit 4507bdc339505e91118d403948946f4a98a4f562)
2007-10-10r6288: the nbt dgram server now responds to GETDC requests. It works with ourAndrew Tridgell3-2/+44
test suite, but doesn't yet seem to satisfy a nt4 client. I'm investigating. (This used to be commit 406217262dff5adb5d0cb0028198e08f66cc85f4)
2007-10-10r6287: sorted out a small but surprisingly tricky dependency problem with theAndrew Tridgell2-32/+8
ndr code for handling sids and security descriptors now that we have a sid in the nbt IDL (This used to be commit f8e77fcdeac704aed5e501aa9108f3ed0ab26ca4)
2007-10-10r6248: added parsing of type 10 UAS announce netlogon packetsAndrew Tridgell1-0/+7
(This used to be commit d7e6e395cedef47dc182094c91f764e248b9b149)
2007-10-10r6247: added the server side code for receiving mailslot requests, andAndrew Tridgell2-2/+2
parsing incoming netlogon requests. No replies are sent yet. (This used to be commit 3b34df6a674cd2aeddc354cdadae3f0e1c000d45)
2007-10-10r6245: receive and parse the GETDC response in the NBT-DGRAM test. The testAndrew Tridgell3-2/+22
now tries to bind to port 138 if possible, so if you run it as root and smbd/nmbd is not running then it works against windows servers (This used to be commit 52ccdb79bc922be52c24dd393323dbbee83a2aea)
2007-10-10r6223: added a bit more datagram infrastructure and the beginnings of a testAndrew Tridgell4-6/+132
suite. The NBT-DGRAM test does a UDP/138 netlogon request, to which a windows server sends a reply, but the windows server sends the reply to the wrong port (it always sends to 138), so the test suite doesn't see it. (This used to be commit a7634625dbc944dd8256a822be290010f341a571)
2007-10-10r6209: started added code to support mailslot requests over UDP/138Andrew Tridgell4-7/+305
datagrams. This adds the IDL to parse mailslot packets, plus mailslot dispatch and listener registration code. mailslots are used for UDP/138 browse and netlogon packets (This used to be commit f20e7e5200de736b3451d748ed716be638f93502)
2007-10-10r6185: added LIBCLI_DGRAM to the list of libs to be built as part of LIBCLIAndrew Tridgell1-1/+7
(This used to be commit 47e1452da08d06b0b9f15545b3b2b0631f15bac2)
2007-10-10r6184: the beginnings of the libcli/dgram/ library, and the dgramAndrew Tridgell2-0/+194
server. Currently just listens on port 138 and parses the packets (using IDL like the rest of NBT). This allows me to develop the structures and test with real packets (This used to be commit 10d64a525349ff96695ad961a3cfeb5bc7c8844f)
2007-10-10r6113: Move GENSEC and the kerberos code out of libcli/auth, and intoAndrew Bartlett24-9464/+0
auth/gensec and auth/kerberos. This also pulls the kerberos configure code out of libads (which is otherwise dead), and into auth/kerberos/kerberos.m4 Andrew Bartlett (This used to be commit e074d63f3dcf4f84239a10879112ebaf1cfa6c4f)
2007-10-10r6094: Work on the Kerberos code recently merged from Samba 3.0. This fixesAndrew Bartlett3-31/+53
up issues I introduced during the merge, that caused a segfault. I've still not got the keytab code to work for me (using Samba3 to generate the keytab) so this is still not fully tested, but it's better than it was. To add debugging, I now use the krb5_get_error_message() function from Heimdal when present, to return the custom error string, which contains far, far more information than the simple error code does. (This last point may well be worth merging back into 3.0) Andrew Bartlett (This used to be commit ed5755d9d1e48df7ae77a9410d30e10cb8b0cbd7)
2007-10-10r6078: Correctly fix the failures for NT1 (not SPNEGO) session setups in theAndrew Bartlett1-4/+0
client. The issue was actually a cut-and-paste bug, I was filling in the .old not the .nt1 part of the union. I've also removed the 'error checks' - I'll shortly document the API for the credentials code to clarify that it will always return a pointer here, except in cases of programmer error. Tridge: I hope this is OK. Andrew Bartlett (This used to be commit 6439de9ec8c8d24197ea69dc337473e54c8b36b8)
