| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
file dependencies
(This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781)
|
|
default.
(This used to be commit c80a8f1102caf744b66c13bebde38fba74983dc4)
|
|
metze
(This used to be commit 291da7bac3e8707009b239bd3c8b0a0d14f54481)
|
|
credentials.
Consistantly rename these elements in the IDL to computer_name.
Fix the server-side code to always lookup by this name.
Add new, even nastier tests to RPC-SCHANNEL to prove this.
Andrew Bartlett
(This used to be commit 341a0abeb4a9f88d64ffd4681249cb1f643a7a5a)
|
|
metze
(This used to be commit 67837dbd2bcff8ec1917ba02884ee2eaa0776b46)
|
|
In librpc, always try SMB level authentication, even if trying
schannel, but allow fallback to anonymous. This should better
function with servers that set restrict anonymous.
There are too many parts of Samba that get, parse and modify the
binding parameters. Avoid the extra work, and add a binding element
to the struct dcerpc_pipe
The libnet vampire code has been refactored, to reduce extra layers
and to better conform with the standard argument pattern. Also, take
advantage of the new libnet_Lookup code, so we don't require the silly
'password server' smb.conf parameter.
To better support forcing traffic to be sealed for the vampire
operation, the dcerpc_bind_auth() function now takes an auth level
parameter.
Andrew Bartlett
(This used to be commit d65b354959842326fdd4bd7eb7fbeea0390f4afa)
|
|
dcerpc_interface_table struct rather then a tuple of interface
name, UUID and version.
This removes the requirement for having a global list of DCE/RPC interfaces,
except for these parts of the code that use that list explicitly
(ndrdump and the scanner torture test).
This should also allow us to remove the hack that put the authservice parameter
in the dcerpc_binding struct as it can now be read directly from
dcerpc_interface_table.
I will now modify some of these functions to take a dcerpc_syntax_id
structure rather then a full dcerpc_interface_table.
(This used to be commit 8aae0f168e54c01d0866ad6e0da141dbd828574f)
|
|
(This used to be commit 61cabcd7f9010f708a55165f2ff855630f4b39df)
|
|
metze
(This used to be commit 5f45d070208eedaef59bff5f7e05f37719285d84)
|
|
Andrew Bartlett
(This used to be commit c0ba414a38de7ffa7b2a59c664598e64e911fe7c)
|
|
This avoids the nasty user@DOMAIN test for now, as it has very odd
semantics with NTLMv2.
Allow only user accounts to do an interactive login.
Andrew Bartlett
(This used to be commit 690cad8083e176b2e58fc243a11a003a78ce4074)
|
|
expect funny buisness.
Andrew Bartlett
(This used to be commit b2810bd702b14375ddc237ba39be0badbae20aa5)
|
|
'workstation for account on NTLM' flag.
Andrew Bartlett
(This used to be commit aa5b6cf7c4cabd25655dc11d90d00c5faec67d6c)
|
|
plaintext and machine account logins.
Update tests to confirm this behaviour.
Andrew Bartlett
(This used to be commit a0ed41d379f4b15a7f44ca93de9907f02bada163)
|
|
it in the RPC-SAMLOGON test.
Andrew Bartlett
(This used to be commit 675b7df2eedbcb7ea89c0411f76429d8e2357222)
|
|
Andrew Bartlett
(This used to be commit 0f994275ce5d84bdb746524c5da7d9661fbadb63)
|
|
SAMLOGON test.
The semantics for the user account are very odd, the old password is
still valid, but the session keys appear to be blanked out.
Andrew Bartlett
(This used to be commit bbfaf4821d81116efa91313655acb75d6f577953)
|
|
that is what most of the callers want anyway.
Remove and re-add the account for the torture case, rather than just
modify it.
Test with a user account (needs work to change the password).
Andrew Bartlett
(This used to be commit 38bebef02454164cbe882347d80e03abee656205)
|
|
seem to be able to handle incomplete enum types.
(This used to be commit 540155fad3c8e3d79fb631bb3f14273f82130a73)
|
|
(This used to be commit 03647e1321cf6c9bd6ced3945265f635e9468973)
|
|
described on the list. I probably need to write more specific NTLMv2
sucess and failure mode tests.
