summaryrefslogtreecommitdiff
path: root/source4/torture/rpc/xplogin.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r6028: A MAJOR update to intergrate the new credentails system fully withAndrew Bartlett1-10/+13
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'. GENSEC now no longer has it's own handling of 'set username' etc, instead it uses cli_credentials calls. In order to link the credentails code right though Samba, a lot of interfaces have changed to remove 'username, domain, password' arguments, and these have been replaced with a single 'struct cli_credentials'. In the session setup code, a new parameter 'workgroup' contains the client/server current workgroup, which seems unrelated to the authentication exchange (it was being filled in from the auth info). This allows in particular kerberos to only call back for passwords when it actually needs to perform the kinit. The kerberos code has been modified not to use the SPNEGO provided 'principal name' (in the mechListMIC), but to instead use the name the host was connected to as. This better matches Microsoft behaviour, is more secure and allows better use of standard kerberos functions. To achieve this, I made changes to our socket code so that the hostname (before name resolution) is now recorded on the socket. In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now in libcli/auth/schannel.c, and it looks much more like a standard GENSEC module. The actual sign/seal code moved to libcli/auth/schannel_sign.c in a previous commit. The schannel credentails structure is now merged with the rest of the credentails, as many of the values (username, workstation, domain) where already present there. This makes handling this in a generic manner much easier, as there is no longer a custom entry-point. The auth_domain module continues to be developed, but is now just as functional as auth_winbind. The changes here are consequential to the schannel changes. The only removed function at this point is the RPC-LOGIN test (simulating the load of a WinXP login), which needs much more work to clean it up (it contains copies of too much code from all over the torture suite, and I havn't been able to penetrate its 'structure'). Andrew Bartlett (This used to be commit 2301a4b38a21aa60917973451687063d83d18d66)
2007-10-10r5902: A rather large change...Andrew Bartlett1-37/+16
I wanted to add a simple 'workstation' argument to the DCERPC authenticated binding calls, but this patch kind of grew from there. With SCHANNEL, the 'workstation' name (the netbios name of the client) matters, as this is what ties the session between the NETLOGON ops and the SCHANNEL bind. This changes a lot of files, and these will again be changed when jelmer does the credentials work. I also correct some schannel IDL to distinguish between workstation names and account names. The distinction matters for domain trust accounts. Issues in handling this (issues with lifetime of talloc pointers) caused me to change the 'creds_CredentialsState' and 'struct dcerpc_binding' pointers to always be talloc()ed pointers. In the schannel DB, we now store both the domain and computername, and query on both. This should ensure we fault correctly when the domain is specified incorrectly in the SCHANNEL bind. In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out, where the comment claimed we re-used a connection, but in fact we made a new connection. This was achived by breaking apart some of the dcerpc_secondary_connection() logic. The addition of workstation handling was also propogated to NTLMSSP and GENSEC, for completeness. The RPC-SAMSYNC test has been cleaned up a little, using a loop over usernames/passwords rather than manually expanded tests. This will be expanded further (the code in #if 0 in this patch) to use a newly created user account for testing. In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO server, caused by the removal of [ref] and the assoicated pointer from the IDL. This has been re-added, until the underlying pidl issues are solved. (This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2007-10-10r5364: Rename string fields called 'domain' and 'name' to be 'domain_name'.Tim Potter1-2/+2
(This used to be commit 6749b9404d4e9876ecd964e038c608f05d2c0b69)
2007-10-10r5037: got rid of all of the TALLOC_DEPRECATED stuff. My apologies for theAndrew Tridgell1-19/+19
large commit. I thought this was worthwhile to get done for consistency. (This used to be commit ec32b22ed5ec224f6324f5e069d15e92e38e15c0)
2007-10-10r4951: some of the code dealing with libcli was getting too complex trying toAndrew Tridgell1-14/+3
handle the inverted memory hierarchy that a normal session establishment gave. The inverted hierarchy came from that fact that you first establish a socket, then a transport, then a session and finally a tree. That leads to the socket being at the top of the memory hierarchy and the tree at the bottom, which makes no sense from the users point of view, as they want to be able to free the tree and have everything disappear. The core problem was that the libcli interface didn't distinguish between establishing a primary context and a secondary context. If you establish a 2nd session on a transport then you want the transport to be referenced by the session, whereas if you establish a primary session then you want the transport to be a child of the session. To fix this I have added "parent_ctx" and "primary" arguments to the libcli intialisation functions. This makes using the library much easier, and gives us a memory hierarchy that makes much more sense. I was prompted to do this by a bug in the cifs backend, which was caused by the socket not being properly torn down on a disconnect due to the inverted memory hierarchy. (This used to be commit 5e8fd5f70178992e249805c2e1ddafaf6840739b)
2007-10-10r4938: allow the caller to supply an existing event_context if they want toAndrew Tridgell1-1/+1
in smb_composite_connect_send(). This makes doing parallel calls much easier. (This used to be commit 442308970c123b9fb25615673049e1c1c234a0b9)
2007-10-10r4891: - added a generic resolve_name() async interface in libcli/resolve/,Andrew Tridgell1-4/+7
