| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
enabling of packet serialisation
(This used to be commit 6a47cd65a8b588f9ddd375c57caaba08281e7cbb)
|
|
and session
ntcancel also needs to have AS_USER
- move the SIGNING_NO_REPLY logic as global option, because this needs to be set
for the error replies too.
- as we currently don't know how to generate signatures for ntcancel replies
we just skip the sending of the reply
- w2k3 first checks the VUID and then the TID, so we do now
- ntcreateX also uses ERRbaduid when getting a wrong VUID
metze
(This used to be commit d677ebf43d0d7e679ff11862683c993d887d9441)
|
|
metze
(This used to be commit 0c520e19a0676c688341523add8a176c3aba8578)
|
|
metze
(This used to be commit 913d5356eb04d0fd02c36052b5cb6a2a5646473a)
|
|
metze
(This used to be commit 9399e4d260011ce59229086e39585e1e56bd79a5)
|
|
metze
(This used to be commit 5fb5d1a864d9df0ac82fca145b51fdb27406bc97)
|
|
metze
(This used to be commit 3389544c2b14a044aed4a6d0ff966c0a2d92a61a)
|
|
(This used to be commit 6ab808223475ba7c52dbe4d639af9a8e7f64b202)
|
|
(This used to be commit 9eee7bafa12553a894536db8ce5cc2d268e09ae6)
|
|
(This used to be commit 0fc496bb6f520ddf6d85cc2f3df80f93b871cfe9)
|
|
Andrew Bartlett
(This used to be commit abff53b6339b7924ff705c7e3685135e85d8ed7a)
|
|
(This used to be commit 24e10300906c380919d2d631bfb3b8fd6b3f54ba)
|
|
http://lists.samba.org/archive/samba-technical/2005-October/043443.html)
(This used to be commit 7fffc5c9178158249be632ac0ca179c13bd1f98f)
|
|
authentication. This pulls the creating of the keytab back to the
credentials code, and removes the special case of 'use keberos keytab
= yes' for now.
This allows (and requires) the callers to specify the credentials for
the server credentails to GENSEC. This allows kpasswdd (soon to be
added) to use a different set of kerberos credentials.
The 'use kerberos keytab' code will be moved into the credentials
layer, as the layers below now expect a keytab.
We also now allow for the old secret to be stored into the
credentials, allowing service password changes.
Andrew Bartlett
(This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
|
|
the right
talloc context.
Volker
(This used to be commit 256cf928d786b2533953505aea20ec80a25c6929)
|
|
Should fix a valgrind error volker is seeing.
Andrew Bartlett
(This used to be commit 11957c5f37fe0a0be465a9ce9d6d256724c5951c)
|
|
(This used to be commit d2f80c0457f7404b2cac9df59a400130e9ad025f)
|
|
then StaticLibrary()
(This used to be commit b53313dc517986c69a4e4cb8fe3885b696f8faa1)
|
|
use pstring is next_token() now.
(This used to be commit a5b88bcd420eb7ae42283293541519e142be36e3)
|
|
but final linking still fails (as does generating files asn1, et, idl and proto
files)
(This used to be commit 4f0d7f75b99c7f4388d8acb0838577d86baf68b5)
|
|
RAW_SEARCH_UNIX_INFO find_fill_info(), which I think is a bug.
(This used to be commit 5f1cd6382cd90b1b33f645b1b2a469f4de4f42b9)
|
|
we do pass it as size_t. In case src_len is negative, we need to register a failure and return to the caller
(This used to be commit 95d96c79a538814bb524d7905e1e8f64df6341ca)
|
|
(This used to be commit cf1a7bbe96e8e40ac4df3eaa3e5922a944b45579)
|
|
(This used to be commit fac77f5fa267da57a55e88cad8993897e80741a0)
|
|
we didn't cope with the 'anonymous NTLM under SPNEGO' login.
Andrew Bartlett
(This used to be commit c3cc14542e426b23e468a11803c1bab0f6fe290f)
|
|
user_info strcture in auth/
This moves it to a pattern much like that found in ntvfs, with
functions to migrate between PAIN, HASH and RESPONSE passwords.
Instead of make_user_info*() functions, we simply fill in the control
block in the callers, per recent dicussions on the lists. This
removed a lot of data copies as well as error paths, as we can grab
much of it with talloc.
Andrew Bartlett
(This used to be commit ecbd2235a3e2be937440fa1dc0aecc5a047eda88)
|
|
connection structure.
This massively reduces the number of lp_*() calls made
(This used to be commit b1d577f48d31c0c17ad0b6abd78120087408e58d)
|
|
setup. Andrew, please check over this.
What happens is this:
- run the BASE-SECLEAK test
- with each failed session setup using spnego a gensec ctx is leaked into the smb_conn structure
- after the client disconnects these are finally cleaned up as they
are all children of the connection structure
- the cleanup of the millions of memory objects takes long enough
that the next operation in test_posix.sh sometimes fails with a timeout
Andrew, can you also look at the talloc_reference() on line 332 of
sesssetup.c ? I suspect it isn't needed (I don't think it does any
actual harm though)
(This used to be commit b40fb6a4569ccc1fa1750a1e534e18a020764b4c)
|
|
(This used to be commit 658befc1e4df44bee1f365a730951001f0f36640)
|
|
(This used to be commit 391cfe3c9645a19f8f5ff5c11b1ac03ee0b10f8f)
|
|
(This used to be commit 9eebd240d8ed9a634307ce31696d817f78f503b2)
|
|
(This used to be commit adae47c829fd157afa0011d29e5969d883a0956e)
|
|
be able to send a message to the "ldap_server" task without having to
know its task ID.