Andrew Bartlett
(This used to be commit c4d608734a98277b1f761142eb3f89086b539847)
|
|
I still have issues with Win2k3 SP1, and Samba4 doesn't pass it's own
test for the moment, but I'm working on these issues :-)
This required a change to the credentials API, so that the special
case for NTLM logins using a principal was indeed handled as a
special, not general case.
Also don't set the realm from a ccache, as then it overrides --option=realm=.
Andrew Bartlett
(This used to be commit 194e8f07c0cb4685797c5a7a074577c62dfdebe3)
|
|
Kerberos CCACHE into the system.
This again allows the use of the system ccache when no username is
specified, and brings more code in common between gensec_krb5 and
gensec_gssapi.
It also has a side-effect that may (or may not) be expected: If there
is a ccache, even if it is not used (perhaps the remote server didn't
want kerberos), it will change the default username.
Andrew Bartlett
(This used to be commit 6202267f6ec1446d6bd11d1d37d05a977bc8d315)
|
|
Andrew Bartlett
(This used to be commit 1fa87223eb66825ef2dd93966652fa84de6b0b2f)
|
|
Use "" for the no domain case.
Andrew Bartlett
(This used to be commit 4989ffe870408e9d9a9427b3cc79d756c94ed803)
|
|
andrew, please check
(This used to be commit 0dda73add315e837defd7a705af988aca4cd4556)
|
|
I can't get a few of the session key values right (and these tests are
#if 0'ed out), but this expands the testing.
Andrew Bartlett
(This used to be commit e947c8a8f2a5cb458c708e902eabfca94d24d0f3)
|
|
Andrew Bartlett
(This used to be commit a1c1aecc7e4688cb377ca9322238c27de8fdc69c)
|
|
Session Setup code.
Add a mem_ctx argument to a few of the NTLMv2 support functions, and
add smb.conf options to control client NTLMv2 behaviour.
Andrew Bartlett
(This used to be commit 3f35cdb218a3dae08a05e77452ca9f73716ceb28)
|
|
event_context for the socket_connect() call, so that when things that
use dcerpc are running alongside anything else it doesn't block the
whole process during a connect.
Then of course I needed to change any code that created a dcerpc
connection (such as the auth code) to also take an event context, and
anything that called that and so on .... thus the size of the patch.
There were 3 places where I punted:
- abartlet wanted me to add a gensec_set_event_context() call
instead of adding it to the gensec init calls. Andrew, my
apologies for not doing this. I didn't do it as adding a new
parameter allowed me to catch all the callers with the
compiler. Now that its done, we could go back and use
gensec_set_event_context()
- the ejs code calls auth initialisation, which means it should pass
in the event context from the web server. I punted on that. Needs fixing.
- I used a NULL event context in dcom_get_pipe(). This is equivalent
to what we did already, but should be fixed to use a callers event
context. Jelmer, can you think of a clean way to do that?
I also cleaned up a couple of things:
- libnet_context_destroy() makes no sense. I removed it.
- removed some unused vars in various places
(This used to be commit 3a3025485bdb8f600ab528c0b4b4eef0c65e3fc9)
|
|
Andrew Bartlett
(This used to be commit d74b7c20b6e547dba039992f69cea31b46d92286)
|
|
soon-to-be-depricated 'realm'.
Add torture test for this behaviour.
Andrew Bartlet
(This used to be commit 6b9020661a13fd5ec6c5d1e21344d9f654978987)
|
|
We need to pass the 'secure channel type' to the NETLOGON layer, which
must match the account type.
(Yes, jelmer objects to this inclusion of the kitchen sink ;-)
Andrew Bartlett
(This used to be commit 8ee208a926d2b15fdc42753b1f9ee586564c6248)
|
|
metze needs a working tree...
The main volume of this patch was what I started working on today:
- Cleans up memory handling around DCE/RPC pipes, to have a parent talloc context.
- Uses sepereate inner loops for some of the DCE/RPC tests
The other and more important part of this patch fixes issues
surrounding the new credentials framwork:
This makes the struct cli_credentials always a talloc() structure,
rather than on the stack. Parts of the cli_credentials code already
assumed this.
