From 858e63cab3b6a23692678d6eb03f9e48c3c08603 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 25 Apr 2000 14:04:06 +0000 Subject: split clientgen.c into several parts the next step is splitting out the auth code, to make adding lukes NTLMSSP support easier (This used to be commit 10c5470835b43116ed48b3137c3b9cc867a20989) --- source3/libsmb/cliconnect.c | 790 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 790 insertions(+) create mode 100644 source3/libsmb/cliconnect.c (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c new file mode 100644 index 0000000000..b546e1e4ec --- /dev/null +++ b/source3/libsmb/cliconnect.c @@ -0,0 +1,790 @@ +/* + Unix SMB/Netbios implementation. + Version 3.0 + client connect/disconnect routines + Copyright (C) Andrew Tridgell 1994-1998 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#define NO_SYSLOG + +#include "includes.h" + + +static struct { + int prot; + char *name; + } +prots[] = + { + {PROTOCOL_CORE,"PC NETWORK PROGRAM 1.0"}, + {PROTOCOL_COREPLUS,"MICROSOFT NETWORKS 1.03"}, + {PROTOCOL_LANMAN1,"MICROSOFT NETWORKS 3.0"}, + {PROTOCOL_LANMAN1,"LANMAN1.0"}, + {PROTOCOL_LANMAN2,"LM1.2X002"}, + {PROTOCOL_LANMAN2,"Samba"}, + {PROTOCOL_NT1,"NT LANMAN 1.0"}, + {PROTOCOL_NT1,"NT LM 0.12"}, + {-1,NULL} + }; + + +/**************************************************************************** + Send a session setup. The username is in UNIX character format and must be + converted to DOS codepage format before sending. If the password is in + plaintext, the same should be done. +****************************************************************************/ + +BOOL cli_session_setup(struct cli_state *cli, + char *user, + char *pass, int passlen, + char *ntpass, int ntpasslen, + char *workgroup) +{ + char *p; + fstring pword, ntpword; + + if (cli->protocol < PROTOCOL_LANMAN1) + return True; + + if (passlen > sizeof(pword)-1 || ntpasslen > sizeof(ntpword)-1) { + return False; + } + + if (((passlen == 0) || (passlen == 1)) && (pass[0] == '\0')) { + /* Null session connect. */ + pword[0] = '\0'; + ntpword[0] = '\0'; + } else { + if ((cli->sec_mode & 2) && passlen != 24) { + /* + * Encrypted mode needed, and non encrypted password supplied. + */ + passlen = 24; + ntpasslen = 24; + fstrcpy(pword, pass); + unix_to_dos(pword,True); + fstrcpy(ntpword, ntpass);; + unix_to_dos(ntpword,True); + SMBencrypt((uchar *)pword,(uchar *)cli->cryptkey,(uchar *)pword); + SMBNTencrypt((uchar *)ntpword,(uchar *)cli->cryptkey,(uchar *)ntpword); + } else if ((cli->sec_mode & 2) && passlen == 24) { + /* + * Encrypted mode needed, and encrypted password supplied. + */ + memcpy(pword, pass, passlen); + if(ntpasslen == 24) { + memcpy(ntpword, ntpass, ntpasslen); + } else { + fstrcpy(ntpword, ""); + ntpasslen = 0; + } + } else { + /* + * Plaintext mode needed, assume plaintext supplied. + */ + fstrcpy(pword, pass); + unix_to_dos(pword,True); + fstrcpy(ntpword, ""); + ntpasslen = 0; + } + } + + /* if in share level security then don't send a password now */ + if (!(cli->sec_mode & 1)) { + fstrcpy(pword, ""); + passlen=1; + fstrcpy(ntpword, ""); + ntpasslen=1; + } + + /* send a session setup command */ + memset(cli->outbuf,'\0',smb_size); + + if (cli->protocol < PROTOCOL_NT1) + { + set_message(cli->outbuf,10,1 + strlen(user) + passlen,True); + CVAL(cli->outbuf,smb_com) = SMBsesssetupX; + cli_setup_packet(cli); + + CVAL(cli->outbuf,smb_vwv0) = 0xFF; + SSVAL(cli->outbuf,smb_vwv2,cli->max_xmit); + SSVAL(cli->outbuf,smb_vwv3,2); + SSVAL(cli->outbuf,smb_vwv4,1); + SIVAL(cli->outbuf,smb_vwv5,cli->sesskey); + SSVAL(cli->outbuf,smb_vwv7,passlen); + p = smb_buf(cli->outbuf); + memcpy(p,pword,passlen); + p += passlen; + pstrcpy(p,user); + unix_to_dos(p,True); + strupper(p); + } + else + { + set_message(cli->outbuf,13,0,True); + CVAL(cli->outbuf,smb_com) = SMBsesssetupX; + cli_setup_packet(cli); + + CVAL(cli->outbuf,smb_vwv0) = 0xFF; + SSVAL(cli->outbuf,smb_vwv2,CLI_BUFFER_SIZE); + SSVAL(cli->outbuf,smb_vwv3,2); + SSVAL(cli->outbuf,smb_vwv4,cli->pid); + SIVAL(cli->outbuf,smb_vwv5,cli->sesskey); + SSVAL(cli->outbuf,smb_vwv7,passlen); + SSVAL(cli->outbuf,smb_vwv8,ntpasslen); + SSVAL(cli->outbuf,smb_vwv11,0); + p = smb_buf(cli->outbuf); + memcpy(p,pword,passlen); + p += SVAL(cli->outbuf,smb_vwv7); + memcpy(p,ntpword,ntpasslen); + p += SVAL(cli->outbuf,smb_vwv8); + pstrcpy(p,user); + unix_to_dos(p,True); + strupper(p); + p = skip_string(p,1); + pstrcpy(p,workgroup); + strupper(p); + p = skip_string(p,1); + pstrcpy(p,"Unix");p = skip_string(p,1); + pstrcpy(p,"Samba");p = skip_string(p,1); + set_message(cli->outbuf,13,PTR_DIFF(p,smb_buf(cli->outbuf)),False); + } + + cli_send_smb(cli); + if (!cli_receive_smb(cli)) + return False; + + show_msg(cli->inbuf); + + if (CVAL(cli->inbuf,smb_rcls) != 0) { + return False; + } + + /* use the returned vuid from now on */ + cli->vuid = SVAL(cli->inbuf,smb_uid); + + if (cli->protocol >= PROTOCOL_NT1) { + /* + * Save off some of the connected server + * info. + */ + char *server_domain,*server_os,*server_type; + server_os = smb_buf(cli->inbuf); + server_type = skip_string(server_os,1); + server_domain = skip_string(server_type,1); + fstrcpy(cli->server_os, server_os); + dos_to_unix(cli->server_os, True); + fstrcpy(cli->server_type, server_type); + dos_to_unix(cli->server_type, True); + fstrcpy(cli->server_domain, server_domain); + dos_to_unix(cli->server_domain, True); + } + + fstrcpy(cli->user_name, user); + dos_to_unix(cli->user_name, True); + + return True; +} + +/**************************************************************************** + Send a uloggoff. +*****************************************************************************/ + +BOOL cli_ulogoff(struct cli_state *cli) +{ + memset(cli->outbuf,'\0',smb_size); + set_message(cli->outbuf,2,0,True); + CVAL(cli->outbuf,smb_com) = SMBulogoffX; + cli_setup_packet(cli); + SSVAL(cli->outbuf,smb_vwv0,0xFF); + SSVAL(cli->outbuf,smb_vwv2,0); /* no additional info */ + + cli_send_smb(cli); + if (!cli_receive_smb(cli)) + return False; + + return CVAL(cli->inbuf,smb_rcls) == 0; +} + +/**************************************************************************** +send a tconX +****************************************************************************/ +BOOL cli_send_tconX(struct cli_state *cli, + char *share, char *dev, char *pass, int passlen) +{ + fstring fullshare, pword, dos_pword; + char *p; + memset(cli->outbuf,'\0',smb_size); + memset(cli->inbuf,'\0',smb_size); + + fstrcpy(cli->share, share); + + /* in user level security don't send a password now */ + if (cli->sec_mode & 1) { + passlen = 1; + pass = ""; + } + + if ((cli->sec_mode & 2) && *pass && passlen != 24) { + /* + * Non-encrypted passwords - convert to DOS codepage before encryption. + */ + passlen = 24; + fstrcpy(dos_pword,pass); + unix_to_dos(dos_pword,True); + SMBencrypt((uchar *)dos_pword,(uchar *)cli->cryptkey,(uchar *)pword); + } else { + if(!(cli->sec_mode & 2)) { + /* + * Non-encrypted passwords - convert to DOS codepage before using. + */ + fstrcpy(pword,pass); + unix_to_dos(pword,True); + } else { + memcpy(pword, pass, passlen); + } + } + + slprintf(fullshare, sizeof(fullshare)-1, + "\\\\%s\\%s", cli->desthost, share); + unix_to_dos(fullshare, True); + strupper(fullshare); + + set_message(cli->outbuf,4, + 2 + strlen(fullshare) + passlen + strlen(dev),True); + CVAL(cli->outbuf,smb_com) = SMBtconX; + cli_setup_packet(cli); + + SSVAL(cli->outbuf,smb_vwv0,0xFF); + SSVAL(cli->outbuf,smb_vwv3,passlen); + + p = smb_buf(cli->outbuf); + memcpy(p,pword,passlen); + p += passlen; + fstrcpy(p,fullshare); + p = skip_string(p,1); + pstrcpy(p,dev); + unix_to_dos(p,True); + + SCVAL(cli->inbuf,smb_rcls, 1); + + cli_send_smb(cli); + if (!cli_receive_smb(cli)) + return False; + + if (CVAL(cli->inbuf,smb_rcls) != 0) { + return False; + } + + fstrcpy(cli->dev, "A:"); + + if (cli->protocol >= PROTOCOL_NT1) { + fstrcpy(cli->dev, smb_buf(cli->inbuf)); + } + + if (strcasecmp(share,"IPC$")==0) { + fstrcpy(cli->dev, "IPC"); + } + + /* only grab the device if we have a recent protocol level */ + if (cli->protocol >= PROTOCOL_NT1 && + smb_buflen(cli->inbuf) == 3) { + /* almost certainly win95 - enable bug fixes */ + cli->win95 = True; + } + + cli->cnum = SVAL(cli->inbuf,smb_tid); + return True; +} + + +/**************************************************************************** +send a tree disconnect +****************************************************************************/ +BOOL cli_tdis(struct cli_state *cli) +{ + memset(cli->outbuf,'\0',smb_size); + set_message(cli->outbuf,0,0,True); + CVAL(cli->outbuf,smb_com) = SMBtdis; + SSVAL(cli->outbuf,smb_tid,cli->cnum); + cli_setup_packet(cli); + + cli_send_smb(cli); + if (!cli_receive_smb(cli)) + return False; + + return CVAL(cli->inbuf,smb_rcls) == 0; +} + + +/**************************************************************************** +send a negprot command +****************************************************************************/ +BOOL cli_negprot(struct cli_state *cli) +{ + char *p; + int numprots; + int plength; + + memset(cli->outbuf,'\0',smb_size); + + /* setup the protocol strings */ + for (plength=0,numprots=0; + prots[numprots].name && prots[numprots].prot<=cli->protocol; + numprots++) + plength += strlen(prots[numprots].name)+2; + + set_message(cli->outbuf,0,plength,True); + + p = smb_buf(cli->outbuf); + for (numprots=0; + prots[numprots].name && prots[numprots].prot<=cli->protocol; + numprots++) { + *p++ = 2; + pstrcpy(p,prots[numprots].name); + unix_to_dos(p,True); + p += strlen(p) + 1; + } + + CVAL(cli->outbuf,smb_com) = SMBnegprot; + cli_setup_packet(cli); + + CVAL(smb_buf(cli->outbuf),0) = 2; + + cli_send_smb(cli); + if (!cli_receive_smb(cli)) + return False; + + show_msg(cli->inbuf); + + if (CVAL(cli->inbuf,smb_rcls) != 0 || + ((int)SVAL(cli->inbuf,smb_vwv0) >= numprots)) { + return(False); + } + + cli->protocol = prots[SVAL(cli->inbuf,smb_vwv0)].prot; + + + if (cli->protocol >= PROTOCOL_NT1) { + /* NT protocol */ + cli->sec_mode = CVAL(cli->inbuf,smb_vwv1); + cli->max_mux = SVAL(cli->inbuf, smb_vwv1+1); + cli->max_xmit = IVAL(cli->inbuf,smb_vwv3+1); + cli->sesskey = IVAL(cli->inbuf,smb_vwv7+1); + cli->serverzone = SVALS(cli->inbuf,smb_vwv15+1); + cli->serverzone *= 60; + /* this time arrives in real GMT */ + cli->servertime = interpret_long_date(cli->inbuf+smb_vwv11+1); + memcpy(cli->cryptkey,smb_buf(cli->inbuf),8); + cli->capabilities = IVAL(cli->inbuf,smb_vwv9+1); + if (cli->capabilities & 1) { + cli->readbraw_supported = True; + cli->writebraw_supported = True; + } + } else if (cli->protocol >= PROTOCOL_LANMAN1) { + cli->sec_mode = SVAL(cli->inbuf,smb_vwv1); + cli->max_xmit = SVAL(cli->inbuf,smb_vwv2); + cli->sesskey = IVAL(cli->inbuf,smb_vwv6); + cli->serverzone = SVALS(cli->inbuf,smb_vwv10); + cli->serverzone *= 60; + /* this time is converted to GMT by make_unix_date */ + cli->servertime = make_unix_date(cli->inbuf+smb_vwv8); + cli->readbraw_supported = ((SVAL(cli->inbuf,smb_vwv5) & 0x1) != 0); + cli->writebraw_supported = ((SVAL(cli->inbuf,smb_vwv5) & 0x2) != 0); + memcpy(cli->cryptkey,smb_buf(cli->inbuf),8); + } else { + /* the old core protocol */ + cli->sec_mode = 0; + cli->serverzone = TimeDiff(time(NULL)); + } + + cli->max_xmit = MIN(cli->max_xmit, CLI_BUFFER_SIZE); + + return True; +} + + +/**************************************************************************** + send a session request. see rfc1002.txt 4.3 and 4.3.2 +****************************************************************************/ +BOOL cli_session_request(struct cli_state *cli, + struct nmb_name *calling, struct nmb_name *called) +{ + char *p; + int len = 4; + extern pstring user_socket_options; + + /* send a session request (RFC 1002) */ + + memcpy(&(cli->calling), calling, sizeof(*calling)); + memcpy(&(cli->called ), called , sizeof(*called )); + + /* put in the destination name */ + p = cli->outbuf+len; + name_mangle(cli->called .name, p, cli->called .name_type); + len += name_len(p); + + /* and my name */ + p = cli->outbuf+len; + name_mangle(cli->calling.name, p, cli->calling.name_type); + len += name_len(p); + + /* setup the packet length */ + _smb_setlen(cli->outbuf,len); + CVAL(cli->outbuf,0) = 0x81; + +#ifdef WITH_SSL +retry: +#endif /* WITH_SSL */ + + cli_send_smb(cli); + DEBUG(5,("Sent session request\n")); + + if (!cli_receive_smb(cli)) + return False; + + if (CVAL(cli->inbuf,0) == 0x84) { + /* C. Hoch 9/14/95 Start */ + /* For information, here is the response structure. + * We do the byte-twiddling to for portability. + struct RetargetResponse{ + unsigned char type; + unsigned char flags; + int16 length; + int32 ip_addr; + int16 port; + }; + */ + int port = (CVAL(cli->inbuf,8)<<8)+CVAL(cli->inbuf,9); + /* SESSION RETARGET */ + putip((char *)&cli->dest_ip,cli->inbuf+4); + + cli->fd = open_socket_out(SOCK_STREAM, &cli->dest_ip, port, LONG_CONNECT_TIMEOUT); + if (cli->fd == -1) + return False; + + DEBUG(3,("Retargeted\n")); + + set_socket_options(cli->fd,user_socket_options); + + /* Try again */ + { + static int depth; + BOOL ret; + if (depth > 4) { + DEBUG(0,("Retarget recursion - failing\n")); + return False; + } + depth++; + ret = cli_session_request(cli, calling, called); + depth--; + return ret; + } + } /* C. Hoch 9/14/95 End */ + +#ifdef WITH_SSL + if (CVAL(cli->inbuf,0) == 0x83 && CVAL(cli->inbuf,4) == 0x8e){ /* use ssl */ + if (!sslutil_fd_is_ssl(cli->fd)){ + if (sslutil_connect(cli->fd) == 0) + goto retry; + } + } +#endif /* WITH_SSL */ + + if (CVAL(cli->inbuf,0) != 0x82) { + /* This is the wrong place to put the error... JRA. */ + cli->rap_error = CVAL(cli->inbuf,4); + return False; + } + return(True); +} + + +/**************************************************************************** +open the client sockets +****************************************************************************/ +BOOL cli_connect(struct cli_state *cli, const char *host, struct in_addr *ip) +{ + extern struct in_addr ipzero; + extern pstring user_socket_options; + + fstrcpy(cli->desthost, host); + + if (!ip || ip_equal(*ip, ipzero)) { + if (!resolve_name( cli->desthost, &cli->dest_ip, 0x20)) { + return False; + } + if (ip) *ip = cli->dest_ip; + } else { + cli->dest_ip = *ip; + } + + if (cli->port == 0) cli->port = 139; /* Set to default */ + + cli->fd = open_socket_out(SOCK_STREAM, &cli->dest_ip, + cli->port, cli->timeout); + if (cli->fd == -1) + return False; + + set_socket_options(cli->fd,user_socket_options); + + return True; +} + +/**************************************************************************** +re-establishes a connection +****************************************************************************/ +BOOL cli_reestablish_connection(struct cli_state *cli) +{ + struct nmb_name calling; + struct nmb_name called; + fstring dest_host; + fstring share; + fstring dev; + BOOL do_tcon = False; + int oldfd = cli->fd; + + if (!cli->initialised || cli->fd == -1) + { + DEBUG(3,("cli_reestablish_connection: not connected\n")); + return False; + } + + /* copy the parameters necessary to re-establish the connection */ + + if (cli->cnum != 0) + { + fstrcpy(share, cli->share); + fstrcpy(dev , cli->dev); + do_tcon = True; + } + + memcpy(&called , &(cli->called ), sizeof(called )); + memcpy(&calling, &(cli->calling), sizeof(calling)); + fstrcpy(dest_host, cli->full_dest_host_name); + + DEBUG(5,("cli_reestablish_connection: %s connecting to %s (ip %s) - %s [%s]\n", + nmb_namestr(&calling), nmb_namestr(&called), + inet_ntoa(cli->dest_ip), + cli->user_name, cli->domain)); + + cli->fd = -1; + + if (cli_establish_connection(cli, + dest_host, &cli->dest_ip, + &calling, &called, + share, dev, False, do_tcon)) { + if (cli->fd != oldfd) { + if (dup2(cli->fd, oldfd) == oldfd) { + close(cli->fd); + } + } + return True; + } + return False; +} + +/**************************************************************************** +establishes a connection right up to doing tconX, reading in a password. +****************************************************************************/ +BOOL cli_establish_connection(struct cli_state *cli, + char *dest_host, struct in_addr *dest_ip, + struct nmb_name *calling, struct nmb_name *called, + char *service, char *service_type, + BOOL do_shutdown, BOOL do_tcon) +{ + DEBUG(5,("cli_establish_connection: %s connecting to %s (%s) - %s [%s]\n", + nmb_namestr(calling), nmb_namestr(called), inet_ntoa(*dest_ip), + cli->user_name, cli->domain)); + + /* establish connection */ + + if ((!cli->initialised)) + { + return False; + } + + if (cli->fd == -1) + { + if (!cli_connect(cli, dest_host, dest_ip)) + { + DEBUG(1,("cli_establish_connection: failed to connect to %s (%s)\n", + nmb_namestr(calling), inet_ntoa(*dest_ip))); + return False; + } + } + + if (!cli_session_request(cli, calling, called)) + { + DEBUG(1,("failed session request\n")); + if (do_shutdown) + cli_shutdown(cli); + return False; + } + + if (!cli_negprot(cli)) + { + DEBUG(1,("failed negprot\n")); + if (do_shutdown) + cli_shutdown(cli); + return False; + } + + if (cli->pwd.cleartext || cli->pwd.null_pwd) + { + fstring passwd; + int pass_len; + + if (cli->pwd.null_pwd) + { + /* attempt null session */ + passwd[0] = 0; + pass_len = 1; + } + else + { + /* attempt clear-text session */ + pwd_get_cleartext(&(cli->pwd), passwd); + pass_len = strlen(passwd); + } + + /* attempt clear-text session */ + if (!cli_session_setup(cli, cli->user_name, + passwd, pass_len, + NULL, 0, + cli->domain)) + { + DEBUG(1,("failed session setup\n")); + if (do_shutdown) + { + cli_shutdown(cli); + } + return False; + } + if (do_tcon) + { + if (!cli_send_tconX(cli, service, service_type, + (char*)passwd, strlen(passwd))) + { + DEBUG(1,("failed tcon_X\n")); + if (do_shutdown) + { + cli_shutdown(cli); + } + return False; + } + } + } + else + { + /* attempt encrypted session */ + unsigned char nt_sess_pwd[24]; + unsigned char lm_sess_pwd[24]; + + /* creates (storing a copy of) and then obtains a 24 byte password OWF */ + pwd_make_lm_nt_owf(&(cli->pwd), cli->cryptkey); + pwd_get_lm_nt_owf(&(cli->pwd), lm_sess_pwd, nt_sess_pwd); + + /* attempt encrypted session */ + if (!cli_session_setup(cli, cli->user_name, + (char*)lm_sess_pwd, sizeof(lm_sess_pwd), + (char*)nt_sess_pwd, sizeof(nt_sess_pwd), + cli->domain)) + { + DEBUG(1,("failed session setup\n")); + if (do_shutdown) + cli_shutdown(cli); + return False; + } + + if (do_tcon) + { + if (!cli_send_tconX(cli, service, service_type, + (char*)nt_sess_pwd, sizeof(nt_sess_pwd))) + { + DEBUG(1,("failed tcon_X\n")); + if (do_shutdown) + cli_shutdown(cli); + return False; + } + } + } + + if (do_shutdown) + cli_shutdown(cli); + + return True; +} + + +/**************************************************************************** + Attempt a NetBIOS session request, falling back to *SMBSERVER if needed. +****************************************************************************/ + +BOOL attempt_netbios_session_request(struct cli_state *cli, char *srchost, char *desthost, + struct in_addr *pdest_ip) +{ + struct nmb_name calling, called; + + make_nmb_name(&calling, srchost, 0x0); + + /* + * If the called name is an IP address + * then use *SMBSERVER immediately. + */ + + if(is_ipaddress(desthost)) + make_nmb_name(&called, "*SMBSERVER", 0x20); + else + make_nmb_name(&called, desthost, 0x20); + + if (!cli_session_request(cli, &calling, &called)) { + struct nmb_name smbservername; + + make_nmb_name(&smbservername , "*SMBSERVER", 0x20); + + /* + * If the name wasn't *SMBSERVER then + * try with *SMBSERVER if the first name fails. + */ + + if (nmb_name_equal(&called, &smbservername)) { + + /* + * The name used was *SMBSERVER, don't bother with another name. + */ + + DEBUG(0,("attempt_netbios_session_request: %s rejected the session for name *SMBSERVER \ +with error %s.\n", desthost, cli_errstr(cli) )); + cli_shutdown(cli); + return False; + } + + cli_shutdown(cli); + + if (!cli_initialise(cli) || + !cli_connect(cli, desthost, pdest_ip) || + !cli_session_request(cli, &calling, &smbservername)) { + DEBUG(0,("attempt_netbios_session_request: %s rejected the session for \ +name *SMBSERVER with error %s\n", desthost, cli_errstr(cli) )); + cli_shutdown(cli); + return False; + } + } + + return True; +} -- cgit From d2b40a7de259377d937492acedd39988ddd108a4 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 7 Jul 2000 06:20:46 +0000 Subject: More rpcclient merge issues: * fixes some readline bugs from the merge * first attempt at commands (spoolenum almost works) * no changes to existing functions in HEAD; only additions of new functions. I'll weed out what I can as I go. --jerry (This used to be commit 61d2aad5dc2b212b11c981f1eca47efa627e9fc8) --- source3/libsmb/cliconnect.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index b546e1e4ec..b18b1276c0 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -640,7 +640,7 @@ BOOL cli_establish_connection(struct cli_state *cli, { DEBUG(1,("failed negprot\n")); if (do_shutdown) - cli_shutdown(cli); + cli_shutdown(cli); return False; } @@ -707,10 +707,20 @@ BOOL cli_establish_connection(struct cli_state *cli, { DEBUG(1,("failed session setup\n")); if (do_shutdown) - cli_shutdown(cli); + cli_shutdown(cli); return False; } + DEBUG(1,("session setup ok\n")); + + if (*cli->server_domain || *cli->server_os || *cli->server_type) + { + DEBUG(1,("Domain=[%s] OS=[%s] Server=[%s]\n", + cli->server_domain, + cli->server_os, + cli->server_type)); + } + if (do_tcon) { if (!cli_send_tconX(cli, service, service_type, -- cgit From dda54bcd7d6f6d674f197abd323e102fdf7e8dc3 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Tue, 26 Sep 2000 05:44:42 +0000 Subject: added NEGNOWAIT. sent to secure@microsoft.com (This used to be commit b21179331802aace566671dcff6db22cdf4b3e81) --- source3/libsmb/cliconnect.c | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index b18b1276c0..c4b491b056 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -331,6 +331,44 @@ BOOL cli_tdis(struct cli_state *cli) } +/**************************************************************************** +send a negprot command +****************************************************************************/ +void cli_negprot_send(struct cli_state *cli) +{ + char *p; + int numprots; + int plength; + + memset(cli->outbuf,'\0',smb_size); + + /* setup the protocol strings */ + for (plength=0,numprots=0; + prots[numprots].name && prots[numprots].prot<=cli->protocol; + numprots++) + plength += strlen(prots[numprots].name)+2; + + set_message(cli->outbuf,0,plength,True); + + p = smb_buf(cli->outbuf); + for (numprots=0; + prots[numprots].name && prots[numprots].prot<=cli->protocol; + numprots++) { + *p++ = 2; + pstrcpy(p,prots[numprots].name); + unix_to_dos(p,True); + p += strlen(p) + 1; + } + + CVAL(cli->outbuf,smb_com) = SMBnegprot; + cli_setup_packet(cli); + + CVAL(smb_buf(cli->outbuf),0) = 2; + + cli_send_smb(cli); +} + + /**************************************************************************** send a negprot command ****************************************************************************/ -- cgit From e2d1dd47d8f873a10d8f84253182059c50a229c8 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 28 Oct 2000 20:54:45 +0000 Subject: Another patch to fix cli_reestablish_connection from Kenichi Okuyama@Tokyo Research Lab. IBM-Japan. Co. Jp. Jeremy. (This used to be commit 06f5da5d4bf044969364afe0298347811fb4ae91) --- source3/libsmb/cliconnect.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index c4b491b056..3292b9e1d6 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -626,10 +626,8 @@ BOOL cli_reestablish_connection(struct cli_state *cli) dest_host, &cli->dest_ip, &calling, &called, share, dev, False, do_tcon)) { - if (cli->fd != oldfd) { - if (dup2(cli->fd, oldfd) == oldfd) { - close(cli->fd); - } + if ((cli->fd != oldfd) && (oldfd != -1)) { + close( oldfd ); } return True; } -- cgit From 6f58dd587124c8b85fc62177b26129aaea5819b0 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 16 Nov 2000 00:59:18 +0000 Subject: Ok - fixed a bug in our levelII oplock code. We need to break a level II on a byte range lock (write lock only, but Win2k breaks on read lock also so I do the same) - if you think about why, this is obvious. Also fixed our client code to do level II oplocks, if requested, and fixed the code where we would assume the client wanted level II if it advertised itself as being level II capable - it may not want that. Jeremy. (This used to be commit 213cd0b5192307cd4b0026cae94b2f52fb1b0c02) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 3292b9e1d6..ff81d886b0 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -146,7 +146,7 @@ BOOL cli_session_setup(struct cli_state *cli, SIVAL(cli->outbuf,smb_vwv5,cli->sesskey); SSVAL(cli->outbuf,smb_vwv7,passlen); SSVAL(cli->outbuf,smb_vwv8,ntpasslen); - SSVAL(cli->outbuf,smb_vwv11,0); + SSVAL(cli->outbuf,smb_vwv11,CAP_NT_SMBS|(cli->use_level_II_oplocks ? CAP_LEVEL_II_OPLOCKS : 0)); p = smb_buf(cli->outbuf); memcpy(p,pword,passlen); p += SVAL(cli->outbuf,smb_vwv7); -- cgit From ca784bb0280205cdbacca704f0b4c94d8e79e621 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 4 Dec 2000 04:26:22 +0000 Subject: in cli_session_setup() accept usernames of the form DOMAIN/USER or DOMAIN\USER this means all our tools can now put the domain name in the -U option (This used to be commit bac1c76f03b6b848fa2e942b12c646aed58bee12) --- source3/libsmb/cliconnect.c | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index ff81d886b0..8a7c6da1af 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -56,6 +56,15 @@ BOOL cli_session_setup(struct cli_state *cli, { char *p; fstring pword, ntpword; + fstring user2; + + /* allow for workgroups as part of the username */ + fstrcpy(user2, user); + if ((p=strchr(user2,'\\')) || (p=strchr(user2,'/'))) { + *p = 0; + user = p+1; + workgroup = user2; + } if (cli->protocol < PROTOCOL_LANMAN1) return True; -- cgit From b37ac378cff2b2cbc3266ca85ebd738694727526 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Thu, 21 Dec 2000 00:30:32 +0000 Subject: Replace magic number with constant. (This used to be commit 1a228868cf14418894b798f19955df3276bd1089) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 8a7c6da1af..3e41ec8296 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -438,7 +438,7 @@ BOOL cli_negprot(struct cli_state *cli) cli->servertime = interpret_long_date(cli->inbuf+smb_vwv11+1); memcpy(cli->cryptkey,smb_buf(cli->inbuf),8); cli->capabilities = IVAL(cli->inbuf,smb_vwv9+1); - if (cli->capabilities & 1) { + if (cli->capabilities & CAP_RAW_MODE) { cli->readbraw_supported = True; cli->writebraw_supported = True; } -- cgit From 64172d82fcf1762a8bc938282919f9e3bd39675d Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 14 Feb 2001 05:34:50 +0000 Subject: Merge of i18n fixes from appliance branch. Samba can now talk to a network with a PDC that has international netbios name and domain name. There's still quite a bit of i18n stuff to fix though... (This used to be commit 79045bd72ace9144e7dd73785b1d10a71b0d15aa) --- source3/libsmb/cliconnect.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 3e41ec8296..96bf06d0ac 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -43,9 +43,9 @@ prots[] = /**************************************************************************** - Send a session setup. The username is in UNIX character format and must be - converted to DOS codepage format before sending. If the password is in - plaintext, the same should be done. + Send a session setup. The username and workgroup is in UNIX character + format and must be converted to DOS codepage format before sending. If the + password is in plaintext, the same should be done. ****************************************************************************/ BOOL cli_session_setup(struct cli_state *cli, @@ -166,6 +166,7 @@ BOOL cli_session_setup(struct cli_state *cli, strupper(p); p = skip_string(p,1); pstrcpy(p,workgroup); + unix_to_dos(p,True); strupper(p); p = skip_string(p,1); pstrcpy(p,"Unix");p = skip_string(p,1); -- cgit From 7f9fbcd0eff68e7a27847dd56a0f17f9433af93f Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Thu, 15 Feb 2001 05:42:04 +0000 Subject: Merge of i18n password fix for smbclient. (This used to be commit ec217eb8fc2a9cf329a51c51ba08a04fa5b008c2) --- source3/libsmb/cliconnect.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 96bf06d0ac..8a56a08b1d 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -87,7 +87,6 @@ BOOL cli_session_setup(struct cli_state *cli, fstrcpy(pword, pass); unix_to_dos(pword,True); fstrcpy(ntpword, ntpass);; - unix_to_dos(ntpword,True); SMBencrypt((uchar *)pword,(uchar *)cli->cryptkey,(uchar *)pword); SMBNTencrypt((uchar *)ntpword,(uchar *)cli->cryptkey,(uchar *)ntpword); } else if ((cli->sec_mode & 2) && passlen == 24) { -- cgit From 6492d6b2f6a2743f5e794447911cbbba7e031d5d Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 20 Feb 2001 08:09:06 +0000 Subject: initial client side unicode support (needed for netapp filer) I've currently got this code disabled by default as it is incomplete. You enable it by setting a USE_UNICODE environment variable. Once the support is complete this check will be removed and the CAP_UNICODE capability bit will be the sole determination of whether the client library code uses unicode right now I have converted session_setup and tconx. I will do more fns over the next few days. see clistr.c for the new client side string interface. Luckily it tends to make the code smaller and neater while adding unicode support. (This used to be commit e1a04e621f1c28d8e6e543d43741ca0272e2237f) --- source3/libsmb/cliconnect.c | 75 +++++++++++++++++++++------------------------ 1 file changed, 35 insertions(+), 40 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 8a56a08b1d..74a10ddf8b 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -104,8 +104,7 @@ BOOL cli_session_setup(struct cli_state *cli, /* * Plaintext mode needed, assume plaintext supplied. */ - fstrcpy(pword, pass); - unix_to_dos(pword,True); + passlen = clistr_push(cli, pword, pass, -1, CLISTR_CONVERT|CLISTR_TERMINATE); fstrcpy(ntpword, ""); ntpasslen = 0; } @@ -124,7 +123,10 @@ BOOL cli_session_setup(struct cli_state *cli, if (cli->protocol < PROTOCOL_NT1) { - set_message(cli->outbuf,10,1 + strlen(user) + passlen,True); + set_message(cli->outbuf,10, + clistr_align(cli, 1) + + clistr_push_size(cli, user, -1, CLISTR_TERMINATE|CLISTR_CONVERT) + + passlen,True); CVAL(cli->outbuf,smb_com) = SMBsesssetupX; cli_setup_packet(cli); @@ -135,11 +137,10 @@ BOOL cli_session_setup(struct cli_state *cli, SIVAL(cli->outbuf,smb_vwv5,cli->sesskey); SSVAL(cli->outbuf,smb_vwv7,passlen); p = smb_buf(cli->outbuf); + p += clistr_align(cli, PTR_DIFF(p,cli->outbuf)); memcpy(p,pword,passlen); p += passlen; - pstrcpy(p,user); - unix_to_dos(p,True); - strupper(p); + clistr_push(cli, p, user, -1, CLISTR_CONVERT|CLISTR_UPPER|CLISTR_TERMINATE); } else { @@ -156,20 +157,15 @@ BOOL cli_session_setup(struct cli_state *cli, SSVAL(cli->outbuf,smb_vwv8,ntpasslen); SSVAL(cli->outbuf,smb_vwv11,CAP_NT_SMBS|(cli->use_level_II_oplocks ? CAP_LEVEL_II_OPLOCKS : 0)); p = smb_buf(cli->outbuf); + p += clistr_align(cli, PTR_DIFF(p,cli->outbuf)); memcpy(p,pword,passlen); p += SVAL(cli->outbuf,smb_vwv7); memcpy(p,ntpword,ntpasslen); p += SVAL(cli->outbuf,smb_vwv8); - pstrcpy(p,user); - unix_to_dos(p,True); - strupper(p); - p = skip_string(p,1); - pstrcpy(p,workgroup); - unix_to_dos(p,True); - strupper(p); - p = skip_string(p,1); - pstrcpy(p,"Unix");p = skip_string(p,1); - pstrcpy(p,"Samba");p = skip_string(p,1); + p += clistr_push(cli, p, user, -1, CLISTR_CONVERT|CLISTR_TERMINATE|CLISTR_UPPER); + p += clistr_push(cli, p, workgroup, -1, CLISTR_CONVERT|CLISTR_TERMINATE|CLISTR_UPPER); + p += clistr_push(cli, p, "Unix", -1, CLISTR_CONVERT|CLISTR_TERMINATE); + p += clistr_push(cli, p, "Samba", -1, CLISTR_CONVERT|CLISTR_TERMINATE); set_message(cli->outbuf,13,PTR_DIFF(p,smb_buf(cli->outbuf)),False); } @@ -187,24 +183,18 @@ BOOL cli_session_setup(struct cli_state *cli, cli->vuid = SVAL(cli->inbuf,smb_uid); if (cli->protocol >= PROTOCOL_NT1) { - /* - * Save off some of the connected server - * info. - */ - char *server_domain,*server_os,*server_type; - server_os = smb_buf(cli->inbuf); - server_type = skip_string(server_os,1); - server_domain = skip_string(server_type,1); - fstrcpy(cli->server_os, server_os); - dos_to_unix(cli->server_os, True); - fstrcpy(cli->server_type, server_type); - dos_to_unix(cli->server_type, True); - fstrcpy(cli->server_domain, server_domain); - dos_to_unix(cli->server_domain, True); + /* + * Save off some of the connected server + * info. + */ + char *p = smb_buf(cli->inbuf); + p += clistr_align(cli, PTR_DIFF(p,cli->outbuf)); + p += clistr_pull(cli, cli->server_os, p, sizeof(fstring), -1, CLISTR_TERMINATE|CLISTR_CONVERT); + p += clistr_pull(cli, cli->server_type, p, sizeof(fstring), -1, CLISTR_TERMINATE|CLISTR_CONVERT); + p += clistr_pull(cli, cli->server_domain, p, sizeof(fstring), -1, CLISTR_TERMINATE|CLISTR_CONVERT); } fstrcpy(cli->user_name, user); - dos_to_unix(cli->user_name, True); return True; } @@ -257,12 +247,11 @@ BOOL cli_send_tconX(struct cli_state *cli, unix_to_dos(dos_pword,True); SMBencrypt((uchar *)dos_pword,(uchar *)cli->cryptkey,(uchar *)pword); } else { - if(!