summaryrefslogtreecommitdiff
path: root/source4/librpc/rpc/dcerpc_schannel.c
AgeCommit message (Collapse)AuthorFilesLines
2013-08-05s4:librpc: fix netlogon connections against servers without AES supportStefan Metzmacher1-2/+6
LogonGetCapabilities() only works on the credential chain if the server supports AES, so we need to work on a temporary copy until we know the server replied a valid return authenticator. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2013-08-05libcli/auth: also set secure channel type in netlogon_creds_client_init().Günther Deschner1-0/+1
Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2012-07-17s4-librpc: Add capabilities check for AES encrypted connections.Andreas Schneider1-1/+110
Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17s4:librpc/rpc: add DCERPC_SCHANNEL_AES supportStefan Metzmacher1-2/+15
metze Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17s4:librpc/rpc/dcerpc_schannel: just append NETLOGON_NEG_RODC_PASSTHROUGH as rodcStefan Metzmacher1-4/+5
The RODC stuff doesn't depend on the schannel algorithm. metze Signed-off-by: Günther Deschner <gd@samba.org>
2012-07-17s4:librpc/rpc/dcerpc_schannel: rework downgrade logicStefan Metzmacher1-5/+38
metze Signed-off-by: Günther Deschner <gd@samba.org>
2011-12-22s4-librpc: Fix netlogon schannel client connect.Andreas Schneider1-0/+2
As a client we request as much flags as possible. The server checks which flags it supports and returns the same negotiation flags or less. So we need to store the negotiate flags from the server. We need them later if we have to call netr_LogonGetCapabilities.
2011-12-14s4-librpc: Fix NETLOGON credential chain with Windows 2008.Andreas Schneider1-9/+40
Windows Server 2008 returns NT_STATUS_DOWNGRADE_DETECTED if you call netrServerAuthenticate2 during a domain join without setting the strong keys flag (128bit crypto). Only for NT4 we need to do a downgrade to the returned negotiate flags. See also 0970369ca0cb9ae465cff40e5c75739824daf1d0.
2010-10-01s4-rpc: added target_principal binding handle optionAndrew Tridgell1-1/+1
this allows you to specify a target SPN for a connection Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-15s4-auth: set the RODC bit for RODC schannelAndrew Tridgell1-1/+4
When we are using SEC_CHAN_RODC we need to set the NETLOGON_NEG_RODC_PASSTHROUGH bit in the negotiated flags in ServerAuthenticate2 Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-15s4-schannel: fixed reference to context after freeAndrew Tridgell1-2/+3
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-07-16s4-loadparm: 2nd half of lp_ to lpcfg_ conversionAndrew Tridgell1-1/+1
this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-03-12s4:librpc/rpc/dcerpc_schannel.c: make use of use tevent_req based ↵Stefan Metzmacher1-16/+22
dcerpc_binding_handle stubs metze
2010-03-05s4-rpc: don't use s->credentials after it is freedAndrew Tridgell1-2/+1
2010-03-01s4:librpc/rpc: make use of explicit dcerpc_*_recv functionsStefan Metzmacher1-2/+2
metze
2009-04-14Rework Samba4 to use the new common libcli/auth codeAndrew Bartlett1-8/+10
In particular, this is the rename from creds_ to netlogon_creds_, as well as other links to use the new common crypto. Andrew Bartlett
2008-11-02Add gensec_settings structure. This wraps loadparm_context for now, butJelmer Vernooij1-1/+2
should in the future only contain some settings required for gensec.
2008-10-29s4-netlogon: merge netr_ServerReqChallenge from s3 idl.Günther Deschner1-1/+1
Guenther
2008-10-29s4-netlogon: merge netr_ServerAuthenticate{2,3} from s3 idl.Günther Deschner1-2/+2
Guenther
2008-04-02Install public header files again and include required prototypes.Jelmer Vernooij1-1/+2
(This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2007-12-21r26329: Fix more loadparm_context references. Only about a 100 left now.Jelmer Vernooij1-3/+5
(This used to be commit ddf233346d848e91bc6a6a572f0f6120540503b7)
2007-12-21r26327: Explicit loadparm_context for RPC client functions.Jelmer Vernooij1-1/+6
(This used to be commit eeb2251d22b3d6e0379444a73af69d1014692b07)
2007-10-10r24560: rename some DCERPC_ prefixes into NDR_Stefan Metzmacher1-1/+1
metze (This used to be commit f874eca5dab74e930d0ec52abeb06295d2d90476)
2007-10-10r24557: rename 'dcerpc_table_' -> 'ndr_table_'Stefan Metzmacher1-2/+2
metze (This used to be commit 84651aee81aaabbebf52ffc3fbcbabb2eec6eed5)
2007-10-10r24551: rename dcerpc_interface_table -> ndr_interface_tableStefan Metzmacher1-3/+3
rename dcerpc_interface_list -> ndr_interface_list and move them to libndr.h metze (This used to be commit 4adbebef5df2f833d2d4bfcdda72a34179d52f5c)
2007-10-10r23792: convert Samba4 to GPLv3Andrew Tridgell1-3/+2
There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-10-10r22944: fix bug #4618:Stefan Metzmacher1-2/+2
rename private -> private_data metze (This used to be commit 58551f2f28fce8f1fcd04736c47ecd7458f32ea2)
2007-10-10r19598: Ahead of a merge to current lorikeet-heimdal:Andrew Bartlett1-1/+1
Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
2007-10-10r17326: make better usage of the composite apiStefan Metzmacher1-9/+3
