Age | Commit message (Collapse) | Author | Files | Lines |
|
(This used to be commit c910a3f9c8c657b290bc03a47a6b4cba20f02a55)
|
|
around the mess that is composite functions...
Async might be all the rage, but it's bloody painful to debug.
Andrew Bartlett
(This used to be commit 756e1dad7ce54b83f8170db3434bfcfc4afe7e65)
|
|
handle the NTLMSSP and wrong password fallbacks.
Andrew Bartlett
(This used to be commit dbf51ea985e0b300631e2070e91d4d901c784c44)
|
|
libraries.
This support requires that the bind_ack and alter_ack recv functions
also be send the DCE/RPC fault. This would be best done by having the
ack run as a normal RPC reply callback, but this isn't easily possible
for now.
Andrew Bartlett
(This used to be commit be6dde22fe728d64d47875699d3421c6d8d872a4)
|
|
this isn't supported, fallback to NTLM.
Also, where we get a failure as 'logon failure', try and do a '3
tries' for the password, like we already do for CIFS. (Incomplete:
needs a mapping between RPC errors and the logon failure NTSTATUS).
Because we don't yet support Kerberos sign/seal to win2k3 SP1 for
DCE/RPC, disable this (causing SPNEGO to negotiate NTLM) when kerberos
isn't demanded.
Andrew Bartlett
(This used to be commit b3212d1fb91b26c1d326a289560106dffe1d2e80)
|
|
(This used to be commit 5a8d13c4e67974d198d71823774950483ec42088)
|
|
(This used to be commit a316b33057f3ec8532677980e093cd327d33f257)
|
|
(This used to be commit f7312dab3b9aba2b2b82e8a6e0c483a32a03a63a)
|
|
(This used to be commit 7054ebf0249930843a2baf4d023ae8f62cedb109)
|
|
(This used to be commit 98c4c3051391c6f89df5d133665f51bef66b1563)
|
|
right after allocation.
rafal
(This used to be commit 87b31c51bbd1e8cb3616eb9d7dd2b7fc1a7f9c46)
|
|
rafal
(This used to be commit 9035de56a801f04436777b7faacf2f3b518b6942)
|
|
is passed to dcerpc_epm_map_binding_send.
2) Replace old dcerpc_epm_map_binding with the new function
based on async code, as the above problem is fixed.
rafal
(This used to be commit 85ecb07ab595073dd44c213075d33da07aa19277)
|
|
rafal
(This used to be commit 6b94e81e5a31bb413149d9328746b1fed65c7f3d)
|
|
rafal
(This used to be commit 036d35ff175b26dc1f55e6813f9a014a444d9af4)
|
|
others, probably). Funny thing, it didn't segfault on my laptop
and gcc4...
rafal
(This used to be commit 9e3321130e57daccd9649afc3af581a03655090e)
|
|
rafal
(This used to be commit 93358e7d9e08bb77641c1b9a47448eb0a4dac587)
|
|
asynchronous. Build is ok, and so are the tests.
More comments to follow.
rafal
(This used to be commit a74fb6c5a2f968c56aff8ce39ce2ce9375d19b81)
|
|
rafal
(This used to be commit cedaf08170fddc8e4a3f9e4aea0f2c7f08759061)
|
|
(This used to be commit 06ddac2bb1899937b79e3bf89cb84c750c3ce4c5)
|
|
Now, each rpc interface (named pipe, tcp/ip, lrpc and unix
socket) works asynchronously.
Comments to follow.
rafal
(This used to be commit 789f9d43db7ea59e79d5aa498e2e9fd077448825)
|
|
In librpc, always try SMB level authentication, even if trying
schannel, but allow fallback to anonymous. This should better
function with servers that set restrict anonymous.
There are too many parts of Samba that get, parse and modify the
binding parameters. Avoid the extra work, and add a binding element
to the struct dcerpc_pipe
The libnet vampire code has been refactored, to reduce extra layers
and to better conform with the standard argument pattern. Also, take
advantage of the new libnet_Lookup code, so we don't require the silly
'password server' smb.conf parameter.