(cli->sec_mode & 2)) { + if((cli->sec_mode & 3) == 0) { /* * Non-encrypted passwords - convert to DOS codepage before using. */ - fstrcpy(pword,pass); - unix_to_dos(pword,True); + passlen = clistr_push(cli, pword, pass, -1, CLISTR_CONVERT|CLISTR_TERMINATE); } else { memcpy(pword, pass, passlen); } @@ -274,7 +263,10 @@ BOOL cli_send_tconX(struct cli_state *cli, strupper(fullshare); set_message(cli->outbuf,4, - 2 + strlen(fullshare) + passlen + strlen(dev),True); + clistr_push_size(cli, fullshare, -1, CLISTR_TERMINATE | CLISTR_CONVERT) + + passlen + + 1+strlen(dev), + True); CVAL(cli->outbuf,smb_com) = SMBtconX; cli_setup_packet(cli); @@ -284,10 +276,10 @@ BOOL cli_send_tconX(struct cli_state *cli, p = smb_buf(cli->outbuf); memcpy(p,pword,passlen); p += passlen; - fstrcpy(p,fullshare); - p = skip_string(p,1); - pstrcpy(p,dev); - unix_to_dos(p,True); + p += clistr_push(cli, p, fullshare, -1, CLISTR_CONVERT | CLISTR_TERMINATE); + fstrcpy(p, dev); p += strlen(dev)+1; + + set_message(cli->outbuf,4,PTR_DIFF(p,smb_buf(cli->outbuf)),False); SCVAL(cli->inbuf,smb_rcls, 1); @@ -302,7 +294,7 @@ BOOL cli_send_tconX(struct cli_state *cli, fstrcpy(cli->dev, "A:"); if (cli->protocol >= PROTOCOL_NT1) { - fstrcpy(cli->dev, smb_buf(cli->inbuf)); + clistr_pull(cli, cli->dev, smb_buf(cli->inbuf), sizeof(fstring), -1, CLISTR_TERMINATE | CLISTR_CONVERT); } if (strcasecmp(share,"IPC$")==0) { @@ -461,6 +453,9 @@ BOOL cli_negprot(struct cli_state *cli) cli->max_xmit = MIN(cli->max_xmit, CLI_BUFFER_SIZE); + /* this ensures cli_use_unicode is setup - delete this call later (tridge) */ + cli_setup_packet(cli); + return True; } -- cgit From c565c98723f1fab04d47ae6076d742c8ee2dcb49 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 20 Feb 2001 10:11:40 +0000 Subject: pipe opening now works with unicode (This used to be commit ba3ce3404e1cd2e9da3ba1708f6fc8a12c085ef2) --- source3/libsmb/cliconnect.c | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 74a10ddf8b..4f9c5ad615 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -123,10 +123,7 @@ BOOL cli_session_setup(struct cli_state *cli, if (cli->protocol < PROTOCOL_NT1) { - set_message(cli->outbuf,10, - clistr_align(cli, 1) + - clistr_push_size(cli, user, -1, CLISTR_TERMINATE|CLISTR_CONVERT) + - passlen,True); + set_message(cli->outbuf,10, 0, True); CVAL(cli->outbuf,smb_com) = SMBsesssetupX; cli_setup_packet(cli); @@ -137,10 +134,10 @@ BOOL cli_session_setup(struct cli_state *cli, SIVAL(cli->outbuf,smb_vwv5,cli->sesskey); SSVAL(cli->outbuf,smb_vwv7,passlen); p = smb_buf(cli->outbuf); - p += clistr_align(cli, PTR_DIFF(p,cli->outbuf)); memcpy(p,pword,passlen); p += passlen; - clistr_push(cli, p, user, -1, CLISTR_CONVERT|CLISTR_UPPER|CLISTR_TERMINATE); + p += clistr_push(cli, p, user, -1, CLISTR_CONVERT|CLISTR_UPPER|CLISTR_TERMINATE); + set_message(cli->outbuf,10,PTR_DIFF(p,smb_buf(cli->outbuf)),False); } else { @@ -157,7 +154,6 @@ BOOL cli_session_setup(struct cli_state *cli, SSVAL(cli->outbuf,smb_vwv8,ntpasslen); SSVAL(cli->outbuf,smb_vwv11,CAP_NT_SMBS|(cli->use_level_II_oplocks ? CAP_LEVEL_II_OPLOCKS : 0)); p = smb_buf(cli->outbuf); - p += clistr_align(cli, PTR_DIFF(p,cli->outbuf)); memcpy(p,pword,passlen); p += SVAL(cli->outbuf,smb_vwv7); memcpy(p,ntpword,ntpasslen); @@ -188,7 +184,6 @@ BOOL cli_session_setup(struct cli_state *cli, * info. */ char *p = smb_buf(cli->inbuf); - p += clistr_align(cli, PTR_DIFF(p,cli->outbuf)); p += clistr_pull(cli, cli->server_os, p, sizeof(fstring), -1, CLISTR_TERMINATE|CLISTR_CONVERT); p += clistr_pull(cli, cli->server_type, p, sizeof(fstring), -1, CLISTR_TERMINATE|CLISTR_CONVERT); p += clistr_pull(cli, cli->server_domain, p, sizeof(fstring), -1, CLISTR_TERMINATE|CLISTR_CONVERT); @@ -262,11 +257,7 @@ BOOL cli_send_tconX(struct cli_state *cli, unix_to_dos(fullshare, True); strupper(fullshare); - set_message(cli->outbuf,4, - clistr_push_size(cli, fullshare, -1, CLISTR_TERMINATE | CLISTR_CONVERT) + - passlen + - 1+strlen(dev), - True); + set_message(cli->outbuf,4, 0, True); CVAL(cli->outbuf,smb_com) = SMBtconX; cli_setup_packet(cli); -- cgit From c7c3db2f16e572e14c5d881b641271b2ab9aa4be Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 20 Feb 2001 12:22:30 +0000 Subject: converted cli_list() (This used to be commit bdce09b77807c80281c1e169b7c4813c9238fbe3) --- source3/libsmb/cliconnect.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 4f9c5ad615..31bdfdca46 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -141,6 +141,15 @@ BOOL cli_session_setup(struct cli_state *cli, } else { + uint32 capabilities; + + capabilities = CAP_NT_SMBS; + if (cli->use_level_II_oplocks) + capabilities |= CAP_LEVEL_II_OPLOCKS; + if (getenv("USE_UNICODE") && + (cli->capabilities & CAP_UNICODE)) { + capabilities |= CAP_UNICODE; + } set_message(cli->outbuf,13,0,True); CVAL(cli->outbuf,smb_com) = SMBsesssetupX; cli_setup_packet(cli); @@ -152,7 +161,7 @@ BOOL cli_session_setup(struct cli_state *cli, SIVAL(cli->outbuf,smb_vwv5,cli->sesskey); SSVAL(cli->outbuf,smb_vwv7,passlen); SSVAL(cli->outbuf,smb_vwv8,ntpasslen); - SSVAL(cli->outbuf,smb_vwv11,CAP_NT_SMBS|(cli->use_level_II_oplocks ? CAP_LEVEL_II_OPLOCKS : 0)); + SIVAL(cli->outbuf,smb_vwv11,capabilities); p = smb_buf(cli->outbuf); memcpy(p,pword,passlen); p += SVAL(cli->outbuf,smb_vwv7); -- cgit From 8acf5e04482cb43734fbb786f8d363ee3bfff652 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 20 Feb 2001 12:45:50 +0000 Subject: - neater setting of bcc - converted cli_rename and cli_unlink (This used to be commit 0a8992e224b7a3d90d45b13d73fa8a6f155efa79) --- source3/libsmb/cliconnect.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 31bdfdca46..4a957a9ccd 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -137,7 +137,7 @@ BOOL cli_session_setup(struct cli_state *cli, memcpy(p,pword,passlen); p += passlen; p += clistr_push(cli, p, user, -1, CLISTR_CONVERT|CLISTR_UPPER|CLISTR_TERMINATE); - set_message(cli->outbuf,10,PTR_DIFF(p,smb_buf(cli->outbuf)),False); + cli_setup_bcc(cli, p); } else { @@ -171,7 +171,7 @@ BOOL cli_session_setup(struct cli_state *cli, p += clistr_push(cli, p, workgroup, -1, CLISTR_CONVERT|CLISTR_TERMINATE|CLISTR_UPPER); p += clistr_push(cli, p, "Unix", -1, CLISTR_CONVERT|CLISTR_TERMINATE); p += clistr_push(cli, p, "Samba", -1, CLISTR_CONVERT|CLISTR_TERMINATE); - set_message(cli->outbuf,13,PTR_DIFF(p,smb_buf(cli->outbuf)),False); + cli_setup_bcc(cli, p); } cli_send_smb(cli); @@ -279,7 +279,7 @@ BOOL cli_send_tconX(struct cli_state *cli, p += clistr_push(cli, p, fullshare, -1, CLISTR_CONVERT | CLISTR_TERMINATE); fstrcpy(p, dev); p += strlen(dev)+1; - set_message(cli->outbuf,4,PTR_DIFF(p,smb_buf(cli->outbuf)),False); + cli_setup_bcc(cli, p); SCVAL(cli->inbuf,smb_rcls, 1); -- cgit From a8ab9840786b8376283743de8eef861d382b3171 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 21 Feb 2001 03:40:20 +0000 Subject: the unicode conversion of our client code is complete enough to be enabled by default you can disable it by setting the environment variable CLI_FORCE_ASCII (This used to be commit 4d59c08c5e6f54c0d6ced7650750cb987e77b6c9) --- source3/libsmb/cliconnect.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 4a957a9ccd..d572c0f7d7 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -144,10 +144,10 @@ BOOL cli_session_setup(struct cli_state *cli, uint32 capabilities; capabilities = CAP_NT_SMBS; - if (cli->use_level_II_oplocks) + if (cli->use_level_II_oplocks) { capabilities |= CAP_LEVEL_II_OPLOCKS; - if (getenv("USE_UNICODE") && - (cli->capabilities & CAP_UNICODE)) { + } + if (cli->capabilities & CAP_UNICODE) { capabilities |= CAP_UNICODE; } set_message(cli->outbuf,13,0,True); @@ -453,8 +453,10 @@ BOOL cli_negprot(struct cli_state *cli) cli->max_xmit = MIN(cli->max_xmit, CLI_BUFFER_SIZE); - /* this ensures cli_use_unicode is setup - delete this call later (tridge) */ - cli_setup_packet(cli); + /* a way to force ascii SMB */ + if (getenv("CLI_FORCE_ASCII")) { + cli->capabilities &= ~CAP_UNICODE; + } return True; } -- cgit From 57467a9f6002eafdb7d1395a50089c53c37335d9 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 25 Feb 2001 23:46:02 +0000 Subject: neater negprot code using the new cli_setup_bcc() call (This used to be commit 5b1728426531785d37b4fac0684114f8a84dacb2) --- source3/libsmb/cliconnect.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index d572c0f7d7..fd0218b908 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -339,17 +339,11 @@ void cli_negprot_send(struct cli_state *cli) { char *p; int numprots; - int plength; memset(cli->outbuf,'\0',smb_size); /* setup the protocol strings */ - for (plength=0,numprots=0; - prots[numprots].name && prots[numprots].prot<=cli->protocol; - numprots++) - plength += strlen(prots[numprots].name)+2; - - set_message(cli->outbuf,0,plength,True); + set_message(cli->outbuf,0,0,True); p = smb_buf(cli->outbuf); for (numprots=0; @@ -362,6 +356,7 @@ void cli_negprot_send(struct cli_state *cli) } CVAL(cli->outbuf,smb_com) = SMBnegprot; + cli_setup_bcc(cli, p); cli_setup_packet(cli); CVAL(smb_buf(cli->outbuf),0) = 2; -- cgit From ff2616aaf90ceb744379a2c4a9f69edea6d720e2 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Thu, 1 Mar 2001 06:36:57 +0000 Subject: Fixed compiler warning. (This used to be commit 33e5c56ab049fe5e156579dbf2f9cd54897f1dd3) --- source3/libsmb/cliconnect.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index fd0218b908..f2f9b89ea4 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -192,10 +192,10 @@ BOOL cli_session_setup(struct cli_state *cli, * Save off some of the connected server * info. */ - char *p = smb_buf(cli->inbuf); - p += clistr_pull(cli, cli->server_os, p, sizeof(fstring), -1, CLISTR_TERMINATE|CLISTR_CONVERT); - p += clistr_pull(cli, cli->server_type, p, sizeof(fstring), -1, CLISTR_TERMINATE|CLISTR_CONVERT); - p += clistr_pull(cli, cli->server_domain, p, sizeof(fstring), -1, CLISTR_TERMINATE|CLISTR_CONVERT); + char *q = smb_buf(cli->inbuf); + q += clistr_pull(cli, cli->server_os, q, sizeof(fstring), -1, CLISTR_TERMINATE|CLISTR_CONVERT); + q += clistr_pull(cli, cli->server_type, q, sizeof(fstring), -1, CLISTR_TERMINATE|CLISTR_CONVERT); + q += clistr_pull(cli, cli->server_domain, q, sizeof(fstring), -1, CLISTR_TERMINATE|CLISTR_CONVERT); } fstrcpy(cli->user_name, user); -- cgit From 45c2ee3ff2d01fdd0a2db9fa90457cff4663c43d Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sat, 10 Mar 2001 11:35:25 +0000 Subject: to use the same macros in the client and server rename the CLISTR_ macros to STR_ (This used to be commit 95c9e4e0ba8f37f565aaf136f41eb76489441ff7) --- source3/libsmb/cliconnect.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index f2f9b89ea4..46a63dc5f1 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -104,7 +104,7 @@ BOOL cli_session_setup(struct cli_state *cli, /* * Plaintext mode needed, assume plaintext supplied. */ - passlen = clistr_push(cli, pword, pass, -1, CLISTR_CONVERT|CLISTR_TERMINATE); + passlen = clistr_push(cli, pword, pass, -1, STR_CONVERT|STR_TERMINATE); fstrcpy(ntpword, ""); ntpasslen = 0; } @@ -136,7 +136,7 @@ BOOL cli_session_setup(struct cli_state *cli, p = smb_buf(cli->outbuf); memcpy(p,pword,passlen); p += passlen; - p += clistr_push(cli, p, user, -1, CLISTR_CONVERT|CLISTR_UPPER|CLISTR_TERMINATE); + p += clistr_push(cli, p, user, -1, STR_CONVERT|STR_UPPER|STR_TERMINATE); cli_setup_bcc(cli, p); } else @@ -167,10 +167,10 @@ BOOL cli_session_setup(struct cli_state *cli, p += SVAL(cli->outbuf,smb_vwv7); memcpy(p,ntpword,ntpasslen); p += SVAL(cli->outbuf,smb_vwv8); - p += clistr_push(cli, p, user, -1, CLISTR_CONVERT|CLISTR_TERMINATE|CLISTR_UPPER); - p += clistr_push(cli, p, workgroup, -1, CLISTR_CONVERT|CLISTR_TERMINATE|CLISTR_UPPER); - p += clistr_push(cli, p, "Unix", -1, CLISTR_CONVERT|CLISTR_TERMINATE); - p += clistr_push(cli, p, "Samba", -1, CLISTR_CONVERT|CLISTR_TERMINATE); + p += clistr_push(cli, p, user, -1, STR_CONVERT|STR_TERMINATE|STR_UPPER); + p += clistr_push(cli, p, workgroup, -1, STR_CONVERT|STR_TERMINATE|STR_UPPER); + p += clistr_push(cli, p, "Unix", -1, STR_CONVERT|STR_TERMINATE); + p += clistr_push(cli, p, "Samba", -1, STR_CONVERT|STR_TERMINATE); cli_setup_bcc(cli, p); } @@ -193,9 +193,9 @@ BOOL cli_session_setup(struct cli_state *cli, * info. */ char *q = smb_buf(cli->inbuf); - q += clistr_pull(cli, cli->server_os, q, sizeof(fstring), -1, CLISTR_TERMINATE|CLISTR_CONVERT); - q += clistr_pull(cli, cli->server_type, q, sizeof(fstring), -1, CLISTR_TERMINATE|CLISTR_CONVERT); - q += clistr_pull(cli, cli->server_domain, q, sizeof(fstring), -1, CLISTR_TERMINATE|CLISTR_CONVERT); + q += clistr_pull(cli, cli->server_os, q, sizeof(fstring), -1, STR_TERMINATE|STR_CONVERT); + q += clistr_pull(cli, cli->server_type, q, sizeof(fstring), -1, STR_TERMINATE|STR_CONVERT); + q += clistr_pull(cli, cli->server_domain, q, sizeof(fstring), -1, STR_TERMINATE|STR_CONVERT); } fstrcpy(cli->user_name, user); @@ -255,7 +255,7 @@ BOOL cli_send_tconX(struct cli_state *cli, /* * Non-encrypted passwords - convert to DOS codepage before using. */ - passlen = clistr_push(cli, pword, pass, -1, CLISTR_CONVERT|CLISTR_TERMINATE); + passlen = clistr_push(cli, pword, pass, -1, STR_CONVERT|STR_TERMINATE); } else { memcpy(pword, pass, passlen); } @@ -276,7 +276,7 @@ BOOL cli_send_tconX(struct cli_state *cli, p = smb_buf(cli->outbuf); memcpy(p,pword,passlen); p += passlen; - p += clistr_push(cli, p, fullshare, -1, CLISTR_CONVERT | CLISTR_TERMINATE); + p += clistr_push(cli, p, fullshare, -1, STR_CONVERT | STR_TERMINATE); fstrcpy(p, dev); p += strlen(dev)+1; cli_setup_bcc(cli, p); @@ -294,7 +294,7 @@ BOOL cli_send_tconX(struct cli_state *cli, fstrcpy(cli->dev, "A:"); if (cli->protocol >= PROTOCOL_NT1) { - clistr_pull(cli, cli->dev, smb_buf(cli->inbuf), sizeof(fstring), -1, CLISTR_TERMINATE | CLISTR_CONVERT); + clistr_pull(cli, cli->dev, smb_buf(cli->inbuf), sizeof(fstring), -1, STR_TERMINATE | STR_CONVERT); } if (strcasecmp(share,"IPC$")==0) { -- cgit From fb3d8452e5250973eae682dd4a13bf530ccfc56a Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 14 Mar 2001 20:22:57 +0000 Subject: set of changes in the beginning of bringing rpcclient changes back to working order. The main change is that the cli_*() RPC functions from libsmb/*.c now should accept a struct cli_state*. The reason for this is that rpcclient should establish the connection to the server at startup so that it is not necessary to keep the clear test or password hash in memory for each command. enumports and enumprinters now works as well. lsa* functions have been tested. SAMR calls may or may not work (one of the core dumps I know), but it compiles :-) jerry (This used to be commit d98ac8852ae6b39b6fcff92c346ba56d9e63c518) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 46a63dc5f1..06f283c321 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -669,7 +669,7 @@ BOOL cli_establish_connection(struct cli_state *cli, { DEBUG(1,("failed session request\n")); if (do_shutdown) - cli_shutdown(cli); + cli_shutdown(cli); return False; } -- cgit From 4ff011d88ef5b79b92d2cea1abe32c93bc03f724 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 21 Jun 2001 05:38:28 +0000 Subject: Added STR_NOALIGN flags to clistr and srvstr fns. Yes, NT actually does send unaligned unicode strings sometimes! Fixed our handling of the workgroup name tacked on the end of the NT1 negprot response (a unaligned unicode) fixed a couple of places where we should be using the message_end fns instead of pre-calculated buffer lengths (This used to be commit 86613493a9b2e56523153486931d0bf8d39beb7a) --- source3/libsmb/cliconnect.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 06f283c321..529aa0fef9 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -429,6 +429,12 @@ BOOL cli_negprot(struct cli_state *cli) cli->readbraw_supported = True; cli->writebraw_supported = True; } + /* work out if they sent us a workgroup */ + if (smb_buflen(cli->inbuf) > 8) { + clistr_pull(cli, cli->server_domain, + smb_buf(cli->inbuf)+8, sizeof(cli->server_domain), + smb_buflen(cli->inbuf)-8, STR_CONVERT|STR_UNICODE|STR_NOALIGN); + } } else if (cli->protocol >= PROTOCOL_LANMAN1) { cli->sec_mode = SVAL(cli->inbuf,smb_vwv1); cli->max_xmit = SVAL(cli->inbuf,smb_vwv2); -- cgit From 868d010aa1b614109b54928e46eb626a1d320a2d Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 22 Jun 2001 15:14:45 +0000 Subject: added the ability to test smbd safely as an ordinary user. The way it works is that libsmb/ creates a local tcp socket then launches smbd as a subprocess attached to that socket. smbd thinks it is being launched from inetd. to use it do the following: - compile with -DSMB_REGRESSION_TEST - run like this (also works with smbtorture etc) export SMBD_TEST=1 export LIBSMB_PROG=bin/smbd smbclient //server/share -Uuser%pass obviously you need to setup a smb.conf etc. Using --prefix to configure is useful. The aim of all this stuff is to add a decent set of regression tests to the build farm, so we know if smbd actually runs correctly on all the platforms, not just builds. We can run smbtorture, masktest, locktest etc, plus a bunch of smbclient scripts and any new tests we write. This doesn't help much with nmbd (at least not yet) but its a good start. (This used to be commit 7e8e6ae9a88c4d2587eb4e7f0501cd71bd36ebb2) --- source3/libsmb/cliconnect.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 529aa0fef9..034208f3b2 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -558,7 +558,6 @@ retry: return(True); } - /**************************************************************************** open the client sockets ****************************************************************************/ @@ -580,8 +579,15 @@ BOOL cli_connect(struct cli_state *cli, const char *host, struct in_addr *ip) if (cli->port == 0) cli->port = 139; /* Set to default */ - cli->fd = open_socket_out(SOCK_STREAM, &cli->dest_ip, - cli->port, cli->timeout); +#ifdef SMB_REGRESSION_TEST + if (getenv("LIBSMB_PROG")) { + cli->fd = sock_exec(getenv("LIBSMB_PROG")); + } else +#endif + { + cli->fd = open_socket_out(SOCK_STREAM, &cli->dest_ip, + cli->port, cli->timeout); + } if (cli->fd == -1) return False; -- cgit From 8b79a473faf2ff25acb220500158920490c71576 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 25 Jun 2001 00:46:34 +0000 Subject: - make the regresison test mode code build in by default. This should allow us to have test targets without special configure options - fixed make proto so that it actually does something (This used to be commit 55109a752578e9389d853cb27ec17c2114ecff77) --- source3/libsmb/cliconnect.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 034208f3b2..67eef52583 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -579,12 +579,9 @@ BOOL cli_connect(struct cli_state *cli, const char *host, struct in_addr *ip) if (cli->port == 0) cli->port = 139; /* Set to default */ -#ifdef SMB_REGRESSION_TEST if (getenv("LIBSMB_PROG")) { cli->fd = sock_exec(getenv("LIBSMB_PROG")); - } else -#endif - { + } else { cli->fd = open_socket_out(SOCK_STREAM, &cli->dest_ip, cli->port, cli->timeout); } -- cgit From 87fbb7092b8f8b2f0db0f361c3d625e19de57cd9 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 4 Jul 2001 07:15:53 +0000 Subject: The big character set handling changeover! This commit gets rid of all our old codepage handling and replaces it with iconv. All internal strings in Samba are now in "unix" charset, which may be multi-byte. See internals.doc and my posting to samba-technical for a more complete explanation. (This used to be commit debb471267960e56005a741817ebd227ecfc512a) --- source3/libsmb/cliconnect.c | 53 ++++++++++++++++++++------------------------- 1 file changed, 23 insertions(+), 30 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 67eef52583..7ec0627682 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -26,7 +26,7 @@ static struct { int prot; - char *name; + const char *name; } prots[] = { @@ -84,8 +84,7 @@ BOOL cli_session_setup(struct cli_state *cli, */ passlen = 24; ntpasslen = 24; - fstrcpy(pword, pass); - unix_to_dos(pword,True); + clistr_push(cli, pword, pass, -1, STR_TERMINATE); fstrcpy(ntpword, ntpass);; SMBencrypt((uchar *)pword,(uchar *)cli->cryptkey,(uchar *)pword); SMBNTencrypt((uchar *)ntpword,(uchar *)cli->cryptkey,(uchar *)ntpword); @@ -104,7 +103,7 @@ BOOL cli_session_setup(struct cli_state *cli, /* * Plaintext mode needed, assume plaintext supplied. */ - passlen = clistr_push(cli, pword, pass, -1, STR_CONVERT|STR_TERMINATE); + passlen = clistr_push(cli, pword, pass, -1, STR_TERMINATE); fstrcpy(ntpword, ""); ntpasslen = 0; } @@ -136,7 +135,7 @@ BOOL cli_session_setup(struct cli_state *cli, p = smb_buf(cli->outbuf); memcpy(p,pword,passlen); p += passlen; - p += clistr_push(cli, p, user, -1, STR_CONVERT|STR_UPPER|STR_TERMINATE); + p += clistr_push(cli, p, user, -1, STR_UPPER|STR_TERMINATE); cli_setup_bcc(cli, p); } else @@ -167,10 +166,10 @@ BOOL cli_session_setup(struct cli_state *cli, p += SVAL(cli->outbuf,smb_vwv7); memcpy(p,ntpword,ntpasslen); p += SVAL(cli->outbuf,smb_vwv8); - p += clistr_push(cli, p, user, -1, STR_CONVERT|STR_TERMINATE|STR_UPPER); - p += clistr_push(cli, p, workgroup, -1, STR_CONVERT|STR_TERMINATE|STR_UPPER); - p += clistr_push(cli, p, "Unix", -1, STR_CONVERT|STR_TERMINATE); - p += clistr_push(cli, p, "Samba", -1, STR_CONVERT|STR_TERMINATE); + p += clistr_push(cli, p, user, -1, STR_TERMINATE|STR_UPPER); + p += clistr_push(cli, p, workgroup, -1, STR_TERMINATE|STR_UPPER); + p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE); + p += clistr_push(cli, p, "Samba", -1, STR_TERMINATE); cli_setup_bcc(cli, p); } @@ -193,9 +192,9 @@ BOOL cli_session_setup(struct cli_state *cli, * info. */ char *q = smb_buf(cli->inbuf); - q += clistr_pull(cli, cli->server_os, q, sizeof(fstring), -1, STR_TERMINATE|STR_CONVERT); - q += clistr_pull(cli, cli->server_type, q, sizeof(fstring), -1, STR_TERMINATE|STR_CONVERT); - q += clistr_pull(cli, cli->server_domain, q, sizeof(fstring), -1, STR_TERMINATE|STR_CONVERT); + q += clistr_pull(cli, cli->server_os, q, sizeof(fstring), -1, STR_TERMINATE); + q += clistr_pull(cli, cli->server_type, q, sizeof(fstring), -1, STR_TERMINATE); + q += clistr_pull(cli, cli->server_domain, q, sizeof(fstring), -1, STR_TERMINATE); } fstrcpy(cli->user_name, user); @@ -227,7 +226,7 @@ BOOL cli_ulogoff(struct cli_state *cli) send a tconX ****************************************************************************/ BOOL cli_send_tconX(struct cli_state *cli, - char *share, char *dev, char *pass, int passlen) + const char *share, const char *dev, const char *pass, int passlen) { fstring fullshare, pword, dos_pword; char *p; @@ -247,15 +246,15 @@ BOOL cli_send_tconX(struct cli_state *cli, * Non-encrypted passwords - convert to DOS codepage before encryption. */ passlen = 24; - fstrcpy(dos_pword,pass); - unix_to_dos(dos_pword,True); + clistr_push(cli, dos_pword, pass, -1, STR_TERMINATE); + SMBencrypt((uchar *)dos_pword,(uchar *)cli->cryptkey,(uchar *)pword); } else { if((cli->sec_mode & 3) == 0) { /* * Non-encrypted passwords - convert to DOS codepage before using. */ - passlen = clistr_push(cli, pword, pass, -1, STR_CONVERT|STR_TERMINATE); + passlen = clistr_push(cli, pword, pass, -1, STR_TERMINATE); } else { memcpy(pword, pass, passlen); } @@ -263,8 +262,6 @@ BOOL cli_send_tconX(struct cli_state *cli, slprintf(fullshare, sizeof(fullshare)-1, "\\\\%s\\%s", cli->desthost, share); - unix_to_dos(fullshare, True); - strupper(fullshare); set_message(cli->outbuf,4, 0, True); CVAL(cli->outbuf,smb_com) = SMBtconX; @@ -276,7 +273,7 @@ BOOL cli_send_tconX(struct cli_state *cli, p = smb_buf(cli->outbuf); memcpy(p,pword,passlen); p += passlen; - p += clistr_push(cli, p, fullshare, -1, STR_CONVERT | STR_TERMINATE); + p += clistr_push(cli, p, fullshare, -1, STR_TERMINATE |STR_UPPER); fstrcpy(p, dev); p += strlen(dev)+1; cli_setup_bcc(cli, p); @@ -294,7 +291,7 @@ BOOL cli_send_tconX(struct cli_state *cli, fstrcpy(cli->dev, "A:"); if (cli->protocol >= PROTOCOL_NT1) { - clistr_pull(cli, cli->dev, smb_buf(cli->inbuf), sizeof(fstring), -1, STR_TERMINATE | STR_CONVERT); + clistr_pull(cli, cli->dev, smb_buf(cli->inbuf), sizeof(fstring), -1, STR_TERMINATE); } if (strcasecmp(share,"IPC$")==0) { @@ -350,9 +347,7 @@ void cli_negprot_send(struct cli_state *cli) prots[numprots].name && prots[numprots].prot<=cli->protocol; numprots++) { *p++ = 2; - pstrcpy(p,prots[numprots].name); - unix_to_dos(p,True); - p += strlen(p) + 1; + p += clistr_push(cli, p, prots[numprots].name, -1, STR_TERMINATE); } CVAL(cli->outbuf,smb_com) = SMBnegprot; @@ -389,9 +384,7 @@ BOOL cli_negprot(struct cli_state *cli) prots[numprots].name && prots[numprots].prot<=cli->protocol; numprots++) { *p++ = 2; - pstrcpy(p,prots[numprots].name); - unix_to_dos(p,True); - p += strlen(p) + 1; + p += clistr_push(cli, p, prots[numprots].name, -1, STR_TERMINATE); } CVAL(cli->outbuf,smb_com) = SMBnegprot; @@ -433,7 +426,7 @@ BOOL cli_negprot(struct cli_state *cli) if (smb_buflen(cli->inbuf) > 8) { clistr_pull(cli, cli->server_domain, smb_buf(cli->inbuf)+8, sizeof(cli->server_domain), - smb_buflen(cli->inbuf)-8, STR_CONVERT|STR_UNICODE|STR_NOALIGN); + smb_buflen(cli->inbuf)-8, STR_UNICODE|STR_NOALIGN); } } else if (cli->protocol >= PROTOCOL_LANMAN1) { cli->sec_mode = SVAL(cli->inbuf,smb_vwv1); @@ -762,9 +755,9 @@ BOOL cli_establish_connection(struct cli_state *cli, if (*cli->server_domain || *cli->server_os || *cli->server_type) { DEBUG(1,("Domain=[%s] OS=[%s] Server=[%s]\n", - cli->server_domain, - cli->server_os, - cli->server_type)); + cli->server_domain, + cli->server_os, + cli->server_type)); } if (do_tcon) -- cgit From 527e824293ee934ca5da0ef5424efe5ab7757248 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 4 Jul 2001 07:36:09 +0000 Subject: strchr and strrchr are macros when compiling with optimisation in gcc, so we can't redefine them. damn. (This used to be commit c41fc06376d1a2b83690612304e85010b5e5f3cf) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 7ec0627682..9511a56e31 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -60,7 +60,7 @@ BOOL cli_session_setup(struct cli_state *cli, /* allow for workgroups as part of the username */ fstrcpy(user2, user); - if ((p=strchr(user2,'\\')) || (p=strchr(user2,'/'))) { + if ((p=strchr_m(user2,'\\')) || (p=strchr_m(user2,'/'))) { *p = 0; user = p+1; workgroup = user2; -- cgit From 3ad0801dd3e8a937493ea9a7395b727e809b5824 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 8 Jul 2001 18:23:53 +0000 Subject: formatting fix (This used to be commit 3dc9fd076a2c4c352d51f7b9dfa8b570a231c9e2) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 9511a56e31..9981672801 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -774,7 +774,7 @@ BOOL cli_establish_connection(struct cli_state *cli, } if (do_shutdown) - cli_shutdown(cli); + cli_shutdown(cli); return True; } -- cgit From 2ccfea3de7b2b7dc0be2438c3adb3f7be82a2dfc Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Fri, 10 Aug 2001 06:00:33 +0000 Subject: A rewrite of the error handling in the libsmb client code. I've separated out the error handling into a bunch of separate functions rather than all being handled in one big function. Fetch error codes from the last received packet: void cli_dos_error(struct cli_state *cli, uint8 *eclass, uint32 *num); uint32 cli_nt_error(struct cli_state *); Convert errors to UNIX errno values: int cli_errno_from_dos(uint8 eclass, uint32 num); int cli_errno_from_nt(uint32 status); int cli_errno(struct cli_state *cli); Detect different kinds of errors: BOOL cli_is_dos_error(struct cli_state *cli); BOOL cli_is_nt_error(struct cli_state *cli); BOOL cli_is_error(struct cli_state *cli); This also means we now support CAP_STATUS32 as we can decode and understand NT errors instead of just DOS errors. Yay! Ported a whole bunch of files in libsmb to use this new API instead of the just the DOS error. (This used to be commit 6dbdb0d813f3c7ab20b38baa1223b0b479aadec9) --- source3/libsmb/cliconnect.c | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 9981672801..dffff5e6ab 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -143,6 +143,15 @@ BOOL cli_session_setup(struct cli_state *cli, uint32 capabilities; capabilities = CAP_NT_SMBS; + + /* Set the CLI_FORCE_DOSERR environment variable to test + client routines using DOS errors instead of STATUS32 + ones. This intended only as a temporary hack. */ + + if (!getenv("CLI_FORCE_DOSERR")) { + capabilities |= CAP_STATUS32; + } + if (cli->use_level_II_oplocks) { capabilities |= CAP_LEVEL_II_OPLOCKS; } -- cgit From 11ce0f4d2d493702386c0bd49c8e2dd2aad84d56 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 20 Aug 2001 05:15:26 +0000 Subject: a bunch of fixes from the sflight to seattle in particular: - fixed NT status code for a bunch of ops - fixed handling of protocol levels in ms_fnmatch (This used to be commit 3eba9606f71f90bfd9820af26f8676277ed22390) --- source3/libsmb/cliconnect.