metze (This used to be commit 097c9f09f3b9b45f7b0386dfb02173c1515ed45c)
2007-10-10r17320: - print the debug message before the composite context get received ↵Stefan Metzmacher1-7/+6
by the caller - steal pipe2 to the state structure so we don't need to take about freeing is later metze (This used to be commit 4ba50fc29ec1949bb1b035ae3f2dc5f877ce581f)
2007-10-10r14464: Don't include ndr_BASENAME.h files unless strictly required, insteadJelmer Vernooij1-0/+1
try to include just the BASENAME.h files (containing only structs) (This used to be commit 3dd477ca5147f28a962b8437e2611a8222d706bd)
2007-10-10r14402: Generate seperate headers for RPC client functions.Jelmer Vernooij1-0/+1
(This used to be commit 7054ebf0249930843a2baf4d023ae8f62cedb109)
2007-10-10r14380: Reduce the size of structs.hJelmer Vernooij1-1/+1
(This used to be commit 1a16a6f1dfa66499af43a6b88b3ea69a6a75f1fe)
2007-10-10r14175: More comments and my copyright.Rafal Szczesniak1-11/+74
rafal (This used to be commit 384d97e0b2e3c5980e2023cd511d7f84e64d6ffb)
2007-10-10r14137: move **p2 to the _recv function for setup the second pipeStefan Metzmacher1-2/+2
metze (This used to be commit 8b8d92beedd8848aa2c7f1443fa8e66e09c2e0bf)
2007-10-10r14123: Huge lump of code making all of our dcerpc connect codeRafal Szczesniak1-101/+284
asynchronous. Build is ok, and so are the tests. More comments to follow. rafal (This used to be commit a74fb6c5a2f968c56aff8ce39ce2ce9375d19b81)
2007-10-10r13924: Split more prototypes out of include/proto.h + initial work on headerJelmer Vernooij1-0/+1
file dependencies (This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781)
2007-10-10r12865: Upgrade the librpc and libnet code.Andrew Bartlett1-8/+9
In librpc, always try SMB level authentication, even if trying schannel, but allow fallback to anonymous. This should better function with servers that set restrict anonymous. There are too many parts of Samba that get, parse and modify the binding parameters. Avoid the extra work, and add a binding element to the struct dcerpc_pipe The libnet vampire code has been refactored, to reduce extra layers and to better conform with the standard argument pattern. Also, take advantage of the new libnet_Lookup code, so we don't require the silly 'password server' smb.conf parameter. To better support forcing traffic to be sealed for the vampire operation, the dcerpc_bind_auth() function now takes an auth level parameter. Andrew Bartlett (This used to be commit d65b354959842326fdd4bd7eb7fbeea0390f4afa)
2007-10-10r12608: Remove some unused #include lines.Jelmer Vernooij1-1/+0
(This used to be commit 70e7449318aa0e9d2639c76730a7d1683b2f4981)
2007-10-10r12510: Change the DCE/RPC interfaces to take a pointer to aJelmer Vernooij1-6/+4
dcerpc_interface_table struct rather then a tuple of interface name, UUID and version. This removes the requirement for having a global list of DCE/RPC interfaces, except for these parts of the code that use that list explicitly (ndrdump and the scanner torture test). This should also allow us to remove the hack that put the authservice parameter in the dcerpc_binding struct as it can now be read directly from dcerpc_interface_table. I will now modify some of these functions to take a dcerpc_syntax_id structure rather then a full dcerpc_interface_table. (This used to be commit 8aae0f168e54c01d0866ad6e0da141dbd828574f)
2007-10-10r11809: Make dcerpc_bind_auth async.Volker Lendecke1-3/+3
This also removes dcerpc_bind_auth_password, the only user of dcerpc_bind_auth. And this was not only passwords anyway. Andrew Bartlett, as usual: Please take a close look. Thanks, Volker (This used to be commit 2ff2dae3d035af6cb0c131573cfd983fc9a58eee)
2007-10-10r10402: Make the RPC-SAMLOGON test pass against Win2k3 SP0 again.Andrew Bartlett1-2/+2
I still have issues with Win2k3 SP1, and Samba4 doesn't pass it's own test for the moment, but I'm working on these issues :-) This required a change to the credentials API, so that the special case for NTLM logins using a principal was indeed handled as a special, not general case. Also don't set the realm from a ccache, as then it overrides --option=realm=. Andrew Bartlett (This used to be commit 194e8f07c0cb4685797c5a7a074577c62dfdebe3)
2007-10-10r9728: A *major* update to the credentials system, to incorporate theAndrew Bartlett1-2/+2
Kerberos CCACHE into the system. This again allows the use of the system ccache when no username is specified, and brings more code in common between gensec_krb5 and gensec_gssapi. It also has a side-effect that may (or may not) be expected: If there is a ccache, even if it is not used (perhaps the remote server didn't want kerberos), it will change the default username. Andrew Bartlett (This used to be commit 6202267f6ec1446d6bd11d1d37d05a977bc8d315)
2007-10-10r7690: Move the NT hash generation into the credentials system, rather thanAndrew Bartlett1-3/+4
in all the callers. This also allows us to be more flexible in the type of password we store. Andrew Bartlett (This used to be commit 00b8588c68526e1d86fda0bd81c0b86f690b62c3)
