summaryrefslogtreecommitdiff
path: root/source4/rpc_server/dcesrv_auth.c
AgeCommit message (Collapse)AuthorFilesLines
2008-09-13rpc_server: don't send auth trailers in level connectStefan Metzmacher1-85/+73
Also ignore auth trailers in level connect on receive. This fixes [krb5,connect] against windows. TODO: maybe the gensec mech need to decide if signatures are needed in level connect. metze (This used to be commit 2e3629719790e7631d9de383b565dc8a0997bcfb)
2008-09-13rpc_server: correctly calculate the auth paddingStefan Metzmacher1-3/+8
metze (This used to be commit e82468a8f538aa0cf6d477fb54cc0178c0d64574)
2008-08-11rpc_server: correct the chunk_size depending on the signature sizeStefan Metzmacher1-4/+3
metze (This used to be commit 20fc0d7bfdaa60d6a8ac939dc64733a91652587e)
2008-08-07rpc_server: add support for DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGNStefan Metzmacher1-0/+5
you need "dcesrv:header signing=yes" to enable it. metze (This used to be commit bde2496e6b7034c99243b22434a97aebeb8f75b9)
2008-04-02Install public header files again and include required prototypes.Jelmer Vernooij1-0/+2
(This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2008-02-21Remove more global_loadparm instance.sJelmer Vernooij1-1/+1
(This used to be commit a1280252ce924df69d911e597b7f65d8038abef9)
2008-01-01r26639: librpc: Pass iconv convenience on from RPC connection to NDR ↵Jelmer Vernooij1-3/+3
library, so it can be overridden by OpenChange. (This used to be commit 2f29f80e07adef1f020173f2cd6d947d0ef505ce)
2007-12-21r26440: Remove more uses of global_loadparm.Jelmer Vernooij1-1/+1
(This used to be commit 8858cf39722f192865e531164c72039fd18d7a8d)
2007-12-21r26432: Require ndr_pull users to specify iconv_convenience.Jelmer Vernooij1-1/+1
(This used to be commit 28b1d36551b75241c1cf9fca5d74f45a6dc884ab)
2007-12-21r26431: Require ndr_push creators to specify a iconv_convenience context.Jelmer Vernooij1-1/+1
(This used to be commit 7352206f4450fdf881b95bda064cedd9d2477e4c)
2007-12-21r26430: require explicit specification of loadparm context.Jelmer Vernooij1-1/+1
(This used to be commit 1b947fe0e6e16318e5a8127bb4932d6b5d20bcf6)
2007-12-21r26296: Store loadparm context in DCE/RPC server context.Jelmer Vernooij1-2/+2
(This used to be commit fc1f4d2d65d4c983cba5421e7ffb64dd75482860)
2007-12-21r26260: Store loadparm context in gensec context.Jelmer Vernooij1-1/+1
(This used to be commit b9e3a4862e267be39d603fed8207a237c3d72081)
2007-12-21r25920: ndr: change NTSTAUS into enum ndr_err_code (samba4 callers)Stefan Metzmacher1-22/+26
lib/messaging/ lib/registry/ lib/ldb-samba/ librpc/rpc/ auth/auth_winbind.c auth/gensec/ auth/kerberos/ dsdb/repl/ dsdb/samdb/ dsdb/schema/ torture/ cluster/ctdb/ kdc/ ntvfs/ipc/ torture/rap/ ntvfs/ utils/getntacl.c ntptr/ smb_server/ libcli/wrepl/ wrepl_server/ libcli/cldap/ libcli/dgram/ libcli/ldap/ libcli/raw/ libcli/nbt/ libnet/ winbind/ rpc_server/ metze (This used to be commit 6223c7fddc972687eb577e04fc1c8e0604c35435)
2007-10-10r25553: Convert to standard bool type.Jelmer Vernooij1-36/+36
(This used to be commit b7371f1a191fb86834c0d586d094f39f0b04544b)
2007-10-10r25398: Parse loadparm context to all lp_*() functions.Jelmer Vernooij1-1/+2
(This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238)
2007-10-10r24780: More work allowing libutil to be used by external users.Jelmer Vernooij1-2/+8
(This used to be commit 31993cf67b816a184a4a4e92ef8ca2532c797190)
2007-10-10r24504: Try to return more useful error information on why a bind failed.Andrew Bartlett1-13/+13
Note that the correct return for a failed alter_context is a fault, not a bind_nak. Andrew Bartlett (This used to be commit 52cce94532edf1dd7f26e39bf3377f0077ea6792)
2007-10-10r23792: convert Samba4 to GPLv3Andrew Tridgell1-3/+2
There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-10-10r19598: Ahead of a merge to current lorikeet-heimdal:Andrew Bartlett1-0/+1
Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
2007-10-10r19502: fixed the RPC-SECRETS test with kerberos. Andrew, can you look at thisAndrew Tridgell1-17/+6
as well? The server side change is needed to fix a valgrind error, which was possibly exploitable if the client sent deliberately bad data (This used to be commit e3c04cf165fe15739197b2713e78046399aa7653)
2007-10-10r19465: Rather than use the non-standard API for determining the signatureAndrew Bartlett1-8/+46