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index dffff5e6ab..982ac544cf 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -414,7 +414,6 @@ BOOL cli_negprot(struct cli_state *cli) cli->protocol = prots[SVAL(cli->inbuf,smb_vwv0)].prot; - if (cli->protocol >= PROTOCOL_NT1) { /* NT protocol */ cli->sec_mode = CVAL(cli->inbuf,smb_vwv1); -- cgit From c5004cf0e6014fd8b1776c7d717560b347495bed Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 22 Aug 2001 22:39:39 +0000 Subject: added port 445 support to our client code (This used to be commit 0c3120ae475fb53662d6ab9f0d96a832c3c90625) --- source3/libsmb/cliconnect.c | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 982ac544cf..eb14f54b1a 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -269,8 +269,13 @@ BOOL cli_send_tconX(struct cli_state *cli, } } - slprintf(fullshare, sizeof(fullshare)-1, - "\\\\%s\\%s", cli->desthost, share); + if (cli->port == 445) { + slprintf(fullshare, sizeof(fullshare)-1, + "%s", share); + } else { + slprintf(fullshare, sizeof(fullshare)-1, + "\\\\%s\\%s", "foo", share); + } set_message(cli->outbuf,4, 0, True); CVAL(cli->outbuf,smb_com) = SMBtconX; @@ -474,6 +479,9 @@ BOOL cli_session_request(struct cli_state *cli, int len = 4; extern pstring user_socket_options; + /* 445 doesn't have session request */ + if (cli->port == 445) return True; + /* send a session request (RFC 1002) */ memcpy(&(cli->calling), calling, sizeof(*calling)); @@ -578,13 +586,19 @@ BOOL cli_connect(struct cli_state *cli, const char *host, struct in_addr *ip) cli->dest_ip = *ip; } - if (cli->port == 0) cli->port = 139; /* Set to default */ - if (getenv("LIBSMB_PROG")) { cli->fd = sock_exec(getenv("LIBSMB_PROG")); } else { + /* try 445 first, then 139 */ + int port = cli->port?cli->port:445; cli->fd = open_socket_out(SOCK_STREAM, &cli->dest_ip, - cli->port, cli->timeout); + port, cli->timeout); + if (cli->fd == -1 && cli->port == 0) { + port = 139; + cli->fd = open_socket_out(SOCK_STREAM, &cli->dest_ip, + port, cli->timeout); + } + if (cli->fd != -1) cli->port = port; } if (cli->fd == -1) return False; -- cgit From c45fbe69f5b7a57fea9ba18cfa47e63b42de7992 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 23 Aug 2001 16:25:57 +0000 Subject: better error reporting for servers that don't do port 445 (This used to be commit a896dc299eba12886d800e6c88309d534232cabc) --- source3/libsmb/cliconnect.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index eb14f54b1a..31b3541376 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -600,8 +600,11 @@ BOOL cli_connect(struct cli_state *cli, const char *host, struct in_addr *ip) } if (cli->fd != -1) cli->port = port; } - if (cli->fd == -1) + if (cli->fd == -1) { + DEBUG(1,("Error connecting to %s (%s)\n", + inet_ntoa(*ip),strerror(errno))); return False; + } set_socket_options(cli->fd,user_socket_options); -- cgit From 705fb73e5083b40bee0d3428337051b689368337 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Fri, 24 Aug 2001 19:52:01 +0000 Subject: Fixed debug in cli_establish_connection() - print out the called name on connection failure rather than the calling name. (This used to be commit 946f6eb9320c9897942adee8b513d8caaa3232c0) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 31b3541376..1628139dd9 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -687,7 +687,7 @@ BOOL cli_establish_connection(struct cli_state *cli, if (!cli_connect(cli, dest_host, dest_ip)) { DEBUG(1,("cli_establish_connection: failed to connect to %s (%s)\n", - nmb_namestr(calling), inet_ntoa(*dest_ip))); + nmb_namestr(called), inet_ntoa(*dest_ip))); return False; } } -- cgit From 464237cdb8d4f4c4c93d9cf24f38f2720ea99b9c Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 24 Aug 2001 20:11:09 +0000 Subject: fixed handling of 139/445 in clients (This used to be commit 22b372f8a7996a19bebb8cdb411df999cffa32a4) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 1628139dd9..8230edbd63 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -274,7 +274,7 @@ BOOL cli_send_tconX(struct cli_state *cli, "%s", share); } else { slprintf(fullshare, sizeof(fullshare)-1, - "\\\\%s\\%s", "foo", share); + "\\\\%s\\%s", cli->desthost, share); } set_message(cli->outbuf,4, 0, True); -- cgit From d53d5beeb29c0024556aae2f66f1d5bfe63960e5 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 5 Sep 2001 11:32:59 +0000 Subject: use cli_is_error() instead of looking in smb_rcls, otherwise NT status codes don't work correctly (This used to be commit 55d5828e608671f070a9e96938be0d16d50aeb26) --- source3/libsmb/cliconnect.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 8230edbd63..14faf6e8fe 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -188,7 +188,7 @@ BOOL cli_session_setup(struct cli_state *cli, show_msg(cli->inbuf); - if (CVAL(cli->inbuf,smb_rcls) != 0) { + if (cli_is_error(cli)) { return False; } @@ -228,7 +228,7 @@ BOOL cli_ulogoff(struct cli_state *cli) if (!cli_receive_smb(cli)) return False; - return CVAL(cli->inbuf,smb_rcls) == 0; + return !cli_is_error(cli); } /**************************************************************************** @@ -292,13 +292,11 @@ BOOL cli_send_tconX(struct cli_state *cli, cli_setup_bcc(cli, p); - SCVAL(cli->inbuf,smb_rcls, 1); - cli_send_smb(cli); if (!cli_receive_smb(cli)) return False; - if (CVAL(cli->inbuf,smb_rcls) != 0) { + if (cli_is_error(cli)) { return False; } @@ -339,7 +337,7 @@ BOOL cli_tdis(struct cli_state *cli) if (!cli_receive_smb(cli)) return False; - return CVAL(cli->inbuf,smb_rcls) == 0; + return !cli_is_error(cli); } @@ -412,7 +410,7 @@ BOOL cli_negprot(struct cli_state *cli) show_msg(cli->inbuf); - if (CVAL(cli->inbuf,smb_rcls) != 0 || + if (cli_is_error(cli) || ((int)SVAL(cli->inbuf,smb_vwv0) >= numprots)) { return(False); } -- cgit From 81f56139b6964ddbe2c03232475f87f474136490 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 11 Oct 2001 07:42:52 +0000 Subject: initial kerberos/ADS/SPNEGO support in libsmb and smbclient. To activate you need to: - install krb5 libraries - run configure - build smbclient - run kinit to get a TGT - run smbclient with the -k option to choose kerberos auth (This used to be commit d33057585644e1337bac743e25ed7653bfb39eef) --- source3/libsmb/cliconnect.c | 531 ++++++++++++++++++++++++++++++++------------ 1 file changed, 387 insertions(+), 144 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 14faf6e8fe..77a8232ed5 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -31,23 +31,365 @@ static struct { prots[] = { {PROTOCOL_CORE,"PC NETWORK PROGRAM 1.0"}, - {PROTOCOL_COREPLUS,"MICROSOFT NETWORKS 1.03"}, - {PROTOCOL_LANMAN1,"MICROSOFT NETWORKS 3.0"}, {PROTOCOL_LANMAN1,"LANMAN1.0"}, + {PROTOCOL_LANMAN1,"Windows for Workgroups 3.1a"}, {PROTOCOL_LANMAN2,"LM1.2X002"}, - {PROTOCOL_LANMAN2,"Samba"}, - {PROTOCOL_NT1,"NT LANMAN 1.0"}, + {PROTOCOL_NT1,"LANMAN2.1"}, {PROTOCOL_NT1,"NT LM 0.12"}, {-1,NULL} }; +/**************************************************************************** +do an old lanman2 style session setup +****************************************************************************/ +static BOOL cli_session_setup_lanman2(struct cli_state *cli, char *user, + char *pass, int passlen) +{ + fstring pword; + char *p; + + if (passlen > sizeof(pword)-1) { + return False; + } + + /* if in share level security then don't send a password now */ + if (!(cli->sec_mode & 1)) { + passlen = 0; + } + + if (passlen > 0 && (cli->sec_mode & 2) && passlen != 24) { + /* Encrypted mode needed, and non encrypted password supplied. */ + passlen = 24; + clistr_push(cli, pword, pass, -1, STR_TERMINATE); + SMBencrypt((uchar *)pword,cli->secblob.data,(uchar *)pword); + } else if ((cli->sec_mode & 2) && passlen == 24) { + /* Encrypted mode needed, and encrypted password supplied. */ + memcpy(pword, pass, passlen); + } else if (passlen > 0) { + /* Plaintext mode needed, assume plaintext supplied. */ + passlen = clistr_push(cli, pword, pass, -1, STR_TERMINATE); + } + + /* send a session setup command */ + memset(cli->outbuf,'\0',smb_size); + set_message(cli->outbuf,10, 0, True); + CVAL(cli->outbuf,smb_com) = SMBsesssetupX; + cli_setup_packet(cli); + + CVAL(cli->outbuf,smb_vwv0) = 0xFF; + SSVAL(cli->outbuf,smb_vwv2,cli->max_xmit); + SSVAL(cli->outbuf,smb_vwv3,2); + SSVAL(cli->outbuf,smb_vwv4,1); + SIVAL(cli->outbuf,smb_vwv5,cli->sesskey); + SSVAL(cli->outbuf,smb_vwv7,passlen); + + p = smb_buf(cli->outbuf); + memcpy(p,pword,passlen); + p += passlen; + p += clistr_push(cli, p, user, -1, STR_UPPER|STR_TERMINATE); + cli_setup_bcc(cli, p); + + cli_send_smb(cli); + if (!cli_receive_smb(cli)) + return False; + + show_msg(cli->inbuf); + + if (cli_is_error(cli)) { + return False; + } + + /* use the returned vuid from now on */ + cli->vuid = SVAL(cli->inbuf,smb_uid); + fstrcpy(cli->user_name, user); + + return True; +} + + +/**************************************************************************** +work out suitable capabilities to offer the server +****************************************************************************/ +static uint32 cli_session_setup_capabilities(struct cli_state *cli) +{ + uint32 capabilities = CAP_NT_SMBS; + + /* Set the CLI_FORCE_DOSERR environment variable to test + client routines using DOS errors instead of STATUS32 + ones. This intended only as a temporary hack. */ + if (!getenv("CLI_FORCE_DOSERR")) { + capabilities |= CAP_STATUS32; + } + + if (cli->use_level_II_oplocks) { + capabilities |= CAP_LEVEL_II_OPLOCKS; + } + + if (cli->capabilities & CAP_UNICODE) { + capabilities |= CAP_UNICODE; + } + + return capabilities; +} + + +/**************************************************************************** +do a NT1 guest session setup +****************************************************************************/ +static BOOL cli_session_setup_guest(struct cli_state *cli) +{ + char *p; + uint32 capabilities = cli_session_setup_capabilities(cli); + + set_message(cli->outbuf,13,0,True); + CVAL(cli->outbuf,smb_com) = SMBsesssetupX; + cli_setup_packet(cli); + + CVAL(cli->outbuf,smb_vwv0) = 0xFF; + SSVAL(cli->outbuf,smb_vwv2,CLI_BUFFER_SIZE); + SSVAL(cli->outbuf,smb_vwv3,2); + SSVAL(cli->outbuf,smb_vwv4,cli->pid); + SIVAL(cli->outbuf,smb_vwv5,cli->sesskey); + SSVAL(cli->outbuf,smb_vwv7,0); + SSVAL(cli->outbuf,smb_vwv8,0); + SIVAL(cli->outbuf,smb_vwv11,capabilities); + p = smb_buf(cli->outbuf); + p += clistr_push(cli, p, "", -1, STR_TERMINATE); /* username */ + p += clistr_push(cli, p, "", -1, STR_TERMINATE); /* workgroup */ + p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE); + p += clistr_push(cli, p, "Samba", -1, STR_TERMINATE); + cli_setup_bcc(cli, p); + + cli_send_smb(cli); + if (!cli_receive_smb(cli)) + return False; + + show_msg(cli->inbuf); + + if (cli_is_error(cli)) { + return False; + } + + cli->vuid = SVAL(cli->inbuf,smb_uid); + + p = smb_buf(cli->inbuf); + p += clistr_pull(cli, cli->server_os, p, sizeof(fstring), -1, STR_TERMINATE); + p += clistr_pull(cli, cli->server_type, p, sizeof(fstring), -1, STR_TERMINATE); + p += clistr_pull(cli, cli->server_domain, p, sizeof(fstring), -1, STR_TERMINATE); + + fstrcpy(cli->user_name, ""); + + return True; +} + + +/**************************************************************************** +do a NT1 plaintext session setup +****************************************************************************/ +static BOOL cli_session_setup_plaintext(struct cli_state *cli, char *user, + char *pass, char *workgroup) +{ + uint32 capabilities = cli_session_setup_capabilities(cli); + fstring pword; + int passlen; + char *p; + + passlen = clistr_push(cli, pword, pass, sizeof(pword), STR_TERMINATE); + + set_message(cli->outbuf,13,0,True); + CVAL(cli->outbuf,smb_com) = SMBsesssetupX; + cli_setup_packet(cli); + + CVAL(cli->outbuf,smb_vwv0) = 0xFF; + SSVAL(cli->outbuf,smb_vwv2,CLI_BUFFER_SIZE); + SSVAL(cli->outbuf,smb_vwv3,2); + SSVAL(cli->outbuf,smb_vwv4,cli->pid); + SIVAL(cli->outbuf,smb_vwv5,cli->sesskey); + SSVAL(cli->outbuf,smb_vwv7,passlen); + SSVAL(cli->outbuf,smb_vwv8,0); + SIVAL(cli->outbuf,smb_vwv11,capabilities); + p = smb_buf(cli->outbuf); + memcpy(p, pword, passlen); + p += passlen; + p += clistr_push(cli, p, user, -1, STR_TERMINATE); /* username */ + p += clistr_push(cli, p, workgroup, -1, STR_TERMINATE); /* workgroup */ + p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE); + p += clistr_push(cli, p, "Samba", -1, STR_TERMINATE); + cli_setup_bcc(cli, p); + + cli_send_smb(cli); + if (!cli_receive_smb(cli)) + return False; + + show_msg(cli->inbuf); + + if (cli_is_error(cli)) { + return False; + } + + cli->vuid = SVAL(cli->inbuf,smb_uid); + p = smb_buf(cli->inbuf); + p += clistr_pull(cli, cli->server_os, p, sizeof(fstring), -1, STR_TERMINATE); + p += clistr_pull(cli, cli->server_type, p, sizeof(fstring), -1, STR_TERMINATE); + p += clistr_pull(cli, cli->server_domain, p, sizeof(fstring), -1, STR_TERMINATE); + fstrcpy(cli->user_name, user); + + return True; +} + + +/**************************************************************************** +do a NT1 NTLM/LM encrypted session setup +****************************************************************************/ +static BOOL cli_session_setup_nt1(struct cli_state *cli, char *user, + char *pass, int passlen, + char *ntpass, int ntpasslen, + char *workgroup) +{ + uint32 capabilities = cli_session_setup_capabilities(cli); + fstring pword, ntpword; + char *p; + + if (passlen > sizeof(pword)-1 || ntpasslen > sizeof(ntpword)-1) { + return False; + } + + if (passlen != 24) { + /* non encrypted password supplied. */ + passlen = 24; + ntpasslen = 24; + clistr_push(cli, pword, pass, sizeof(pword), STR_TERMINATE); + clistr_push(cli, ntpword, ntpass, sizeof(ntpword), STR_TERMINATE); + SMBencrypt((uchar *)pword,cli->secblob.data,(uchar *)pword); + SMBNTencrypt((uchar *)ntpword,cli->secblob.data,(uchar *)ntpword); + } else { + memcpy(pword, pass, passlen); + memcpy(ntpword, ntpass, ntpasslen); + } + + /* send a session setup command */ + memset(cli->outbuf,'\0',smb_size); + + set_message(cli->outbuf,13,0,True); + CVAL(cli->outbuf,smb_com) = SMBsesssetupX; + cli_setup_packet(cli); + + CVAL(cli->outbuf,smb_vwv0) = 0xFF; + SSVAL(cli->outbuf,smb_vwv2,CLI_BUFFER_SIZE); + SSVAL(cli->outbuf,smb_vwv3,2); + SSVAL(cli->outbuf,smb_vwv4,cli->pid); + SIVAL(cli->outbuf,smb_vwv5,cli->sesskey); + SSVAL(cli->outbuf,smb_vwv7,passlen); + SSVAL(cli->outbuf,smb_vwv8,ntpasslen); + SIVAL(cli->outbuf,smb_vwv11,capabilities); + p = smb_buf(cli->outbuf); + memcpy(p,pword,passlen); p += passlen; + memcpy(p,ntpword,ntpasslen); p += ntpasslen; + p += clistr_push(cli, p, user, -1, STR_TERMINATE|STR_UPPER); + p += clistr_push(cli, p, workgroup, -1, STR_TERMINATE|STR_UPPER); + p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE); + p += clistr_push(cli, p, "Samba", -1, STR_TERMINATE); + cli_setup_bcc(cli, p); + + cli_send_smb(cli); + if (!cli_receive_smb(cli)) + return False; + + show_msg(cli->inbuf); + + if (cli_is_error(cli)) { + return False; + } + + /* use the returned vuid from now on */ + cli->vuid = SVAL(cli->inbuf,smb_uid); + + p = smb_buf(cli->inbuf); + p += clistr_pull(cli, cli->server_os, p, sizeof(fstring), -1, STR_TERMINATE); + p += clistr_pull(cli, cli->server_type, p, sizeof(fstring), -1, STR_TERMINATE); + p += clistr_pull(cli, cli->server_domain, p, sizeof(fstring), -1, STR_TERMINATE); + + fstrcpy(cli->user_name, user); + + return True; +} + +#if HAVE_KRB5 +/**************************************************************************** +do a spnego encrypted session setup +****************************************************************************/ +static BOOL cli_session_setup_spnego(struct cli_state *cli, char *user, + char *pass, char *workgroup) +{ + uint32 capabilities = cli_session_setup_capabilities(cli); + char *p; + DATA_BLOB blob2, negTokenTarg; + + negTokenTarg = spnego_gen_negTokenTarg(cli); + + capabilities |= CAP_EXTENDED_SECURITY; + + /* send a session setup command */ + memset(cli->outbuf,'\0',smb_size); + + set_message(cli->outbuf,12,0,True); + CVAL(cli->outbuf,smb_com) = SMBsesssetupX; + cli_setup_packet(cli); + + CVAL(cli->outbuf,smb_vwv0) = 0xFF; + SSVAL(cli->outbuf,smb_vwv2,CLI_BUFFER_SIZE); + SSVAL(cli->outbuf,smb_vwv3,2); + SSVAL(cli->outbuf,smb_vwv4,0); + SIVAL(cli->outbuf,smb_vwv5,0); + SSVAL(cli->outbuf,smb_vwv7,negTokenTarg.length); + SIVAL(cli->outbuf,smb_vwv10,capabilities); + p = smb_buf(cli->outbuf); + memcpy(p, negTokenTarg.data, negTokenTarg.length); + p += negTokenTarg.length; + p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE); + p += clistr_push(cli, p, "Samba", -1, STR_TERMINATE); + cli_setup_bcc(cli, p); + + cli_send_smb(cli); + if (!cli_receive_smb(cli)) + return False; + + show_msg(cli->inbuf); + + if (cli_is_error(cli)) { + return False; + } + + /* use the returned vuid from now on */ + cli->vuid = SVAL(cli->inbuf,smb_uid); + + p = smb_buf(cli->inbuf); + + blob2 = data_blob(p, SVAL(cli->inbuf, smb_vwv3)); + + p += blob2.length; + p += clistr_pull(cli, cli->server_os, p, sizeof(fstring), -1, STR_TERMINATE); + p += clistr_pull(cli, cli->server_type, p, sizeof(fstring), -1, STR_TERMINATE); + p += clistr_pull(cli, cli->server_domain, p, sizeof(fstring), -1, STR_TERMINATE); + + fstrcpy(cli->user_name, user); + + data_blob_free(negTokenTarg); + + /* we don't need this blob until we do NTLMSSP */ + data_blob_free(blob2); + + return True; +} +#endif + + /**************************************************************************** Send a session setup. The username and workgroup is in UNIX character format and must be converted to DOS codepage format before sending. If the password is in plaintext, the same should be done. ****************************************************************************/ - BOOL cli_session_setup(struct cli_state *cli, char *user, char *pass, int passlen, @@ -55,7 +397,6 @@ BOOL cli_session_setup(struct cli_state *cli, char *workgroup) { char *p; - fstring pword, ntpword; fstring user2; /* allow for workgroups as part of the username */ @@ -69,146 +410,45 @@ BOOL cli_session_setup(struct cli_state *cli, if (cli->protocol < PROTOCOL_LANMAN1) return True; - if (passlen > sizeof(pword)-1 || ntpasslen > sizeof(ntpword)-1) { - return False; - } + /* now work out what sort of session setup we are going to + do. I have split this into separate functions to make the + flow a bit easier to understand (tridge) */ - if (((passlen == 0) || (passlen == 1)) && (pass[0] == '\0')) { - /* Null session connect. */ - pword[0] = '\0'; - ntpword[0] = '\0'; - } else { - if ((cli->sec_mode & 2) && passlen != 24) { - /* - * Encrypted mode needed, and non encrypted password supplied. - */ - passlen = 24; - ntpasslen = 24; - clistr_push(cli, pword, pass, -1, STR_TERMINATE); - fstrcpy(ntpword, ntpass);; - SMBencrypt((uchar *)pword,(uchar *)cli->cryptkey,(uchar *)pword); - SMBNTencrypt((uchar *)ntpword,(uchar *)cli->cryptkey,(uchar *)ntpword); - } else if ((cli->sec_mode & 2) && passlen == 24) { - /* - * Encrypted mode needed, and encrypted password supplied. - */ - memcpy(pword, pass, passlen); - if(ntpasslen == 24) { - memcpy(ntpword, ntpass, ntpasslen); - } else { - fstrcpy(ntpword, ""); - ntpasslen = 0; - } - } else { - /* - * Plaintext mode needed, assume plaintext supplied. - */ - passlen = clistr_push(cli, pword, pass, -1, STR_TERMINATE); - fstrcpy(ntpword, ""); - ntpasslen = 0; - } + /* if its an older server then we have to use the older request format */ + if (cli->protocol < PROTOCOL_NT1) { + return cli_session_setup_lanman2(cli, user, pass, passlen); } - /* if in share level security then don't send a password now */ - if (!(cli->sec_mode & 1)) { - fstrcpy(pword, ""); - passlen=1; - fstrcpy(ntpword, ""); - ntpasslen=1; - } - - /* send a session setup command */ - memset(cli->outbuf,'\0',smb_size); - - if (cli->protocol < PROTOCOL_NT1) - { - set_message(cli->outbuf,10, 0, True); - CVAL(cli->outbuf,smb_com) = SMBsesssetupX; - cli_setup_packet(cli); - - CVAL(cli->outbuf,smb_vwv0) = 0xFF; - SSVAL(cli->outbuf,smb_vwv2,cli->max_xmit); - SSVAL(cli->outbuf,smb_vwv3,2); - SSVAL(cli->outbuf,smb_vwv4,1); - SIVAL(cli->outbuf,smb_vwv5,cli->sesskey); - SSVAL(cli->outbuf,smb_vwv7,passlen); - p = smb_buf(cli->outbuf); - memcpy(p,pword,passlen); - p += passlen; - p += clistr_push(cli, p, user, -1, STR_UPPER|STR_TERMINATE); - cli_setup_bcc(cli, p); + /* if no user is supplied then we have to do an anonymous connection. + passwords are ignored */ + if (!user || !*user) { + return cli_session_setup_guest(cli); } - else - { - uint32 capabilities; - - capabilities = CAP_NT_SMBS; - /* Set the CLI_FORCE_DOSERR environment variable to test - client routines using DOS errors instead of STATUS32 - ones. This intended only as a temporary hack. */ - - if (!getenv("CLI_FORCE_DOSERR")) { - capabilities |= CAP_STATUS32; - } - - if (cli->use_level_II_oplocks) { - capabilities |= CAP_LEVEL_II_OPLOCKS; - } - if (cli->capabilities & CAP_UNICODE) { - capabilities |= CAP_UNICODE; - } - set_message(cli->outbuf,13,0,True); - CVAL(cli->outbuf,smb_com) = SMBsesssetupX; - cli_setup_packet(cli); - - CVAL(cli->outbuf,smb_vwv0) = 0xFF; - SSVAL(cli->outbuf,smb_vwv2,CLI_BUFFER_SIZE); - SSVAL(cli->outbuf,smb_vwv3,2); - SSVAL(cli->outbuf,smb_vwv4,cli->pid); - SIVAL(cli->outbuf,smb_vwv5,cli->sesskey); - SSVAL(cli->outbuf,smb_vwv7,passlen); - SSVAL(cli->outbuf,smb_vwv8,ntpasslen); - SIVAL(cli->outbuf,smb_vwv11,capabilities); - p = smb_buf(cli->outbuf); - memcpy(p,pword,passlen); - p += SVAL(cli->outbuf,smb_vwv7); - memcpy(p,ntpword,ntpasslen); - p += SVAL(cli->outbuf,smb_vwv8); - p += clistr_push(cli, p, user, -1, STR_TERMINATE|STR_UPPER); - p += clistr_push(cli, p, workgroup, -1, STR_TERMINATE|STR_UPPER); - p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE); - p += clistr_push(cli, p, "Samba", -1, STR_TERMINATE); - cli_setup_bcc(cli, p); - } - - cli_send_smb(cli); - if (!cli_receive_smb(cli)) - return False; - - show_msg(cli->inbuf); - - if (cli_is_error(cli)) { - return False; - } - - /* use the returned vuid from now on */ - cli->vuid = SVAL(cli->inbuf,smb_uid); + /* if the server is share level then send a plaintext null + password at this point. The password is sent in the tree + connect */ + if ((cli->sec_mode & 1) == 0) { + return cli_session_setup_plaintext(cli, user, "", workgroup); + } - if (cli->protocol >= PROTOCOL_NT1) { - /* - * Save off some of the connected server - * info. - */ - char *q = smb_buf(cli->inbuf); - q += clistr_pull(cli, cli->server_os, q, sizeof(fstring), -1, STR_TERMINATE); - q += clistr_pull(cli, cli->server_type, q, sizeof(fstring), -1, STR_TERMINATE); - q += clistr_pull(cli, cli->server_domain, q, sizeof(fstring), -1, STR_TERMINATE); - } + /* if the server doesn't support encryption then we have to use plaintext. The + second password is ignored */ + if ((cli->sec_mode & 2) == 0) { + return cli_session_setup_plaintext(cli, user, pass, workgroup); + } - fstrcpy(cli->user_name, user); +#if HAVE_KRB5 + /* if the server supports extended security then use SPNEGO */ + if (cli->capabilities & CAP_EXTENDED_SECURITY) { + return cli_session_setup_spnego(cli, user, pass, workgroup); + } +#endif - return True; + /* otherwise do a NT1 style session setup */ + return cli_session_setup_nt1(cli, user, + pass, passlen, ntpass, ntpasslen, + workgroup); } /**************************************************************************** @@ -256,8 +496,7 @@ BOOL cli_send_tconX(struct cli_state *cli, */ passlen = 24; clistr_push(cli, dos_pword, pass, -1, STR_TERMINATE); - - SMBencrypt((uchar *)dos_pword,(uchar *)cli->cryptkey,(uchar *)pword); + SMBencrypt((uchar *)dos_pword,cli->secblob.data,(uchar *)pword); } else { if((cli->sec_mode & 3) == 0) { /* @@ -404,6 +643,11 @@ BOOL cli_negprot(struct cli_state *cli) CVAL(smb_buf(cli->outbuf),0) = 2; + if (cli->use_spnego) { + SSVAL(cli->outbuf, smb_flg2, + SVAL(cli->outbuf, smb_flg2) | FLAGS2_EXTENDED_SECURITY); + } + cli_send_smb(cli); if (!cli_receive_smb(cli)) return False; @@ -427,7 +671,7 @@ BOOL cli_negprot(struct cli_state *cli) cli->serverzone *= 60; /* this time arrives in real GMT */ cli->servertime = interpret_long_date(cli->inbuf+smb_vwv11+1); - memcpy(cli->cryptkey,smb_buf(cli->inbuf),8); + cli->secblob = data_blob(smb_buf(cli->inbuf),smb_buflen(cli->inbuf)); cli->capabilities = IVAL(cli->inbuf,smb_vwv9+1); if (cli->capabilities & CAP_RAW_MODE) { cli->readbraw_supported = True; @@ -449,7 +693,7 @@ BOOL cli_negprot(struct cli_state *cli) cli->servertime = make_unix_date(cli->inbuf+smb_vwv8); cli->readbraw_supported = ((SVAL(cli->inbuf,smb_vwv5) & 0x1) != 0); cli->writebraw_supported = ((SVAL(cli->inbuf,smb_vwv5) & 0x2) != 0); - memcpy(cli->cryptkey,smb_buf(cli->inbuf),8); + cli->secblob = data_blob(smb_buf(cli->inbuf),smb_buflen(cli->inbuf)); } else { /* the old core protocol */ cli->sec_mode = 0; @@ -481,7 +725,6 @@ BOOL cli_session_request(struct cli_state *cli, if (cli->port == 445) return True; /* send a session request (RFC 1002) */ - memcpy(&(cli->calling), calling, sizeof(*calling)); memcpy(&(cli->called ), called , sizeof(*called )); @@ -758,7 +1001,7 @@ BOOL cli_establish_connection(struct cli_state *cli, unsigned char lm_sess_pwd[24]; /* creates (storing a copy of) and then obtains a 24 byte password OWF */ - pwd_make_lm_nt_owf(&(cli->pwd), cli->cryptkey); + pwd_make_lm_nt_owf(&(cli->pwd), cli->secblob.data); pwd_get_lm_nt_owf(&(cli->pwd), lm_sess_pwd, nt_sess_pwd); /* attempt encrypted session */ -- cgit From 7cd9c611e2a1e0028081863a3678c47bc8af7b55 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 11 Oct 2001 13:13:06 +0000 Subject: added a ASN.1 parser, so now I can properly parse the negTokenInit packet which means I can extract the service and realm, so we should now work with realms other than the local realm. it also means we now check the list of OIDs given by the server just in case it says that it doesn't support kerberos. In that case we should fall back to NTLMSSP but that isn't written yet. (This used to be commit 395cfeea94febb5280ea57027e8a8a3c7c3f9291) --- source3/libsmb/cliconnect.c | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 77a8232ed5..36aedf2d59 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -325,8 +325,39 @@ static BOOL cli_session_setup_spnego(struct cli_state *cli, char *user, uint32 capabilities = cli_session_setup_capabilities(cli); char *p; DATA_BLOB blob2, negTokenTarg; + char *principle; + char *OIDs[ASN1_MAX_OIDS]; + uint8 guid[16]; + int i; + BOOL got_kerberos_mechanism = False; + + /* the server sent us the first part of the SPNEGO exchange in the negprot + reply */ + if (!spnego_parse_negTokenInit(cli->secblob, guid, OIDs, &principle)) { + return False; + } + + /* make sure the server understands kerberos */ + for (i=0;OIDs[i];i++) { + DEBUG(3,("got OID=%s\n", OIDs[i])); + if (strcmp(OIDs[i], "1 2 840 48018 1 2 2") == 0) { + got_kerberos_mechanism = True; + } + free(OIDs[i]); + } + DEBUG(3,("got principle=%s\n", principle)); + + if (!got_kerberos_mechanism) { + DEBUG(1,("Server didn't offer kerberos5 mechanism!?\n")); + return False; + } + + /* generate the encapsulated kerberos5 ticket */ + negTokenTarg = spnego_gen_negTokenTarg(cli, principle); + + free(principle); - negTokenTarg = spnego_gen_negTokenTarg(cli); + if (!negTokenTarg.data) return False; capabilities |= CAP_EXTENDED_SECURITY; -- cgit From 9f7cb41f11c0d2fc09104f6998f75c59bc363b26 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 12 Oct 2001 04:49:42 +0000 Subject: added NTLMSSP authentication to libsmb. It seems to work well so I have enabled it by default if the server supports it. Let me know if this breaks anything. Choose kerberos with the -k flag to smbclient, otherwise it will use SPNEGO/NTLMSSP/NTLM (This used to be commit 076aa97bee54d182288d9e93ae160ae22a5f7757) --- source3/libsmb/cliconnect.c | 206 +++++++++++++++++++++++++++++++++----------- 1 file changed, 154 insertions(+), 52 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 36aedf2d59..11852a09cc 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -34,6 +34,7 @@ prots[] = {PROTOCOL_LANMAN1,"LANMAN1.0"}, {PROTOCOL_LANMAN1,"Windows for Workgroups 3.1a"}, {PROTOCOL_LANMAN2,"LM1.2X002"}, + {PROTOCOL_NT1,"Samba"}, {PROTOCOL_NT1,"LANMAN2.1"}, {PROTOCOL_NT1,"NT LM 0.12"}, {-1,NULL} @@ -315,49 +316,17 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, char *user, return True; } -#if HAVE_KRB5 + /**************************************************************************** -do a spnego encrypted session setup +send a extended security session setup blob, returning a reply blob ****************************************************************************/ -static BOOL cli_session_setup_spnego(struct cli_state *cli, char *user, - char *pass, char *workgroup) +static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) { uint32 capabilities = cli_session_setup_capabilities(cli); char *p; - DATA_BLOB blob2, negTokenTarg; - char *principle; - char *OIDs[ASN1_MAX_OIDS]; - uint8 guid[16]; - int i; - BOOL got_kerberos_mechanism = False; - - /* the server sent us the first part of the SPNEGO exchange in the negprot - reply */ - if (!spnego_parse_negTokenInit(cli->secblob, guid, OIDs, &principle)) { - return False; - } - - /* make sure the server understands kerberos */ - for (i=0;OIDs[i];i++) { - DEBUG(3,("got OID=%s\n", OIDs[i])); - if (strcmp(OIDs[i], "1 2 840 48018 1 2 2") == 0) { - got_kerberos_mechanism = True; - } - free(OIDs[i]); - } - DEBUG(3,("got principle=%s\n", principle)); - - if (!got_kerberos_mechanism) { - DEBUG(1,("Server didn't offer kerberos5 mechanism!?