summaryrefslogtreecommitdiff
path: root/source4/rpc_server/netlogon
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r13583: Realise that the member server name appears in all calls that use theAndrew Bartlett1-97/+35
credentials. Consistantly rename these elements in the IDL to computer_name. Fix the server-side code to always lookup by this name. Add new, even nastier tests to RPC-SCHANNEL to prove this. Andrew Bartlett (This used to be commit 341a0abeb4a9f88d64ffd4681249cb1f643a7a5a)
2007-10-10r13480: Explain a little about how these credentials structures should be used.Andrew Bartlett1-1/+16
Andrew Bartlett (This used to be commit b90959f7968ebbfc82ac55d4775d5574b1fc6925)
2007-10-10r13402: Make Samba4 pass a nastier RPC-SCHANNEL test.Andrew Bartlett1-82/+139
The new RPC-SCHANNEL test shows that the full credentials state must be kept in some shared memory, for some length of time. In particular, clients will reconnect with SCHANNEL (after loosing all connections) and expect that the credentials chain will remain in the same place. To achive this, we do the server-side crypto in a transaction, including the fetch/store of the shared state. Andrew Bartlett (This used to be commit 982a6aa871c9fce17410a9712cd9fa726025ff90)
2007-10-10r12608: Remove some unused #include lines.Jelmer Vernooij1-2/+0
(This used to be commit 70e7449318aa0e9d2639c76730a7d1683b2f4981)
2007-10-10r12599: This new LDB module (and associated changes) allows Samba4 to operateAndrew Bartlett1-5/+5
using pre-calculated passwords for all kerberos key types. (Previously we could only use these for the NT# type). The module handles all of the hash/string2key tasks for all parts of Samba, which was previously in the rpc_server/samr/samr_password.c code. We also update the msDS-KeyVersionNumber, and the password history. This new module can be called at provision time, which ensures we start with a database that is consistent in this respect. By ensuring that the krb5key attribute is the only one we need to retrieve, this also simplifies the run-time KDC logic. (Each value of the multi-valued attribute is encoded as a 'Key' in ASN.1, using the definition from Heimdal's HDB. This simplfies the KDC code.). It is hoped that this will speed up the KDC enough that it can again operate under valgrind. (This used to be commit e9022743210b59f19f370d772e532e0f08bfebd9)
2007-10-10r12542: Move some more prototypes out to seperate headersJelmer Vernooij1-0/+1
(This used to be commit 0aca5fd5130d980d07398f3291d294202aefe3c2)
2007-10-10r11402: In response to comments by volker, expand our Netlogon DsRGetDCNameAndrew Bartlett1-26/+61
IDL and testsuites. The server-side of this remains a stub, we should probably be doing ldb searches for the server reference record. Andrew Bartlett (This used to be commit 0141ed309a664e7a9893c95232c2dcb9768f9315)
2007-10-10r11370: Samba4 now passes it's own RPC-SAMLOGON test again.Andrew Bartlett1-0/+3
This avoids the nasty user@DOMAIN test for now, as it has very odd semantics with NTLMv2. Allow only user accounts to do an interactive login. Andrew Bartlett (This used to be commit 690cad8083e176b2e58fc243a11a003a78ce4074)
2007-10-10r11366: Pass around the flags which indicate if we should support plaintextAndrew Bartlett1-3/+5
logins and NTLM machine account logins. Andrew Bartlett (This used to be commit 421e64c2b4192bb13d2857d6c8648ff687ed653e)
2007-10-10r11289: Fix comment.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit fc18276389d17684bd14a2012d18fb7a9695f69e)
2007-10-10r11195: Add a new helper function (needed by my kpasswdd work, but hooked inAndrew Bartlett1-168/+24
for netlogon as well) to change/set a user's password, given only their SID. This avoids the callers doing the lookups, and also performs the actual 'set', as these callers do not wish any further buisness with the entry. Andrew Bartlett (This used to be commit 060a2a7bcca6b58d50bc4e0930c13616742a55d3)
2007-10-10r10810: This adds the hooks required to communicate the current user from theAndrew Bartlett1-10/+9