There were other issues, particularly in the DCERPC over SMB handling,
as well as little things that had to be tidied up before test_w2k3.sh
would start to pass.
Andrew Bartlett
(This used to be commit 0453f9d05d2e336fba1f85dbf2718d01fa2bf778)
|
|
- gtk+ (returned by GtkHostBindingDialog as well now)
- torture/
- librpc/
- lib/com/dcom/
(This used to be commit ccefd782335e01e8e6ecb2bcd28a4f999c53b1a6)
|
|
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
|
|
need a NULL domain (or a "" domain, except this breaks NTLMv2, and I
need to look into it a bit more).
Add support to the Samba4 server for these logins. This will need
extension when we handle trusted domains as a DC, as it is a principal
name, not just another format for the username.
Andrew Bartlett
(This used to be commit de02c7c222a32d2b3fb8ee8b715749b96cb647f9)
|
|
less likely that anyone will use pstring for new code
- got rid of winbind_client.h from includes.h. This one triggered a
huge change, as winbind_client.h was including system/filesys.h and
defining the old uint32 and uint16 types, as well as its own
pstring and fstring.
(This used to be commit 9db6c79e902ec538108d6b7d3324039aabe1704f)
|
|
large commit. I thought this was worthwhile to get done for
consistency.
(This used to be commit ec32b22ed5ec224f6324f5e069d15e92e38e15c0)
|
|
testsuite for all the different flag types. (We really only need to
know if we are getting the session key crypto stuff right, and one
call can tell us that).
Andrew Bartlett
(This used to be commit 8807498f6d3ff248c4d42bf18db45cfe25bd3b2f)
|
|
dcerpc_alter_context and multiple context_ids in the dcerpc client
library.
This stage does the following:
- split "struct dcerpc_pipe" into two parts, the main part being "struct dcerpc_connection", which
contains all the parts not dependent on the context, and "struct dcerpc_pipe" which has
the context dependent part. This is similar to the layering in libcli_*() for SMB
- disable the current dcerpc_alter code. I've used a #warning until i
get the 2nd phase finished. I don't know how portable #warning is, but
it won't be long before I add full alter context support anyway, so it won't last long
- cleanup the allocation of dcerpc_pipe structures. The previous code
was quite awkward.
(This used to be commit 4004c69937be7e5dae56f9567ca607f982d395d3)
|
|
replace).
Andrew Bartlett
(This used to be commit ddb54d4ea1610b38e011e2f217ded7b6278d5290)
|
|
only needs WS privilages anyway.
Andrew Bartlett
(This used to be commit a093c4f98e833198ee59064b2cb9b9b45a188a59)
|
|
Include RPC-SAMLOGON in the list of tests expected to pass
Remove silly extra loops from the RPC-SAMLOGON test, which mostly just
slowed htings down.
Andrew Bartlett
(This used to be commit 518ca9fb695b0f9d480122a74a2159f7f17a3219)
|
|
combine the NTLM and LMv2 responses, for maximum compatability from a
client perspective, allowing access to servers that require NTLMv2, as
well as those that don't support it.
Currently, this is unfortunetly not possible against Win2k3 (and Samba
is being coded to match that behaviour at this point).
Andrew Bartlett
(This used to be commit 93b46ebe0f3cccd26b5ddd213553667e612c3701)
|
|
I just need to fix a couple of NTLMv2 issues before we can fully pass,
and put this in test_rpc.sh, as a 'should pass' test.
Andrew Bartlett
(This used to be commit 4b52409e385366d87724bb79f4fad4803e8ecfec)
|
|
in my compile
(This used to be commit 0928b1f5b68c858922c3ea6c27ed03b5091c6221)
|
|
metze
(This used to be commit e28351f710525ca9863210974544a8b1a537e63a)
|
|
that works only on SCHANNEL secured connections (as it needs the
implicit credentials).
Fix some of the IDL.
Andrew Bartlett
(This used to be commit 90cd7b34cc18e758e939e0183281b7a517d728f0)
|
|
* Add new tests for ACCOUNTs in SamSync
* Clean up names in NETLOGON and LSA
* Verify Security Descriptors against LSA, as well as SamR
Andrew Bartlett
(This used to be commit 7094502fe0346255a89667f702289b4c8dc9fa08)
|