2007-10-10r6074: fixed non-spnego connections for new credentials codeAndrew Tridgell1-1/+5
(This used to be commit ff6663aac8ed475bf65d9c06d7f2447a9827898c)
2007-10-10r6030: Missing from previous commit, a small header file to linkAndrew Bartlett1-0/+35
libcli/auth/schannel.c and libcli/auth/schannel_sign.c Andrew Bartlett (This used to be commit 1e0e66d7202d3f0e7fb3c90f2ca608fa08a713a6)
2007-10-10r6028: A MAJOR update to intergrate the new credentails system fully withAndrew Bartlett22-410/+431
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'. GENSEC now no longer has it's own handling of 'set username' etc, instead it uses cli_credentials calls. In order to link the credentails code right though Samba, a lot of interfaces have changed to remove 'username, domain, password' arguments, and these have been replaced with a single 'struct cli_credentials'. In the session setup code, a new parameter 'workgroup' contains the client/server current workgroup, which seems unrelated to the authentication exchange (it was being filled in from the auth info). This allows in particular kerberos to only call back for passwords when it actually needs to perform the kinit. The kerberos code has been modified not to use the SPNEGO provided 'principal name' (in the mechListMIC), but to instead use the name the host was connected to as. This better matches Microsoft behaviour, is more secure and allows better use of standard kerberos functions. To achieve this, I made changes to our socket code so that the hostname (before name resolution) is now recorded on the socket. In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now in libcli/auth/schannel.c, and it looks much more like a standard GENSEC module. The actual sign/seal code moved to libcli/auth/schannel_sign.c in a previous commit. The schannel credentails structure is now merged with the rest of the credentails, as many of the values (username, workstation, domain) where already present there. This makes handling this in a generic manner much easier, as there is no longer a custom entry-point. The auth_domain module continues to be developed, but is now just as functional as auth_winbind. The changes here are consequential to the schannel changes. The only removed function at this point is the RPC-LOGIN test (simulating the load of a WinXP login), which needs much more work to clean it up (it contains copies of too much code from all over the torture suite, and I havn't been able to penetrate its 'structure'). Andrew Bartlett (This used to be commit 2301a4b38a21aa60917973451687063d83d18d66)
2007-10-10r6027: Add copyright, and add a useful debug message.Andrew Bartlett1-2/+3
Andrew Bartlett (This used to be commit b5260cf0d4c4f2e81a310d1c94160c9fbaaa331f)
2007-10-10r6026: Update the kerberos keytab code to match Samba3 again.Andrew Bartlett1-80/+122
(untested at this point). Andrew Bartlett (This used to be commit ef7f9a01b4f3fa41fd7981b260fa2fadc7ce10ad)
2007-10-10r6025: Remove unused variables. This code will be modified again for the newAndrew Bartlett1-6/+2
cli_credentials code shortly. Andrew Bartlett (This used to be commit 13d09c8e9a50ae265059e4a0d92a07c651018a6c)
2007-10-10r5992: Rename schannel.c -> schannel_sign.c. The rest of the schannel codeAndrew Bartlett2-1/+1
(from librpc) will be moved into schannel.c soon. Andrew Bartlett (This used to be commit d6c80ff74b0550641c253316b37f1050c207791c)
2007-10-10r5988: Fix the -P option (use machine account credentials) to use the Samba4Andrew Bartlett1-2/+2
