path: root/source4/rpc_server/dcesrv_auth.c
Age | Commit message | Author | Files | Lines
2010-05-30 | Revert "s4:rpc_server/dcesrv_auth.c - Fix a RPC issue in conjunction with Windows 2000" | Matthias Dieter Wallnöfer | 1 | -12/+2
This reverts commit 1cf5be39e30f9478606a5525eb7beeb21ee83c24. My fix approach isn't much appreciated, therefore revert this.
2010-05-30 | s4:rpc_server/dcesrv_auth.c - Fix a RPC issue in conjunction with Windows 2000 | Matthias Dieter Wallnöfer | 1 | -2/+12
Windows 2000 does strictly request header signing on some requests also if the server doesn't provide it. But there is a small trick (don't reset the actual session info) to make these special RPC operations work without a full header signing implementation. This fixes for example the list of domain groups in local groups when displayed using the local user/group management tool. And this should finally fix bug #7113. The patch was inspired by another one by tridge and abartlet: http://gitweb.samba.org/samba.git/?p=tridge/samba.git;a=commitdiff;h=2dc19e2878371264606575d3fc09176776be7729
2010-05-18 | Finish removal of iconv_convenience in public API's. | Jelmer Vernooij | 1 | -4/+4
2010-02-16 | s4-dcerpc: fixed auth padding to be relative to the stub, not packet | Andrew Tridgell | 1 | -5/+10
The recent dcerpc padding changes made our padding relative to the packet header, instead of the start of the stub. Surprisingly, this broke w2k8r2 doing a dcpromo join to a s4 server. It seems that w2k8r2 is very fussy about the padding it gets in some circumstances.
2010-02-14 | s4-rpcserver: teach the rpc server to cope with bad sig_size estimates | Andrew Tridgell | 1 | -18/+14
2010-02-14 | a4-dcerpc: another attempt at dcerpc auth padding | Andrew Tridgell | 1 | -4/+4
The last change broke net vampire against w2k8r2
2010-02-13 | s4-rpc: be more careful about DCERPC auth padding | Andrew Tridgell | 1 | -55/+24
Cope with a wider range of auth padding in dcerpc bind_ack and alter_context packets. We now use a helper function that calculates the right auth padding.
2009-09-08 | s4: fixed a unsigned printf warnings | Andrew Tridgell | 1 | -3/+3
2009-02-13 | Remove auth/ntlm as a dependency of GENSEC by means of function pointers. | Andrew Bartlett | 1 | -9/+7
When starting GENSEC on the server, the auth subsystem context must be passed in, which now includes function pointers to the key elements. This should (when the other dependencies are fixed up) allow GENSEC to exist as a client or server library without bundling in too much of our server code. Andrew Bartlett
2008-11-02 | Add gensec_settings structure. This wraps loadparm_context for now, but | Jelmer Vernooij | 1 | -1/+3
should in the future only contain some settings required for gensec.
2008-10-06 | s4:rpc_server: tell the gensec layer that we want to do header signing | Stefan Metzmacher | 1 | -0/+4
Note: header signing is still off by default, as the gensec backends don't support it together with seal yet. metze
2008-09-30 | s4:rpc_server: correctly handle dcerpc requests with object uuids | Stefan Metzmacher | 1 | -2/+8
metze
2008-09-13 | rpc_server: don't send auth trailers in level connect | Stefan Metzmacher | 1 | -85/+73
Also ignore auth trailers in level connect on receive. This fixes [krb5,connect] against windows. TODO: maybe the gensec mech need to decide if signatures are needed in level connect. metze (This used to be commit 2e3629719790e7631d9de383b565dc8a0997bcfb)
2008-09-13 | rpc_server: correctly calculate the auth padding | Stefan Metzmacher | 1 | -3/+8
metze (This used to be commit e82468a8f538aa0cf6d477fb54cc0178c0d64574)
2008-08-11 | rpc_server: correct the chunk_size depending on the signature size | Stefan Metzmacher | 1 | -4/+3
metze (This used to be commit 20fc0d7bfdaa60d6a8ac939dc64733a91652587e)
2008-08-07 | rpc_server: add support for DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN | Stefan Metzmacher | 1 | -0/+5
you need "dcesrv:header signing=yes" to enable it. metze (This used to be commit bde2496e6b7034c99243b22434a97aebeb8f75b9)
2008-04-02 | Install public header files again and include required prototypes. | Jelmer Vernooij | 1 | -0/+2
(This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2008-02-21 | Remove more global_loadparm instances. | Jelmer Vernooij | 1 | -1/+1
(This used to be commit a1280252ce924df69d911e597b7f65d8038abef9)