length, use the amount the wapped message expanded by. This works, because GSSAPI doesn't do AEAD (signing of headers), and so changing the signature length after the fact is valid. Andrew Bartlett (This used to be commit bd1e0f679c8f2b9755051b8d34114fa127a7cf26)
2007-10-10r17341: pass a messaging context to auth_context_create()Stefan Metzmacher1-1/+1
and gensec_server_start(). calling them with NULL for event context or messaging context is no longer allowed! metze (This used to be commit 679ac74e71b111344f1097ab389c0b83a9247710)
2007-10-10r12554: get rid of the pesky NTLMSSP warnings about being called after ↵Andrew Tridgell1-4/+5
processing is finished (This used to be commit ca6ae1afa0a8a105ab09199425f308c9ae85902f)
2007-10-10r12542: Move some more prototypes out to seperate headersJelmer Vernooij1-0/+1
(This used to be commit 0aca5fd5130d980d07398f3291d294202aefe3c2)
2007-10-10r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5Andrew Bartlett1-0/+18
authentication. This pulls the creating of the keytab back to the credentials code, and removes the special case of 'use keberos keytab = yes' for now. This allows (and requires) the callers to specify the credentials for the server credentails to GENSEC. This allows kpasswdd (soon to be added) to use a different set of kerberos credentials. The 'use kerberos keytab' code will be moved into the credentials layer, as the layers below now expect a keytab. We also now allow for the old secret to be stored into the credentials, allowing service password changes. Andrew Bartlett (This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
2007-10-10r10153: This patch adds a new parameter to gensec_sig_size(), the size of theAndrew Bartlett1-3/+4
data to be signed/sealed. We can use this to split the data from the signature portion of the resultant wrapped packet. This required merging the gsskrb5_wrap_size patch from lorikeet-heimdal, and fixes AES encrption issues on DCE/RPC (we no longer use a static 45 byte value). This fixes one of the krb5 issues in my list. Andrew Bartlett (This used to be commit e4f2afc34362953f56a026b66ae1aea81e9db104)
2007-10-10r9490: Fix typoAndrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 093b98b5b51d21cce9b2fdeab3d4113bfd96da41)
2007-10-10r8811: Fix the build..Jelmer Vernooij1-0/+1
(This used to be commit fac77f5fa267da57a55e88cad8993897e80741a0)
2007-10-10r8109: Try to print out more helpful debug messages on DCERPC server-sideAndrew Bartlett1-2/+3
gensec failure to start. Andrew Bartlett (This used to be commit bc8f8d2dcfbcf06bb9c49981bc3811b252a4b9b0)
2007-10-10r7633: this patch started as an attempt to make the dcerpc code use a givenAndrew Tridgell1-1/+1
event_context for the socket_connect() call, so that when things that use dcerpc are running alongside anything else it doesn't block the whole process during a connect. Then of course I needed to change any code that created a dcerpc connection (such as the auth code) to also take an event context, and anything that called that and so on .... thus the size of the patch. There were 3 places where I punted: - abartlet wanted me to add a gensec_set_event_context() call instead of adding it to the gensec init calls. Andrew, my apologies for not doing this. I didn't do it as adding a new parameter allowed me to catch all the callers with the compiler. Now that its done, we could go back and use gensec_set_event_context() - the ejs code calls auth initialisation, which means it should pass in the event context from the web server. I punted on that. Needs fixing. - I used a NULL event context in dcom_get_pipe(). This is equivalent to what we did already, but should be fixed to use a callers event context. Jelmer, can you think of a clean way to do that? I also cleaned up a couple of things: - libnet_context_destroy() makes no sense. I removed it. - removed some unused vars in various places (This used to be commit 3a3025485bdb8f600ab528c0b4b4eef0c65e3fc9)
2007-10-10r7313: Prefix a few functions with ncacn_ rather then dcerpc_ because they areJelmer Vernooij1-1/+1
ncacn_ specific (This used to be commit 875cce126878172eedb43b4ecab3970ea9d82e4a)
2007-10-10r7312: Add IDL for ncadg packets.Jelmer Vernooij1-8/+8
(This used to be commit 2009a430b03c685dd65bd573e70d3618f2e0dd0f)
2007-10-10r6457: Simply the RPC server code for the choice of GENSEC mech - it's justAndrew Bartlett1-46/+14