\n")); - return False; - } - - /* generate the encapsulated kerberos5 ticket */ - negTokenTarg = spnego_gen_negTokenTarg(cli, principle); - - free(principle); + DATA_BLOB blob2; - if (!negTokenTarg.data) return False; + blob2 = data_blob(NULL, 0); capabilities |= CAP_EXTENDED_SECURITY; @@ -373,23 +342,24 @@ static BOOL cli_session_setup_spnego(struct cli_state *cli, char *user, SSVAL(cli->outbuf,smb_vwv3,2); SSVAL(cli->outbuf,smb_vwv4,0); SIVAL(cli->outbuf,smb_vwv5,0); - SSVAL(cli->outbuf,smb_vwv7,negTokenTarg.length); + SSVAL(cli->outbuf,smb_vwv7,blob.length); SIVAL(cli->outbuf,smb_vwv10,capabilities); p = smb_buf(cli->outbuf); - memcpy(p, negTokenTarg.data, negTokenTarg.length); - p += negTokenTarg.length; + memcpy(p, blob.data, blob.length); + p += blob.length; p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE); p += clistr_push(cli, p, "Samba", -1, STR_TERMINATE); cli_setup_bcc(cli, p); cli_send_smb(cli); if (!cli_receive_smb(cli)) - return False; + return blob2; show_msg(cli->inbuf); - if (cli_is_error(cli)) { - return False; + if (cli_is_error(cli) && !NT_STATUS_EQUAL(cli_nt_error(cli), + NT_STATUS_MORE_PROCESSING_REQUIRED)) { + return blob2; } /* use the returned vuid from now on */ @@ -404,17 +374,154 @@ static BOOL cli_session_setup_spnego(struct cli_state *cli, char *user, p += clistr_pull(cli, cli->server_type, p, sizeof(fstring), -1, STR_TERMINATE); p += clistr_pull(cli, cli->server_domain, p, sizeof(fstring), -1, STR_TERMINATE); - fstrcpy(cli->user_name, user); + return blob2; +} - data_blob_free(negTokenTarg); - /* we don't need this blob until we do NTLMSSP */ +#if HAVE_KRB5 +/**************************************************************************** +do a spnego/kerberos encrypted session setup +****************************************************************************/ +static BOOL cli_session_setup_kerberos(struct cli_state *cli, char *principle, char *workgroup) +{ + DATA_BLOB blob2, negTokenTarg; + + /* generate the encapsulated kerberos5 ticket */ + negTokenTarg = spnego_gen_negTokenTarg(cli, principle); + + if (!negTokenTarg.data) return False; + + blob2 = cli_session_setup_blob(cli, negTokenTarg); + + /* we don't need this blob for kerberos */ data_blob_free(blob2); - return True; + return !cli_is_error(cli); } #endif +/**************************************************************************** +do a spnego/NTLMSSP encrypted session setup +****************************************************************************/ +static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user, + char *pass, char *workgroup) +{ + const char *mechs[] = {"1 3 6 1 4 1 311 2 2 10", NULL}; + DATA_BLOB msg1; + DATA_BLOB blob, chal1, chal2, auth; + uint8 challenge[8]; + uint8 nthash[24], lmhash[24], sess_key[16]; + uint32 neg_flags; + + neg_flags = NTLMSSP_NEGOTIATE_UNICODE | + NTLMSSP_NEGOTIATE_LM_KEY | + NTLMSSP_NEGOTIATE_NTLM; + + memset(sess_key, 0, 16); + + /* generate the ntlmssp negotiate packet */ + msrpc_gen(&blob, "CddB", + "NTLMSSP", + NTLMSSP_NEGOTIATE, + neg_flags, + sess_key, 16); + + /* and wrap it in a SPNEGO wrapper */ + msg1 = gen_negTokenTarg(mechs, blob); + data_blob_free(blob); + + /* now send that blob on its way */ + blob = cli_session_setup_blob(cli, msg1); + + data_blob_free(msg1); + + if (!NT_STATUS_EQUAL(cli_nt_error(cli), NT_STATUS_MORE_PROCESSING_REQUIRED)) { + return False; + } + + /* the server gives us back two challenges */ + if (!spnego_parse_challenge(blob, &chal1, &chal2)) { + return False; + } + + data_blob_free(blob); + + /* encrypt the password with the challenge */ + memcpy(challenge, chal1.data + 24, 8); + SMBencrypt(pass, challenge,lmhash); + SMBNTencrypt(pass, challenge,nthash); + + data_blob_free(chal1); + data_blob_free(chal2); + + /* this generates the actual auth packet */ + msrpc_gen(&blob, "CdBBUUUBd", + "NTLMSSP", + NTLMSSP_AUTH, + lmhash, 24, + nthash, 24, + workgroup, + user, + cli->calling.name, + sess_key, 16, + neg_flags); + + /* wrap it in SPNEGO */ + auth = spnego_gen_auth(blob); + + data_blob_free(blob); + + /* now send the auth packet and we should be done */ + blob = cli_session_setup_blob(cli, auth); + + data_blob_free(auth); + data_blob_free(blob); + + return !cli_is_error(cli); +} + + +/**************************************************************************** +do a spnego encrypted session setup +****************************************************************************/ +static BOOL cli_session_setup_spnego(struct cli_state *cli, char *user, + char *pass, char *workgroup) +{ + char *principle; + char *OIDs[ASN1_MAX_OIDS]; + uint8 guid[16]; + int i; + BOOL got_kerberos_mechanism = False; + + /* the server sent us the first part of the SPNEGO exchange in the negprot + reply */ + if (!spnego_parse_negTokenInit(cli->secblob, guid, OIDs, &principle)) { + return False; + } + + /* make sure the server understands kerberos */ + for (i=0;OIDs[i];i++) { + DEBUG(3,("got OID=%s\n", OIDs[i])); + if (strcmp(OIDs[i], "1 2 840 48018 1 2 2") == 0) { + got_kerberos_mechanism = True; + } + free(OIDs[i]); + } + DEBUG(3,("got principle=%s\n", principle)); + + fstrcpy(cli->user_name, user); + +#if HAVE_KRB5 + if (got_kerberos_mechanism && cli->use_kerberos) { + return cli_session_setup_kerberos(cli, principle, workgroup); + } +#endif + + free(principle); + + return cli_session_setup_ntlmssp(cli, user, pass, workgroup); +} + /**************************************************************************** Send a session setup. The username and workgroup is in UNIX character @@ -674,11 +781,6 @@ BOOL cli_negprot(struct cli_state *cli) CVAL(smb_buf(cli->outbuf),0) = 2; - if (cli->use_spnego) { - SSVAL(cli->outbuf, smb_flg2, - SVAL(cli->outbuf, smb_flg2) | FLAGS2_EXTENDED_SECURITY); - } - cli_send_smb(cli); if (!cli_receive_smb(cli)) return False; -- cgit From d726eb216ad431d2bbd4ee07f4098b72446cdca2 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 12 Oct 2001 04:54:53 +0000 Subject: moved some OIDs to the ASN.1 header (This used to be commit 7092beef9d7a68018ede569883b22c822300c7ff) --- source3/libsmb/cliconnect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 11852a09cc..9186208d62 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -406,7 +406,7 @@ do a spnego/NTLMSSP encrypted session setup static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user, char *pass, char *workgroup) { - const char *mechs[] = {"1 3 6 1 4 1 311 2 2 10", NULL}; + const char *mechs[] = {OID_NTLMSSP, NULL}; DATA_BLOB msg1; DATA_BLOB blob, chal1, chal2, auth; uint8 challenge[8]; @@ -502,7 +502,7 @@ static BOOL cli_session_setup_spnego(struct cli_state *cli, char *user, /* make sure the server understands kerberos */ for (i=0;OIDs[i];i++) { DEBUG(3,("got OID=%s\n", OIDs[i])); - if (strcmp(OIDs[i], "1 2 840 48018 1 2 2") == 0) { + if (strcmp(OIDs[i], OID_KERBEROS5_OLD) == 0) { got_kerberos_mechanism = True; } free(OIDs[i]); -- cgit From 81756ba7440e255f750d13858e1147d3976e70e2 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 14 Oct 2001 05:42:28 +0000 Subject: fixed two bugs in the NTLMSSP code - handle servers that don't send a kerberos principle (non-member servers) - enable spnego without KRB5 (This used to be commit b218d465a1968a11d2d6a42afa7e552fea8b7f5e) --- source3/libsmb/cliconnect.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 9186208d62..4a9d2fe59c 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -493,6 +493,12 @@ static BOOL cli_session_setup_spnego(struct cli_state *cli, char *user, int i; BOOL got_kerberos_mechanism = False; + /* the server might not even do spnego */ + if (cli->secblob.length == 16) { + DEBUG(3,("server didn't supply a full spnego negprot\n")); + goto ntlmssp; + } + /* the server sent us the first part of the SPNEGO exchange in the negprot reply */ if (!spnego_parse_negTokenInit(cli->secblob, guid, OIDs, &principle)) { @@ -519,6 +525,8 @@ static BOOL cli_session_setup_spnego(struct cli_state *cli, char *user, free(principle); +ntlmssp: + return cli_session_setup_ntlmssp(cli, user, pass, workgroup); } @@ -576,12 +584,10 @@ BOOL cli_session_setup(struct cli_state *cli, return cli_session_setup_plaintext(cli, user, pass, workgroup); } -#if HAVE_KRB5 /* if the server supports extended security then use SPNEGO */ if (cli->capabilities & CAP_EXTENDED_SECURITY) { return cli_session_setup_spnego(cli, user, pass, workgroup); } -#endif /* otherwise do a NT1 style session setup */ return cli_session_setup_nt1(cli, user, -- cgit From b46f6d865efa6dd50ed8b83d498f9e04919c9bc9 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 14 Oct 2001 06:14:11 +0000 Subject: fixed NTLMSSP with XP servers (who don't send the duplicate challenge in the asn1 spnego structures) (This used to be commit 131010e9fb842b4d5a8660c538a3313c95fadae7) --- source3/libsmb/cliconnect.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 4a9d2fe59c..94eda90a3b 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -439,6 +439,10 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user, return False; } +#if 0 + file_save("chal.dat", blob.data, blob.length); +#endif + /* the server gives us back two challenges */ if (!spnego_parse_challenge(blob, &chal1, &chal2)) { return False; @@ -499,6 +503,10 @@ static BOOL cli_session_setup_spnego(struct cli_state *cli, char *user, goto ntlmssp; } +#if 0 + file_save("negprot.dat", cli->secblob.data, cli->secblob.length); +#endif + /* the server sent us the first part of the SPNEGO exchange in the negprot reply */ if (!spnego_parse_negTokenInit(cli->secblob, guid, OIDs, &principle)) { -- cgit From b728042334f67738fd1a6fdd03e619bdb78fe06a Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 17 Oct 2001 08:54:19 +0000 Subject: added basic NTLMSSP support in smbd. This is still quite rough, and loses things like username mapping. I wanted to get this in then discuss it a bit to see how we want to split up the existing session setup code (This used to be commit b74fda69bf23207c26d8b2af23910d8f2eb89875) --- source3/libsmb/cliconnect.c | 32 ++++++++++++++++++++------------ 1 file changed, 20 insertions(+), 12 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 94eda90a3b..6a01744240 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -31,11 +31,12 @@ static struct { prots[] = { {PROTOCOL_CORE,"PC NETWORK PROGRAM 1.0"}, + {PROTOCOL_COREPLUS,"MICROSOFT NETWORKS 1.03"}, + {PROTOCOL_LANMAN1,"MICROSOFT NETWORKS 3.0"}, {PROTOCOL_LANMAN1,"LANMAN1.0"}, - {PROTOCOL_LANMAN1,"Windows for Workgroups 3.1a"}, {PROTOCOL_LANMAN2,"LM1.2X002"}, - {PROTOCOL_NT1,"Samba"}, - {PROTOCOL_NT1,"LANMAN2.1"}, + {PROTOCOL_LANMAN2,"Samba"}, + {PROTOCOL_NT1,"NT LANMAN 1.0"}, {PROTOCOL_NT1,"NT LM 0.12"}, {-1,NULL} }; @@ -394,7 +395,7 @@ static BOOL cli_session_setup_kerberos(struct cli_state *cli, char *principle, c blob2 = cli_session_setup_blob(cli, negTokenTarg); /* we don't need this blob for kerberos */ - data_blob_free(blob2); + data_blob_free(&blob2); return !cli_is_error(cli); } @@ -428,12 +429,12 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user, /* and wrap it in a SPNEGO wrapper */ msg1 = gen_negTokenTarg(mechs, blob); - data_blob_free(blob); + data_blob_free(&blob); /* now send that blob on its way */ blob = cli_session_setup_blob(cli, msg1); - data_blob_free(msg1); + data_blob_free(&msg1); if (!NT_STATUS_EQUAL(cli_nt_error(cli), NT_STATUS_MORE_PROCESSING_REQUIRED)) { return False; @@ -445,18 +446,25 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user, /* the server gives us back two challenges */ if (!spnego_parse_challenge(blob, &chal1, &chal2)) { + DEBUG(3,("Failed to parse challenges\n")); return False; } - data_blob_free(blob); + data_blob_free(&blob); /* encrypt the password with the challenge */ memcpy(challenge, chal1.data + 24, 8); SMBencrypt(pass, challenge,lmhash); SMBNTencrypt(pass, challenge,nthash); - data_blob_free(chal1); - data_blob_free(chal2); +#if 0 + file_save("nthash.dat", nthash, 24); + file_save("lmhash.dat", lmhash, 24); + file_save("chal1.dat", chal1.data, chal1.length); +#endif + + data_blob_free(&chal1); + data_blob_free(&chal2); /* this generates the actual auth packet */ msrpc_gen(&blob, "CdBBUUUBd", @@ -473,13 +481,13 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user, /* wrap it in SPNEGO */ auth = spnego_gen_auth(blob); - data_blob_free(blob); + data_blob_free(&blob); /* now send the auth packet and we should be done */ blob = cli_session_setup_blob(cli, auth); - data_blob_free(auth); - data_blob_free(blob); + data_blob_free(&auth); + data_blob_free(&blob); return !cli_is_error(cli); } -- cgit From 5ad7448359c7bc1d3b1579f105b7324290bf21ec Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 18 Oct 2001 10:26:06 +0000 Subject: the beginnings of kerberos support in smbd. It doesn't work yet, but it should give something for others to hack on and possibly find what I'm doing wrong. (This used to be commit 353c290f059347265b9be2aa1010c2956da06485) --- source3/libsmb/cliconnect.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 6a01744240..4fba54900d 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -392,6 +392,10 @@ static BOOL cli_session_setup_kerberos(struct cli_state *cli, char *principle, c if (!negTokenTarg.data) return False; +#if 0 + file_save("negTokenTarg.dat", negTokenTarg.data, negTokenTarg.length); +#endif + blob2 = cli_session_setup_blob(cli, negTokenTarg); /* we don't need this blob for kerberos */ -- cgit From cbe31055f8deb5844b34e8f1b32e27c830d134ed Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 21 Oct 2001 00:11:22 +0000 Subject: support both old and new kerberos OIDs (This used to be commit eac164c7e650a8f855e7b662b126a5dfc5516927) --- source3/libsmb/cliconnect.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 4fba54900d..e24f081c69 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -528,7 +528,8 @@ static BOOL cli_session_setup_spnego(struct cli_state *cli, char *user, /* make sure the server understands kerberos */ for (i=0;OIDs[i];i++) { DEBUG(3,("got OID=%s\n", OIDs[i])); - if (strcmp(OIDs[i], OID_KERBEROS5_OLD) == 0) { + if (strcmp(OIDs[i], OID_KERBEROS5_OLD) == 0 || + strcmp(OIDs[i], OID_KERBEROS5) == 0) { got_kerberos_mechanism = True; } free(OIDs[i]); -- cgit From bbcd9deb07fe0cfcb2911093e1c99d30b210e7d2 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Sun, 21 Oct 2001 03:25:34 +0000 Subject: made smbclient cope better with arbitrary principle forms (This used to be commit d1341d74b7aa5f6b3f72e5409b245f87f1ad670b) --- source3/libsmb/cliconnect.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index e24f081c69..11825ab036 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -387,6 +387,8 @@ static BOOL cli_session_setup_kerberos(struct cli_state *cli, char *principle, c { DATA_BLOB blob2, negTokenTarg; + d_printf("Doing kerberos session setup\n"); + /* generate the encapsulated kerberos5 ticket */ negTokenTarg = spnego_gen_negTokenTarg(cli, principle); @@ -509,6 +511,8 @@ static BOOL cli_session_setup_spnego(struct cli_state *cli, char *user, int i; BOOL got_kerberos_mechanism = False; + d_printf("Doing spnego session setup\n"); + /* the server might not even do spnego */ if (cli->secblob.length == 16) { DEBUG(3,("server didn't supply a full spnego negprot\n")); -- cgit From cfd68eaac48a29dec245dc6de03aae0d58698862 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sun, 21 Oct 2001 20:51:27 +0000 Subject: Ok, I know it's a language thing and it shouldn't matter.... but a kerberos name is a "principal", not a principle. English majors will complain :-). Jeremy. (This used to be commit b668d7d656cdd066820fb8044f24bcd4fda29524) --- source3/libsmb/cliconnect.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 11825ab036..dc8c7c2957 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -383,14 +383,14 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) /**************************************************************************** do a spnego/kerberos encrypted session setup ****************************************************************************/ -static BOOL cli_session_setup_kerberos(struct cli_state *cli, char *principle, char *workgroup) +static BOOL cli_session_setup_kerberos(struct cli_state *cli, char *principal, char *workgroup) { DATA_BLOB blob2, negTokenTarg; d_printf("Doing kerberos session setup\n"); /* generate the encapsulated kerberos5 ticket */ - negTokenTarg = spnego_gen_negTokenTarg(cli, principle); + negTokenTarg = spnego_gen_negTokenTarg(cli, principal); if (!negTokenTarg.data) return False; @@ -505,7 +505,7 @@ do a spnego encrypted session setup static BOOL cli_session_setup_spnego(struct cli_state *cli, char *user, char *pass, char *workgroup) { - char *principle; + char *principal; char *OIDs[ASN1_MAX_OIDS]; uint8 guid[16]; int i; @@ -525,7 +525,7 @@ static BOOL cli_session_setup_spnego(struct cli_state *cli, char *user, /* the server sent us the first part of the SPNEGO exchange in the negprot reply */ - if (!spnego_parse_negTokenInit(cli->secblob, guid, OIDs, &principle)) { + if (!spnego_parse_negTokenInit(cli->secblob, guid, OIDs, &principal)) { return False; } @@ -538,17 +538,17 @@ static BOOL cli_session_setup_spnego(struct cli_state *cli, char *user, } free(OIDs[i]); } - DEBUG(3,("got principle=%s\n", principle)); + DEBUG(3,("got principal=%s\n", principal)); fstrcpy(cli->user_name, user); #if HAVE_KRB5 if (got_kerberos_mechanism && cli->use_kerberos) { - return cli_session_setup_kerberos(cli, principle, workgroup); + return cli_session_setup_kerberos(cli, principal, workgroup); } #endif - free(principle); + free(principal); ntlmssp: -- cgit From 4ccdb15532ef707dea44e2c7316e2a3334abab86 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 22 Oct 2001 06:48:35 +0000 Subject: a quick fix to get rpcclient working again. This just disables NTLMSSP in cli_establish_connection() What we really need to do is kill off the pwd_cache code. It is horrible, and assumes the challenge comes in the negprot reply. (This used to be commit 3f919b4360b3bfcc133f7d88bc5177e9d93f2db2) --- source3/libsmb/cliconnect.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index dc8c7c2957..2dad0247b2 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1087,6 +1087,10 @@ BOOL cli_establish_connection(struct cli_state *cli, return False; } + /* cli_establish_connection() can't handle spnego yet. Once we get rid of + pwd_cache and other horrors we can get rid of this */ + cli->use_spnego = False; + if (cli->fd == -1) { if (!cli_connect(cli, dest_host, dest_ip)) -- cgit From b8fe0f6711977412f8a7103022b01f3428d9c3a0 Mon Sep 17 00:00:00 2001 From: Herb Lewis Date: Tue, 23 Oct 2001 20:39:38 +0000 Subject: more compiler warnings (This used to be commit 12c10e876ea528fdf33e8ecfe42ab0ebb346b143) --- source3/libsmb/cliconnect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 2dad0247b2..680f30900e 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -460,8 +460,8 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user, /* encrypt the password with the challenge */ memcpy(challenge, chal1.data + 24, 8); - SMBencrypt(pass, challenge,lmhash); - SMBNTencrypt(pass, challenge,nthash); + SMBencrypt((unsigned char *)pass, challenge,lmhash); + SMBNTencrypt((unsigned char *)pass, challenge,nthash); #if 0 file_save("nthash.dat", nthash, 24); -- cgit From fab88997b021ad66dd7f03220d95d1f7ee315140 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 29 Oct 2001 08:12:44 +0000 Subject: This patch applied, except without the structure changes to nmblib.c Andrew Bartlett. From kai@cmail.ru Mon Oct 29 18:50:42 2001 Date: Fri, 19 Oct 2001 17:26:06 +0300 From: Andrew V. Samoilov To: samba-technical@lists.samba.org Subject: [patch]: makes some arrays const to be shared between processes Hi! This patch makes some arrays const. So these arrays go to text/rodata segment and are shared between all of the processes which use shared library with these arrays. Regards, Andrew V. Samoilov. P.S. Please cc your answer to kai@cmail.ru, I don't subscribed to this list. ChangeLog: * cliconnect.c (prots): Make const. * clierror.c (rap_errmap): Likewise. * nmblib.c (nmb_header_opcode_names): Likewise. (lookup_opcode_name): Make opcode_namep const. Eliminate i. * nterr.c (nt_err_code_struct): Typedef const. * smberr.c (err_code_struct): Make const. (err_classes): Likewise. (This used to be commit cb84485a2b0e1fdcb6fa90e0bfb97e125ae1b3dd) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 680f30900e..aae21cb6d9 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -24,7 +24,7 @@ #include "includes.h" -static struct { +static const struct { int prot; const char *name; } -- cgit From b09c745991e133d455fd8db586729b7e82d92935 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 5 Nov 2001 05:41:32 +0000 Subject: merge from 2.2. Why is STR_CONVERT missing when comparing 2.2 to HEAD? (This used to be commit 4f47daf97b9e74ec75287f46e2c4aeddc944779e) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index aae21cb6d9..2a84b69faa 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -89,7 +89,7 @@ static BOOL cli_session_setup_lanman2(struct cli_state *cli, char *user, p = smb_buf(cli->outbuf); memcpy(p,pword,passlen); p += passlen; - p += clistr_push(cli, p, user, -1, STR_UPPER|STR_TERMINATE); + p += clistr_push(cli, p, user, -1, STR_TERMINATE); cli_setup_bcc(cli, p); cli_send_smb(cli); -- cgit From 366026d2f46848152bb769181867f8cde2eaaf4e Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 5 Nov 2001 15:18:17 +0000 Subject: free the negTokenInit structure (This used to be commit 5b1c942a5cab828ebfcf2e8f5decb754c4cdb70e) --- source3/libsmb/cliconnect.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 2a84b69faa..096d8cb24a 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -403,6 +403,8 @@ static BOOL cli_session_setup_kerberos(struct cli_state *cli, char *principal, c /* we don't need this blob for kerberos */ data_blob_free(&blob2); + data_blob_free(&negTokenTarg); + return !cli_is_error(cli); } #endif -- cgit From 742dc2313c951f85ff66f0a8121790d0e291a19c Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 14 Nov 2001 04:15:36 +0000 Subject: Removed the "reestablish" code. Tridge - scream if this was needed.... Jeremy. (This used to be commit e6afe40f85d7dbe79322c82dac735d901e7e71df) --- source3/libsmb/cliconnect.c | 51 --------------------------------------------- 1 file changed, 51 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 096d8cb24a..a6632803b2 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1018,57 +1018,6 @@ BOOL cli_connect(struct cli_state *cli, const char *host, struct in_addr *ip) return True; } -/**************************************************************************** -re-establishes a connection -****************************************************************************/ -BOOL cli_reestablish_connection(struct cli_state *cli) -{ - struct nmb_name calling; - struct nmb_name called; - fstring dest_host; - fstring share; - fstring dev; - BOOL do_tcon = False; - int oldfd = cli->fd; - - if (!cli->initialised || cli->fd == -1) - { - DEBUG(3,("cli_reestablish_connection: not connected\n")); - return False; - } - - /* copy the parameters necessary to re-establish the connection */ - - if (cli->cnum != 0) - { - fstrcpy(share, cli->share); - fstrcpy(dev , cli->dev); - do_tcon = True; - } - - memcpy(&called , &(cli->called ), sizeof(called )); - memcpy(&calling, &(cli->calling), sizeof(calling)); - fstrcpy(dest_host, cli->full_dest_host_name); - - DEBUG(5,("cli_reestablish_connection: %s connecting to %s (ip %s) - %s [%s]\n", - nmb_namestr(&calling), nmb_namestr(&called), - inet_ntoa(cli->dest_ip), - cli->user_name, cli->domain)); - - cli->fd = -1; - - if (cli_establish_connection(cli, - dest_host, &cli->dest_ip, - &calling, &called, - share, dev, False, do_tcon)) { - if ((cli->fd != oldfd) && (oldfd != -1)) { - close( oldfd ); - } - return True; - } - return False; -} - /**************************************************************************** establishes a connection right up to doing tconX, reading in a password. ****************************************************************************/ -- cgit From fcbcfb667feaa5f670d589d084aa85cdb66443e0 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 20 Nov 2001 08:45:22 +0000 Subject: - make sure we use a non-zero session id so we can have multiple conns open to w2k - fix the string handling in the device name to match NT and smbd - don't pull the domain from negprot if CAP_EXTENDED_SECURITY is set (This used to be commit 618989b386b5564ba140afdc17ce7a07040c3c4e) --- source3/libsmb/cliconnect.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index a6632803b2..f5d6c5a7f4 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -341,7 +341,7 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) CVAL(cli->outbuf,smb_vwv0) = 0xFF; SSVAL(cli->outbuf,smb_vwv2,CLI_BUFFER_SIZE); SSVAL(cli->outbuf,smb_vwv3,2); - SSVAL(cli->outbuf,smb_vwv4,0); + SSVAL(cli->outbuf,smb_vwv4,1); SIVAL(cli->outbuf,smb_vwv5,0); SSVAL(cli->outbuf,smb_vwv7,blob.length); SIVAL(cli->outbuf,smb_vwv10,capabilities); @@ -710,17 +710,12 @@ BOOL cli_send_tconX(struct cli_state *cli, return False; } - fstrcpy(cli->dev, "A:"); - - if (cli->protocol >= PROTOCOL_NT1) { - clistr_pull(cli, cli->dev, smb_buf(cli->inbuf), sizeof(fstring), -1, STR_TERMINATE); - } + clistr_pull(cli, cli->dev, smb_buf(cli->inbuf), sizeof(fstring), -1, STR_TERMINATE|STR_ASCII); if (strcasecmp(share,"IPC$")==0) { fstrcpy(cli->dev, "IPC"); } - /* only grab the device if we have a recent protocol level */ if (cli->protocol >= PROTOCOL_NT1 && smb_buflen(cli->inbuf) == 3) { /* almost certainly win95 - enable bug fixes */ @@ -844,7 +839,8 @@ BOOL cli_negprot(struct cli_state *cli) cli->writebraw_supported = True; } /* work out if they sent us a workgroup */ - if (smb_buflen(cli->inbuf) > 8) { + if (!(cli->capabilities & CAP_EXTENDED_SECURITY) && + smb_buflen(cli->inbuf) > 8) { clistr_pull(cli, cli->server_domain, smb_buf(cli->inbuf)+8, sizeof(cli->server_domain), smb_buflen(cli->inbuf)-8, STR_UNICODE|STR_NOALIGN); -- cgit From d0a2faf78d316fec200497f5f7997df4c477a1e1 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 24 Nov 2001 12:12:38 +0000 Subject: This is another rather major change to the samba authenticaion subystem. The particular aim is to modularized the interface - so that we can have arbitrary password back-ends. This code adds one such back-end, a 'winbind' module to authenticate against the winbind_auth_crap functionality. While fully-functional this code is mainly useful as a demonstration, because we don't get back the info3 as we would for direct ntdomain authentication. This commit introduced the new 'auth methods' parameter, in the spirit of the 'auth order' discussed on the lists. It is renamed because not all the methods may be consulted, even if previous methods fail - they may not have a suitable challenge for example. Also, we have a 'local' authentication method, for old-style 'unix if plaintext, sam if encrypted' authentication and a 'guest' module to handle guest logins in a single place. While this current design is not ideal, I feel that it does provide a better infrastructure than the current design, and can be built upon. The following parameters have changed: - use rhosts = This has been replaced by the 'rhosts' authentication method, and can be specified like 'auth methods = guest rhosts' - hosts equiv = This needs both this parameter and an 'auth methods' entry to be effective. (auth methods = guest hostsequiv ....) - plaintext to smbpasswd = This is replaced by specifying 'sam' rather than 'local' in the auth methods. The security = parameter is unchanged, and now provides defaults for the 'auth methods' parameter. The available auth methods are: guest rhosts hostsequiv sam (passdb direct hash access) unix (PAM, crypt() etc) local (the combination of the above, based on encryption) smbserver (old security=server) ntdomain (old security=domain) winbind (use winbind to cache DC connections) Assistance in testing, or the production of new and interesting authentication modules is always appreciated. Andrew Bartlett (This used to be commit 8d31eae52a9757739711dbb82035a4dfe6b40c99) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index f5d6c5a7f4..4ea19db9ec 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -197,7 +197,7 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, char *user, int passlen; char *p; - passlen = clistr_push(cli, pword, pass, sizeof(pword), STR_TERMINATE); + passlen = clistr_push(cli, pword, pass, sizeof(pword), STR_TERMINATE|STR_ASCII); set_message(cli->outbuf,13,0,True); CVAL(cli->outbuf,smb_com) = SMBsesssetupX; -- cgit From a71f3f66a1b47a70e402c4d82736f376449b923c Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 25 Nov 2001 02:35:37 +0000 Subject: Add a new torture test to extract a NT->DOS error map from an NT member of a samba domain. The PDC must be running a special authenticaion module that spits out NT errors based on username. Andrew Bartlett (This used to be commit adc7a6048c13342b79b6228beafb5142c50f318d) --- source3/libsmb/cliconnect.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 4ea19db9ec..ed4bfcd9e3 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -117,10 +117,7 @@ static uint32 cli_session_setup_capabilities(struct cli_state *cli) { uint32 capabilities = CAP_NT_SMBS; - /* Set the CLI_FORCE_DOSERR environment variable to test - client routines using DOS errors instead of STATUS32 - ones. This intended only as a temporary hack. */ - if (!getenv("CLI_FORCE_DOSERR")) { + if (!cli->force_dos_errors) { capabilities |= CAP_STATUS32; } -- cgit From 26f1e3f83cb14c5edef081b6cb20d965bc6ba5b7 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 26 Nov 2001 00:45:51 +0000 Subject: use DEBUG() not d_printf() in libraries (This used to be commit 5100ae4ae032545edaf525de1dfbe5dc9dafecfc) --- source3/libsmb/cliconnect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index ed4bfcd9e3..ffbc54ea5e 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -384,7 +384,7 @@ static BOOL cli_session_setup_kerberos(struct cli_state *cli, char *principal, c { DATA_BLOB blob2, negTokenTarg; - d_printf("Doing kerberos session setup\n"); + DEBUG(2,("Doing kerberos session setup\n")); /* generate the encapsulated kerberos5 ticket */ negTokenTarg = spnego_gen_negTokenTarg(cli, principal); @@ -510,7 +510,7 @@ static BOOL cli_session_setup_spnego(struct cli_state *cli, char *user, int i; BOOL got_kerberos_mechanism = False; - d_printf("Doing spnego session setup\n"); + DEBUG(2,("Doing spnego session setup (blob length=%d)\n", cli->secblob.length)); /* the server might not even do spnego */ if (cli->secblob.length == 16) { -- cgit From 585d0efbc6428e5876d354fee49c241c1bad809d Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 26 Nov 2001 03:11:44 +0000 Subject: Got medieval on another pointless extern. Removed extern struct ipzero and replaced with two functions: void zero_ip(struct in_adder *ip); BOOL is_zero_ip(struct in_addr ip); (This used to be commit 778f5f77a66cda76348a7c6f64cd63afe2bfe077) --- source3/libsmb/cliconnect.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index ffbc54ea5e..314ac6638a 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -972,12 +972,11 @@ open the client sockets ****************************************************************************/ BOOL cli_connect(struct cli_state *cli, const char *host, struct in_addr *ip) { - extern struct in_addr ipzero; extern pstring user_socket_options; fstrcpy(cli->desthost, host); - if (!ip || ip_equal(*ip, ipzero)) { + if (!ip || is_zero_ip(*ip)) { if (!resolve_name( cli->desthost, &cli->dest_ip, 0x20)) { return False; } -- cgit From eec9e8a052407611df223fec982588e7a2bd7f49 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 28 Nov 2001 03:56:30 +0000 Subject: fix a bunch of places where we can double-free a cli structure (This used to be commit e2ba2383c9f679c076749a8f4fccefc3559e37ec) --- source3/libsmb/cliconnect.