authenticated session down into LDB. This associates a session info structure with the open LDB, allowing a future ldb_ntacl module to allow/deny operations on that basis. Along the way, I cleaned up a few things, and added new helper functions to assist. In particular the LSA pipe uses simpler queries for some of the setup. In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't been worked on (other than making it continue to compile) since January, and I think the features of this module are being put into ldb anyway. I have also changed the partitions in ldap_server to be initialised after the connection, with the private pointer used to associate the ldb with the incoming session. Andrew Bartlett (This used to be commit fd7203789a2c0929eecea8125b57b833a67fed71)
2007-10-10r9391: Convert all the code to use struct ldb_dn to ohandle ldap like ↵Simo Sorce1-3/+6
distinguished names Provide more functions to handle DNs in this form (This used to be commit 692e35b7797e39533dd2a1c4b63d9da30f1eb5ba)
2007-10-10r9016: More work to avoid abuse of the "name" attribute, this time onAndrew Bartlett1-11/+27
NETLOGON. Andrew Bartlett (This used to be commit e9837d49bc8d784b365c0a7470ebfbd6f396464d)
2007-10-10r8998: More work on the RPC server code to avoid abusing the name attributeAndrew Bartlett1-21/+30
as a netbios name. Andrew Bartlett (This used to be commit 242db48b98a04eed46bb35946dcd68b579bffe00)
2007-10-10r8700: Propmted by tridge's need to do plaintext auth in ejs, rework theAndrew Bartlett1-20/+33
user_info strcture in auth/ This moves it to a pattern much like that found in ntvfs, with functions to migrate between PAIN, HASH and RESPONSE passwords. Instead of make_user_info*() functions, we simply fill in the control block in the callers, per recent dicussions on the lists. This removed a lot of data copies as well as error paths, as we can grab much of it with talloc. Andrew Bartlett (This used to be commit ecbd2235a3e2be937440fa1dc0aecc5a047eda88)
2007-10-10r8226: w2k3 adds a '.' after the forest and domain dns names for the primary ↵Stefan Metzmacher1-10/+27
domain and NULL for the trusted domains forest dns name metze (This used to be commit 225fc1b8658f01217b55e2d1c6d5814ee5022559)
2007-10-10r7993: Further work on the Krb5 PAC.Andrew Bartlett1-63/+2
We now generate the PAC, and can verifiy both our own PAC and the PAC from Win2k3. This commit adds the PAC generation code, spits out the code to get the information we need from the NETLOGON server back into a auth/ helper function, and adds a number of glue functions. In the process of building the PAC generation code, some hints in the Microsoft PAC specification shed light on other parts of the code, and the updates to samr.idl and netlogon.idl come from those hints. Also in this commit: The Heimdal build package has been split up, so as to only link the KDC with smbd, not the client utils. To enable the PAC to be veified with gensec_krb5 (which isn't quite dead yet), the keyblock has been passed back to the calling layer. Andrew Bartlett (This used to be commit e2015671c2f7501f832ff402873ffe6e53b89466)
2007-10-10r7860: switch our ldb storage format to use a NDR encoded objectSid. This isAndrew Tridgell1-8/+9
quite a large change as we had lots of code that assumed that objectSid was a string in S- format. metze and simo tried to convince me to use NDR format months ago, but I didn't listen, so its fair that I have the pain of fixing all the code now :-) This builds on the ldb_register_samba_handlers() and ldif handlers code I did earlier this week. There are still three parts of this conversion I have not finished: - the ltdb index records need to use the string form of the objectSid (to keep the DNs sane). Until that it done I have disabled indexing on objectSid, which is a big performance hit, but allows us to pass all our tests while I rejig the indexing system to use a externally supplied conversion function - I haven't yet put in place the code that allows client to use the "S-xxx-yyy" form for objectSid in ldap search expressions. w2k3 supports this, presumably by looking for the "S-" prefix to determine what type of objectSid form is being used by the client. I have been working on ways to handle this, but am not happy with them yet so they aren't part of this patch - I need to change pidl to generate push functions that take a "const void *" instead of a "void*" for the data pointer. That will fix the couple of new warnings this code generates. Luckily it many places the conversion to NDR formatted records actually simplified the code, as it means we no longer need as many calls to dom_sid_parse_talloc(). In some places it got more complex, but not many. (This used to be commit d40bc2fa8ddd43560315688eebdbe98bdd02756c)