secrets system, and not the old system from Samba3. This allowed the code from auth_domain to be shared - we now only lookup the secrets.ldb in lib/credentials.c. In order to link the resultant binary, samdb_search() has been moved from deep inside rpc_server into lib/gendb.c, along with the existing gendb_search_v(). The vast majority of this patch is the simple rename that followed, (Depending on the whole SAMDB for just this function seemed pointless, and brought in futher dependencies, such as smbencrypt.c). Andrew Bartlett (This used to be commit e13c671619bd290a8b3cae8555cb281a9a185ee0)
2007-10-10r5941: Commit this patch much earlier than I would normally prefer, but ↵Andrew Bartlett2-11/+2
metze needs a working tree... The main volume of this patch was what I started working on today: - Cleans up memory handling around DCE/RPC pipes, to have a parent talloc context. - Uses sepereate inner loops for some of the DCE/RPC tests The other and more important part of this patch fixes issues surrounding the new credentials framwork: This makes the struct cli_credentials always a talloc() structure, rather than on the stack. Parts of the cli_credentials code already assumed this. There were other issues, particularly in the DCERPC over SMB handling, as well as little things that had to be tidied up before test_w2k3.sh would start to pass. Andrew Bartlett (This used to be commit 0453f9d05d2e336fba1f85dbf2718d01fa2bf778)
2007-10-10r5940: fix schannel against w2k, it skips the confounder in the signature ↵Stefan Metzmacher1-1/+2
(24 bytes) for singed packets but it accepts 32 bytes from the client. (w2k3 accept it the otherway arround too) metze (This used to be commit 08d4c3b9f8558ee40c73a22b3ec110b052f28110)
2007-10-10r5929: Use cli_credentials for the SMB functions as well.Jelmer Vernooij2-25/+12
Fix a couple of bugs in the new cli_credentials code (This used to be commit 4ad481cfe5cde514d2ef9646147239f3faaa6173)
2007-10-10r5928: Use cli_credentials in:Jelmer Vernooij1-59/+4
- gtk+ (returned by GtkHostBindingDialog as well now) - torture/ - librpc/ - lib/com/dcom/ (This used to be commit ccefd782335e01e8e6ecb2bcd28a4f999c53b1a6)
2007-10-10r5917: First step in using the new cli_credentials structure. This patchJelmer Vernooij1-1/+1
puts support for it into popt_common, adds a few utility functions (in lib/credentials.c) and the callback functions for the command-line (lib/cmdline/credentials.c). Comments are welcome :-) (This used to be commit 1d49b57c50fe8c2683ea23e9df41ce8ad774db98)
2007-10-10r5902: A rather large change...Andrew Bartlett9-25/+60
I wanted to add a simple 'workstation' argument to the DCERPC authenticated binding calls, but this patch kind of grew from there. With SCHANNEL, the 'workstation' name (the netbios name of the client) matters, as this is what ties the session between the NETLOGON ops and the SCHANNEL bind. This changes a lot of files, and these will again be changed when jelmer does the credentials work. I also correct some schannel IDL to distinguish between workstation names and account names. The distinction matters for domain trust accounts. Issues in handling this (issues with lifetime of talloc pointers) caused me to change the 'creds_CredentialsState' and 'struct dcerpc_binding' pointers to always be talloc()ed pointers. In the schannel DB, we now store both the domain and computername, and query on both. This should ensure we fault correctly when the domain is specified incorrectly in the SCHANNEL bind. In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out, where the comment claimed we re-used a connection, but in fact we made a new connection. This was achived by breaking apart some of the dcerpc_secondary_connection() logic. The addition of workstation handling was also propogated to NTLMSSP and GENSEC, for completeness. The RPC-SAMSYNC test has been cleaned up a little, using a loop over usernames/passwords rather than manually expanded tests. This will be expanded further (the code in #if 0 in this patch) to use a newly created user account for testing. In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO server, caused by the removal of [ref] and the assoicated pointer from the IDL. This has been re-added, until the underlying pidl issues are solved. (This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2007-10-10r5877: It is not an error to have a zero-length secret, after decryption.Andrew Bartlett1-3/+5