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 314ac6638a..ba4bedf8ab 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1144,7 +1144,7 @@ BOOL cli_establish_connection(struct cli_state *cli, { DEBUG(1,("failed tcon_X\n")); if (do_shutdown) - cli_shutdown(cli); + cli_shutdown(cli); return False; } } @@ -1196,9 +1196,9 @@ BOOL attempt_netbios_session_request(struct cli_state *cli, char *srchost, char DEBUG(0,("attempt_netbios_session_request: %s rejected the session for name *SMBSERVER \ with error %s.\n", desthost, cli_errstr(cli) )); - cli_shutdown(cli); - return False; - } + cli_shutdown(cli); + return False; + } cli_shutdown(cli); -- cgit From b1ade347057438e05fcb412ba6d4c59d9ad0a4db Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 28 Nov 2001 05:49:36 +0000 Subject: fixed a core dump in server level security (This used to be commit e790bb21d3895bef97522b68c6f00812e6c286f2) --- source3/libsmb/cliconnect.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index ba4bedf8ab..0fceac70e2 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -258,8 +258,10 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, char *user, /* non encrypted password supplied. */ passlen = 24; ntpasslen = 24; - clistr_push(cli, pword, pass, sizeof(pword), STR_TERMINATE); - clistr_push(cli, ntpword, ntpass, sizeof(ntpword), STR_TERMINATE); + clistr_push(cli, pword, + pass?pass:"", sizeof(pword), STR_TERMINATE|STR_ASCII); + clistr_push(cli, ntpword, + ntpass?ntpass:"", sizeof(ntpword), STR_TERMINATE|STR_ASCII); SMBencrypt((uchar *)pword,cli->secblob.data,(uchar *)pword); SMBNTencrypt((uchar *)ntpword,cli->secblob.data,(uchar *)ntpword); } else { -- cgit From f6b962fba37a1ac105301d699708e541ce34d3b4 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 28 Nov 2001 23:54:07 +0000 Subject: fixed some krb5 ifdefs (This used to be commit 23ef22f11700bbaa5778a9678a990a2b041fcefe) --- source3/libsmb/cliconnect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 0fceac70e2..cfbb6d6222 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -378,7 +378,7 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) } -#if HAVE_KRB5 +#ifdef HAVE_KRB5 /**************************************************************************** do a spnego/kerberos encrypted session setup ****************************************************************************/ @@ -543,7 +543,7 @@ static BOOL cli_session_setup_spnego(struct cli_state *cli, char *user, fstrcpy(cli->user_name, user); -#if HAVE_KRB5 +#ifdef HAVE_KRB5 if (got_kerberos_mechanism && cli->use_kerberos) { return cli_session_setup_kerberos(cli, principal, workgroup); } -- cgit From 3ea7519b061a464ecec55341f218802ca0c2eb47 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 3 Dec 2001 07:42:18 +0000 Subject: This change reworkes the connection code for both rpcclient and net new 'net' untility. This should make it easier to port rpcclient code across to net. It also allows SPNEGO (the NTLMSSP subsystem in particular) to work, becouse it kills off the early destruction of the clear-text password. Andrew Bartlett (This used to be commit eee925861a3af3aa16efa3b1700a980c9510c14e) --- source3/libsmb/cliconnect.c | 114 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 113 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index cfbb6d6222..1494608f8d 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1013,7 +1013,7 @@ BOOL cli_connect(struct cli_state *cli, const char *host, struct in_addr *ip) } /**************************************************************************** -establishes a connection right up to doing tconX, reading in a password. +establishes a connection right up to doing tconX, password in cache. ****************************************************************************/ BOOL cli_establish_connection(struct cli_state *cli, char *dest_host, struct in_addr *dest_ip, @@ -1158,6 +1158,118 @@ BOOL cli_establish_connection(struct cli_state *cli, return True; } +/* Initialise client credentials for authenticated pipe access */ + +static void init_creds(struct ntuser_creds *creds, char* username, + char* domain, char* password, int pass_len) +{ + ZERO_STRUCTP(creds); + + pwd_set_cleartext(&creds->pwd, password); + + fstrcpy(creds->user_name, username); + fstrcpy(creds->domain, domain); + + if (!*username) { + creds->pwd.null_pwd = True; + } +} + +/**************************************************************************** +establishes a connection right up to doing tconX, password specified. +****************************************************************************/ +NTSTATUS cli_full_connection(struct cli_state **output_cli, + const char *my_name, const char *dest_host, + struct in_addr *dest_ip, int port, + char *service, char *service_type, + char *user, char *domain, + char *password, int pass_len) +{ + struct ntuser_creds creds; + NTSTATUS nt_status; + struct nmb_name calling; + struct nmb_name called; + struct cli_state *cli; + struct in_addr ip; + + make_nmb_name(&calling, my_name, 0x0); + make_nmb_name(&called , dest_host, 0x20); + +again: + + if (!(cli = cli_initialise(NULL))) { + return NT_STATUS_NO_MEMORY; + } + + if (cli_set_port(cli, port) != port) { + return NT_STATUS_UNSUCCESSFUL; + } + + ip = *dest_ip; + + DEBUG(3,("Connecting to host=%s share=%s\n\n", + dest_host, service)); + + if (!cli_connect(cli, dest_host, &ip)) + { + DEBUG(1,("cli_establish_connection: failed to connect to %s (%s)\n", + nmb_namestr(&called), inet_ntoa(*dest_ip))); + return NT_STATUS_UNSUCCESSFUL; + } + + if (!cli_session_request(cli, &calling, &called)) { + char *p; + DEBUG(1,("session request to %s failed (%s)\n", + called.name, cli_errstr(cli))); + cli_shutdown(cli); + if ((p=strchr(called.name, '.'))) { + *p = 0; + goto again; + } + if (strcmp(called.name, "*SMBSERVER")) { + make_nmb_name(&called , "*SMBSERVER", 0x20); + goto again; + } + return NT_STATUS_UNSUCCESSFUL; + } + + if (!cli_negprot(cli)) + { + DEBUG(1,("failed negprot\n")); + nt_status = cli_nt_error(cli); + cli_shutdown(cli); + return nt_status; + } + + if (!cli_session_setup(cli, user, + password, pass_len, + NULL, 0, + domain)) + { + DEBUG(1,("failed session setup\n")); + nt_status = cli_nt_error(cli); + cli_shutdown(cli); + return nt_status; + } + + if (service) + { + if (!cli_send_tconX(cli, service, service_type, + (char*)password, pass_len)) + { + DEBUG(1,("failed tcon_X\n")); + nt_status = cli_nt_error(cli); + cli_shutdown(cli); + return nt_status; + } + } + + init_creds(&creds, user, domain, password, pass_len); + cli_init_creds(cli, &creds); + + *output_cli = cli; + return NT_STATUS_OK; +} /**************************************************************************** Attempt a NetBIOS session request, falling back to *SMBSERVER if needed. -- cgit From 0dc386855fb341ee820be591d92300d7518f7a7b Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 4 Dec 2001 00:07:08 +0000 Subject: when using non-encrypted password ignore the ntpass variable to session setup (This used to be commit c7665706cd5633ede710afe41413624124038238) --- source3/libsmb/cliconnect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 1494608f8d..512607fc11 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -255,13 +255,13 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, char *user, } if (passlen != 24) { - /* non encrypted password supplied. */ + /* non encrypted password supplied. Ignore ntpass. */ passlen = 24; ntpasslen = 24; clistr_push(cli, pword, pass?pass:"", sizeof(pword), STR_TERMINATE|STR_ASCII); clistr_push(cli, ntpword, - ntpass?ntpass:"", sizeof(ntpword), STR_TERMINATE|STR_ASCII); + pass?pass:"", sizeof(ntpword), STR_TERMINATE|STR_ASCII); SMBencrypt((uchar *)pword,cli->secblob.data,(uchar *)pword); SMBNTencrypt((uchar *)ntpword,cli->secblob.data,(uchar *)ntpword); } else { -- cgit From 5ffe722a5585314cb1ba4533c0867c777e6b369b Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 11 Dec 2001 05:16:48 +0000 Subject: detect attempts to connect to names of the type NAME#xx and do a netbios lookup for name NAME with node type xx. This affects all our client progs. Very useful :) (This used to be commit b4304c5231159fc6295c445f2eb4470c179b8d5e) --- source3/libsmb/cliconnect.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 512607fc11..27034b012d 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -975,11 +975,19 @@ open the client sockets BOOL cli_connect(struct cli_state *cli, const char *host, struct in_addr *ip) { extern pstring user_socket_options; + int name_type = 0x20; + char *p; fstrcpy(cli->desthost, host); + + /* allow hostnames of the form NAME#xx and do a netbios lookup */ + if ((p = strchr(cli->desthost, '#'))) { + name_type = strtol(p+1, NULL, 16); + *p = 0; + } if (!ip || is_zero_ip(*ip)) { - if (!resolve_name( cli->desthost, &cli->dest_ip, 0x20)) { + if (!resolve_name(cli->desthost, &cli->dest_ip, name_type)) { return False; } if (ip) *ip = cli->dest_ip; @@ -1328,3 +1336,5 @@ name *SMBSERVER with error %s\n", desthost, cli_errstr(cli) )); return True; } + + -- cgit From 70095b09c3cede75fdda6f52823957fab5dd980d Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 11 Dec 2001 05:48:27 +0000 Subject: handle a NULL hostname in cli_connect() (This used to be commit a181f49b4269baa1752ce6ed4f9093e38d2d3ce5) --- source3/libsmb/cliconnect.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 27034b012d..fc50e8e02f 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -978,6 +978,9 @@ BOOL cli_connect(struct cli_state *cli, const char *host, struct in_addr *ip) int name_type = 0x20; char *p; + /* reasonable default hostname */ + if (!host) host = "*SMBSERVER"; + fstrcpy(cli->desthost, host); /* allow hostnames of the form NAME#xx and do a netbios lookup */ -- cgit From 384ce26f5bdf27aadaea967b17ee6ca8549aca5a Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 21 Dec 2001 11:58:30 +0000 Subject: try to handle end of packet for not null terminated domain strings (This used to be commit 1da988456dbd885820093ae43c74e0ac66f72802) --- source3/libsmb/cliconnect.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index fc50e8e02f..d636e7e839 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -372,7 +372,9 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) p += blob2.length; p += clistr_pull(cli, cli->server_os, p, sizeof(fstring), -1, STR_TERMINATE); p += clistr_pull(cli, cli->server_type, p, sizeof(fstring), -1, STR_TERMINATE); - p += clistr_pull(cli, cli->server_domain, p, sizeof(fstring), -1, STR_TERMINATE); + p += clistr_pull(cli, cli->server_domain, p, sizeof(fstring), + smb_buflen(cli->inbuf) - PTR_DIFF(p, smb_buf(cli->inbuf)), + 0); return blob2; } -- cgit From caaac2803a52969312a633c2f6e0c446a944dffe Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 21 Dec 2001 12:29:51 +0000 Subject: - handle kerberos session setup reply with broken null termination - don't display Domain=[] for auth protocols that don't give us a domain (This used to be commit 20368455ea59e6e9b85632848bbe92069e7b0f38) --- source3/libsmb/cliconnect.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index d636e7e839..75560da676 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -325,6 +325,7 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) uint32 capabilities = cli_session_setup_capabilities(cli); char *p; DATA_BLOB blob2; + uint32 len; blob2 = data_blob(NULL, 0); @@ -371,10 +372,10 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) p += blob2.length; p += clistr_pull(cli, cli->server_os, p, sizeof(fstring), -1, STR_TERMINATE); - p += clistr_pull(cli, cli->server_type, p, sizeof(fstring), -1, STR_TERMINATE); - p += clistr_pull(cli, cli->server_domain, p, sizeof(fstring), - smb_buflen(cli->inbuf) - PTR_DIFF(p, smb_buf(cli->inbuf)), - 0); + + /* w2k with kerberos doesn't properly null terminate this field */ + len = smb_buflen(cli->inbuf) - PTR_DIFF(p, smb_buf(cli->inbuf)); + p += clistr_pull(cli, cli->server_type, p, sizeof(fstring), len, 0); return blob2; } -- cgit From af7bd393dabc51cedafc1ea24cc9f7101c81f4bf Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 31 Dec 2001 13:06:10 +0000 Subject: Ensure the output cli can't have spurious values if the connection fails... (This used to be commit 2d1612dd3560bb5ef35fa1eeee00e3d7976bcd62) --- source3/libsmb/cliconnect.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 75560da676..bd79f23213 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1205,7 +1205,13 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, struct nmb_name called; struct cli_state *cli; struct in_addr ip; - + + if (!output_cli) { + DEBUG(0, ("output_cli is NULL!?!")); + } + + *output_cli = NULL; + make_nmb_name(&calling, my_name, 0x0); make_nmb_name(&called , dest_host, 0x20); -- cgit From 969d82ef25a7ae13cc1c7ba2a4f2f920e37b41be Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Sun, 6 Jan 2002 04:03:26 +0000 Subject: Check for winbind separator in user name for cli_session_setup() Patch from Alexander Bokovoy (This used to be commit 6c42bf208976ed3020e57efff6281f984d9fe893) --- source3/libsmb/cliconnect.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index bd79f23213..a3b22485cf 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -576,7 +576,8 @@ BOOL cli_session_setup(struct cli_state *cli, /* allow for workgroups as part of the username */ fstrcpy(user2, user); - if ((p=strchr_m(user2,'\\')) || (p=strchr_m(user2,'/'))) { + if ((p=strchr_m(user2,'\\')) || (p=strchr_m(user2,'/')) || + (p=strchr_m(user2,*lp_winbind_separator()))) { *p = 0; user = p+1; workgroup = user2; -- cgit From 4acb3125cd42728e2bb3f971bfb9373decc1d0fb Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 11 Jan 2002 04:50:45 +0000 Subject: Fix up 'net ads join' to delete and rejoin if the account already exists. This fixes up a problem where a machine would join (or downgrade by trust password change) to NT4 membership and not be able to regain full ADS membership until a 'net ads leave'. Andrew Bartlett (This used to be commit ab8ff85f03b25a0dfe4ab63886a10da81207393c) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index a3b22485cf..7649a88ffd 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1257,7 +1257,7 @@ again: if (!cli_negprot(cli)) { DEBUG(1,("failed negprot\n")); - nt_status = cli_nt_error(cli); + nt_status = NT_STATUS_UNSUCCESSFUL; cli_shutdown(cli); return nt_status; } -- cgit From 27655be3c1708d447b046a2b0d8b2013eeb21835 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 11 Jan 2002 13:14:28 +0000 Subject: fixed a crash bug in domain auth caused by an uninitialised nt_status (This used to be commit 0b0b937b58f4bf4e005fb622f0db19175fc46a47) --- source3/libsmb/cliconnect.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 7649a88ffd..1812416426 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1270,6 +1270,7 @@ again: DEBUG(1,("failed session setup\n")); nt_status = cli_nt_error(cli); cli_shutdown(cli); + if (NT_STATUS_IS_OK(nt_status)) nt_status = NT_STATUS_UNSUCCESSFUL; return nt_status; } @@ -1281,6 +1282,7 @@ again: DEBUG(1,("failed tcon_X\n")); nt_status = cli_nt_error(cli); cli_shutdown(cli); + if (NT_STATUS_IS_OK(nt_status)) nt_status = NT_STATUS_UNSUCCESSFUL; return nt_status; } } -- cgit From d6823366b881612234ab0655adb11c594f864c4a Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 11 Jan 2002 19:10:25 +0000 Subject: Same fix as went into 2.2 (I'm waiting for jerry to finish some code). Jeremy. (This used to be commit 01ff6ce4963e1daff019f2b936cef218e1c93f67) --- source3/libsmb/cliconnect.c | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 1812416426..08d9f3b382 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -76,10 +76,10 @@ static BOOL cli_session_setup_lanman2(struct cli_state *cli, char *user, /* send a session setup command */ memset(cli->outbuf,'\0',smb_size); set_message(cli->outbuf,10, 0, True); - CVAL(cli->outbuf,smb_com) = SMBsesssetupX; + SCVAL(cli->outbuf,smb_com,SMBsesssetupX); cli_setup_packet(cli); - CVAL(cli->outbuf,smb_vwv0) = 0xFF; + SCVAL(cli->outbuf,smb_vwv0,0xFF); SSVAL(cli->outbuf,smb_vwv2,cli->max_xmit); SSVAL(cli->outbuf,smb_vwv3,2); SSVAL(cli->outbuf,smb_vwv4,1); @@ -142,10 +142,10 @@ static BOOL cli_session_setup_guest(struct cli_state *cli) uint32 capabilities = cli_session_setup_capabilities(cli); set_message(cli->outbuf,13,0,True); - CVAL(cli->outbuf,smb_com) = SMBsesssetupX; + SCVAL(cli->outbuf,smb_com,SMBsesssetupX); cli_setup_packet(cli); - CVAL(cli->outbuf,smb_vwv0) = 0xFF; + SCVAL(cli->outbuf,smb_vwv0,0xFF); SSVAL(cli->outbuf,smb_vwv2,CLI_BUFFER_SIZE); SSVAL(cli->outbuf,smb_vwv3,2); SSVAL(cli->outbuf,smb_vwv4,cli->pid); @@ -197,10 +197,10 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, char *user, passlen = clistr_push(cli, pword, pass, sizeof(pword), STR_TERMINATE|STR_ASCII); set_message(cli->outbuf,13,0,True); - CVAL(cli->outbuf,smb_com) = SMBsesssetupX; + SCVAL(cli->outbuf,smb_com,SMBsesssetupX); cli_setup_packet(cli); - CVAL(cli->outbuf,smb_vwv0) = 0xFF; + SCVAL(cli->outbuf,smb_vwv0,0xFF); SSVAL(cli->outbuf,smb_vwv2,CLI_BUFFER_SIZE); SSVAL(cli->outbuf,smb_vwv3,2); SSVAL(cli->outbuf,smb_vwv4,cli->pid); @@ -273,10 +273,10 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, char *user, memset(cli->outbuf,'\0',smb_size); set_message(cli->outbuf,13,0,True); - CVAL(cli->outbuf,smb_com) = SMBsesssetupX; + SCVAL(cli->outbuf,smb_com,SMBsesssetupX); cli_setup_packet(cli); - CVAL(cli->outbuf,smb_vwv0) = 0xFF; + SCVAL(cli->outbuf,smb_vwv0,0xFF); SSVAL(cli->outbuf,smb_vwv2,CLI_BUFFER_SIZE); SSVAL(cli->outbuf,smb_vwv3,2); SSVAL(cli->outbuf,smb_vwv4,cli->pid); @@ -335,10 +335,10 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) memset(cli->outbuf,'\0',smb_size); set_message(cli->outbuf,12,0,True); - CVAL(cli->outbuf,smb_com) = SMBsesssetupX; + SCVAL(cli->outbuf,smb_com,SMBsesssetupX); cli_setup_packet(cli); - CVAL(cli->outbuf,smb_vwv0) = 0xFF; + SCVAL(cli->outbuf,smb_vwv0,0xFF); SSVAL(cli->outbuf,smb_vwv2,CLI_BUFFER_SIZE); SSVAL(cli->outbuf,smb_vwv3,2); SSVAL(cli->outbuf,smb_vwv4,1); @@ -633,7 +633,7 @@ BOOL cli_ulogoff(struct cli_state *cli) { memset(cli->outbuf,'\0',smb_size); set_message(cli->outbuf,2,0,True); - CVAL(cli->outbuf,smb_com) = SMBulogoffX; + SCVAL(cli->outbuf,smb_com,SMBulogoffX); cli_setup_packet(cli); SSVAL(cli->outbuf,smb_vwv0,0xFF); SSVAL(cli->outbuf,smb_vwv2,0); /* no additional info */ @@ -691,7 +691,7 @@ BOOL cli_send_tconX(struct cli_state *cli, } set_message(cli->outbuf,4, 0, True); - CVAL(cli->outbuf,smb_com) = SMBtconX; + SCVAL(cli->outbuf,smb_com,SMBtconX); cli_setup_packet(cli); SSVAL(cli->outbuf,smb_vwv0,0xFF); @@ -737,7 +737,7 @@ BOOL cli_tdis(struct cli_state *cli) { memset(cli->outbuf,'\0',smb_size); set_message(cli->outbuf,0,0,True); - CVAL(cli->outbuf,smb_com) = SMBtdis; + SCVAL(cli->outbuf,smb_com,SMBtdis); SSVAL(cli->outbuf,smb_tid,cli->cnum); cli_setup_packet(cli); @@ -770,11 +770,11 @@ void cli_negprot_send(struct cli_state *cli) p += clistr_push(cli, p, prots[numprots].name, -1, STR_TERMINATE); } - CVAL(cli->outbuf,smb_com) = SMBnegprot; + SCVAL(cli->outbuf,smb_com,SMBnegprot); cli_setup_bcc(cli, p); cli_setup_packet(cli); - CVAL(smb_buf(cli->outbuf),0) = 2; + SCVAL(smb_buf(cli->outbuf),0,2); cli_send_smb(cli); } @@ -807,10 +807,10 @@ BOOL cli_negprot(struct cli_state *cli) p += clistr_push(cli, p, prots[numprots].name, -1, STR_TERMINATE); } - CVAL(cli->outbuf,smb_com) = SMBnegprot; + SCVAL(cli->outbuf,smb_com,SMBnegprot); cli_setup_packet(cli); - CVAL(smb_buf(cli->outbuf),0) = 2; + SCVAL(smb_buf(cli->outbuf),0,2); cli_send_smb(cli); if (!cli_receive_smb(cli)) @@ -905,7 +905,7 @@ BOOL cli_session_request(struct cli_state *cli, /* setup the packet length */ _smb_setlen(cli->outbuf,len); - CVAL(cli->outbuf,0) = 0x81; + SCVAL(cli->outbuf,0,0x81); #ifdef WITH_SSL retry: -- cgit From 8d2d97b17647d4a9c6bc39cb87ae99dc3c86cc06 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 20 Jan 2002 07:13:05 +0000 Subject: Fix a couple of memory leaks in the cli_establish_connection() code's failure case. Thanks to Nigel Williams for spotting these! Andrew Bartlett (This used to be commit 20e0b562283f75606ac9a36f3f104c6aaa294c40) --- source3/libsmb/cliconnect.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 08d9f3b382..86ff6b5c92 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1223,6 +1223,7 @@ again: } if (cli_set_port(cli, port) != port) { + cli_shutdown(cli); return NT_STATUS_UNSUCCESSFUL; } @@ -1235,6 +1236,7 @@ again: { DEBUG(1,("cli_establish_connection: failed to connect to %s (%s)\n", nmb_namestr(&called), inet_ntoa(*dest_ip))); + cli_shutdown(cli); return NT_STATUS_UNSUCCESSFUL; } -- cgit From cd68afe31256ad60748b34f7318a180cfc2127cc Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 30 Jan 2002 06:08:46 +0000 Subject: Removed version number from file header. Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa) --- source3/libsmb/cliconnect.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 86ff6b5c92..b7828f4993 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1,6 +1,5 @@ /* - Unix SMB/Netbios implementation. - Version 3.0 + Unix SMB/CIFS implementation. client connect/disconnect routines Copyright (C) Andrew Tridgell 1994-1998 -- cgit From 87a3a0952c36bed774bcad884d14d749f4bb491d Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 6 Mar 2002 22:55:45 +0000 Subject: Removed duplicate \n from debug message. Small tidyups. (This used to be commit 252da94ebb279c47263dfae36fd016d0a29a6dbf) --- source3/libsmb/cliconnect.c | 34 +++++++++++++--------------------- 1 file changed, 13 insertions(+), 21 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index b7828f4993..d9df1fa640 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1206,9 +1206,8 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, struct cli_state *cli; struct in_addr ip; - if (!output_cli) { + if (!output_cli) DEBUG(0, ("output_cli is NULL!?!")); - } *output_cli = NULL; @@ -1217,9 +1216,8 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, again: - if (!(cli = cli_initialise(NULL))) { + if (!(cli = cli_initialise(NULL))) return NT_STATUS_NO_MEMORY; - } if (cli_set_port(cli, port) != port) { cli_shutdown(cli); @@ -1228,11 +1226,9 @@ again: ip = *dest_ip; - DEBUG(3,("Connecting to host=%s share=%s\n\n", - dest_host, service)); + DEBUG(3,("Connecting to host=%s share=%s\n", dest_host, service)); - if (!cli_connect(cli, dest_host, &ip)) - { + if (!cli_connect(cli, dest_host, &ip)) { DEBUG(1,("cli_establish_connection: failed to connect to %s (%s)\n", nmb_namestr(&called), inet_ntoa(*dest_ip))); cli_shutdown(cli); @@ -1255,35 +1251,31 @@ again: return NT_STATUS_UNSUCCESSFUL; } - if (!cli_negprot(cli)) - { + if (!cli_negprot(cli)) { DEBUG(1,("failed negprot\n")); nt_status = NT_STATUS_UNSUCCESSFUL; cli_shutdown(cli); return nt_status; } - if (!cli_session_setup(cli, user, - password, pass_len, - NULL, 0, - domain)) - { + if (!cli_session_setup(cli, user, password, pass_len, NULL, 0, + domain)) { DEBUG(1,("failed session setup\n")); nt_status = cli_nt_error(cli); cli_shutdown(cli); - if (NT_STATUS_IS_OK(nt_status)) nt_status = NT_STATUS_UNSUCCESSFUL; + if (NT_STATUS_IS_OK(nt_status)) + nt_status = NT_STATUS_UNSUCCESSFUL; return nt_status; } - if (service) - { + if (service) { if (!cli_send_tconX(cli, service, service_type, - (char*)password, pass_len)) - { + (char*)password, pass_len)) { DEBUG(1,("failed tcon_X\n")); nt_status = cli_nt_error(cli); cli_shutdown(cli); - if (NT_STATUS_IS_OK(nt_status)) nt_status = NT_STATUS_UNSUCCESSFUL; + if (NT_STATUS_IS_OK(nt_status)) + nt_status = NT_STATUS_UNSUCCESSFUL; return nt_status; } } -- cgit From a9d328bb943de1414a7d1a5a24b9b1b47b879a75 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 6 Apr 2002 01:25:57 +0000 Subject: Always pass NT password as well as Lanman. Jeremy. (This used to be commit 146fb9d12bd3621087193f439e99c13d609ff658) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index d9df1fa640..8ddd116679 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1258,7 +1258,7 @@ again: return nt_status; } - if (!cli_session_setup(cli, user, password, pass_len, NULL, 0, + if (!cli_session_setup(cli, user, password, pass_len, password, pass_len, domain)) { DEBUG(1,("failed session setup\n")); nt_status = cli_nt_error(cli); -- cgit From a2c8ca186f7261fdab49ed40949320a45868d2b5 Mon Sep 17 00:00:00 2001 From: "Christopher R. Hertel" Date: Mon, 1 Jul 2002 03:42:28 +0000 Subject: The 17-bit length field in the header contains the number of bytes which follow the header, not the full packet size. [Yes, the length field is either 17-bits, or (per the RFCs) it is a 16-bit length field preceeded by an 8-bit flags field of which only the low-order bit may be used. If that bit is set, then add 65536 to the 16-bit length field. (In other words, it's a 17-bit unsigned length field.) ...unless, of course, the transport is native TCP [port 445] in which case the length field *might* be 24-bits wide.] Anyway, the change is a very minor one. We were including the four bytes of the header in the length count and, as a result, sending four bytes of garbage at the end of the SESSION REQUEST packet. Small fix in function cli_session_request(). (This used to be commit d08471688b65371eb3de73b03a8ffaee86659ba0) --- source3/libsmb/cliconnect.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 8ddd116679..4be63b8f2e 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -902,7 +902,14 @@ BOOL cli_session_request(struct cli_state *cli, name_mangle(cli->calling.name, p, cli->calling.name_type); len += name_len(p); - /* setup the packet length */ + /* setup the packet length + * Remove four bytes from the length count, since the length + * field in the NBT Session Service header counts the number + * of bytes which follow. The cli_send_smb() function knows + * about this and accounts for those four bytes. + * CRH. + */ + len -= 4; _smb_setlen(cli->outbuf,len); SCVAL(cli->outbuf,0,0x81); -- cgit From e90b65284812aaa5ff9e9935ce9bbad7791cbbcd Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 15 Jul 2002 10:35:28 +0000 Subject: updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce) --- source3/libsmb/cliconnect.c | 528 +++++++++++++++++++------------------------- 1 file changed, 226 insertions(+), 302 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 4be63b8f2e..f0b02b97b0 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -2,6 +2,7 @@ Unix SMB/CIFS implementation. client connect/disconnect routines Copyright (C) Andrew Tridgell 1994-1998 + Copyright (C) Andrew Barteltt 2001-2002 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -24,28 +25,27 @@ static const struct { - int prot; - const char *name; - } -prots[] = - { - {PROTOCOL_CORE,"PC NETWORK PROGRAM 1.0"}, - {PROTOCOL_COREPLUS,"MICROSOFT NETWORKS 1.03"}, - {PROTOCOL_LANMAN1,"MICROSOFT NETWORKS 3.0"}, - {PROTOCOL_LANMAN1,"LANMAN1.0"}, - {PROTOCOL_LANMAN2,"LM1.2X002"}, - {PROTOCOL_LANMAN2,"Samba"}, - {PROTOCOL_NT1,"NT LANMAN 1.0"}, - {PROTOCOL_NT1,"NT LM 0.12"}, - {-1,NULL} - }; - + int prot; + const char *name; +} prots[] = { + {PROTOCOL_CORE,"PC NETWORK PROGRAM 1.0"}, + {PROTOCOL_COREPLUS,"MICROSOFT NETWORKS 1.03"}, + {PROTOCOL_LANMAN1,"MICROSOFT NETWORKS 3.0"}, + {PROTOCOL_LANMAN1,"LANMAN1.0"}, + {PROTOCOL_LANMAN2,"LM1.2X002"}, + {PROTOCOL_LANMAN2,"DOS LANMAN2.1"}, + {PROTOCOL_LANMAN2,"Samba"}, + {PROTOCOL_NT1,"NT LANMAN 1.0"}, + {PROTOCOL_NT1,"NT LM 0.12"}, + {-1,NULL} +}; /**************************************************************************** -do an old lanman2 style session setup + Do an old lanman2 style session setup. ****************************************************************************/ + static BOOL cli_session_setup_lanman2(struct cli_state *cli, char *user, - char *pass, int passlen) + char *pass, int passlen, const char *workgroup) { fstring pword; char *p; @@ -54,17 +54,19 @@ static BOOL cli_session_setup_lanman2(struct cli_state *cli, char *user, return False; } + /* Lanman2 cannot use SMB signing. */ + cli->sign_info.use_smb_signing = False; + /* if in share level security then don't send a password now */ - if (!(cli->sec_mode & 1)) { + if (!(cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) { passlen = 0; } - if (passlen > 0 && (cli->sec_mode & 2) && passlen != 24) { + if (passlen > 0 && (cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) && passlen != 24) { /* Encrypted mode needed, and non encrypted password supplied. */ passlen = 24; - clistr_push(cli, pword, pass, -1, STR_TERMINATE); - SMBencrypt((uchar *)pword,cli->secblob.data,(uchar *)pword); - } else if ((cli->sec_mode & 2) && passlen == 24) { + SMBencrypt(pass,cli->secblob.data,(uchar *)pword); + } else if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) && passlen == 24) { /* Encrypted mode needed, and encrypted password supplied. */ memcpy(pword, pass, passlen); } else if (passlen > 0) { @@ -88,7 +90,10 @@ static BOOL cli_session_setup_lanman2(struct cli_state *cli, char *user, p = smb_buf(cli->outbuf); memcpy(p,pword,passlen); p += passlen; - p += clistr_push(cli, p, user, -1, STR_TERMINATE); + p += clistr_push(cli, p, user, -1, STR_TERMINATE|STR_UPPER); + p += clistr_push(cli, p, workgroup, -1, STR_TERMINATE|STR_UPPER); + p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE); + p += clistr_push(cli, p, "Samba", -1, STR_TERMINATE); cli_setup_bcc(cli, p); cli_send_smb(cli); @@ -108,10 +113,10 @@ static BOOL cli_session_setup_lanman2(struct cli_state *cli, char *user, return True; } - /**************************************************************************** -work out suitable capabilities to offer the server + Work out suitable capabilities to offer the server. ****************************************************************************/ + static uint32 cli_session_setup_capabilities(struct cli_state *cli) { uint32 capabilities = CAP_NT_SMBS; @@ -131,10 +136,10 @@ static uint32 cli_session_setup_capabilities(struct cli_state *cli) return capabilities; } - /**************************************************************************** -do a NT1 guest session setup + Do a NT1 guest session setup. ****************************************************************************/ + static BOOL cli_session_setup_guest(struct cli_state *cli) { char *p; @@ -181,10 +186,10 @@ static BOOL cli_session_setup_guest(struct cli_state *cli) return True; } - /**************************************************************************** -do a NT1 plaintext session setup + Do a NT1 plaintext session setup. ****************************************************************************/ + static BOOL cli_session_setup_plaintext(struct cli_state *cli, char *user, char *pass, char *workgroup) { @@ -237,9 +242,15 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, char *user, } -/**************************************************************************** -do a NT1 NTLM/LM encrypted session setup -****************************************************************************/ +/** + do a NT1 NTLM/LM encrypted session setup + @param cli client state to create do session setup on + @param user username + @param pass *either* cleartext password (passlen !