2007-10-10r7633: this patch started as an attempt to make the dcerpc code use a givenAndrew Tridgell1-2/+4
event_context for the socket_connect() call, so that when things that use dcerpc are running alongside anything else it doesn't block the whole process during a connect. Then of course I needed to change any code that created a dcerpc connection (such as the auth code) to also take an event context, and anything that called that and so on .... thus the size of the patch. There were 3 places where I punted: - abartlet wanted me to add a gensec_set_event_context() call instead of adding it to the gensec init calls. Andrew, my apologies for not doing this. I didn't do it as adding a new parameter allowed me to catch all the callers with the compiler. Now that its done, we could go back and use gensec_set_event_context() - the ejs code calls auth initialisation, which means it should pass in the event context from the web server. I punted on that. Needs fixing. - I used a NULL event context in dcom_get_pipe(). This is equivalent to what we did already, but should be fixed to use a callers event context. Jelmer, can you think of a clean way to do that? I also cleaned up a couple of things: - libnet_context_destroy() makes no sense. I removed it. - removed some unused vars in various places (This used to be commit 3a3025485bdb8f600ab528c0b4b4eef0c65e3fc9)
2007-10-10r6544: Use common structures between SAMR, NETLGON and the Krb5 PAC.Andrew Bartlett1-2/+22
Fill out the group list for the SamLogon reply, so clients get the supplementary groups. Andrew Bartlett (This used to be commit d9c31e60a72c345e3a23a7eb742906bcfc18721c)
2007-10-10r6032: Fix up SetServerPassword2 on NETLOGON for [bigendian]. Clearly nobodyAndrew Bartlett1-3/+7
has the patience to run test_w2k3.sh to completion :-) It looks to me that the Windows server runs the RC4 over the C struct, not the NDR data. Andrew Bartlett (This used to be commit c324d974134c35b4c50c91d5a932a63c78b67046)
2007-10-10r5988: Fix the -P option (use machine account credentials) to use the Samba4Andrew Bartlett1-9/+9
secrets system, and not the old system from Samba3. This allowed the code from auth_domain to be shared - we now only lookup the secrets.ldb in lib/credentials.c. In order to link the resultant binary, samdb_search() has been moved from deep inside rpc_server into lib/gendb.c, along with the existing gendb_search_v(). The vast majority of this patch is the simple rename that followed, (Depending on the whole SAMDB for just this function seemed pointless, and brought in futher dependencies, such as smbencrypt.c). Andrew Bartlett (This used to be commit e13c671619bd290a8b3cae8555cb281a9a185ee0)
2007-10-10r5902: A rather large change...Andrew Bartlett1-0/+3
I wanted to add a simple 'workstation' argument to the DCERPC authenticated binding calls, but this patch kind of grew from there. With SCHANNEL, the 'workstation' name (the netbios name of the client) matters, as this is what ties the session between the NETLOGON ops and the SCHANNEL bind. This changes a lot of files, and these will again be changed when jelmer does the credentials work. I also correct some schannel IDL to distinguish between workstation names and account names. The distinction matters for domain trust accounts. Issues in handling this (issues with lifetime of talloc pointers) caused me to change the 'creds_CredentialsState' and 'struct dcerpc_binding' pointers to always be talloc()ed pointers. In the schannel DB, we now store both the domain and computername, and query on both. This should ensure we fault correctly when the domain is specified incorrectly in the SCHANNEL