(This used to be commit 8f69867867857e0c9a9246c2dec9612ccc234724)
|
|
torture code that can tell the difference between dos and ntstatus
codes without mapping
(This used to be commit 5521060c089c2181a2f3c7aeabd2f3ba813c6e60)
|
|
metze
(This used to be commit a2e34475d723eb74fc58b9afa9f4a863b1277b0d)
|
|
(This used to be commit 6ee98c5f6505824826955f9d60a7964471fa6c26)
|
|
"sam database"
set to the internal ldap server over loopback. The following happened:
- DCERPC_AUTH3 request
- auth requests calls ldb
- ldb calls ldap
- ldap calls our internal ldap server, triggering events
- samrConnect from client
- connect refused
- SMBclose from client
- causes dcerpc_pipe to be destroyed
- AUTH3 continues
- dies on freed pipe
I chose this solution as it provides a guarantee that backends only have to think about
async issues when they mark a request async. When they don't, this code guarantees that
a second request won't happen on the same connection while processing the first one
(This used to be commit 45487e8a1402c64d1c314befe8bd9f65587fd0d6)
|
|
replay attacks under SMB signing, where the session key is a fixed
derivitive of the user's password.
This removes the VID offset, but I'm not worried about random client
bytes mattering here, given the space (and the fact that it applies to
very, very old clients).
Andrew Bartlett
(This used to be commit eb1d37c5a91a6bc4515469e1ae026d28c12d7149)
|
|
(no need for it to hang around forever).
Add test for this behaviour.
Andrew Bartlett
(This used to be commit 36dc2491d778fbbff32c4abdf95faa9f83024e12)
|
|
event_context for the socket_connect() call, so that when things that
use dcerpc are running alongside anything else it doesn't block the
whole process during a connect.
Then of course I needed to change any code that created a dcerpc
connection (such as the auth code) to also take an event context, and
anything that called that and so on .... thus the size of the patch.
There were 3 places where I punted:
- abartlet wanted me to add a gensec_set_event_context() call
instead of adding it to the gensec init calls. Andrew, my
apologies for not doing this. I didn't do it as adding a new
parameter allowed me to catch all the callers with the
compiler. Now that its done, we could go back and use
gensec_set_event_context()
- the ejs code calls auth initialisation, which means it should pass
in the event context from the web server. I punted on that. Needs fixing.
- I used a NULL event context in dcom_get_pipe(). This is equivalent
to what we did already, but should be fixed to use a callers event
context. Jelmer, can you think of a clean way to do that?
I also cleaned up a couple of things:
- libnet_context_destroy() makes no sense. I removed it.
- removed some unused vars in various places
(This used to be commit 3a3025485bdb8f600ab528c0b4b4eef0c65e3fc9)
|
|
old style
auto homedir share stuff
- add TODO: for checking the password on share mode security
metze
(This used to be commit d9a0c61801f19e55a41c573ea96565946314ecb3)
|
|
the error code for an invalid tid depends on the command
(This used to be commit 9dab036fbe50d84cb79d7a103c454a1c0c90a48a)
|
|
amazingly, I have seen w2k do a session setup followed by an immediate
attempted opening of \netlogon, with no tconx to ipc$ first. So this
error code can matter.
(This used to be commit 79112d81cb9ea3fc7e94be1af282ab4247170532)
|
|
cut&paste error
(This used to be commit 615618f192a05b95ab0e0fba68e339a6df1a3363)
|
|
Thanks to lars and agruen for finding this
(This used to be commit 2acc06918574b1178eecf3d61026f84f85bb40e1)
|
|
segfault). This should fix another of the issues that Richard came up
with last week.
Andrew Bartlett
(This used to be commit c2c8b6abf3ffa39c8677cab4fda415d66df0c4ff)
|
|
Andrew Bartlett
(This used to be commit c67a9370c4e8f94aad68abba073779bb0edf742b)
|
|
outstanding sessions, as we don't use it.
Andrew Bartlett
(This used to be commit 0cbd11a0f2448f2021fa1d8ad85a0a6f52192ee8)
|
|
renaming password.c over the top, as it deals with sessions, not
passwords).
Andrew Bartlett
(This used to be commit 0bba8da460f77946ba9ee5db58ae2329e9e57e1a)
|
|
behaviour on session setups, and because we no longer need do deal
with the linked list as much, the code is much simpiler too.
We may be able to compleatly remove the tid and vuid linked lists, but
I need to check.
This patch also tries to clean up the VUID handling and session setups
in general. To avoid security issues, we now have a distinction
between VUIDs allocated for the session setup (to tie togeather the
multiple round trips) and those used after authentication.
Andrew Bartlett
(This used to be commit 3e5775146d9ce6f0ac43aecae7e899b5324399ad)
|