=24) or LM response. + @param ntpass NT response, implies ntpasslen >=24, implies pass is not clear + @param workgroup The user's domain. +*/ + static BOOL cli_session_setup_nt1(struct cli_state *cli, char *user, char *pass, int passlen, char *ntpass, int ntpasslen, @@ -248,6 +259,7 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, char *user, uint32 capabilities = cli_session_setup_capabilities(cli); fstring pword, ntpword; char *p; + BOOL tried_signing = False; if (passlen > sizeof(pword)-1 || ntpasslen > sizeof(ntpword)-1) { return False; @@ -257,12 +269,12 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, char *user, /* non encrypted password supplied. Ignore ntpass. */ passlen = 24; ntpasslen = 24; - clistr_push(cli, pword, - pass?pass:"", sizeof(pword), STR_TERMINATE|STR_ASCII); - clistr_push(cli, ntpword, - pass?pass:"", sizeof(ntpword), STR_TERMINATE|STR_ASCII); - SMBencrypt((uchar *)pword,cli->secblob.data,(uchar *)pword); - SMBNTencrypt((uchar *)ntpword,cli->secblob.data,(uchar *)ntpword); + SMBencrypt((uchar *)pass,cli->secblob.data,(uchar *)pword); + SMBNTencrypt((uchar *)pass,cli->secblob.data,(uchar *)ntpword); + if (!cli->sign_info.use_smb_signing && cli->sign_info.negotiated_smb_signing) { + cli_calculate_mac_key(cli, (uchar *)pass, (uchar *)ntpword); + tried_signing = True; + } } else { memcpy(pword, pass, passlen); memcpy(ntpword, ntpass, ntpasslen); @@ -298,10 +310,15 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, char *user, show_msg(cli->inbuf); + if (tried_signing && (cli_is_error(cli) || SVAL(cli->inbuf,smb_vwv2) /* guest */)) { + /* We only use it if we have a successful non-guest connect */ + cli->sign_info.use_smb_signing = False; + } + if (cli_is_error(cli)) { return False; } - + /* use the returned vuid from now on */ cli->vuid = SVAL(cli->inbuf,smb_uid); @@ -315,10 +332,10 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, char *user, return True; } - /**************************************************************************** -send a extended security session setup blob, returning a reply blob + Send a extended security session setup blob, returning a reply blob. ****************************************************************************/ + static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) { uint32 capabilities = cli_session_setup_capabilities(cli); @@ -382,8 +399,9 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) #ifdef HAVE_KRB5 /**************************************************************************** -do a spnego/kerberos encrypted session setup + Do a spnego/kerberos encrypted session setup. ****************************************************************************/ + static BOOL cli_session_setup_kerberos(struct cli_state *cli, char *principal, char *workgroup) { DATA_BLOB blob2, negTokenTarg; @@ -411,8 +429,9 @@ static BOOL cli_session_setup_kerberos(struct cli_state *cli, char *principal, c #endif /**************************************************************************** -do a spnego/NTLMSSP encrypted session setup + Do a spnego/NTLMSSP encrypted session setup. ****************************************************************************/ + static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user, char *pass, char *workgroup) { @@ -501,10 +520,10 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user, return !cli_is_error(cli); } - /**************************************************************************** -do a spnego encrypted session setup + Do a spnego encrypted session setup. ****************************************************************************/ + static BOOL cli_session_setup_spnego(struct cli_state *cli, char *user, char *pass, char *workgroup) { @@ -514,6 +533,9 @@ static BOOL cli_session_setup_spnego(struct cli_state *cli, char *user, int i; BOOL got_kerberos_mechanism = False; + /* spnego security cannot use SMB signing (for now). */ + cli->sign_info.use_smb_signing = False; + DEBUG(2,("Doing spnego session setup (blob length=%d)\n", cli->secblob.length)); /* the server might not even do spnego */ @@ -558,12 +580,12 @@ ntlmssp: return cli_session_setup_ntlmssp(cli, user, pass, workgroup); } - /**************************************************************************** Send a session setup. The username and workgroup is in UNIX character format and must be converted to DOS codepage format before sending. If the password is in plaintext, the same should be done. ****************************************************************************/ + BOOL cli_session_setup(struct cli_state *cli, char *user, char *pass, int passlen, @@ -591,7 +613,7 @@ BOOL cli_session_setup(struct cli_state *cli, /* if its an older server then we have to use the older request format */ if (cli->protocol < PROTOCOL_NT1) { - return cli_session_setup_lanman2(cli, user, pass, passlen); + return cli_session_setup_lanman2(cli, user, pass, passlen, workgroup); } /* if no user is supplied then we have to do an anonymous connection. @@ -603,13 +625,13 @@ BOOL cli_session_setup(struct cli_state *cli, /* if the server is share level then send a plaintext null password at this point. The password is sent in the tree connect */ - if ((cli->sec_mode & 1) == 0) { + if ((cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL) == 0) { return cli_session_setup_plaintext(cli, user, "", workgroup); } - /* if the server doesn't support encryption then we have to use plaintext. The - second password is ignored */ - if ((cli->sec_mode & 2) == 0) { + /* if the server doesn't support encryption then we have to use + plaintext. The second password is ignored */ + if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) { return cli_session_setup_plaintext(cli, user, pass, workgroup); } @@ -630,27 +652,28 @@ BOOL cli_session_setup(struct cli_state *cli, BOOL cli_ulogoff(struct cli_state *cli) { - memset(cli->outbuf,'\0',smb_size); - set_message(cli->outbuf,2,0,True); - SCVAL(cli->outbuf,smb_com,SMBulogoffX); - cli_setup_packet(cli); + memset(cli->outbuf,'\0',smb_size); + set_message(cli->outbuf,2,0,True); + SCVAL(cli->outbuf,smb_com,SMBulogoffX); + cli_setup_packet(cli); SSVAL(cli->outbuf,smb_vwv0,0xFF); SSVAL(cli->outbuf,smb_vwv2,0); /* no additional info */ - cli_send_smb(cli); - if (!cli_receive_smb(cli)) - return False; + cli_send_smb(cli); + if (!cli_receive_smb(cli)) + return False; - return !cli_is_error(cli); + return !cli_is_error(cli); } /**************************************************************************** -send a tconX + Send a tconX. ****************************************************************************/ + BOOL cli_send_tconX(struct cli_state *cli, const char *share, const char *dev, const char *pass, int passlen) { - fstring fullshare, pword, dos_pword; + fstring fullshare, pword; char *p; memset(cli->outbuf,'\0',smb_size); memset(cli->inbuf,'\0',smb_size); @@ -658,20 +681,19 @@ BOOL cli_send_tconX(struct cli_state *cli, fstrcpy(cli->share, share); /* in user level security don't send a password now */ - if (cli->sec_mode & 1) { + if (cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL) { passlen = 1; pass = ""; } - if ((cli->sec_mode & 2) && *pass && passlen != 24) { + if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) && *pass && passlen != 24) { /* * Non-encrypted passwords - convert to DOS codepage before encryption. */ passlen = 24; - clistr_push(cli, dos_pword, pass, -1, STR_TERMINATE); - SMBencrypt((uchar *)dos_pword,cli->secblob.data,(uchar *)pword); + SMBencrypt(pass,cli->secblob.data,(uchar *)pword); } else { - if((cli->sec_mode & 3) == 0) { + if((cli->sec_mode & (NEGOTIATE_SECURITY_USER_LEVEL|NEGOTIATE_SECURITY_CHALLENGE_RESPONSE)) == 0) { /* * Non-encrypted passwords - convert to DOS codepage before using. */ @@ -728,10 +750,10 @@ BOOL cli_send_tconX(struct cli_state *cli, return True; } - /**************************************************************************** -send a tree disconnect + Send a tree disconnect. ****************************************************************************/ + BOOL cli_tdis(struct cli_state *cli) { memset(cli->outbuf,'\0',smb_size); @@ -747,15 +769,19 @@ BOOL cli_tdis(struct cli_state *cli) return !cli_is_error(cli); } - /**************************************************************************** -send a negprot command + Send a negprot command. ****************************************************************************/ + void cli_negprot_send(struct cli_state *cli) { char *p; int numprots; + if (cli->protocol < PROTOCOL_NT1) { + cli->use_spnego = False; + } + memset(cli->outbuf,'\0',smb_size); /* setup the protocol strings */ @@ -778,16 +804,25 @@ void cli_negprot_send(struct cli_state *cli) cli_send_smb(cli); } - /**************************************************************************** -send a negprot command + Send a negprot command. ****************************************************************************/ + BOOL cli_negprot(struct cli_state *cli) { char *p; int numprots; int plength; + if (cli->sign_info.use_smb_signing) { + DEBUG(0, ("Cannot send negprot again, particularly after setting up SMB Signing\n")); + return False; + } + + if (cli->protocol < PROTOCOL_NT1) { + cli->use_spnego = False; + } + memset(cli->outbuf,'\0',smb_size); /* setup the protocol strings */ @@ -822,7 +857,7 @@ BOOL cli_negprot(struct cli_state *cli) return(False); } - cli->protocol = prots[SVAL(cli->inbuf,smb_vwv0)].prot; + cli->protocol = prots[SVAL(cli->inbuf,smb_vwv0)].prot; if (cli->protocol >= PROTOCOL_NT1) { /* NT protocol */ @@ -847,7 +882,16 @@ BOOL cli_negprot(struct cli_state *cli) smb_buf(cli->inbuf)+8, sizeof(cli->server_domain), smb_buflen(cli->inbuf)-8, STR_UNICODE|STR_NOALIGN); } + + /* A way to attempt to force SMB signing */ + if (getenv("CLI_FORCE_SMB_SIGNING")) + cli->sign_info.negotiated_smb_signing = True; + + if (cli->sign_info.negotiated_smb_signing && !(cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED)) + cli->sign_info.negotiated_smb_signing = False; + } else if (cli->protocol >= PROTOCOL_LANMAN1) { + cli->use_spnego = False; cli->sec_mode = SVAL(cli->inbuf,smb_vwv1); cli->max_xmit = SVAL(cli->inbuf,smb_vwv2); cli->sesskey = IVAL(cli->inbuf,smb_vwv6); @@ -860,6 +904,7 @@ BOOL cli_negprot(struct cli_state *cli) cli->secblob = data_blob(smb_buf(cli->inbuf),smb_buflen(cli->inbuf)); } else { /* the old core protocol */ + cli->use_spnego = False; cli->sec_mode = 0; cli->serverzone = TimeDiff(time(NULL)); } @@ -874,10 +919,10 @@ BOOL cli_negprot(struct cli_state *cli) return True; } - /**************************************************************************** - send a session request. see rfc1002.txt 4.3 and 4.3.2 + Send a session request. See rfc1002.txt 4.3 and 4.3.2. ****************************************************************************/ + BOOL cli_session_request(struct cli_state *cli, struct nmb_name *calling, struct nmb_name *called) { @@ -888,6 +933,11 @@ BOOL cli_session_request(struct cli_state *cli, /* 445 doesn't have session request */ if (cli->port == 445) return True; + if (cli->sign_info.use_smb_signing) { + DEBUG(0, ("Cannot send session resquest again, particularly after setting up SMB Signing\n")); + return False; + } + /* send a session request (RFC 1002) */ memcpy(&(cli->calling), calling, sizeof(*calling)); memcpy(&(cli->called ), called , sizeof(*called )); @@ -902,7 +952,7 @@ BOOL cli_session_request(struct cli_state *cli, name_mangle(cli->calling.name, p, cli->calling.name_type); len += name_len(p); - /* setup the packet length + /* setup the packet length * Remove four bytes from the length count, since the length * field in the NBT Session Service header counts the number * of bytes which follow. The cli_send_smb() function knows @@ -913,10 +963,6 @@ BOOL cli_session_request(struct cli_state *cli, _smb_setlen(cli->outbuf,len); SCVAL(cli->outbuf,0,0x81); -#ifdef WITH_SSL -retry: -#endif /* WITH_SSL */ - cli_send_smb(cli); DEBUG(5,("Sent session request\n")); @@ -962,15 +1008,6 @@ retry: } } /* C. Hoch 9/14/95 End */ -#ifdef WITH_SSL - if (CVAL(cli->inbuf,0) == 0x83 && CVAL(cli->inbuf,4) == 0x8e){ /* use ssl */ - if (!sslutil_fd_is_ssl(cli->fd)){ - if (sslutil_connect(cli->fd) == 0) - goto retry; - } - } -#endif /* WITH_SSL */ - if (CVAL(cli->inbuf,0) != 0x82) { /* This is the wrong place to put the error... JRA. */ cli->rap_error = CVAL(cli->inbuf,4); @@ -980,8 +1017,9 @@ retry: } /**************************************************************************** -open the client sockets + Open the client sockets. ****************************************************************************/ + BOOL cli_connect(struct cli_state *cli, const char *host, struct in_addr *ip) { extern pstring user_socket_options; @@ -1034,155 +1072,11 @@ BOOL cli_connect(struct cli_state *cli, const char *host, struct in_addr *ip) } /**************************************************************************** -establishes a connection right up to doing tconX, password in cache. + Initialise client credentials for authenticated pipe access. ****************************************************************************/ -BOOL cli_establish_connection(struct cli_state *cli, - char *dest_host, struct in_addr *dest_ip, - struct nmb_name *calling, struct nmb_name *called, - char *service, char *service_type, - BOOL do_shutdown, BOOL do_tcon) -{ - DEBUG(5,("cli_establish_connection: %s connecting to %s (%s) - %s [%s]\n", - nmb_namestr(calling), nmb_namestr(called), inet_ntoa(*dest_ip), - cli->user_name, cli->domain)); - - /* establish connection */ - - if ((!cli->initialised)) - { - return False; - } - - /* cli_establish_connection() can't handle spnego yet. Once we get rid of - pwd_cache and other horrors we can get rid of this */ - cli->use_spnego = False; - - if (cli->fd == -1) - { - if (!cli_connect(cli, dest_host, dest_ip)) - { - DEBUG(1,("cli_establish_connection: failed to connect to %s (%s)\n", - nmb_namestr(called), inet_ntoa(*dest_ip))); - return False; - } - } - - if (!cli_session_request(cli, calling, called)) - { - DEBUG(1,("failed session request\n")); - if (do_shutdown) - cli_shutdown(cli); - return False; - } - - if (!cli_negprot(cli)) - { - DEBUG(1,("failed negprot\n")); - if (do_shutdown) - cli_shutdown(cli); - return False; - } - - if (cli->pwd.cleartext || cli->pwd.null_pwd) - { - fstring passwd; - int pass_len; - - if (cli->pwd.null_pwd) - { - /* attempt null session */ - passwd[0] = 0; - pass_len = 1; - } - else - { - /* attempt clear-text session */ - pwd_get_cleartext(&(cli->pwd), passwd); - pass_len = strlen(passwd); - } - - /* attempt clear-text session */ - if (!cli_session_setup(cli, cli->user_name, - passwd, pass_len, - NULL, 0, - cli->domain)) - { - DEBUG(1,("failed session setup\n")); - if (do_shutdown) - { - cli_shutdown(cli); - } - return False; - } - if (do_tcon) - { - if (!cli_send_tconX(cli, service, service_type, - (char*)passwd, strlen(passwd))) - { - DEBUG(1,("failed tcon_X\n")); - if (do_shutdown) - { - cli_shutdown(cli); - } - return False; - } - } - } - else - { - /* attempt encrypted session */ - unsigned char nt_sess_pwd[24]; - unsigned char lm_sess_pwd[24]; - - /* creates (storing a copy of) and then obtains a 24 byte password OWF */ - pwd_make_lm_nt_owf(&(cli->pwd), cli->secblob.data); - pwd_get_lm_nt_owf(&(cli->pwd), lm_sess_pwd, nt_sess_pwd); - - /* attempt encrypted session */ - if (!cli_session_setup(cli, cli->user_name, - (char*)lm_sess_pwd, sizeof(lm_sess_pwd), - (char*)nt_sess_pwd, sizeof(nt_sess_pwd), - cli->domain)) - { - DEBUG(1,("failed session setup\n")); - if (do_shutdown) - cli_shutdown(cli); - return False; - } - - DEBUG(1,("session setup ok\n")); - - if (*cli->server_domain || *cli->server_os || *cli->server_type) - { - DEBUG(1,("Domain=[%s] OS=[%s] Server=[%s]\n", - cli->server_domain, - cli->server_os, - cli->server_type)); - } - - if (do_tcon) - { - if (!cli_send_tconX(cli, service, service_type, - (char*)nt_sess_pwd, sizeof(nt_sess_pwd))) - { - DEBUG(1,("failed tcon_X\n")); - if (do_shutdown) - cli_shutdown(cli); - return False; - } - } - } - - if (do_shutdown) - cli_shutdown(cli); - - return True; -} - -/* Initialise client credentials for authenticated pipe access */ static void init_creds(struct ntuser_creds *creds, char* username, - char* domain, char* password, int pass_len) + char* domain, char* password) { ZERO_STRUCTP(creds); @@ -1196,15 +1090,26 @@ static void init_creds(struct ntuser_creds *creds, char* username, } } -/**************************************************************************** -establishes a connection right up to doing tconX, password specified. -****************************************************************************/ +/** + establishes a connection right up to doing tconX, password specified. + @param output_cli A fully initialised cli structure, non-null only on success + @param dest_host The netbios name of the remote host + @param dest_ip (optional) The the destination IP, NULL for name based lookup + @param port (optional) The destination port (0 for default) + @param service (optional) The share to make the connection to. Should be 'unqualified' in any way. + @param service_type The 'type' of serivice. + @param user Username, unix string + @param domain User's domain + @param password User's password, unencrypted unix string. +*/ + NTSTATUS cli_full_connection(struct cli_state **output_cli, - const char *my_name, const char *dest_host, + const char *my_name, + const char *dest_host, struct in_addr *dest_ip, int port, char *service, char *service_type, char *user, char *domain, - char *password, int pass_len) + char *password, int flags) { struct ntuser_creds creds; NTSTATUS nt_status; @@ -1212,32 +1117,40 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, struct nmb_name called; struct cli_state *cli; struct in_addr ip; - - if (!output_cli) + extern pstring global_myname; + + if (!output_cli) { DEBUG(0, ("output_cli is NULL!?!")); + SMB_ASSERT("output_cli for cli_full_connection was NULL.\n"); + } - *output_cli = NULL; + if (!my_name) + my_name = global_myname; - make_nmb_name(&calling, my_name, 0x0); - make_nmb_name(&called , dest_host, 0x20); - -again: - if (!(cli = cli_initialise(NULL))) return NT_STATUS_NO_MEMORY; + make_nmb_name(&calling, my_name, 0x0); + make_nmb_name(&called , dest_host, 0x20); + if (cli_set_port(cli, port) != port) { cli_shutdown(cli); return NT_STATUS_UNSUCCESSFUL; } - ip = *dest_ip; - + if (dest_ip) { + ip = *dest_ip; + } else { + ZERO_STRUCT(ip); + } + +again: + DEBUG(3,("Connecting to host=%s share=%s\n", dest_host, service)); if (!cli_connect(cli, dest_host, &ip)) { - DEBUG(1,("cli_establish_connection: failed to connect to %s (%s)\n", - nmb_namestr(&called), inet_ntoa(*dest_ip))); + DEBUG(1,("cli_full_connection: failed to connect to %s (%s)\n", + nmb_namestr(&called), inet_ntoa(ip))); cli_shutdown(cli); return NT_STATUS_UNSUCCESSFUL; } @@ -1258,6 +1171,12 @@ again: return NT_STATUS_UNSUCCESSFUL; } + if (flags & CLI_FULL_CONNECTION_DONT_SPNEGO) { + cli->use_spnego = False; + } else if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) { + cli->use_kerberos = True; + } + if (!cli_negprot(cli)) { DEBUG(1,("failed negprot\n")); nt_status = NT_STATUS_UNSUCCESSFUL; @@ -1265,29 +1184,36 @@ again: return nt_status; } - if (!cli_session_setup(cli, user, password, pass_len, password, pass_len, + if (!cli_session_setup(cli, user, password, strlen(password)+1, + password, strlen(password)+1, domain)) { - DEBUG(1,("failed session setup\n")); - nt_status = cli_nt_error(cli); - cli_shutdown(cli); - if (NT_STATUS_IS_OK(nt_status)) - nt_status = NT_STATUS_UNSUCCESSFUL; - return nt_status; + if (!(flags & CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK) + || cli_session_setup(cli, "", "", 0, + "", 0, domain)) { + } else { + nt_status = cli_nt_error(cli); + DEBUG(1,("failed session setup with %s\n", nt_errstr(nt_status))); + cli_shutdown(cli); + if (NT_STATUS_IS_OK(nt_status)) + nt_status = NT_STATUS_UNSUCCESSFUL; + return nt_status; + } } if (service) { if (!cli_send_tconX(cli, service, service_type, - (char*)password, pass_len)) { - DEBUG(1,("failed tcon_X\n")); + (char*)password, strlen(password)+1)) { + DEBUG(1,("failed tcon_X with %s\n", nt_errstr(nt_status))); nt_status = cli_nt_error(cli); cli_shutdown(cli); - if (NT_STATUS_IS_OK(nt_status)) + if (NT_STATUS_IS_OK(nt_status)) { nt_status = NT_STATUS_UNSUCCESSFUL; + } return nt_status; } } - init_creds(&creds, user, domain, password, pass_len); + init_creds(&creds, user, domain, password); cli_init_creds(cli, &creds); *output_cli = cli; @@ -1301,55 +1227,53 @@ again: BOOL attempt_netbios_session_request(struct cli_state *cli, char *srchost, char *desthost, struct in_addr *pdest_ip) { - struct nmb_name calling, called; + struct nmb_name calling, called; - make_nmb_name(&calling, srchost, 0x0); + make_nmb_name(&calling, srchost, 0x0); - /* - * If the called name is an IP address - * then use *SMBSERVER immediately. - */ + /* + * If the called name is an IP address + * then use *SMBSERVER immediately. + */ - if(is_ipaddress(desthost)) - make_nmb_name(&called, "*SMBSERVER", 0x20); - else - make_nmb_name(&called, desthost, 0x20); + if(is_ipaddress(desthost)) + make_nmb_name(&called, "*SMBSERVER", 0x20); + else + make_nmb_name(&called, desthost, 0x20); - if (!cli_session_request(cli, &calling, &called)) { - struct nmb_name smbservername; + if (!cli_session_request(cli, &calling, &called)) { + struct nmb_name smbservername; - make_nmb_name(&smbservername , "*SMBSERVER", 0x20); + make_nmb_name(&smbservername , "*SMBSERVER", 0x20); - /* - * If the name wasn't *SMBSERVER then - * try with *SMBSERVER if the first name fails. - */ + /* + * If the name wasn't *SMBSERVER then + * try with *SMBSERVER if the first name fails. + */ - if (nmb_name_equal(&called, &smbservername)) { + if (nmb_name_equal(&called, &smbservername)) { - /* - * The name used was *SMBSERVER, don't bother with another name. - */ + /* + * The name used was *SMBSERVER, don't bother with another name. + */ - DEBUG(0,("attempt_netbios_session_request: %s rejected the session for name *SMBSERVER \ + DEBUG(0,("attempt_netbios_session_request: %s rejected the session for name *SMBSERVER \ with error %s.\n", desthost, cli_errstr(cli) )); - cli_shutdown(cli); - return False; - } + cli_shutdown(cli); + return False; + } - cli_shutdown(cli); + cli_shutdown(cli); - if (!cli_initialise(cli) || - !cli_connect(cli, desthost, pdest_ip) || - !cli_session_request(cli, &calling, &smbservername)) { - DEBUG(0,("attempt_netbios_session_request: %s rejected the session for \ + if (!cli_initialise(cli) || + !cli_connect(cli, desthost, pdest_ip) || + !cli_session_request(cli, &calling, &smbservername)) { + DEBUG(0,("attempt_netbios_session_request: %s rejected the session for \ name *SMBSERVER with error %s\n", desthost, cli_errstr(cli) )); - cli_shutdown(cli); - return False; - } - } + cli_shutdown(cli); + return False; + } + } - return True; + return True; } - - -- cgit From b0b28531c8cd76d3fcd95da08389d8a4d2e631a3 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 15 Jul 2002 11:16:26 +0000 Subject: more bug updates from head (This used to be commit 8b769bf5bbbe54b1a39fd85cc24db09c1ab7faab) --- source3/libsmb/cliconnect.c | 5 ----- 1 file changed, 5 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index f0b02b97b0..472db69fd0 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1119,11 +1119,6 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, struct in_addr ip; extern pstring global_myname; - if (!output_cli) { - DEBUG(0, ("output_cli is NULL!?!")); - SMB_ASSERT("output_cli for cli_full_connection was NULL.\n"); - } - if (!my_name) my_name = global_myname; -- cgit From b2edf254eda92f775e7d3d9b6793b4d77f9000b6 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 17 Aug 2002 17:00:51 +0000 Subject: sync 3.0 branch with head (This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290) --- source3/libsmb/cliconnect.c | 47 ++++++++++++++++++++++++++------------------- 1 file changed, 27 insertions(+), 20 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 472db69fd0..93cf3d95db 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -54,9 +54,6 @@ static BOOL cli_session_setup_lanman2(struct cli_state *cli, char *user, return False; } - /* Lanman2 cannot use SMB signing. */ - cli->sign_info.use_smb_signing = False; - /* if in share level security then don't send a password now */ if (!(cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) { passlen = 0; @@ -209,12 +206,11 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, char *user, SSVAL(cli->outbuf,smb_vwv3,2); SSVAL(cli->outbuf,smb_vwv4,cli->pid); SIVAL(cli->outbuf,smb_vwv5,cli->sesskey); - SSVAL(cli->outbuf,smb_vwv7,passlen); SSVAL(cli->outbuf,smb_vwv8,0); SIVAL(cli->outbuf,smb_vwv11,capabilities); p = smb_buf(cli->outbuf); - memcpy(p, pword, passlen); - p += passlen; + p += clistr_push(cli, p, pword, -1, STR_TERMINATE); /* password */ + SSVAL(cli->outbuf,smb_vwv7,PTR_DIFF(p, smb_buf(cli->outbuf))); p += clistr_push(cli, p, user, -1, STR_TERMINATE); /* username */ p += clistr_push(cli, p, workgroup, -1, STR_TERMINATE); /* workgroup */ p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE); @@ -257,11 +253,12 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, char *user, char *workgroup) { uint32 capabilities = cli_session_setup_capabilities(cli); - fstring pword, ntpword; + uchar pword[24]; + uchar ntpword[24]; char *p; BOOL tried_signing = False; - if (passlen > sizeof(pword)-1 || ntpasslen > sizeof(ntpword)-1) { + if (passlen > sizeof(pword) || ntpasslen > sizeof(ntpword)) { return False; } @@ -269,15 +266,21 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, char *user, /* non encrypted password supplied. Ignore ntpass. */ passlen = 24; ntpasslen = 24; - SMBencrypt((uchar *)pass,cli->secblob.data,(uchar *)pword); - SMBNTencrypt((uchar *)pass,cli->secblob.data,(uchar *)ntpword); + SMBencrypt(pass,cli->secblob.data,pword); + SMBNTencrypt(pass,cli->secblob.data,ntpword); if (!cli->sign_info.use_smb_signing && cli->sign_info.negotiated_smb_signing) { - cli_calculate_mac_key(cli, (uchar *)pass, (uchar *)ntpword); + cli_calculate_mac_key(cli, pass, ntpword); tried_signing = True; } } else { - memcpy(pword, pass, passlen); - memcpy(ntpword, ntpass, ntpasslen); + /* pre-encrypted password supplied. Only used for security=server, can't do + signing becouse we don't have oringial key */ + memcpy(pword, pass, 24); + if (ntpasslen == 24) { + memcpy(ntpword, ntpass, 24); + } else { + ZERO_STRUCT(ntpword); + } } /* send a session setup command */ @@ -305,8 +308,13 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, char *user, cli_setup_bcc(cli, p); cli_send_smb(cli); - if (!cli_receive_smb(cli)) + if (!cli_receive_smb(cli)) { + if (tried_signing) { + /* We only use it if we have a successful non-guest connect */ + cli->sign_info.use_smb_signing = False; + } return False; + } show_msg(cli->inbuf); @@ -482,8 +490,8 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user, /* encrypt the password with the challenge */ memcpy(challenge, chal1.data + 24, 8); - SMBencrypt((unsigned char *)pass, challenge,lmhash); - SMBNTencrypt((unsigned char *)pass, challenge,nthash); + SMBencrypt(pass, challenge,lmhash); + SMBNTencrypt(pass, challenge,nthash); #if 0 file_save("nthash.dat", nthash, 24); @@ -1062,7 +1070,7 @@ BOOL cli_connect(struct cli_state *cli, const char *host, struct in_addr *ip) } if (cli->fd == -1) { DEBUG(1,("Error connecting to %s (%s)\n", - inet_ntoa(*ip),strerror(errno))); + ip?inet_ntoa(*ip):host,strerror(errno))); return False; } @@ -1182,9 +1190,8 @@ again: if (!cli_session_setup(cli, user, password, strlen(password)+1, password, strlen(password)+1, domain)) { - if (!(flags & CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK) - || cli_session_setup(cli, "", "", 0, - "", 0, domain)) { + if ((flags & CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK) + && cli_session_setup(cli, "", "", 0, "", 0, domain)) { } else { nt_status = cli_nt_error(cli); DEBUG(1,("failed session setup with %s\n", nt_errstr(nt_status))); -- cgit From a834a73e341059be154426390304a42e4a011f72 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 25 Sep 2002 15:19:00 +0000 Subject: sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139) --- source3/libsmb/cliconnect.c | 279 ++++++++++++++++++++++++++------------------ 1 file changed, 164 insertions(+), 115 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 93cf3d95db..62acccdfb7 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -50,14 +50,12 @@ static BOOL cli_session_setup_lanman2(struct cli_state *cli, char *user, fstring pword; char *p; - if (passlen > sizeof(pword)-1) { + if (passlen > sizeof(pword)-1) return False; - } /* if in share level security then don't send a password now */ - if (!(cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) { + if (!(cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) passlen = 0; - } if (passlen > 0 && (cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) && passlen != 24) { /* Encrypted mode needed, and non encrypted password supplied. */ @@ -99,9 +97,8 @@ static BOOL cli_session_setup_lanman2(struct cli_state *cli, char *user, show_msg(cli->inbuf); - if (cli_is_error(cli)) { + if (cli_is_error(cli)) return False; - } /* use the returned vuid from now on */ cli->vuid = SVAL(cli->inbuf,smb_uid); @@ -118,17 +115,14 @@ static uint32 cli_session_setup_capabilities(struct cli_state *cli) { uint32 capabilities = CAP_NT_SMBS; - if (!cli->force_dos_errors) { + if (!cli->force_dos_errors) capabilities |= CAP_STATUS32; - } - if (cli->use_level_II_oplocks) { + if (cli->use_level_II_oplocks) capabilities |= CAP_LEVEL_II_OPLOCKS; - } - if (cli->capabilities & CAP_UNICODE) { + if (cli->capabilities & CAP_UNICODE) capabilities |= CAP_UNICODE; - } return capabilities; } @@ -167,9 +161,8 @@ static BOOL cli_session_setup_guest(struct cli_state *cli) show_msg(cli->inbuf); - if (cli_is_error(cli)) { + if (cli_is_error(cli)) return False; - } cli->vuid = SVAL(cli->inbuf,smb_uid); @@ -223,9 +216,8 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, char *user, show_msg(cli->inbuf); - if (cli_is_error(cli)) { + if (cli_is_error(cli)) return False; - } cli->vuid = SVAL(cli->inbuf,smb_uid); p = smb_buf(cli->inbuf); @@ -237,15 +229,41 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, char *user, return True; } +static void set_signing_on_cli (struct cli_state *cli, char* pass, uint8 response[24]) +{ + uint8 zero_sig[8]; + ZERO_STRUCT(zero_sig); + + DEBUG(5, ("Server returned security sig:\n")); + dump_data(5, &cli->inbuf[smb_ss_field], 8); -/** + if (cli->sign_info.use_smb_signing) { + DEBUG(5, ("smb signing already active on connection\n")); + } else if (memcmp(&cli->inbuf[smb_ss_field], zero_sig, 8) != 0) { + + DEBUG(3, ("smb signing enabled!