bind. In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out, where the comment claimed we re-used a connection, but in fact we made a new connection. This was achived by breaking apart some of the dcerpc_secondary_connection() logic. The addition of workstation handling was also propogated to NTLMSSP and GENSEC, for completeness. The RPC-SAMSYNC test has been cleaned up a little, using a loop over usernames/passwords rather than manually expanded tests. This will be expanded further (the code in #if 0 in this patch) to use a newly created user account for testing. In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO server, caused by the removal of [ref] and the assoicated pointer from the IDL. This has been re-added, until the underlying pidl issues are solved. (This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2007-10-10r5667: Move schannel state into libcli/auth (as it belongs with schannel,Andrew Bartlett2-222/+3
which will move in with the rest of GENSEC shortly). Add the RID as another element in the schannel state. Andrew Bartlett (This used to be commit 69114b4a8e1c937ab5ff12ca91dd22bd83fd9a3b)
2007-10-10r5585: LDB interfaces change:Simo Sorce1-15/+15
changes: - ldb_wrap disappears from code and become a private structure of db_wrap.c thanks to our move to talloc in ldb code, we do not need to expose it anymore - removal of ldb_close() function form the code thanks to our move to talloc in ldb code, we do not need it anymore use talloc_free() to close and free an ldb database - some minor updates to ldb modules code to cope with the change and fix some bugs I found out during the process (This used to be commit d58be9e74b786a11a57e89df36081d55730dfe0a)
2007-10-10r5308: trimmed back a lot of the old macros from smb_macros.hAndrew Tridgell1-2/+2
(This used to be commit bf43c9bdcf9e654d123f6a2b29feb9189ca9e561)
2007-10-10r5307: removed db_wrap.h from includes.hAndrew Tridgell1-0/+1
(This used to be commit 826baec7b348814a7bbdcdbec8c8526514f25da1)
2007-10-10r5298: - got rid of pstring.h from includes.h. This at least makes it a bitAndrew Tridgell1-2/+2
less likely that anyone will use pstring for new code - got rid of winbind_client.h from includes.h. This one triggered a huge change, as winbind_client.h was including system/filesys.h and defining the old uint32 and uint16 types, as well as its own pstring and fstring. (This used to be commit 9db6c79e902ec538108d6b7d3324039aabe1704f)
2007-10-10r5090: Fix up the IDL for LogonGetDomainInfo in NETLOGON.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit e5afc3609382a7b534c9d845e809d135a0d4eb3a)
2007-10-10r5037: got rid of all of the TALLOC_DEPRECATED stuff. My apologies for theAndrew Tridgell2-8/+8
large commit. I thought this was worthwhile to get done for consistency. (This used to be commit ec32b22ed5ec224f6324f5e069d15e92e38e15c0)
2007-10-10r4707: w2k3 don't restict passwords onStefan Metzmacher1-2/+4
netr_ServerPasswordSet and netr_ServerPasswordSet2 so we do now I also add a torture test for this metze (This used to be commit d896ac603a5cf387a10b21e64e2c92ff2626bc4d)
2007-10-10r4702: implment idl, torture test and server code for netr_ServerPasswordSet2()Stefan Metzmacher1-5/+108
metze (This used to be commit 7d8ba92da2b8babe7165f105591fd3e5738b2319)
2007-10-10r4648: fix netr_ServerPasswordSet() bugsStefan Metzmacher1-22/+18
metze (This used to be commit 7feface9b77f2be4f592d04a6131348af761a8e8)
2007-10-10r4647: - use talloc_zero() instead of ZERO_STRUCTP()Stefan Metzmacher1-23/+20
- fix uninitialized memory bug found by valgrind metze (This used to be commit 1118a1b1bb09c9a369bb9600fbe8ad3523b7e36f)
2007-10-10r4641: Push a few more details into the schannel ldb, and into theAndrew Bartlett2-47/+37
credentials struct it maintains. Clearly much of this will be replaced with some system to pass and store the session_info, as that is the 'right way' to handle this. Andrew Bartlett (This used to be commit c6fcb33a887fbf0c0b42c3bc331df942a985128c)
2007-10-10r4640: first stage in the server side support for multiple context_ids on ↵Andrew Tridgell1-20/+16