To better support forcing traffic to be sealed for the vampire
operation, the dcerpc_bind_auth() function now takes an auth level
parameter.
Andrew Bartlett
(This used to be commit d65b354959842326fdd4bd7eb7fbeea0390f4afa)
|
|
(This used to be commit 70e7449318aa0e9d2639c76730a7d1683b2f4981)
|
|
Be a bit more strict when checking for duplicate interfaces
(This used to be commit b1286a6d27e2b5aa26f288f6aff70601b0d8ae74)
|
|
Avoids converting a static string to GUID every time we check whether
a transfer syntax is equal to that of NDR.
(This used to be commit 8dcfcaf75ab8cf4a54cf5e56f6be25acc68e3989)
|
|
back and
forth between GUID structs and strings in several places.
(This used to be commit 3564e2f967ef72d6301b4f7e9a311cebcded4d75)
|
|
(This used to be commit 2188168209f07bd87d90d7ff94e8b542ced68249)
|
|
dcerpc_interface_table struct rather then a tuple of interface
name, UUID and version.
This removes the requirement for having a global list of DCE/RPC interfaces,
except for these parts of the code that use that list explicitly
(ndrdump and the scanner torture test).
This should also allow us to remove the hack that put the authservice parameter
in the dcerpc_binding struct as it can now be read directly from
dcerpc_interface_table.
I will now modify some of these functions to take a dcerpc_syntax_id
structure rather then a full dcerpc_interface_table.
(This used to be commit 8aae0f168e54c01d0866ad6e0da141dbd828574f)
|
|
Completely untested, it's a bit difficult without having vista
around (yet), so - Andrew, please test it and let me know what's
wrong.
rafal
(This used to be commit b9e7522bd4b626402c51a69695bea0928f5baef7)
|
|
and move migrated (async) code to a new file.
rafal
(This used to be commit 79b231bc534e10149d86a2c647a27c27ce524949)
|
|
in sync version. This step makes it easer to move further to async
dcerpc connect routine.
rafal
(This used to be commit 87b016d55315190fa3f6083c75cb783ad45ddd0b)
|
|
flag 'smb2' in the dcerpc binding string. This gives a pretty good
test to the new SMB2 trans call.
(This used to be commit f99bef585d4c1e52becc06b581bd5aaa62cf9dd7)
|
|
ncacn_ip_tcp/ncalrpc. The problem was that svn revision 11809 removed
the logic that forced the CONNECT auth type for authenticated binds
which don't have an explicit SIGN or SEAL flag set.
(This used to be commit e7a1f11e8bcba3839f74c7303bd82533a6acfbcd)
|
|
This also removes dcerpc_bind_auth_password, the only user of
dcerpc_bind_auth. And this was not only passwords anyway.
Andrew Bartlett, as usual: Please take a close look.
Thanks,
Volker
(This used to be commit 2ff2dae3d035af6cb0c131573cfd983fc9a58eee)
|
|
consistancy.
Andrew Bartlett
(This used to be commit 8787eb982f899c68a490fb9c71c21ec1d9ec0308)
|
|
field, instead put a zero address. Note that zero is correct (ie. we
shouldn't do the lookup) as in the client we want to send a zero for
the server to fill in. When we make this call from the server we fill
in a real IP.
(This used to be commit e54c8b5658761c33d50a1a557d2ec77229b07b47)
|
|
(This used to be commit aeb42a446b3c28c5cf6800606b3f9b70c49cb94b)
|
|
Use talloc_steal() rather than talloc_reference().
Andrew Bartlett
(This used to be commit 8774f971f3926c5c37aad1e8dfeafa394de87d63)
|
|
(This used to be commit fac77f5fa267da57a55e88cad8993897e80741a0)
|
|
the ejs_echo.c code is the stuff that needs to be auto-generated by
pidl. It only does echo_AddOne so far.
We also need a table for registering these calls. The code is
hard-wired for echo_AddOne for now.