\n")); + cli->sign_info.use_smb_signing = True; + cli_calculate_mac_key(cli, pass, response); + } else { + DEBUG(5, ("smb signing NOT enabled!\n")); + } +} + +static void set_temp_signing_on_cli(struct cli_state *cli) +{ + if (cli->sign_info.negotiated_smb_signing) + cli->sign_info.temp_smb_signing = True; +} + + +/**************************************************************************** do a NT1 NTLM/LM encrypted session setup @param cli client state to create do session setup on @param user username @param pass *either* cleartext password (passlen !=24) or LM response. @param ntpass NT response, implies ntpasslen >=24, implies pass is not clear @param workgroup The user's domain. -*/ +****************************************************************************/ static BOOL cli_session_setup_nt1(struct cli_state *cli, char *user, char *pass, int passlen, @@ -256,11 +274,10 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, char *user, uchar pword[24]; uchar ntpword[24]; char *p; - BOOL tried_signing = False; + BOOL have_plaintext = False; - if (passlen > sizeof(pword) || ntpasslen > sizeof(ntpword)) { + if (passlen > sizeof(pword) || ntpasslen > sizeof(ntpword)) return False; - } if (passlen != 24) { /* non encrypted password supplied. Ignore ntpass. */ @@ -268,19 +285,18 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, char *user, ntpasslen = 24; SMBencrypt(pass,cli->secblob.data,pword); SMBNTencrypt(pass,cli->secblob.data,ntpword); - if (!cli->sign_info.use_smb_signing && cli->sign_info.negotiated_smb_signing) { - cli_calculate_mac_key(cli, pass, ntpword); - tried_signing = True; - } + + have_plaintext = True; + set_temp_signing_on_cli(cli); } else { - /* pre-encrypted password supplied. Only used for security=server, can't do + /* pre-encrypted password supplied. Only used for + security=server, can't do signing becouse we don't have oringial key */ memcpy(pword, pass, 24); - if (ntpasslen == 24) { + if (ntpasslen == 24) memcpy(ntpword, ntpass, 24); - } else { + else ZERO_STRUCT(ntpword); - } } /* send a session setup command */ @@ -301,31 +317,22 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, char *user, p = smb_buf(cli->outbuf); memcpy(p,pword,passlen); p += passlen; memcpy(p,ntpword,ntpasslen); p += ntpasslen; - p += clistr_push(cli, p, user, -1, STR_TERMINATE|STR_UPPER); - p += clistr_push(cli, p, workgroup, -1, STR_TERMINATE|STR_UPPER); + p += clistr_push(cli, p, user, -1, STR_TERMINATE); + p += clistr_push(cli, p, workgroup, -1, STR_TERMINATE); p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE); p += clistr_push(cli, p, "Samba", -1, STR_TERMINATE); cli_setup_bcc(cli, p); - cli_send_smb(cli); - if (!cli_receive_smb(cli)) { - if (tried_signing) { - /* We only use it if we have a successful non-guest connect */ - cli->sign_info.use_smb_signing = False; - } + if (!cli_send_smb(cli)) return False; - } - show_msg(cli->inbuf); + if (!cli_receive_smb(cli)) + return False; - if (tried_signing && (cli_is_error(cli) || SVAL(cli->inbuf,smb_vwv2) /* guest */)) { - /* We only use it if we have a successful non-guest connect */ - cli->sign_info.use_smb_signing = False; - } + show_msg(cli->inbuf); - if (cli_is_error(cli)) { + if (cli_is_error(cli)) return False; - } /* use the returned vuid from now on */ cli->vuid = SVAL(cli->inbuf,smb_uid); @@ -337,6 +344,11 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, char *user, fstrcpy(cli->user_name, user); + if (have_plaintext) { + /* Have plaintext orginal */ + set_signing_on_cli(cli, pass, ntpword); + } + return True; } @@ -360,6 +372,9 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) set_message(cli->outbuf,12,0,True); SCVAL(cli->outbuf,smb_com,SMBsesssetupX); + + set_temp_signing_on_cli(cli); + cli_setup_packet(cli); SCVAL(cli->outbuf,smb_vwv0,0xFF); @@ -375,8 +390,8 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE); p += clistr_push(cli, p, "Samba", -1, STR_TERMINATE); cli_setup_bcc(cli, p); - cli_send_smb(cli); + if (!cli_receive_smb(cli)) return blob2; @@ -404,7 +419,6 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) return blob2; } - #ifdef HAVE_KRB5 /**************************************************************************** Do a spnego/kerberos encrypted session setup. @@ -417,7 +431,7 @@ static BOOL cli_session_setup_kerberos(struct cli_state *cli, char *principal, c DEBUG(2,("Doing kerberos session setup\n")); /* generate the encapsulated kerberos5 ticket */ - negTokenTarg = spnego_gen_negTokenTarg(cli, principal); + negTokenTarg = spnego_gen_negTokenTarg(principal, 0); if (!negTokenTarg.data) return False; @@ -443,28 +457,32 @@ static BOOL cli_session_setup_kerberos(struct cli_state *cli, char *principal, c static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user, char *pass, char *workgroup) { - const char *mechs[] = {OID_NTLMSSP, NULL}; - DATA_BLOB msg1; - DATA_BLOB blob, chal1, chal2, auth; + DATA_BLOB msg1, struct_blob; + DATA_BLOB blob, chal1, chal2, auth, challenge_blob; uint8 challenge[8]; uint8 nthash[24], lmhash[24], sess_key[16]; - uint32 neg_flags; + uint32 neg_flags, chal_flags, ntlmssp_command, unkn1, unkn2; + pstring server_domain; /* FIX THIS, SHOULD be UCS2-LE */ neg_flags = NTLMSSP_NEGOTIATE_UNICODE | - NTLMSSP_NEGOTIATE_LM_KEY | + NTLMSSP_NEGOTIATE_128 | NTLMSSP_NEGOTIATE_NTLM; memset(sess_key, 0, 16); + DEBUG(10, ("sending NTLMSSP_NEGOTIATE\n")); + /* generate the ntlmssp negotiate packet */ - msrpc_gen(&blob, "CddB", + msrpc_gen(&blob, "CddAA", "NTLMSSP", NTLMSSP_NEGOTIATE, neg_flags, - sess_key, 16); - + workgroup, strlen(workgroup), + cli->calling.name, strlen(cli->calling.name) + 1); + DEBUG(10, ("neg_flags: %0X, workgroup: %s, calling name %s\n", + neg_flags, workgroup, cli->calling.name)); /* and wrap it in a SPNEGO wrapper */ - msg1 = gen_negTokenTarg(mechs, blob); + msg1 = gen_negTokenInit(OID_NTLMSSP, blob); data_blob_free(&blob); /* now send that blob on its way */ @@ -472,9 +490,8 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user, data_blob_free(&msg1); - if (!NT_STATUS_EQUAL(cli_nt_error(cli), NT_STATUS_MORE_PROCESSING_REQUIRED)) { + if (!NT_STATUS_EQUAL(cli_nt_error(cli), NT_STATUS_MORE_PROCESSING_REQUIRED)) return False; - } #if 0 file_save("chal.dat", blob.data, blob.length); @@ -488,10 +505,38 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user, data_blob_free(&blob); - /* encrypt the password with the challenge */ - memcpy(challenge, chal1.data + 24, 8); + /* + * Ok, chal1 and chal2 are actually two identical copies of + * the NTLMSSP Challenge BLOB, and they contain, encoded in them + * the challenge to use. + */ + + if (!msrpc_parse(&chal1, "CdUdbddB", + "NTLMSSP", + &ntlmssp_command, + &server_domain, + &chal_flags, + &challenge_blob, 8, + &unkn1, &unkn2, + &struct_blob)) { + DEBUG(0, ("Failed to parse the NTLMSSP Challenge\n")); + return False; + } + + if (ntlmssp_command != NTLMSSP_CHALLENGE) { + DEBUG(0, ("NTLMSSP Response != NTLMSSP_CHALLENGE. Got %0X\n", + ntlmssp_command)); + return False; + } + + DEBUG(10, ("Challenge:\n")); + dump_data(10, challenge_blob.data, 8); + + /* encrypt the password with the challenge which is in the blob */ + memcpy(challenge, challenge_blob.data, 8); SMBencrypt(pass, challenge,lmhash); SMBNTencrypt(pass, challenge,nthash); + data_blob_free(&challenge_blob); #if 0 file_save("nthash.dat", nthash, 24); @@ -511,7 +556,7 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user, workgroup, user, cli->calling.name, - sess_key, 16, + sess_key, 0, neg_flags); /* wrap it in SPNEGO */ @@ -525,7 +570,12 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user, data_blob_free(&auth); data_blob_free(&blob); - return !cli_is_error(cli); + if (cli_is_error(cli)) + return False; + + set_signing_on_cli(cli, pass, nthash); + + return True; } /**************************************************************************** @@ -537,17 +587,14 @@ static BOOL cli_session_setup_spnego(struct cli_state *cli, char *user, { char *principal; char *OIDs[ASN1_MAX_OIDS]; - uint8 guid[16]; int i; BOOL got_kerberos_mechanism = False; - - /* spnego security cannot use SMB signing (for now). */ - cli->sign_info.use_smb_signing = False; + DATA_BLOB blob; DEBUG(2,("Doing spnego session setup (blob length=%d)\n", cli->secblob.length)); /* the server might not even do spnego */ - if (cli->secblob.length == 16) { + if (cli->secblob.length <= 16) { DEBUG(3,("server didn't supply a full spnego negprot\n")); goto ntlmssp; } @@ -556,11 +603,16 @@ static BOOL cli_session_setup_spnego(struct cli_state *cli, char *user, file_save("negprot.dat", cli->secblob.data, cli->secblob.length); #endif + /* there is 16 bytes of GUID before the real spnego packet starts */ + blob = data_blob(cli->secblob.data+16, cli->secblob.length-16); + /* the server sent us the first part of the SPNEGO exchange in the negprot reply */ - if (!spnego_parse_negTokenInit(cli->secblob, guid, OIDs, &principal)) { + if (!spnego_parse_negTokenInit(blob, OIDs, &principal)) { + data_blob_free(&blob); return False; } + data_blob_free(&blob); /* make sure the server understands kerberos */ for (i=0;OIDs[i];i++) { @@ -620,35 +672,38 @@ BOOL cli_session_setup(struct cli_state *cli, flow a bit easier to understand (tridge) */ /* if its an older server then we have to use the older request format */ - if (cli->protocol < PROTOCOL_NT1) { + + if (cli->protocol < PROTOCOL_NT1) return cli_session_setup_lanman2(cli, user, pass, passlen, workgroup); - } /* if no user is supplied then we have to do an anonymous connection. passwords are ignored */ - if (!user || !*user) { + + if (!user || !*user) return cli_session_setup_guest(cli); - } /* if the server is share level then send a plaintext null password at this point. The password is sent in the tree connect */ - if ((cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL) == 0) { + + if ((cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL) == 0) return cli_session_setup_plaintext(cli, user, "", workgroup); - } /* if the server doesn't support encryption then we have to use plaintext. The second password is ignored */ - if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) { + + if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) return cli_session_setup_plaintext(cli, user, pass, workgroup); - } + /* Indidicate signing */ + /* if the server supports extended security then use SPNEGO */ - if (cli->capabilities & CAP_EXTENDED_SECURITY) { + + if (cli->capabilities & CAP_EXTENDED_SECURITY) return cli_session_setup_spnego(cli, user, pass, workgroup); - } /* otherwise do a NT1 style session setup */ + return cli_session_setup_nt1(cli, user, pass, passlen, ntpass, ntpasslen, workgroup); @@ -738,15 +793,13 @@ BOOL cli_send_tconX(struct cli_state *cli, if (!cli_receive_smb(cli)) return False; - if (cli_is_error(cli)) { + if (cli_is_error(cli)) return False; - } clistr_pull(cli, cli->dev, smb_buf(cli->inbuf), sizeof(fstring), -1, STR_TERMINATE|STR_ASCII); - if (strcasecmp(share,"IPC$")==0) { + if (strcasecmp(share,"IPC$")==0) fstrcpy(cli->dev, "IPC"); - } if (cli->protocol >= PROTOCOL_NT1 && smb_buflen(cli->inbuf) == 3) { @@ -786,9 +839,8 @@ void cli_negprot_send(struct cli_state *cli) char *p; int numprots; - if (cli->protocol < PROTOCOL_NT1) { + if (cli->protocol < PROTOCOL_NT1) cli->use_spnego = False; - } memset(cli->outbuf,'\0',smb_size); @@ -827,9 +879,8 @@ BOOL cli_negprot(struct cli_state *cli) return False; } - if (cli->protocol < PROTOCOL_NT1) { + if (cli->protocol < PROTOCOL_NT1) cli->use_spnego = False; - } memset(cli->outbuf,'\0',smb_size); @@ -891,12 +942,8 @@ BOOL cli_negprot(struct cli_state *cli) smb_buflen(cli->inbuf)-8, STR_UNICODE|STR_NOALIGN); } - /* A way to attempt to force SMB signing */ - if (getenv("CLI_FORCE_SMB_SIGNING")) + if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED)) cli->sign_info.negotiated_smb_signing = True; - - if (cli->sign_info.negotiated_smb_signing && !(cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED)) - cli->sign_info.negotiated_smb_signing = False; } else if (cli->protocol >= PROTOCOL_LANMAN1) { cli->use_spnego = False; @@ -920,9 +967,8 @@ BOOL cli_negprot(struct cli_state *cli) cli->max_xmit = MIN(cli->max_xmit, CLI_BUFFER_SIZE); /* a way to force ascii SMB */ - if (getenv("CLI_FORCE_ASCII")) { + if (getenv("CLI_FORCE_ASCII")) cli->capabilities &= ~CAP_UNICODE; - } return True; } @@ -938,15 +984,6 @@ BOOL cli_session_request(struct cli_state *cli, int len = 4; extern pstring user_socket_options; - /* 445 doesn't have session request */ - if (cli->port == 445) return True; - - if (cli->sign_info.use_smb_signing) { - DEBUG(0, ("Cannot send session resquest again, particularly after setting up SMB Signing\n")); - return False; - } - - /* send a session request (RFC 1002) */ memcpy(&(cli->calling), calling, sizeof(*calling)); memcpy(&(cli->called ), called , sizeof(*called )); @@ -960,6 +997,16 @@ BOOL cli_session_request(struct cli_state *cli, name_mangle(cli->calling.name, p, cli->calling.name_type); len += name_len(p); + /* 445 doesn't have session request */ + if (cli->port == 445) + return True; + + if (cli->sign_info.use_smb_signing) { + DEBUG(0, ("Cannot send session resquest again, particularly after setting up SMB Signing\n")); + return False; + } + + /* send a session request (RFC 1002) */ /* setup the packet length * Remove four bytes from the length count, since the length * field in the NBT Session Service header counts the number @@ -1066,7 +1113,8 @@ BOOL cli_connect(struct cli_state *cli, const char *host, struct in_addr *ip) cli->fd = open_socket_out(SOCK_STREAM, &cli->dest_ip, port, cli->timeout); } - if (cli->fd != -1) cli->port = port; + if (cli->fd != -1) + cli->port = port; } if (cli->fd == -1) { DEBUG(1,("Error connecting to %s (%s)\n", @@ -1141,11 +1189,10 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, return NT_STATUS_UNSUCCESSFUL; } - if (dest_ip) { + if (dest_ip) ip = *dest_ip; - } else { + else ZERO_STRUCT(ip); - } again: @@ -1162,8 +1209,7 @@ again: char *p; DEBUG(1,("session request to %s failed (%s)\n", called.name, cli_errstr(cli))); - cli_shutdown(cli); - if ((p=strchr(called.name, '.'))) { + if ((p=strchr(called.name, '.')) && !is_ipaddress(called.name)) { *p = 0; goto again; } @@ -1174,11 +1220,10 @@ again: return NT_STATUS_UNSUCCESSFUL; } - if (flags & CLI_FULL_CONNECTION_DONT_SPNEGO) { + if (flags & CLI_FULL_CONNECTION_DONT_SPNEGO) cli->use_spnego = False; - } else if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) { + else if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) cli->use_kerberos = True; - } if (!cli_negprot(cli)) { DEBUG(1,("failed negprot\n")); @@ -1261,18 +1306,22 @@ BOOL attempt_netbios_session_request(struct cli_state *cli, char *srchost, char DEBUG(0,("attempt_netbios_session_request: %s rejected the session for name *SMBSERVER \ with error %s.\n", desthost, cli_errstr(cli) )); - cli_shutdown(cli); return False; } - cli_shutdown(cli); + /* + * We need to close the connection here but can't call cli_shutdown as + * will free an allocated cli struct. cli_close_connection was invented + * for this purpose. JRA. Based on work by "Kim R. Pedersen" . + */ + + cli_close_connection(cli); if (!cli_initialise(cli) || !cli_connect(cli, desthost, pdest_ip) || !cli_session_request(cli, &calling, &smbservername)) { DEBUG(0,("attempt_netbios_session_request: %s rejected the session for \ name *SMBSERVER with error %s\n", desthost, cli_errstr(cli) )); - cli_shutdown(cli); return False; } } -- cgit From ad8a22e570c8970247dc76defc9be2b768bd102d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 1 Oct 2002 13:10:57 +0000 Subject: Updates from Samba HEAD: - Fix segfaults in the 'net ads' commands when no password is provided - Readd --with-ldapsam for 2.2 compatability. This conditionally compiles the old options, but the actual code is available on all ldap systems. - Fix shadow passwords (as per work with vl) - Fix sending plaintext passwords to unicode servers (again vl) - Add a bit of const to secrets.c functions - Fix some spelling and grammer by vance. - Document the -r option in smbgroupedit. There are more changes in HEAD, I'm only merging the changes I've been involved with. Andrew Bartlett (This used to be commit 83973c389355a5cc9ca74af467dfd8b5dabd2c8f) --- source3/libsmb/cliconnect.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 62acccdfb7..3951e3c776 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -184,12 +184,8 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, char *user, char *pass, char *workgroup) { uint32 capabilities = cli_session_setup_capabilities(cli); - fstring pword; - int passlen; char *p; - passlen = clistr_push(cli, pword, pass, sizeof(pword), STR_TERMINATE|STR_ASCII); - set_message(cli->outbuf,13,0,True); SCVAL(cli->outbuf,smb_com,SMBsesssetupX); cli_setup_packet(cli); @@ -202,7 +198,7 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, char *user, SSVAL(cli->outbuf,smb_vwv8,0); SIVAL(cli->outbuf,smb_vwv11,capabilities); p = smb_buf(cli->outbuf); - p += clistr_push(cli, p, pword, -1, STR_TERMINATE); /* password */ + p += clistr_push(cli, p, pass, -1, STR_TERMINATE); /* password */ SSVAL(cli->outbuf,smb_vwv7,PTR_DIFF(p, smb_buf(cli->outbuf))); p += clistr_push(cli, p, user, -1, STR_TERMINATE); /* username */ p += clistr_push(cli, p, workgroup, -1, STR_TERMINATE); /* workgroup */ -- cgit From 9c1b62c0fd06cc65853269db3c63b169daa90664 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 4 Oct 2002 19:33:41 +0000 Subject: merge of working dsrolegetprimdominfo() client code from APP_HEAD (This used to be commit 028477e35208e76fedbc7c743426fd9be94b7cf0) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 3951e3c776..f005ac21f3 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -344,7 +344,7 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, char *user, /* Have plaintext orginal */ set_signing_on_cli(cli, pass, ntpword); } - + return True; } -- cgit From c53eb2ed540e79d6deae5f41e17febc5bf5dbf57 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 17 Oct 2002 17:10:24 +0000 Subject: Added new error codes. Fix up connection code to retry in the same way that app-head does. Jeremy. (This used to be commit ec7953f20145799f6286a295472df4826bfdfb8f) --- source3/libsmb/cliconnect.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index f005ac21f3..6a21121f43 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1153,6 +1153,7 @@ static void init_creds(struct ntuser_creds *creds, char* username, @param user Username, unix string @param domain User's domain @param password User's password, unencrypted unix string. + @param retry BOOL. Did this connection fail with a retryable error ? */ NTSTATUS cli_full_connection(struct cli_state **output_cli, @@ -1161,7 +1162,8 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, struct in_addr *dest_ip, int port, char *service, char *service_type, char *user, char *domain, - char *password, int flags) + char *password, int flags, + BOOL *retry) { struct ntuser_creds creds; NTSTATUS nt_status; @@ -1171,6 +1173,9 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, struct in_addr ip; extern pstring global_myname; + if (retry) + *retry = False; + if (!my_name) my_name = global_myname; @@ -1185,6 +1190,8 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, return NT_STATUS_UNSUCCESSFUL; } + cli_set_timeout(cli, 10000); /* 10 seconds. */ + if (dest_ip) ip = *dest_ip; else @@ -1201,6 +1208,9 @@ again: return NT_STATUS_UNSUCCESSFUL; } + if (retry) + *retry = True; + if (!cli_session_request(cli, &calling, &called)) { char *p; DEBUG(1,("session request to %s failed (%s)\n", -- cgit From 698fe3f07ab059fc2b0a3bac47e36748704fde6d Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 8 Nov 2002 18:45:38 +0000 Subject: patches from Urban (This used to be commit 850b185a6e33fa924fa59cdd6316c9160ba65270) --- source3/libsmb/cliconnect.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 6a21121f43..890dc4dc25 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -124,6 +124,9 @@ static uint32 cli_session_setup_capabilities(struct cli_state *cli) if (cli->capabilities & CAP_UNICODE) capabilities |= CAP_UNICODE; + if (cli->capabilities & CAP_LARGE_FILES) + capabilities |= CAP_LARGE_FILES; + return capabilities; } -- cgit From c19598f2a6a3329e973e14e389e0577ebb914f3b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 8 Nov 2002 23:08:59 +0000 Subject: Merge from HEAD: - change auth_sam to use the initialisation flags to determine if the password attributes are set - add const to secrets.c, cliconnect.c - passdb: fix spelling in pdb_ldap, add group mapping back to smbpasswd - SAMR: add debugs to show what fails for group enum. Andrew Bartlett (This used to be commit 4e74d00b3634abf52aa24bfaa6dbe88202aa57a1) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 890dc4dc25..ee311932a7 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1280,7 +1280,7 @@ again: Attempt a NetBIOS session request, falling back to *SMBSERVER if needed. ****************************************************************************/ -BOOL attempt_netbios_session_request(struct cli_state *cli, char *srchost, char *desthost, +BOOL attempt_netbios_session_request(struct cli_state *cli, const char *srchost, const char *desthost, struct in_addr *pdest_ip) { struct nmb_name calling, called; -- cgit From 2f194322d419350f35a48dff750066894d68eccf Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 12 Nov 2002 23:20:50 +0000 Subject: Removed global_myworkgroup, global_myname, global_myscope. Added liberal dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89) --- source3/libsmb/cliconnect.c | 51 ++++++++++++++++++++++----------------------- 1 file changed, 25 insertions(+), 26 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index ee311932a7..584ad15174 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -44,8 +44,8 @@ static const struct { Do an old lanman2 style session setup. ****************************************************************************/ -static BOOL cli_session_setup_lanman2(struct cli_state *cli, char *user, - char *pass, int passlen, const char *workgroup) +static BOOL cli_session_setup_lanman2(struct cli_state *cli, const char *user, + const char *pass, int passlen, const char *workgroup) { fstring pword; char *p; @@ -183,8 +183,8 @@ static BOOL cli_session_setup_guest(struct cli_state *cli) Do a NT1 plaintext session setup. ****************************************************************************/ -static BOOL cli_session_setup_plaintext(struct cli_state *cli, char *user, - char *pass, char *workgroup) +static BOOL cli_session_setup_plaintext(struct cli_state *cli, const char *user, + const char *pass, const char *workgroup) { uint32 capabilities = cli_session_setup_capabilities(cli); char *p; @@ -228,7 +228,7 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, char *user, return True; } -static void set_signing_on_cli (struct cli_state *cli, char* pass, uint8 response[24]) +static void set_signing_on_cli (struct cli_state *cli, const char* pass, uint8 response[24]) { uint8 zero_sig[8]; ZERO_STRUCT(zero_sig); @@ -264,10 +264,10 @@ static void set_temp_signing_on_cli(struct cli_state *cli) @param workgroup The user's domain. ****************************************************************************/ -static BOOL cli_session_setup_nt1(struct cli_state *cli, char *user, - char *pass, int passlen, - char *ntpass, int ntpasslen, - char *workgroup) +static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, + const char *pass, int passlen, + const char *ntpass, int ntpasslen, + const char *workgroup) { uint32 capabilities = cli_session_setup_capabilities(cli); uchar pword[24]; @@ -423,7 +423,7 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) Do a spnego/kerberos encrypted session setup. ****************************************************************************/ -static BOOL cli_session_setup_kerberos(struct cli_state *cli, char *principal, char *workgroup) +static BOOL cli_session_setup_kerberos(struct cli_state *cli, const char *principal, const char *workgroup) { DATA_BLOB blob2, negTokenTarg; @@ -453,8 +453,8 @@ static BOOL cli_session_setup_kerberos(struct cli_state *cli, char *principal, c Do a spnego/NTLMSSP encrypted session setup. ****************************************************************************/ -static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user, - char *pass, char *workgroup) +static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, + const char *pass, const char *workgroup) { DATA_BLOB msg1, struct_blob; DATA_BLOB blob, chal1, chal2, auth, challenge_blob; @@ -581,8 +581,8 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user, Do a spnego encrypted session setup. ****************************************************************************/ -static BOOL cli_session_setup_spnego(struct cli_state *cli, char *user, - char *pass, char *workgroup) +static BOOL cli_session_setup_spnego(struct cli_state *cli, const char *user, + const char *pass, const char *workgroup) { char *principal; char *OIDs[ASN1_MAX_OIDS]; @@ -646,10 +646,10 @@ ntlmssp: ****************************************************************************/ BOOL cli_session_setup(struct cli_state *cli, - char *user, - char *pass, int passlen, - char *ntpass, int ntpasslen, - char *workgroup) + const char *user, + const char *pass, int passlen, + const char *ntpass, int ntpasslen, + const char *workgroup) { char *p; fstring user2; @@ -1130,8 +1130,8 @@ BOOL cli_connect(struct cli_state *cli, const char *host, struct in_addr *ip) Initialise client credentials for authenticated pipe access. ****************************************************************************/ -static void init_creds(struct ntuser_creds *creds, char* username, - char* domain, char* password) +static void init_creds(struct ntuser_creds *creds, const char* username, + const char* domain, const char* password) { ZERO_STRUCTP(creds); @@ -1163,9 +1163,9 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, const char *my_name, const char *dest_host, struct in_addr *dest_ip, int port, - char *service, char *service_type, - char *user, char *domain, - char *password, int flags, + const char *service, const char *service_type, + const char *user, const char *domain, + const char *password, int flags, BOOL *retry) { struct ntuser_creds creds; @@ -1174,13 +1174,12 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, struct nmb_name called; struct cli_state *cli; struct in_addr ip; - extern pstring global_myname; if (retry) *retry = False; if (!my_name) - my_name = global_myname; + my_name = global_myname(); if (!(cli = cli_initialise(NULL))) return NT_STATUS_NO_MEMORY; @@ -1258,7 +1257,7 @@ again: if (service) { if (!cli_send_tconX(cli, service, service_type, - (char*)password, strlen(password)+1)) { + password, strlen(password)+1)) { DEBUG(1,("failed tcon_X with %s\n", nt_errstr(nt_status))); nt_status = cli_nt_error(cli); cli_shutdown(cli); -- cgit From 9de96c6f24cfa58db7a229c2a902406402cdf4f0 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 4 Jan 2003 09:01:19 +0000 Subject: Merge from HEAD - do an nt_errstr(nt_status) *after* assiging nt_status with the actual error value :-) Andrew Bartlett (This used to be commit 123ae99c7d51c62e9f765cd41018dcc1a70cdd22) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 584ad15174..b758af41c4 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1258,8 +1258,8 @@ again: if (service) { if (!cli_send_tconX(cli, service, service_type, password, strlen(password)+1)) { - DEBUG(1,("failed tcon_X with %s\n", nt_errstr(nt_status))); nt_status = cli_nt_error(cli); + DEBUG(1,("failed tcon_X with %s\n", nt_errstr(nt_status))); cli_shutdown(cli); if (NT_STATUS_IS_OK(nt_status)) { nt_status = NT_STATUS_UNSUCCESSFUL; -- cgit From 1cba0a757970ffd8b81d61c88965010968ab3eff Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 28 Jan 2003 12:07:02 +0000 Subject: Merge from HEAD: - NTLMSSP over SPENGO (sesssion-setup-and-x) cleanup and code refactor. - also consequential changes to the NTLMSSP and SPNEGO parsing functions - and the client code that uses the same functions - Add ntlm_auth, a NTLMSSP authentication interface for use by applications like Squid and Apache. - also consquential changes to use common code for base64 encode/decode. - Winbind changes to support ntlm_auth (I don't want this program to need to read smb.conf, instead getting all it's details over the pipe). - nmbd changes for fstrcat() instead of fstrcpy(). Andrew Bartlett (This used to be commit fbb46da79cf322570a7e3318100c304bbf33409e) --- source3/libsmb/cliconnect.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index b758af41c4..389b7a1733 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -465,7 +465,8 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, neg_flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_128 | - NTLMSSP_NEGOTIATE_NTLM; + NTLMSSP_NEGOTIATE_NTLM | + NTLMSSP_REQUEST_TARGET; memset(sess_key, 0, 16); @@ -476,8 +477,8 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, "NTLMSSP", NTLMSSP_NEGOTIATE, neg_flags, - workgroup, strlen(workgroup), - cli->calling.name, strlen(cli->calling.name) + 1); + workgroup, + cli->calling.name); DEBUG(10, ("neg_flags: %0X, workgroup: %s, calling name %s\n", neg_flags, workgroup, cli->calling.name)); /* and wrap it in a SPNEGO wrapper */ -- cgit From d1221c9b6c369113a531063737890b58d89bf6fe Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 24 Feb 2003 02:55:00 +0000 Subject: Merge from HEAD client-side authentication changes: - new kerberos code, allowing the account to change it's own password without special SD settings required - NTLMSSP client code, now seperated from cliconnect.c - NTLMv2 client code - SMB signing fixes Andrew Bartlett (This used to be commit 837680ca517982f2e5944730581a83012d4181ae) --- source3/libsmb/cliconnect.c | 313 +++++++++++++++++++++++--------------------- 1 file changed, 165 insertions(+), 148 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 389b7a1733..4962ffa3c9 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -2,7 +2,7 @@ Unix SMB/CIFS implementation. client connect/disconnect routines Copyright (C) Andrew Tridgell 1994-1998 - Copyright (C) Andrew Barteltt 2001-2002 + Copyright (C) Andrew Bartlett 2001-2003 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -45,7 +45,7 @@ static const struct { ****************************************************************************/ static BOOL cli_session_setup_lanman2(struct cli_state *cli, const char *user, - const char *pass, int passlen, const char *workgroup) + const char *pass, size_t passlen, const char *workgroup) { fstring pword; char *p; @@ -228,7 +228,7 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, const char *user, return True; } -static void set_signing_on_cli (struct cli_state *cli, const char* pass, uint8 response[24]) +static void set_signing_on_cli (struct cli_state *cli, uint8 user_session_key[16], DATA_BLOB response) { uint8 zero_sig[8]; ZERO_STRUCT(zero_sig); @@ -242,12 +242,18 @@ static void set_signing_on_cli (struct cli_state *cli, const char* pass, uint8 r DEBUG(3, ("smb signing enabled!