which will eventually try all resolution methods setup in smb.conf - only resolution backend at the moment is bcast, which does a parallel broadcast to all configured network interfaces, and takes the first reply that comes in (this nicely demonstrates how to do parallel requests using the async APIs) - converted all the existing code to use the new resolve_name() api - removed all the old nmb code (yay!) (This used to be commit 239c310f255e43dd2d1c2433f666c9faaacbdce3)
2007-10-10r4777: added a smb_composite_sesssetup() async composite function. ThisAndrew Tridgell1-11/+11
encapsulates all the different session setup methods, including the multi-pass spnego code. I have hooked this into all the places that previously used the RAW_SESSSETUP_GENERIC method, and have removed the old RAW_SESSSETUP_GENERIC code from clisession.c and clitree.c. A nice side effect is that these two modules are now very simple again, back to being "raw" session setup handling, which was what was originally intended. I have also used this to replace the session setup code in the smb_composite_connect() code, and used that to build a very simple replacement for smbcli_tree_full_connection(). As a result, smbclient, smbtorture and all our other SMB connection code now goes via these composite async functions. That should give them a good workout! (This used to be commit 080d0518bc7d6fd4bc3ef783e7d4d2e3275d0799)
2007-10-10r4758: - added async support to the session request codeAndrew Tridgell1-1/+1
- added async support to the negprot client code - removed two unused parameters from smbcli_full_connection() code - converted smbclient to use smbcli_full_connection() rather than reinventing everything itself (This used to be commit 71cbe2873473e039b4511511302cb63f1c50bce8)
2007-10-10r4726: - use the name tcon and tid instead of conn and cnumStefan Metzmacher1-1/+1
- make use of talloc destructors metze (This used to be commit 8308da6ce4a95f8c10e22949ef00e9e64f2dbb85)
2007-10-10r4706: Fix the build, after I renamed these elements in the IDL.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 8f47c7b02cc28eda022154796c7341fd63a87cc5)
2007-10-10r4616: the first phase in the addition of proper support forAndrew Tridgell1-32/+30
dcerpc_alter_context and multiple context_ids in the dcerpc client library. This stage does the following: - split "struct dcerpc_pipe" into two parts, the main part being "struct dcerpc_connection", which contains all the parts not dependent on the context, and "struct dcerpc_pipe" which has the context dependent part. This is similar to the layering in libcli_*() for SMB - disable the current dcerpc_alter code. I've used a #warning until i get the 2nd phase finished. I don't know how portable #warning is, but it won't be long before I add full alter context support anyway, so it won't last long - cleanup the allocation of dcerpc_pipe structures. The previous code was quite awkward. (This used to be commit 4004c69937be7e5dae56f9567ca607f982d395d3)
2007-10-10r4549: got rid of a lot more uses of plain talloc(), instead usingAndrew Tridgell1-2/+1
talloc_size() or talloc_array_p() where appropriate. also fixed a memory leak in pvfs_copy_file() (failed to free a memory context) (This used to be commit 89b74b53546e1570b11b3702f40bee58aed8c503)
2007-10-10r4392: Fix samr_GetAliasMembership idlVolker Lendecke1-2/+2
(This used to be commit b0b9332519ab6461967a5fe10698dcf4e9950834)
2007-10-10r4037: fixed a bunch of "might be uninitialised" warnings after enabling -O1 ↵Andrew Tridgell1-1/+1
in my compile (This used to be commit 0928b1f5b68c858922c3ea6c27ed03b5091c6221)
2007-10-10r4035: more effort on consistent naming of the access mask bits.Andrew Tridgell1-2/+2
This removes the duplicate named SEC_RIGHTS_MAXIMUM_ALLOWED and SEC_RIGHTS_FULL_CONTROL, which are just other names for SEC_FLAG_MAXIMUM_ALLOWED and SEC_RIGHTS_FILE_ALL. The latter names match the new naming conventions in security.idl Also added names for the generic->specific mappings for files are directories (This used to be commit 17a4e0b3aca227b40957ed1e0c57e498debc6ddf)
2007-10-10r3981: Use correct access-mask when querying aliases.Günther Deschner1-2/+2
Guenther (This used to be commit 5dde59be0995b9893ef476b06c259776c1115ae7)
2007-10-10r3913: fix the buildStefan Metzmacher1-2/+2
metze (This used to be commit ba67e98835095e940c23d095422e0cd72e105aee)
2007-10-10r3791: fixed declaration of torture_rpc_loginAndrew Tridgell1-1/+1
(This used to be commit fc9748841ec439a097e9713e1b60dbcd647469e2)
2007-10-10r3725: The new RPC-SAMSYNC test, complete with SAMR comparisons. This isAndrew Bartlett1-6/+6
certainly not complete, we need to verify all incoming data, not just accounts. This needs to be exercised against some 'intersting' users, but for now it shows that the IDL is already very accurate, particularly after the previous commits cleanups of names. Also commit the changes to keep RPC-LOGIN building. Andrew Bartlett (This used to be commit 87ec6834bc75012527454abc0e854b1cf2120088)
2007-10-10r3686: The results of some work on the NETLOGON pipe:Andrew Bartlett1-5/+10
Break out the samsync tests from RPC-NETLOGON into a new RPC-SAMSYNC, that will cross-verify all the values. Add support for the way netlogon credentials are shared between the pipe that sets up schannel and the pipe that is encrypted with it. Test this support, by calling both NETLOGON and SAMR operations in the RPC-SCHANNEL test. Move some of the Netlogon NEG flags into the .idl, now we have an idea what a few of them really are. Rename the sam_pwd_hash into a name that has meaning (all other crypto functions were renamed in Samba4 ages ago). Break out NTLMv2 functionality for operation on the NT hash - I intend to do NTLMv2 logins in the samsync test in future, and naturally I only have the hash. Andrew Bartlett (This used to be commit 6e6cc6fb9842113a1b0c7f6904dac709b320a6e5)
2007-10-10r3660: This simulates the logon sequence of a XP login session I'm currently ↵Volker Lendecke1-0/+1160
tuning Samba3/OpenLDAP for. For a concrete situation you have to adapt the domain, pdcname and usernames/passwords. Sorry, not parametrized yet, but this should be doable if necessary. Volker (This used to be commit 02f52058722fc1aea02d4fe237c97404d8e4f491)