2007-10-10r7633: this patch started as an attempt to make the dcerpc code use a givenAndrew Tridgell1-1/+3
event_context for the socket_connect() call, so that when things that use dcerpc are running alongside anything else it doesn't block the whole process during a connect. Then of course I needed to change any code that created a dcerpc connection (such as the auth code) to also take an event context, and anything that called that and so on .... thus the size of the patch. There were 3 places where I punted: - abartlet wanted me to add a gensec_set_event_context() call instead of adding it to the gensec init calls. Andrew, my apologies for not doing this. I didn't do it as adding a new parameter allowed me to catch all the callers with the compiler. Now that its done, we could go back and use gensec_set_event_context() - the ejs code calls auth initialisation, which means it should pass in the event context from the web server. I punted on that. Needs fixing. - I used a NULL event context in dcom_get_pipe(). This is equivalent to what we did already, but should be fixed to use a callers event context. Jelmer, can you think of a clean way to do that? I also cleaned up a couple of things: - libnet_context_destroy() makes no sense. I removed it. - removed some unused vars in various places (This used to be commit 3a3025485bdb8f600ab528c0b4b4eef0c65e3fc9)
2007-10-10r6565: Cludge, cludge, cludge...Andrew Bartlett1-14/+4
We need to pass the 'secure channel type' to the NETLOGON layer, which must match the account type. (Yes, jelmer objects to this inclusion of the kitchen sink ;-) Andrew Bartlett (This used to be commit 8ee208a926d2b15fdc42753b1f9ee586564c6248)
2007-10-10r6229: Back out these changes ...Richard Sharpe1-15/+1
(This used to be commit 321fbae51267153102e47845736f2c3a5abfe0be)
2007-10-10r6219: This change allows us to fall back to authenticating withoutRichard Sharpe1-1/+15
DCERPC_SCHANNEL_128 if we fail. Thus, it allows us to work with Windows NT DCs ... (This used to be commit 3034b226705c4736d57c9bf4e9470c4d44c72e8e)
2007-10-10r6028: A MAJOR update to intergrate the new credentails system fully withAndrew Bartlett1-396/+17
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'. GENSEC now no longer has it's own handling of 'set username' etc, instead it uses cli_credentials calls. In order to link the credentails code right though Samba, a lot of interfaces have changed to remove 'username, domain, password' arguments, and these have been replaced with a single 'struct cli_credentials'. In the session setup code, a new parameter 'workgroup' contains the client/server current workgroup, which seems unrelated to the authentication exchange (it was being filled in from the auth info). This allows in particular kerberos to only call back for passwords when it actually needs to perform the kinit. The kerberos code has been modified not to use the SPNEGO provided 'principal name' (in the mechListMIC), but to instead use the name the host was connected to as. This better matches Microsoft behaviour, is more secure and allows better use of standard kerberos functions. To achieve this, I made changes to our socket code so that the hostname (before name resolution) is now recorded on the socket. In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now in libcli/auth/schannel.c, and it looks much more like a standard GENSEC module. The actual sign/seal code moved to libcli/auth/schannel_sign.c in a previous commit. The schannel credentails structure is now merged with the rest of the credentails, as many of the values (username, workstation, domain) where already present there. This makes handling this in a generic manner much easier, as there is no longer a custom entry-point. The auth_domain module continues to be developed, but is now just as functional as auth_winbind. The changes here are consequential to the schannel changes. The only removed function at this point is the RPC-LOGIN test (simulating the load of a WinXP login), which needs much more work to clean it up (it contains copies of too much code from all over the torture suite, and I havn't been able to penetrate its 'structure'). Andrew Bartlett (This used to be commit 2301a4b38a21aa60917973451687063d83d18d66)
2007-10-10r5941: Commit this patch much earlier than I would normally prefer, but ↵Andrew Bartlett1-18/+13
metze needs a working tree... The main volume of this patch was what I started working on today: - Cleans up memory handling around DCE/RPC pipes, to have a parent talloc context. - Uses sepereate inner loops for some of the DCE/RPC tests The other and more important part of this patch fixes issues surrounding the new credentials framwork: This makes the struct cli_credentials always a talloc() structure, rather than on the stack. Parts of the cli_credentials code already assumed this. There were other issues, particularly in the DCERPC over SMB handling, as well as little things that had to be tidied up before test_w2k3.sh would start to pass. Andrew Bartlett (This used to be commit 0453f9d05d2e336fba1f85dbf2718d01fa2bf778)