(This used to be commit b1ea58ddc482c373783d16331dd07378010ba39a)
|
|
(This used to be commit 4c5974fc3dabd090284b2ed455a0af114ddbec1d)
|
|
event_context for the socket_connect() call, so that when things that
use dcerpc are running alongside anything else it doesn't block the
whole process during a connect.
Then of course I needed to change any code that created a dcerpc
connection (such as the auth code) to also take an event context, and
anything that called that and so on .... thus the size of the patch.
There were 3 places where I punted:
- abartlet wanted me to add a gensec_set_event_context() call
instead of adding it to the gensec init calls. Andrew, my
apologies for not doing this. I didn't do it as adding a new
parameter allowed me to catch all the callers with the
compiler. Now that its done, we could go back and use
gensec_set_event_context()
- the ejs code calls auth initialisation, which means it should pass
in the event context from the web server. I punted on that. Needs fixing.
- I used a NULL event context in dcom_get_pipe(). This is equivalent
to what we did already, but should be fixed to use a callers event
context. Jelmer, can you think of a clean way to do that?
I also cleaned up a couple of things:
- libnet_context_destroy() makes no sense. I removed it.
- removed some unused vars in various places
(This used to be commit 3a3025485bdb8f600ab528c0b4b4eef0c65e3fc9)
|
|
seconds. This should prevent the problem I am seeing on a solaris box
where a rpc request gets stuck forever
(This used to be commit c24ab34813d675b9b81f3062fb6f30aae5697805)
|
|
ncacn_ specific
(This used to be commit 875cce126878172eedb43b4ecab3970ea9d82e4a)
|
|
(This used to be commit 2009a430b03c685dd65bd573e70d3618f2e0dd0f)
|
|
(This used to be commit 46509eb89980bfe6dabd71264d570ea356ee5a22)
|
|
We need to pass the 'secure channel type' to the NETLOGON layer, which
must match the account type.
(Yes, jelmer objects to this inclusion of the kitchen sink ;-)
Andrew Bartlett
(This used to be commit 8ee208a926d2b15fdc42753b1f9ee586564c6248)
|
|
cli_credentials_set_conf(), not cli_credentials_guess().
Also, clarify why for particular flags, we don't do a DCERPC-level
authentication.
Andrew Bartlett
(This used to be commit 838925761d004a1426107f4c5c84d0276fddb2c0)
|
|
metze
(This used to be commit d92100fcc2066454df441a1ea2c7b9940fa19fa1)
|
|
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'.
GENSEC now no longer has it's own handling of 'set username' etc,
instead it uses cli_credentials calls.
In order to link the credentails code right though Samba, a lot of
interfaces have changed to remove 'username, domain, password'
arguments, and these have been replaced with a single 'struct
cli_credentials'.
In the session setup code, a new parameter 'workgroup' contains the
client/server current workgroup, which seems unrelated to the
authentication exchange (it was being filled in from the auth info).
This allows in particular kerberos to only call back for passwords
when it actually needs to perform the kinit.
The kerberos code has been modified not to use the SPNEGO provided
'principal name' (in the mechListMIC), but to instead use the name the
host was connected to as. This better matches Microsoft behaviour,
is more secure and allows better use of standard kerberos functions.
To achieve this, I made changes to our socket code so that the
hostname (before name resolution) is now recorded on the socket.
In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now
in libcli/auth/schannel.c, and it looks much more like a standard
GENSEC module. The actual sign/seal code moved to
libcli/auth/schannel_sign.c in a previous commit.
The schannel credentails structure is now merged with the rest of the
credentails, as many of the values (username, workstation, domain)
where already present there. This makes handling this in a generic
manner much easier, as there is no longer a custom entry-point.
The auth_domain module continues to be developed, but is now just as
functional as auth_winbind. The changes here are consequential to the
schannel changes.
The only removed function at this point is the RPC-LOGIN test
(simulating the load of a WinXP login), which needs much more work to
clean it up (it contains copies of too much code from all over the
torture suite, and I havn't been able to penetrate its 'structure').
Andrew Bartlett
(This used to be commit 2301a4b38a21aa60917973451687063d83d18d66)
|