2008-01-01 | r26639: librpc: Pass iconv convenience on from RPC connection to NDR library, so it can be overridden by OpenChange. | Jelmer Vernooij | 1 | -3/+3
(This used to be commit 2f29f80e07adef1f020173f2cd6d947d0ef505ce)
2007-12-21 | r26440: Remove more uses of global_loadparm. | Jelmer Vernooij | 1 | -1/+1
(This used to be commit 8858cf39722f192865e531164c72039fd18d7a8d)
2007-12-21 | r26432: Require ndr_pull users to specify iconv_convenience. | Jelmer Vernooij | 1 | -1/+1
(This used to be commit 28b1d36551b75241c1cf9fca5d74f45a6dc884ab)
2007-12-21 | r26431: Require ndr_push creators to specify a iconv_convenience context. | Jelmer Vernooij | 1 | -1/+1
(This used to be commit 7352206f4450fdf881b95bda064cedd9d2477e4c)
2007-12-21 | r26430: require explicit specification of loadparm context. | Jelmer Vernooij | 1 | -1/+1
(This used to be commit 1b947fe0e6e16318e5a8127bb4932d6b5d20bcf6)
2007-12-21 | r26296: Store loadparm context in DCE/RPC server context. | Jelmer Vernooij | 1 | -2/+2
(This used to be commit fc1f4d2d65d4c983cba5421e7ffb64dd75482860)
2007-12-21 | r26260: Store loadparm context in gensec context. | Jelmer Vernooij | 1 | -1/+1
(This used to be commit b9e3a4862e267be39d603fed8207a237c3d72081)
2007-12-21 | r25920: ndr: change NTSTAUS into enum ndr_err_code (samba4 callers) | Stefan Metzmacher | 1 | -22/+26
lib/messaging/ lib/registry/ lib/ldb-samba/ librpc/rpc/ auth/auth_winbind.c auth/gensec/ auth/kerberos/ dsdb/repl/ dsdb/samdb/ dsdb/schema/ torture/ cluster/ctdb/ kdc/ ntvfs/ipc/ torture/rap/ ntvfs/ utils/getntacl.c ntptr/ smb_server/ libcli/wrepl/ wrepl_server/ libcli/cldap/ libcli/dgram/ libcli/ldap/ libcli/raw/ libcli/nbt/ libnet/ winbind/ rpc_server/ metze (This used to be commit 6223c7fddc972687eb577e04fc1c8e0604c35435)
2007-10-10 | r25553: Convert to standard bool type. | Jelmer Vernooij | 1 | -36/+36
(This used to be commit b7371f1a191fb86834c0d586d094f39f0b04544b)
2007-10-10 | r25398: Parse loadparm context to all lp_*() functions. | Jelmer Vernooij | 1 | -1/+2
(This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238)
2007-10-10 | r24780: More work allowing libutil to be used by external users. | Jelmer Vernooij | 1 | -2/+8
(This used to be commit 31993cf67b816a184a4a4e92ef8ca2532c797190)
2007-10-10 | r24504: Try to return more useful error information on why a bind failed. | Andrew Bartlett | 1 | -13/+13
Note that the correct return for a failed alter_context is a fault, not a bind_nak. Andrew Bartlett (This used to be commit 52cce94532edf1dd7f26e39bf3377f0077ea6792)
2007-10-10 | r23792: convert Samba4 to GPLv3 | Andrew Tridgell | 1 | -3/+2
There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-10-10 | r19598: Ahead of a merge to current lorikeet-heimdal: | Andrew Bartlett | 1 | -0/+1
Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
2007-10-10 | r19502: fixed the RPC-SECRETS test with kerberos. Andrew, can you look at this | Andrew Tridgell | 1 | -17/+6
as well? The server side change is needed to fix a valgrind error, which was possibly exploitable if the client sent deliberately bad data (This used to be commit e3c04cf165fe15739197b2713e78046399aa7653)
2007-10-10 | r19465: Rather than use the non-standard API for determining the signature | Andrew Bartlett | 1 | -8/+46
length, use the amount the wrapped message expanded by. This works, because GSSAPI doesn't do AEAD (signing of headers), and so changing the signature length after the fact is valid. Andrew Bartlett (This used to be commit bd1e0f679c8f2b9755051b8d34114fa127a7cf26)
2007-10-10 | r17341: pass a messaging context to auth_context_create() | Stefan Metzmacher | 1 | -1/+1
and gensec_server_start(). calling them with NULL for event context or messaging context is no longer allowed! metze (This used to be commit 679ac74e71b111344f1097ab389c0b83a9247710)
2007-10-10 | r12554: get rid of the pesky NTLMSSP warnings about being called after processing is finished | Andrew Tridgell | 1 | -4/+5
(This used to be commit ca6ae1afa0a8a105ab09199425f308c9ae85902f)
2007-10-10 | r12542: Move some more prototypes out to separate headers | Jelmer Vernooij | 1 | -0/+1
(This used to be commit 0aca5fd5130d980d07398f3291d294202aefe3c2)
2007-10-10 | r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5 | Andrew Bartlett | 1 | -0/+18
