From 02bb4e1b8ae931d9eefa2fbd4a6f5456aca99b2b Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Fri, 4 Apr 2003 15:21:04 +0000
Subject: This is a merge of the NETLOGON schannel server code from Samba TNG. Actually, it exists in the main Samba cvs tree in APPLIANCE_TNG as I found out later :-) It adds a new parameter: server schannel = yes/auto/no defaulting to auto. What does this mean to the user: No requireSignOrSeal registry patch for XP anymore. Many thanks for this code to Luke Leighton, Elrond and anybody else I forgot to mention. My next thing will be to see if this applies cleanly to 3_0. Please test and comment! Volker (This used to be commit e1f953241eb020f19fe657f29afdae28dcf5a03b)
---
 source3/include/ntdomain.h | 7 +++++++
 source3/include/rpc_dce.h | 39 +++++++++++++++++++++++++++++++++++++--
 2 files changed, 44 insertions(+), 2 deletions(-)
(limited to 'source3/include')
diff --git a/source3/include/ntdomain.h b/source3/include/ntdomain.h
index cf5bb5046c..d02195b378 100644
--- a/source3/include/ntdomain.h
+++ b/source3/include/ntdomain.h
@@ -192,6 +192,13 @@ typedef struct pipes_struct
 uint32 ntlmssp_seq_num;
 struct dcinfo dc; /* Keeps the creds data. */
+ /* Hmm. In my understanding the authentication happens implicitly later, so there are no two stages for schannel. */
+
+ BOOL netsec_auth_validated;
+ struct netsec_auth_struct netsec_auth;
+
 /* * Windows user info. */
diff --git a/source3/include/rpc_dce.h b/source3/include/rpc_dce.h
index 6a8c650650..7e8bc3949e 100644
--- a/source3/include/rpc_dce.h
+++ b/source3/include/rpc_dce.h
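Review bot: `BOOL netsec_auth_validated` is introduced without a comment saying which code sets it or what may only happen once it is TRUE, and the `/* Hmm. In my understanding ... */` comment above it records a doubt rather than a rule the request path can be checked against. Since the neighbouring `netsec_auth` member carries the schannel session key and sequence number (struct netsec_auth_struct is declared in this commit's rpc_dce.h hunk), the flag's comment should name the invariant, e.g. `/* TRUE once the schannel bind has been verified; netsec_auth (sess_key, seq_num) must not be used before then. */`. Key material now lives per pipe, so the pipe teardown code, which is outside this hunk, should be confirmed to clear `netsec_auth` rather than leave it behind in freed memory. pipes_struct begins and ends outside the hunk.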
@@ -55,6 +55,13 @@ enum RPC_PKT_TYPE
 #define NTLMSSP_AUTH_TYPE 0xa
 #define NTLMSSP_AUTH_LEVEL 0x6
+/* Netlogon schannel auth type and level */
+#define NETSEC_AUTH_TYPE 0x44
+#define NETSEC_AUTH_LEVEL 0x6
+#define NETSEC_SIGNATURE { 0x77, 0x00, 0x7a, 0x00, 0xff, 0xff, 0x00, 0x00 }
+#define RPC_AUTH_NETSEC_CHK_LEN 0x20
+#define NETLOGON_NEG_SCHANNEL 0x40000000
+
 /* Maximum PDU fragment size. */
 #define MAX_PDU_FRAG_LEN 0x1630
 /* #define MAX_PDU_FRAG_LEN 0x10b8 this is what w2k sets */
@@ -199,6 +206,34 @@ typedef struct rpc_hdr_auth_info
 #define RPC_HDR_AUTH_LEN 8
+/* this is TEMPORARILY coded up as a specific structure */
+/* this structure comes after the bind request */
+/* RPC_AUTH_NETSEC_NEG */
+typedef struct rpc_auth_netsec_neg_info
+{
+ uint32 unknown1;
+ uint32 unknown2;
+ fstring domain; /* calling workstations's domain */
+ fstring myname; /* calling workstation's name */
+} RPC_AUTH_NETSEC_NEG;
+
+/* attached to the end of encrypted rpc requests and responses */
+/* RPC_AUTH_NETSEC_CHK */
+typedef struct rpc_auth_netsec_chk_info
+{
+ uint8 sig [8]; /* 77 00 7a 00 ff ff 00 00 */
+ uint8 data1[8];
+ uint8 data3[8]; /* verifier, seq num */
+ uint8 data8[8]; /* random 8-byte nonce */
+} RPC_AUTH_NETSEC_CHK;
+
+struct netsec_auth_struct
+{
+ RPC_AUTH_NETSEC_NEG netsec_neg;
+ uchar sess_key[16];
+ uint32 seq_num;
+};
+
 /* RPC_BIND_REQ - ms req bind */
 typedef struct rpc_bind_req_info
 {
@@ -248,8 +283,8 @@ typedef struct rpc_hdr_ba_info
 /* RPC_AUTH_VERIFIER */
 typedef struct rpc_auth_verif_info
 {
- fstring signature; /* "NTLMSSP" */
- uint32 msg_type; /* NTLMSSP_MESSAGE_TYPE (1,2,3) */
+ fstring signature; /* "NTLMSSP".. Ok, not quite anymore */
+ uint32 msg_type; /* NTLMSSP_MESSAGE_TYPE (1,2,3) and 5 for schannel */
 } RPC_AUTH_VERIFIER;
-- cgit
From 0ac2b380018bd50eaaf6d6bcfbb6e949b85a6601 Mon Sep 17 00:00:00 2001
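Review bot: `RPC_AUTH_NETSEC_CHK_LEN 0x20` is the byte size of RPC_AUTH_NETSEC_CHK (four `uint8 [8]` arrays, declared in the next hunk of this file) but nothing ties the two together, so a later edit to the struct would leave the length that the parsing code presumably checks against out of step. A comment on the define, `/* sizeof RPC_AUTH_NETSEC_CHK: sig, data1, data3, data8, 8 bytes each */`, makes the dependency visible. `NETSEC_SIGNATURE` expands to a brace list and so can only initialise an array, not be handed to memcmp(); say so in its comment, or provide a `static const uint8` table in the implementation instead. The `/* Netlogon schannel auth type and level */` line would also help readers if it said these are the DCE-RPC auth_type (0x44, netlogon) and auth_level (0x6, packet privacy) values carried in the auth verifier header.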
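Review bot: `uchar sess_key[16]` in struct netsec_auth_struct is the only place the header tells a reader that a secret lives in this structure, and it says nothing; a comment such as `/* schannel session key - secret, zero it when the pipe is torn down */` belongs here, and `seq_num` should say what it counts (presumably the sequence number carried in the `data3` verifier field - confirm against the implementation). In RPC_AUTH_NETSEC_CHK the fields are `data1`, `data3`, `data8` with comments on only two of them, so the 32-byte verifier layout cannot be read off the declaration; name each field for what the parser does with it, or mark the unknown ones with a TODO. The `/* attached to the end of encrypted rpc requests and responses */` comment should also mention that this struct is exactly `RPC_AUTH_NETSEC_CHK_LEN` (0x20) bytes so the two definitions stay in step. `workstations's` in the `domain` comment is a typo in an added line.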
From: Simo Sorce
Date: Sun, 6 Apr 2003 09:35:16 +0000
Subject: This commit make winbindd copy winbindd_idmap.tdb into idmap.tdb on the first run if idmap.tdb is not found, and then eventually convert it to the new format. This is done to unify winbind and idmap databases and to make a backup of winbindd_idmap.tdb in case you want to downgrade (of course it will not be updated). This is needed because idmap.tdb contains also local mappings, not only foreign domains mappings. Added some other fixes/improvements Simo. (This used to be commit cf17261519fd8775500f9b9d6caa2bc462e04633)
---
 source3/include/idmap.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'source3/include')
diff --git a/source3/include/idmap.h b/source3/include/idmap.h
index 2cc31e9ed2..a7cab74149 100644
--- a/source3/include/idmap.h
+++ b/source3/include/idmap.h
@@ -41,7 +41,7 @@ typedef union unid_t {
 struct idmap_methods {
 /* Called when backend is first loaded */
- NTSTATUS (*init)(const char *init_str);
+ NTSTATUS (*init)(void);
 NTSTATUS (*get_sid_from_id)(DOM_SID *sid, unid_t id, int id_type);
 NTSTATUS (*get_id_from_sid)(unid_t *id, int *id_type, const DOM_SID *sid);
-- cgit
From 88ed48d0f935db136318fafe6e541cf7cbaed5e2 Mon Sep 17 00:00:00 2001
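Review bot: `NTSTATUS (*init)(void)` drops the `init_str` argument but the `/* Called when backend is first loaded */` comment above it is untouched, so the header no longer says how a backend receives its configuration. Every backend that implements `init` has to change with this line - one left at the old prototype would still be assignable here with only an incompatible-pointer-type warning and would then be entered with no argument - so the comment should state the new contract, e.g. `/* Called once when the backend is first loaded; no init string is passed */`. The backends themselves are outside this diff, so it cannot be checked here that all were updated.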
From: Andrew Bartlett
Date: Sun, 6 Apr 2003 13:08:07 +0000
Subject: SMB signing updates - this gets NTLMSSP signing workin to the point where I just need to get the verifiction code working - we get back a signiture from the server, and just can't verify it yet. This also brings the short-packet checks into common code, and breaks the connection if the server sends a signed reply, on an established connection, that fails the test. This breaks our read/write code at the moment, as we need to keep a list of outstanding packets. (signing is not enabled by default, unless the server demands it) Not for 3.0 till I fix the outstanding packet list. Andrew Barlett (This used to be commit 808d1fcf20153970d587cb631a08607beb09703a)
---
 source3/include/smb.h | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
(limited to 'source3/include')
diff --git a/source3/include/smb.h b/source3/include/smb.h
index 4f37c38413..3bb6bf9237 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -78,6 +78,10 @@ typedef int BOOL;
 #define READ_EOF 2
 #define READ_ERROR 3
+/* This error code can go into the client smb_rw_error. */
+#define WRITE_ERROR 4
+#define READ_BAD_SIG 5
+
 #define DIR_STRUCT_SIZE 43
 /* these define the attribute byte as seen by DOS */
@@ -161,9 +165,6 @@ typedef uint16 smb_ucs2_t;
 typedef smb_ucs2_t wpstring[PSTRING_LEN];
 typedef smb_ucs2_t wfstring[FSTRING_LEN];
-/* This error code can go into the client smb_rw_error. */
-#define WRITE_ERROR 4
-
 #ifdef WORDS_BIGENDIAN
 #define UCS2_SHIFT 8
 #else
-- cgit
From df883f35b28a4991470bd081f63a378225bdf827 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Sun, 6 Apr 2003 16:01:18 +0000
Subject: fix commit (This used to be commit ad1a2ab0d6330a0b0fbce7b30ec5f6f502133921)
---
 source3/include/idmap.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'source3/include')
diff --git a/source3/include/idmap.h b/source3/include/idmap.h
index a7cab74149..1e56519453 100644
--- a/source3/include/idmap.h
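Review bot: The relocated `/* This error code can go into the client smb_rw_error. */` comment now heads two codes and still speaks of one, and the new `READ_BAD_SIG 5` has no explanation although the commit message says it marks a signed reply that failed verification and causes the connection to be broken. That is the kind of fact a reader of smb.h needs from the header itself: `/* Values for the client smb_rw_error. READ_BAD_SIG: a signed reply failed signature verification and the connection is dropped. */`. The second hunk of this file (@@ -161,9 +165,6 @@) only removes the old WRITE_ERROR definition that this hunk relocates and needs no change.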
+++ b/source3/include/idmap.h
@@ -45,7 +45,7 @@ struct idmap_methods {
 NTSTATUS (*get_sid_from_id)(DOM_SID *sid, unid_t id, int id_type);
 NTSTATUS (*get_id_from_sid)(unid_t *id, int *id_type, const DOM_SID *sid);
- NTSTATUS (*set_mapping)(DOM_SID *sid, unid_t id, int id_type);
+ NTSTATUS (*set_mapping)(const DOM_SID *sid, unid_t id, int id_type);
 /* Called when backend is unloaded */
 NTSTATUS (*close)(void);
-- cgit
From 25b1c37f6f67570dcfaff6081a74114d172dde1b Mon Sep 17 00:00:00 2001
From: Tim Potter
Date: Mon, 7 Apr 2003 06:13:36 +0000
Subject: Remove duplicate "tallocdump" message from tdb messaging system. The same functionality exists as "pool-usage". Move initialisation of this and dmalloc messages inside message_init(). (This used to be commit af6ecafcbbf65dbedc49b3a86da39ce608bdadac)
---
 source3/include/messages.h | 4 ----
 1 file changed, 4 deletions(-)
(limited to 'source3/include')
diff --git a/source3/include/messages.h b/source3/include/messages.h
index ce167a772d..37e9372cda 100644
--- a/source3/include/messages.h
+++ b/source3/include/messages.h
@@ -43,10 +43,6 @@
 #define MSG_SHUTDOWN 13
-/* Dump out the talloc useage. */
-#define MSG_REQ_TALLOC_USAGE 14
-#define MSG_TALLOC_USAGE 15
-
 /* nmbd messages */
 #define MSG_FORCE_ELECTION 1001
 #define MSG_WINS_NEW_ENTRY 1002
-- cgit