Andrew Bartlett (This used to be commit b484776cc4d48690d45c668f9253015eb0d6207d)
2007-10-10r5866: Add InitShutdown IDL and torture test.Jelmer Vernooij1-0/+2
Implement push side of NDR_LEN4|NDR_NOTERM strings (pull side was already present) (This used to be commit ea61ec1122841716ed5d90085ba79e7bf691bd6a)
2007-10-10r5737: add some error codesStefan Metzmacher1-0/+2
metze (This used to be commit f543eb4ede54ac361017878574b3f4b6ffc9f2d5)
2007-10-10r5668: Add tests to RPC-SAMLOGON to test for user@REALM style logins. TheseAndrew Bartlett1-0/+8
need a NULL domain (or a "" domain, except this breaks NTLMv2, and I need to look into it a bit more). Add support to the Samba4 server for these logins. This will need extension when we handle trusted domains as a DC, as it is a principal name, not just another format for the username. Andrew Bartlett (This used to be commit de02c7c222a32d2b3fb8ee8b715749b96cb647f9)
2007-10-10r5667: Move schannel state into libcli/auth (as it belongs with schannel,Andrew Bartlett3-0/+236
which will move in with the rest of GENSEC shortly). Add the RID as another element in the schannel state. Andrew Bartlett (This used to be commit 69114b4a8e1c937ab5ff12ca91dd22bd83fd9a3b)
2007-10-10r5646: state->loadfile might be NULL after allocation so this is reallyAlexander Bokovoy1-1/+1
should be NT_STATUS_HAVE_NO_MEMORY(state->loadfile) instead of NT_STATUS_NOT_OK_RETURN(status). (This used to be commit eb57a587889611bcf39d75d4e15b627f36899a53)
2007-10-10r5601: add a gsskrb5 backend that uses lorikeet-heimdal's new gssapi withStefan Metzmacher3-0/+598
GSS_C_DCE_STYLE support, it's just a start and does work correctly yet metze (This used to be commit 87ff661703f467db3dfcb33084041c3e2951e0ee)
2007-10-10r5551: Protect against falling off the end of the name resolve order listTim Potter1-1/+1
if a name is not found. (This used to be commit c23f767a9f5dd2dcae31bded540263b08876ecc2)
2007-10-10r5550: Initialise retry count - valgrind was freaking out because this valueTim Potter1-0/+1
was not set. (This used to be commit 328f37a3e8d10f97f361fb041be24f1ac88b6b0a)
2007-10-10r5451: - added separate wrepl_associate(), wrepl_pull_table() and ↵Andrew Tridgell2-0/+313
wrepl_pull_names() functions, with reasonable parameters, so callers don't need to deal directly with wins replication packet structures - converted the NBT-WINSREPLICATION torture test to use the new APIs (This used to be commit cec1672662b7e5b1bdf843e9dee317aa4b03f719)
2007-10-10r5437: Allow Samba4 to be compiled by tcc (www.tinycc.org). It still crashes ↵Jelmer Vernooij1-46/+46
when linking though. (This used to be commit 2e1e8db6dc877eb32b51cfc3d9c8f463d14530ec)
2007-10-10r5414: - added libcli/wins/, a basic client library for WINS replicationAndrew Tridgell3-0/+510
- added a new IDL type "udlongr", which is like udlong, but with the two uint32 halves reversed - modified the winsrepl.idl to cope with a wider range of packets (This used to be commit bc8d60c918f2e268d591aac464fc6a78c38a4cf9)
2007-10-10r5405: try to use NBT name pointers when a netbios name is repeated in a NBTAndrew Tridgell1-7/+25
packet. This allows much longer names to fit within the limits of NBT name packets (rfc1002.txt also says this should be done, although Samba3 never generates them). The main reason for doing this is it means that our NBT name pointer decoding code is tested with the smbtorture tests (This used to be commit 6e2feef125daceb143c44c0c4ab73b010b311792)
2007-10-10r5404: allow spaces in the string representation of nbt namesAndrew Tridgell1-3/+4
(This used to be commit dd3d4ded21e50130243de3b35927368875620d47)