one function call now, so no need for a wrapper function. Andrew Bartlett (This used to be commit c023f5c5e8c0aec6317e49105b92bc9d186ce11e)
2007-10-10r5037: got rid of all of the TALLOC_DEPRECATED stuff. My apologies for theAndrew Tridgell1-2/+2
large commit. I thought this was worthwhile to get done for consistency. (This used to be commit ec32b22ed5ec224f6324f5e069d15e92e38e15c0)
2007-10-10r4663: fixed SPNEGO auth in the rpc serverAndrew Tridgell1-3/+4
(This used to be commit 439cbb9ead2443513ecc84f5638924e056ebdc73)
2007-10-10r4642: added support for alter_context in the server for adding new ↵Andrew Tridgell1-3/+12
interfaces to an existing pipe (This used to be commit b6af57c86829aadc261cd7b79091cef17c15b967)
2007-10-10r4082: support alter_context requestsStefan Metzmacher1-0/+71
metze (This used to be commit ab6ec6b5f4e04322eb151b7bf9c530a0dc16bf89)
2007-10-10r4081: use clearer namesStefan Metzmacher1-2/+2
metze (This used to be commit 5d7d6f02cf1aa731d371c97054480d83d85102cb)
2007-10-10r3468: split out dcerpc_server.hAndrew Tridgell1-0/+1
(This used to be commit 729e0026e4408f74f140375537d4fe48c1fc3242)
2007-10-10r2629: convert gensec to the new talloc modelAndrew Tridgell1-1/+1
by making our gensec structures a talloc child of the open connection we can be sure that it will be destroyed when the connection is dropped. (This used to be commit f12ee2f241aab1549bc1d9ca4c35a35a1ca0d09d)
2007-10-10r2627: use the new talloc capabilities in a bunch more places in the rpcAndrew Tridgell1-14/+17
server code. This fixes a number of memory leaks I found when testing with valgrind and smbtorture, as the cascading effect of a talloc_free() ensures that anything derived from the top level object is destroyed on disconnect. (This used to be commit 76d0b8206ce64d6ff4a192979c43dddbec726d6e)
2007-10-10r2615: fixed a bug in the server side support for CONNECT level securityAndrew Tridgell1-6/+12
(This used to be commit fee98137ad6358195b80c97cd6cc8f82ac53f870)
2007-10-10r2614: support CONNECT level DCE/RPC security in both client andAndrew Tridgell1-2/+41
server. CONNECT security uses NTLMSSP, but does not do any signing or sealing (or equivalently, its like signing, but with a zero filled checksum). (This used to be commit f4660857bc708db7f5aa7487bf7ab04bffe68928)
2007-10-10r2294: this fixes the NTLM2 sign+seal combination. I have now tested:Andrew Tridgell1-1/+4
NTLM sign NTLM sign+seal NTLM2 sign NTLM2 sign+seal and all of the above both with and without key exchange the NTLM2 seal case is ugly and involves an extra data copy, which some API changes in gensec or the ndr layer might avoid in future. (This used to be commit fce7a4218b3136d880dd1a123e8525e3091bbed8)
2007-10-10r2293: fixed older NTLM sign/seal in the serverAndrew Tridgell1-2/+4
(This used to be commit d8825b69aca5f4d0edf70945d64b4d1780e121c4)
2007-10-10r2290: Fix 'lsakey' for the server-side, it is static forAndrew Bartlett1-0/+5
'authenticated' connections. Fix kerberos session key issues - we need to call the routine for extracting the session key, not just read the cache. Andrew Bartlett (This used to be commit b80d849b6b586869fc7d3d4153db1a316f2867a9)
2007-10-10r2284: Thanks to some great detective work by tridge, NTLM2 signing now works.Andrew Bartlett1-21/+37
This means that 'require NTLMv2 session security' now works for RPC pipe signing. We don't yet have sealing, but it can't be much further. This is almost all tridge's code, munged into a form that can work with the GENSEC API. This commit also includes more lsakey fixes - that key is used for all DCE-RPC level authenticated connections, even over CIFS/ncacn_np. No doubt I missed something, but I'm going to get some sleep :-) Andrew Bartlett (This used to be commit a1fe175eec884280fb7e9ca8f528134cf4600beb)
2007-10-10r2281: Add a few comments.Andrew Bartlett1-0/+2
(This used to be commit 7be16e503616d9b339390a253357114c510729d0)
2007-10-10r2041: Fix NTLMSSP RPC sealing, client -> win2k3 server.Andrew Bartlett1-1/+2
The bug (found by tridge) is that Win2k3 is being tighter about the NTLMSSP flags. If we don't negotiate sealing, we can't use it. We now have a way to indicate to the GENSEC implementation mechanisms what things we want for a connection. Andrew Bartlett (This used to be commit 86f61568ea44c5719f9b583beeeefb12e0c26f4c)