one pipe this stage does the following: - simplifies the dcerpc_handle handling, and all the callers of it - split out the context_id depenent state into a linked list of established contexts - fixed some talloc handling in several rpc servers that i noticed while doing the above (This used to be commit fde042b3fc609c94e2c7eedcdd72ecdf489cf63b)
2007-10-10r4639: initialize all struct members!Stefan Metzmacher1-8/+7
tridge: sorry for making you such a pain... could you check if that fixes your bugs metze (This used to be commit c215372eb0916df1e532b77c8365f401a8c32a38)
2007-10-10r4620: - add interface functions to the auth subsystem so that callers ↵Stefan Metzmacher1-48/+41
doesn't need to use function pointers anymore - make the module init much easier - a lot of cleanups don't try to read the diff in auth/ better read the new files it passes test_echo.sh and test_rpc.sh abartlet: please fix spelling fixes metze (This used to be commit 3c0d16b8236451f2cfd38fc3db8ae2906106d847)
2007-10-10r4499: Almost make our Samba4 server pass the RPC-SAMLOGON torture test.Andrew Bartlett2-57/+96
I just need to fix a couple of NTLMv2 issues before we can fully pass, and put this in test_rpc.sh, as a 'should pass' test. Andrew Bartlett (This used to be commit 4b52409e385366d87724bb79f4fad4803e8ecfec)
2007-10-10r4475: fixed smbd to work with the small changes in the ldb API (the most ↵Andrew Tridgell1-12/+17
important change was in the ldb_msg_add_*() routines, which now use the msg as a context, and thus it needs to be a talloc ptr) (This used to be commit 1a4713bfd0e519f3eb7b3241121ff914a6eeef18)
2007-10-10r4321: objectClass trustedDomain uses "securityIdentifier" for the sidStefan Metzmacher1-11/+13
also explicit tell the fill_info code what kind of object the current result is. metze (This used to be commit 6d74d31e50cd8f9d37fca53ef32bd50952a3a759)
2007-10-10r4041: fix cut-n-paste typoStefan Metzmacher1-1/+1
metze (This used to be commit 54398aa889b5954c7c387b252dd1a9173eac36f0)
2007-10-10r3922: Add yet another NETLOGON RPC. This is another varient of SamLogon,Andrew Bartlett1-3/+3
that works only on SCHANNEL secured connections (as it needs the implicit credentials). Fix some of the IDL. Andrew Bartlett (This used to be commit 90cd7b34cc18e758e939e0183281b7a517d728f0)
2007-10-10r3914: add idl, torture test and simple server for netr_DrsGetDCNameEx2()Stefan Metzmacher1-4/+41
metze (This used to be commit 1ffabbaa667c7dec6657ec523f92f072a2a47a95)
2007-10-10r3783: - don't use make proto for ldb anymoreStefan Metzmacher2-0/+2
- split ldh.h out of samba's includes.h - make ldb_context and ldb_module private to the subsystem - use ltdb_ prefix for all ldb_tdb functions metze (This used to be commit f5ee40d6ce8224e280070975efc9911558fe675c)
2007-10-10r3686: The results of some work on the NETLOGON pipe:Andrew Bartlett1-4/+7
Break out the samsync tests from RPC-NETLOGON into a new RPC-SAMSYNC, that will cross-verify all the values. Add support for the way netlogon credentials are shared between the pipe that sets up schannel and the pipe that is encrypted with it. Test this support, by calling both NETLOGON and SAMR operations in the RPC-SCHANNEL test. Move some of the Netlogon NEG flags into the .idl, now we have an idea what a few of them really are. Rename the sam_pwd_hash into a name that has meaning (all other crypto functions were renamed in Samba4 ages ago). Break out NTLMv2 functionality for operation on the NT hash - I intend to do NTLMv2 logins in the samsync test in future, and naturally I only have the hash. Andrew Bartlett (This used to be commit 6e6cc6fb9842113a1b0c7f6904dac709b320a6e5)
2007-10-10r3599: fixed a couple of memory errors in the rpc netlogon serverAndrew Tridgell1-2/+3
(found with valgrind) (This used to be commit 151dd4593d30c703b70099cd240784134fdb4e0f)
2007-10-10r3468: split out dcerpc_server.hAndrew Tridgell1-0/+1
(This used to be commit 729e0026e4408f74f140375537d4fe48c1fc3242)
2007-10-10r3453: - split out the auth and popt includesAndrew Tridgell2-0/+3
- tidied up some of the system includes - moved a few more structures back from misc.idl to netlogon.idl and samr.idl now that pidl knows about inter-IDL dependencies (This used to be commit 7b7477ac42d96faac1b0ff361525d2c63cedfc64)