authentication. This pulls the creating of the keytab back to the credentials code, and removes the special case of 'use kerberos keytab = yes' for now. This allows (and requires) the callers to specify the credentials for the server credentials to GENSEC. This allows kpasswdd (soon to be added) to use a different set of kerberos credentials. The 'use kerberos keytab' code will be moved into the credentials layer, as the layers below now expect a keytab. We also now allow for the old secret to be stored into the credentials, allowing service password changes. Andrew Bartlett (This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
2007-10-10 | r10153: This patch adds a new parameter to gensec_sig_size(), the size of the | Andrew Bartlett | 1 | -3/+4
data to be signed/sealed. We can use this to split the data from the signature portion of the resultant wrapped packet. This required merging the gsskrb5_wrap_size patch from lorikeet-heimdal, and fixes AES encryption issues on DCE/RPC (we no longer use a static 45 byte value). This fixes one of the krb5 issues in my list. Andrew Bartlett (This used to be commit e4f2afc34362953f56a026b66ae1aea81e9db104)
2007-10-10 | r9490: Fix typo | Andrew Bartlett | 1 | -1/+1
Andrew Bartlett (This used to be commit 093b98b5b51d21cce9b2fdeab3d4113bfd96da41)
2007-10-10 | r8811: Fix the build.. | Jelmer Vernooij | 1 | -0/+1
(This used to be commit fac77f5fa267da57a55e88cad8993897e80741a0)
2007-10-10 | r8109: Try to print out more helpful debug messages on DCERPC server-side | Andrew Bartlett | 1 | -2/+3
gensec failure to start. Andrew Bartlett (This used to be commit bc8f8d2dcfbcf06bb9c49981bc3811b252a4b9b0)
2007-10-10 | r7633: this patch started as an attempt to make the dcerpc code use a given | Andrew Tridgell | 1 | -1/+1
event_context for the socket_connect() call, so that when things that use dcerpc are running alongside anything else it doesn't block the whole process during a connect. Then of course I needed to change any code that created a dcerpc connection (such as the auth code) to also take an event context, and anything that called that and so on .... thus the size of the patch.

There were 3 places where I punted:
 - abartlet wanted me to add a gensec_set_event_context() call instead of adding it to the gensec init calls. Andrew, my apologies for not doing this. I didn't do it as adding a new parameter allowed me to catch all the callers with the compiler. Now that it's done, we could go back and use gensec_set_event_context()
 - the ejs code calls auth initialisation, which means it should pass in the event context from the web server. I punted on that. Needs fixing.
 - I used a NULL event context in dcom_get_pipe(). This is equivalent to what we did already, but should be fixed to use a caller's event context. Jelmer, can you think of a clean way to do that?

I also cleaned up a couple of things:
 - libnet_context_destroy() makes no sense. I removed it.
 - removed some unused vars in various places

(This used to be commit 3a3025485bdb8f600ab528c0b4b4eef0c65e3fc9)
2007-10-10 | r7313: Prefix a few functions with ncacn_ rather than dcerpc_ because they are | Jelmer Vernooij | 1 | -1/+1
ncacn_ specific (This used to be commit 875cce126878172eedb43b4ecab3970ea9d82e4a)
2007-10-10 | r7312: Add IDL for ncadg packets. | Jelmer Vernooij | 1 | -8/+8
(This used to be commit 2009a430b03c685dd65bd573e70d3618f2e0dd0f)
2007-10-10 | r6457: Simplify the RPC server code for the choice of GENSEC mech - it's just | Andrew Bartlett | 1 | -46/+14
one function call now, so no need for a wrapper function. Andrew Bartlett (This used to be commit c023f5c5e8c0aec6317e49105b92bc9d186ce11e)
2007-10-10 | r5037: got rid of all of the TALLOC_DEPRECATED stuff. My apologies for the | Andrew Tridgell | 1 | -2/+2
large commit. I thought this was worthwhile to get done for consistency. (This used to be commit ec32b22ed5ec224f6324f5e069d15e92e38e15c0)
2007-10-10 | r4663: fixed SPNEGO auth in the rpc server | Andrew Tridgell | 1 | -3/+4
(This used to be commit 439cbb9ead2443513ecc84f5638924e056ebdc73)
2007-10-10 | r4642: added support for alter_context in the server for adding new interfaces to an existing pipe | Andrew Tridgell | 1 | -3/+12
(This used to be commit b6af57c86829aadc261cd7b79091cef17c15b967)
2007-10-10 | r4082: support alter_context requests | Stefan Metzmacher | 1 | -0/+71
metze (This used to be commit ab6ec6b5f4e04322eb151b7bf9c530a0dc16bf89)