\n")); cli->sign_info.use_smb_signing = True; - cli_calculate_mac_key(cli, pass, response); + cli_calculate_mac_key(cli, user_session_key, response); } else { DEBUG(5, ("smb signing NOT enabled!\n")); } } +static void set_cli_session_key (struct cli_state *cli, DATA_BLOB session_key) +{ + memcpy(cli->user_session_key, session_key.data, MIN(session_key.length, sizeof(cli->user_session_key))); +} + + static void set_temp_signing_on_cli(struct cli_state *cli) { if (cli->sign_info.negotiated_smb_signing) @@ -265,37 +271,54 @@ static void set_temp_signing_on_cli(struct cli_state *cli) ****************************************************************************/ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, - const char *pass, int passlen, - const char *ntpass, int ntpasslen, + const char *pass, size_t passlen, + const char *ntpass, size_t ntpasslen, const char *workgroup) { uint32 capabilities = cli_session_setup_capabilities(cli); - uchar pword[24]; - uchar ntpword[24]; + DATA_BLOB lm_response = data_blob(NULL, 0); + DATA_BLOB nt_response = data_blob(NULL, 0); + DATA_BLOB session_key = data_blob(NULL, 0); + BOOL ret = False; char *p; - BOOL have_plaintext = False; - - if (passlen > sizeof(pword) || ntpasslen > sizeof(ntpword)) - return False; if (passlen != 24) { - /* non encrypted password supplied. Ignore ntpass. */ - passlen = 24; - ntpasslen = 24; - SMBencrypt(pass,cli->secblob.data,pword); - SMBNTencrypt(pass,cli->secblob.data,ntpword); + if (lp_client_ntlmv2_auth()) { + DATA_BLOB server_chal; + + server_chal = data_blob(cli->secblob.data, MIN(cli->secblob.length, 8)); + + if (!SMBNTLMv2encrypt(user, workgroup, pass, server_chal, + &lm_response, &nt_response, &session_key)) { + data_blob_free(&server_chal); + return False; + } + data_blob_free(&server_chal); + + } else { + uchar nt_hash[16]; + E_md4hash(pass, nt_hash); + + /* non encrypted password supplied. Ignore ntpass. */ + if (lp_client_lanman_auth()) { + lm_response = data_blob(NULL, 24); + SMBencrypt(pass,cli->secblob.data,lm_response.data); + } + + nt_response = data_blob(NULL, 24); + SMBNTencrypt(pass,cli->secblob.data,nt_response.data); + session_key = data_blob(NULL, 16); + SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data); + } - have_plaintext = True; set_temp_signing_on_cli(cli); } else { /* pre-encrypted password supplied. Only used for security=server, can't do signing becouse we don't have oringial key */ - memcpy(pword, pass, 24); - if (ntpasslen == 24) - memcpy(ntpword, ntpass, 24); - else - ZERO_STRUCT(ntpword); + + lm_response = data_blob(pass, passlen); + nt_response = data_blob(ntpass, ntpasslen); } /* send a session setup command */ @@ -310,28 +333,33 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, SSVAL(cli->outbuf,smb_vwv3,2); SSVAL(cli->outbuf,smb_vwv4,cli->pid); SIVAL(cli->outbuf,smb_vwv5,cli->sesskey); - SSVAL(cli->outbuf,smb_vwv7,passlen); - SSVAL(cli->outbuf,smb_vwv8,ntpasslen); + SSVAL(cli->outbuf,smb_vwv7,lm_response.length); + SSVAL(cli->outbuf,smb_vwv8,nt_response.length); SIVAL(cli->outbuf,smb_vwv11,capabilities); p = smb_buf(cli->outbuf); - memcpy(p,pword,passlen); p += passlen; - memcpy(p,ntpword,ntpasslen); p += ntpasslen; + if (lm_response.length) { + memcpy(p,lm_response.data, lm_response.length); p += lm_response.length; + } + if (nt_response.length) { + memcpy(p,nt_response.data, nt_response.length); p += nt_response.length; + } p += clistr_push(cli, p, user, -1, STR_TERMINATE); p += clistr_push(cli, p, workgroup, -1, STR_TERMINATE); p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE); p += clistr_push(cli, p, "Samba", -1, STR_TERMINATE); cli_setup_bcc(cli, p); - if (!cli_send_smb(cli)) - return False; - - if (!cli_receive_smb(cli)) - return False; + if (!cli_send_smb(cli) || !cli_receive_smb(cli)) { + ret = False; + goto end; + } show_msg(cli->inbuf); - if (cli_is_error(cli)) - return False; + if (cli_is_error(cli)) { + ret = False; + goto end; + } /* use the returned vuid from now on */ cli->vuid = SVAL(cli->inbuf,smb_uid); @@ -343,11 +371,16 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, fstrcpy(cli->user_name, user); - if (have_plaintext) { + if (session_key.data) { /* Have plaintext orginal */ - set_signing_on_cli(cli, pass, ntpword); + set_cli_session_key(cli, session_key); + set_signing_on_cli(cli, session_key.data, nt_response); } - + +end: + data_blob_free(&lm_response); + data_blob_free(&nt_response); + data_blob_free(&session_key); return True; } @@ -359,11 +392,9 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) { uint32 capabilities = cli_session_setup_capabilities(cli); char *p; - DATA_BLOB blob2; + DATA_BLOB blob2 = data_blob(NULL, 0); uint32 len; - blob2 = data_blob(NULL, 0); - capabilities |= CAP_EXTENDED_SECURITY; /* send a session setup command */ @@ -419,6 +450,13 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) } #ifdef HAVE_KRB5 +/**************************************************************************** + Use in-memory credentials cache +****************************************************************************/ +static void use_in_memory_ccache(void) { + setenv(KRB5_ENV_CCNAME, "MEMORY:cliconnect", 1); +} + /**************************************************************************** Do a spnego/kerberos encrypted session setup. ****************************************************************************/ @@ -456,126 +494,87 @@ static BOOL cli_session_setup_kerberos(struct cli_state *cli, const char *princi static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, const char *pass, const char *workgroup) { - DATA_BLOB msg1, struct_blob; - DATA_BLOB blob, chal1, chal2, auth, challenge_blob; - uint8 challenge[8]; - uint8 nthash[24], lmhash[24], sess_key[16]; - uint32 neg_flags, chal_flags, ntlmssp_command, unkn1, unkn2; - pstring server_domain; /* FIX THIS, SHOULD be UCS2-LE */ - - neg_flags = NTLMSSP_NEGOTIATE_UNICODE | - NTLMSSP_NEGOTIATE_128 | - NTLMSSP_NEGOTIATE_NTLM | - NTLMSSP_REQUEST_TARGET; - - memset(sess_key, 0, 16); - - DEBUG(10, ("sending NTLMSSP_NEGOTIATE\n")); - - /* generate the ntlmssp negotiate packet */ - msrpc_gen(&blob, "CddAA", - "NTLMSSP", - NTLMSSP_NEGOTIATE, - neg_flags, - workgroup, - cli->calling.name); - DEBUG(10, ("neg_flags: %0X, workgroup: %s, calling name %s\n", - neg_flags, workgroup, cli->calling.name)); - /* and wrap it in a SPNEGO wrapper */ - msg1 = gen_negTokenInit(OID_NTLMSSP, blob); - data_blob_free(&blob); - - /* now send that blob on its way */ - blob = cli_session_setup_blob(cli, msg1); - - data_blob_free(&msg1); + struct ntlmssp_client_state *ntlmssp_state; + NTSTATUS nt_status; + int turn = 1; + DATA_BLOB msg1; + DATA_BLOB blob; + DATA_BLOB blob_in = data_blob(NULL, 0); + DATA_BLOB blob_out; - if (!NT_STATUS_EQUAL(cli_nt_error(cli), NT_STATUS_MORE_PROCESSING_REQUIRED)) + if (!NT_STATUS_IS_OK(nt_status = ntlmssp_client_start(&ntlmssp_state))) { return False; + } -#if 0 - file_save("chal.dat", blob.data, blob.length); -#endif - - /* the server gives us back two challenges */ - if (!spnego_parse_challenge(blob, &chal1, &chal2)) { - DEBUG(3,("Failed to parse challenges\n")); + if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_username(ntlmssp_state, user))) { return False; } - - data_blob_free(&blob); - - /* - * Ok, chal1 and chal2 are actually two identical copies of - * the NTLMSSP Challenge BLOB, and they contain, encoded in them - * the challenge to use. - */ - - if (!msrpc_parse(&chal1, "CdUdbddB", - "NTLMSSP", - &ntlmssp_command, - &server_domain, - &chal_flags, - &challenge_blob, 8, - &unkn1, &unkn2, - &struct_blob)) { - DEBUG(0, ("Failed to parse the NTLMSSP Challenge\n")); - return False; + if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_domain(ntlmssp_state, workgroup))) { + return False; } - - if (ntlmssp_command != NTLMSSP_CHALLENGE) { - DEBUG(0, ("NTLMSSP Response != NTLMSSP_CHALLENGE. Got %0X\n", - ntlmssp_command)); + if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_password(ntlmssp_state, pass))) { return False; } - - DEBUG(10, ("Challenge:\n")); - dump_data(10, challenge_blob.data, 8); - - /* encrypt the password with the challenge which is in the blob */ - memcpy(challenge, challenge_blob.data, 8); - SMBencrypt(pass, challenge,lmhash); - SMBNTencrypt(pass, challenge,nthash); - data_blob_free(&challenge_blob); - -#if 0 - file_save("nthash.dat", nthash, 24); - file_save("lmhash.dat", lmhash, 24); - file_save("chal1.dat", chal1.data, chal1.length); -#endif - - data_blob_free(&chal1); - data_blob_free(&chal2); - /* this generates the actual auth packet */ - msrpc_gen(&blob, "CdBBUUUBd", - "NTLMSSP", - NTLMSSP_AUTH, - lmhash, 24, - nthash, 24, - workgroup, - user, - cli->calling.name, - sess_key, 0, - neg_flags); - - /* wrap it in SPNEGO */ - auth = spnego_gen_auth(blob); - - data_blob_free(&blob); - - /* now send the auth packet and we should be done */ - blob = cli_session_setup_blob(cli, auth); + ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth(); + + do { + nt_status = ntlmssp_client_update(ntlmssp_state, + blob_in, &blob_out); + data_blob_free(&blob_in); + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + if (turn == 1) { + /* and wrap it in a SPNEGO wrapper */ + msg1 = gen_negTokenInit(OID_NTLMSSP, blob_out); + } else { + /* wrap it in SPNEGO */ + msg1 = spnego_gen_auth(blob_out); + } + + /* now send that blob on its way */ + blob = cli_session_setup_blob(cli, msg1); + data_blob_free(&msg1); + nt_status = cli_nt_error(cli); + } + + if (!blob.length) { + if (NT_STATUS_IS_OK(nt_status)) { + nt_status = NT_STATUS_UNSUCCESSFUL; + } + } else if ((turn == 1) && + NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + DATA_BLOB tmp_blob = data_blob(NULL, 0); + /* the server might give us back two challenges */ + if (!spnego_parse_challenge(blob, &blob_in, + &tmp_blob)) { + DEBUG(3,("Failed to parse challenges\n")); + nt_status = NT_STATUS_INVALID_PARAMETER; + } + data_blob_free(&tmp_blob); + } else { + /* the server might give us back two challenges */ + if (!spnego_parse_auth_response(blob, nt_status, + &blob_in)) { + DEBUG(3,("Failed to parse auth response\n")); + if (NT_STATUS_IS_OK(nt_status) + || NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) + nt_status = NT_STATUS_INVALID_PARAMETER; + } + } + data_blob_free(&blob); + data_blob_free(&blob_out); + turn++; + } while (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)); - data_blob_free(&auth); - data_blob_free(&blob); + if (NT_STATUS_IS_OK(nt_status)) { + set_cli_session_key(cli, ntlmssp_state->session_key); + } - if (cli_is_error(cli)) + if (!NT_STATUS_IS_OK(ntlmssp_client_end(&ntlmssp_state))) { return False; + } - set_signing_on_cli(cli, pass, nthash); - - return True; + return (NT_STATUS_IS_OK(nt_status)); } /**************************************************************************** @@ -628,7 +627,22 @@ static BOOL cli_session_setup_spnego(struct cli_state *cli, const char *user, fstrcpy(cli->user_name, user); #ifdef HAVE_KRB5 + /* If password is set we reauthenticate to kerberos server + * and do not store results */ + if (got_kerberos_mechanism && cli->use_kerberos) { + if (*pass) { + int ret; + + use_in_memory_ccache(); + ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */); + + if (ret){ + DEBUG(0, ("Kinit failed: %s\n", error_message(ret))); + return False; + } + } + return cli_session_setup_kerberos(cli, principal, workgroup); } #endif @@ -942,7 +956,10 @@ BOOL cli_negprot(struct cli_state *cli) smb_buflen(cli->inbuf)-8, STR_UNICODE|STR_NOALIGN); } - if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED)) + if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED)) + cli->sign_info.negotiated_smb_signing = True; + + if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) && cli->sign_info.allow_smb_signing) cli->sign_info.negotiated_smb_signing = True; } else if (cli->protocol >= PROTOCOL_LANMAN1) { -- cgit From 6f4aee34d9ba6c1e397192941e2c08cff2737455 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 5 Mar 2003 00:54:16 +0000 Subject: Connectathon fix. W2K -> W2K over port 445 doing a tconX does the full \\server\share syntax, not just a "share" tconX syntax. This broke interop with a vendor. Jeremy. (This used to be commit 3cc2ace7718ac1162494b81fa21d4cc9de021d1c) --- source3/libsmb/cliconnect.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 4962ffa3c9..49b0004ac2 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -780,13 +780,8 @@ BOOL cli_send_tconX(struct cli_state *cli, } } - if (cli->port == 445) { - slprintf(fullshare, sizeof(fullshare)-1, - "%s", share); - } else { - slprintf(fullshare, sizeof(fullshare)-1, - "\\\\%s\\%s", cli->desthost, share); - } + slprintf(fullshare, sizeof(fullshare)-1, + "\\\\%s\\%s", cli->desthost, share); set_message(cli->outbuf,4, 0, True); SCVAL(cli->outbuf,smb_com,SMBtconX); -- cgit From d5ee9b2f480ddbda0b8f69409698d27c99384f9c Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 18 Mar 2003 11:22:52 +0000 Subject: Jeremy merged across my string parinoia fixes, but forgot to enable them! :-) This patch catches up on the rest of the work - as much string checking as is possible is done at compile time, and the rest at runtime. Lots of code converted to pstrcpy() etc, and other code reworked to correctly call sizeof(). Andrew Bartlett (This used to be commit c5b604e2ee67d74241ae2fa07ae904647d35a2be) --- source3/libsmb/cliconnect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 49b0004ac2..54a282e805 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -66,7 +66,7 @@ static BOOL cli_session_setup_lanman2(struct cli_state *cli, const char *user, memcpy(pword, pass, passlen); } else if (passlen > 0) { /* Plaintext mode needed, assume plaintext supplied. */ - passlen = clistr_push(cli, pword, pass, -1, STR_TERMINATE); + passlen = clistr_push(cli, pword, pass, sizeof(pword), STR_TERMINATE); } /* send a session setup command */ @@ -774,7 +774,7 @@ BOOL cli_send_tconX(struct cli_state *cli, /* * Non-encrypted passwords - convert to DOS codepage before using. */ - passlen = clistr_push(cli, pword, pass, -1, STR_TERMINATE); + passlen = clistr_push(cli, pword, pass, sizeof(pword), STR_TERMINATE); } else { memcpy(pword, pass, passlen); } -- cgit From 892599fb92b6158e86a3934c8f2045ee457f38e3 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 18 Mar 2003 12:01:47 +0000 Subject: Merge from HEAD: A much better SMB signing module, that allows for mulitple signing algorithms and correctly backs down from signing when the server cannot sign the reply. This also attempts to enable SMB signing on NTLMSSP connections, but I don't know what NTLMSSP flags to set yet. This would allow 'client use signing' to be set by default, for server compatability. (A seperate option value should be provided for mandetory signing, which would not back down). Andrew Bartlett (This used to be commit 1c87be7a3d127201a6ab78d22d17c971af16b86b) --- source3/libsmb/cliconnect.c | 94 +++++++++++++++++++++------------------------ 1 file changed, 44 insertions(+), 50 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 54a282e805..763878f9b3 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -228,39 +228,11 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, const char *user, return True; } -static void set_signing_on_cli (struct cli_state *cli, uint8 user_session_key[16], DATA_BLOB response) -{ - uint8 zero_sig[8]; - ZERO_STRUCT(zero_sig); - - DEBUG(5, ("Server returned security sig:\n")); - dump_data(5, &cli->inbuf[smb_ss_field], 8); - - if (cli->sign_info.use_smb_signing) { - DEBUG(5, ("smb signing already active on connection\n")); - } else if (memcmp(&cli->inbuf[smb_ss_field], zero_sig, 8) != 0) { - - DEBUG(3, ("smb signing enabled!\n")); - cli->sign_info.use_smb_signing = True; - cli_calculate_mac_key(cli, user_session_key, response); - } else { - DEBUG(5, ("smb signing NOT enabled!\n")); - } -} - static void set_cli_session_key (struct cli_state *cli, DATA_BLOB session_key) { memcpy(cli->user_session_key, session_key.data, MIN(session_key.length, sizeof(cli->user_session_key))); } - -static void set_temp_signing_on_cli(struct cli_state *cli) -{ - if (cli->sign_info.negotiated_smb_signing) - cli->sign_info.temp_smb_signing = True; -} - - /**************************************************************************** do a NT1 NTLM/LM encrypted session setup @param cli client state to create do session setup on @@ -310,8 +282,7 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, session_key = data_blob(NULL, 16); SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data); } - - set_temp_signing_on_cli(cli); + cli_simple_set_signing(cli, session_key.data, nt_response); } else { /* pre-encrypted password supplied. Only used for security=server, can't do @@ -374,26 +345,24 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, if (session_key.data) { /* Have plaintext orginal */ set_cli_session_key(cli, session_key); - set_signing_on_cli(cli, session_key.data, nt_response); } + ret = True; end: data_blob_free(&lm_response); data_blob_free(&nt_response); data_blob_free(&session_key); - return True; + return ret; } /**************************************************************************** - Send a extended security session setup blob, returning a reply blob. + Send a extended security session setup blob ****************************************************************************/ -static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) +static BOOL cli_session_setup_blob_send(struct cli_state *cli, DATA_BLOB blob) { uint32 capabilities = cli_session_setup_capabilities(cli); char *p; - DATA_BLOB blob2 = data_blob(NULL, 0); - uint32 len; capabilities |= CAP_EXTENDED_SECURITY; @@ -403,8 +372,6 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) set_message(cli->outbuf,12,0,True); SCVAL(cli->outbuf,smb_com,SMBsesssetupX); - set_temp_signing_on_cli(cli); - cli_setup_packet(cli); SCVAL(cli->outbuf,smb_vwv0,0xFF); @@ -420,7 +387,18 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE); p += clistr_push(cli, p, "Samba", -1, STR_TERMINATE); cli_setup_bcc(cli, p); - cli_send_smb(cli); + return cli_send_smb(cli); +} + +/**************************************************************************** + Send a extended security session setup blob, returning a reply blob. +****************************************************************************/ + +static DATA_BLOB cli_session_setup_blob_receive(struct cli_state *cli) +{ + DATA_BLOB blob2 = data_blob(NULL, 0); + char *p; + size_t len; if (!cli_receive_smb(cli)) return blob2; @@ -449,6 +427,20 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) return blob2; } +/**************************************************************************** + Send a extended security session setup blob, returning a reply blob. +****************************************************************************/ + +static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) +{ + DATA_BLOB blob2 = data_blob(NULL, 0); + if (!cli_session_setup_blob_send(cli, blob)) { + return blob2; + } + + return cli_session_setup_blob_receive(cli); +} + #ifdef HAVE_KRB5 /**************************************************************************** Use in-memory credentials cache @@ -502,6 +494,8 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, DATA_BLOB blob_in = data_blob(NULL, 0); DATA_BLOB blob_out; + cli_temp_set_signing(cli); + if (!NT_STATUS_IS_OK(nt_status = ntlmssp_client_start(&ntlmssp_state))) { return False; } @@ -532,8 +526,15 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, } /* now send that blob on its way */ - blob = cli_session_setup_blob(cli, msg1); + if (!cli_session_setup_blob_send(cli, msg1)) { + return False; + } data_blob_free(&msg1); + + cli_ntlmssp_set_signing(cli, ntlmssp_state); + + blob = cli_session_setup_blob_receive(cli); + nt_status = cli_nt_error(cli); } @@ -570,6 +571,9 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, set_cli_session_key(cli, ntlmssp_state->session_key); } + /* we have a reference conter on ntlmssp_state, if we are signing + then the state will be kept by the signing engine */ + if (!NT_STATUS_IS_OK(ntlmssp_client_end(&ntlmssp_state))) { return False; } @@ -883,11 +887,6 @@ BOOL cli_negprot(struct cli_state *cli) int numprots; int plength; - if (cli->sign_info.use_smb_signing) { - DEBUG(0, ("Cannot send negprot again, particularly after setting up SMB Signing\n")); - return False; - } - if (cli->protocol < PROTOCOL_NT1) cli->use_spnego = False; @@ -1013,11 +1012,6 @@ BOOL cli_session_request(struct cli_state *cli, if (cli->port == 445) return True; - if (cli->sign_info.use_smb_signing) { - DEBUG(0, ("Cannot send session resquest again, particularly after setting up SMB Signing\n")); - return False; - } - /* send a session request (RFC 1002) */ /* setup the packet length * Remove four bytes from the length count, since the length -- cgit From 19cda0035e5e056595ac9a96bfb3b029b76eb4d2 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 14 Apr 2003 04:15:24 +0000 Subject: Merge cliconnect.c so smbtree builds. (This used to be commit 5df53e9d8a8b1861d9997a775cfd6d8fe472bdc4) --- source3/libsmb/cliconnect.c | 114 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 113 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 763878f9b3..4bfa694e63 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -750,7 +750,6 @@ BOOL cli_ulogoff(struct cli_state *cli) /**************************************************************************** Send a tconX. ****************************************************************************/ - BOOL cli_send_tconX(struct cli_state *cli, const char *share, const char *dev, const char *pass, int passlen) { @@ -1343,3 +1342,116 @@ name *SMBSERVER with error %s\n", desthost, cli_errstr(cli) )); return True; } + + + + + +/**************************************************************************** + Send an old style tcon. +****************************************************************************/ +NTSTATUS cli_raw_tcon(struct cli_state *cli, + const char *service, const char *pass, const char *dev, + uint16 *max_xmit, uint16 *tid) +{ + char *p; + + memset(cli->outbuf,'\0',smb_size); + memset(cli->inbuf,'\0',smb_size); + + set_message(cli->outbuf, 0, 0, True); + SCVAL(cli->outbuf,smb_com,SMBtcon); + cli_setup_packet(cli); + + p = smb_buf(cli->outbuf); + *p++ = 4; p += clistr_push(cli, p, service, -1, STR_TERMINATE | STR_NOALIGN); + *p++ = 4; p += clistr_push(cli, p, pass, -1, STR_TERMINATE | STR_NOALIGN); + *p++ = 4; p += clistr_push(cli, p, dev, -1, STR_TERMINATE | STR_NOALIGN); + + cli_setup_bcc(cli, p); + + cli_send_smb(cli); + if (!cli_receive_smb(cli)) { + return NT_STATUS_UNEXPECTED_NETWORK_ERROR; + } + + if (cli_is_error(cli)) { + return cli_nt_error(cli); + } + + *max_xmit = SVAL(cli->inbuf, smb_vwv0); + *tid = SVAL(cli->inbuf, smb_vwv1); + + return NT_STATUS_OK; +} + +/* Return a cli_state pointing at the IPC$ share for the given server */ + +struct cli_state *get_ipc_connect(char *server, struct in_addr *server_ip, + struct user_auth_info *user_info) +{ + struct cli_state *cli; + pstring myname; + NTSTATUS nt_status; + + get_myname(myname); + + nt_status = cli_full_connection(&cli, myname, server, server_ip, 0, "IPC$", "IPC", + user_info->username, lp_workgroup(), user_info->password, + CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK, NULL); + + if (NT_STATUS_IS_OK(nt_status)) { + return cli; + } else if (is_ipaddress(server)) { + /* windows 9* needs a correct NMB name for connections */ + fstring remote_name; + + if (name_status_find("*", 0, 0, *server_ip, remote_name)) { + cli = get_ipc_connect(remote_name, server_ip, user_info); + if (cli) + return cli; + } + } + return NULL; +} + +/* Return the IP address and workgroup of a master browser on the + network. */ + +struct cli_state *get_ipc_connect_master_ip_bcast(pstring workgroup, struct user_auth_info *user_info) +{ + struct in_addr *ip_list; + struct cli_state *cli; + int i, count; + struct in_addr server_ip; + + /* Go looking for workgroups by broadcasting on the local network */ + + if (!name_resolve_bcast(MSBROWSE, 1, &ip_list, &count)) { + return False; + } + + for (i = 0; i < count; i++) { + static fstring name; + + if (!name_status_find("*", 0, 0x1d, ip_list[i], name)) + continue; + + if (!find_master_ip(name, &server_ip)) + continue; + + pstrcpy(workgroup, name); + + DEBUG(4, ("found master browser %s, %s\n", + name, inet_ntoa(ip_list[i]))); + + cli = get_ipc_connect(inet_ntoa(server_ip), &server_ip, user_info); + + if (!cli) + continue; + + return cli; + } + + return NULL; +} -- cgit From 2e9c2084a640fd9940bc3f17c42e9edc1f015152 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 23 Apr 2003 09:26:07 +0000 Subject: Add a check to ensure that the server returns the correct device type, not just the correct error. This should help us avoid breaking NT4 IPC$ connections, for example. This has required that we don't overwrite the device type for IPC$ in our tcon&X code, but only smbwrapper even uses it, and a server that doesn't send a correct dev type breaks other things pretty badly. In any case, I'll 'fix' smbwrapper :-). Andrew Bartlett (This used to be commit a93057efcb6e639be05b7bdcb9729ed8f39f5f62) --- source3/libsmb/cliconnect.c | 3 --- 1 file changed, 3 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 4bfa694e63..9dddb6a163 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -810,9 +810,6 @@ BOOL cli_send_tconX(struct cli_state *cli, clistr_pull(cli, cli->dev, smb_buf(cli->inbuf), sizeof(fstring), -1, STR_TERMINATE|STR_ASCII); - if (strcasecmp(share,"IPC$")==0) - fstrcpy(cli->dev, "IPC"); - if (cli->protocol >= PROTOCOL_NT1 && smb_buflen(cli->inbuf) == 3) { /* almost certainly win95 - enable bug fixes */ -- cgit From 423bd582f4f0f03ff086054060954e8e23cd02cd Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 5 May 2003 05:15:54 +0000 Subject: Allow the NTLMv2 functions to spit out both possible varients on the session key, so we can test it in ntlm_auth. I suspect the 'lm' version doesn't exist, but it's easy to change back. Andrew Bartlett (This used to be commit 5efd95622c411f123660b6613b86c7a68bba68e8) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 9dddb6a163..982cbfff06 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -261,7 +261,7 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, server_chal = data_blob(cli->secblob.data, MIN(cli->secblob.length, 8)); if (!SMBNTLMv2encrypt(user, workgroup, pass, server_chal, - &lm_response, &nt_response, &session_key)) { + &lm_response, &nt_response, NULL, &session_key)) { data_blob_free(&server_chal); return False; } -- cgit From d06f95ca78834403a602e4c1d64e13e059f3017e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 9 May 2003 14:42:20 +0000 Subject: Finally get NTLMv2 working on the client! With big thanks to tpot for the ethereal disector, and for the base code behind this, we now fully support NTLMv2 as a client. In particular, we support it with direct domain logons (tested with ntlm_auth --diagnostics), with 'old style' session setups, and with NTLMSSP. In fact, for NTLMSSP we recycle one of the parts of the server's reply directly... (we might need to parse for unicode issues later). In particular, a Win2k domain controller now supplies us with a session key for this password, which means that doman joins, and non-spnego SMB signing are now supported with NTLMv2! Andrew Bartlett (This used to be commit 9f6a26769d345d319ec167cd0e82a45e1207ed81) --- source3/libsmb/cliconnect.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 982cbfff06..f58a458aba 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -257,14 +257,23 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, if (passlen != 24) { if (lp_client_ntlmv2_auth()) { DATA_BLOB server_chal; - + DATA_BLOB names_blob; server_chal = data_blob(cli->secblob.data, MIN(cli->secblob.length, 8)); - if (!SMBNTLMv2encrypt(user, workgroup, pass, server_chal, - &lm_response, &nt_response, NULL, &session_key)) { + /* note that the 'workgroup' here is a best guess - we don't know + the server's domain at this point. The 'server name' is also + dodgy... + */ + names_blob = NTLMv2_generate_names_blob(cli->called.name, workgroup); + + if (!SMBNTLMv2encrypt(user, workgroup, pass, &server_chal, + &names_blob, + &lm_response, &nt_response, &session_key)) { + data_blob_free(&names_blob); data_blob_free(&server_chal); return False; } + data_blob_free(&names_blob); data_blob_free(&server_chal); } else { -- cgit From 402fbc518a5489b33f1c5eafb8e6acb9ee5addbd Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 14 May 2003 00:46:43 +0000 Subject: spelling (This used to be commit 865c11275685c85124b506c9bbd2a8bde2e760b9) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index f58a458aba..154a7cae58 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -295,7 +295,7 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, } else { /* pre-encrypted password supplied. Only used for security=server, can't do - signing becouse we don't have oringial key */ + signing because we don't have original key */ lm_response = data_blob(pass, passlen); nt_response = data_blob(ntpass, ntpasslen); -- cgit From c52ee09afe06dce29118356078cc4c26b126afc6 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 21 May 2003 16:12:07 +0000 Subject: fix for UNICODE plaintext passwords (bug #59) and fix smbclient to send the unicode plain text password if negoitated (This used to be commit e7d635af80c844f17ff9f34c26c1e9c978951ce1) --- source3/libsmb/cliconnect.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 154a7cae58..8ebac7bae7 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -188,6 +188,9 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, const char *user, { uint32 capabilities = cli_session_setup_capabilities(cli); char *p; + fstring lanman; + + snprintf( lanman, sizeof(lanman), "Samba %s", VERSION ); set_message(cli->outbuf,13,0,True); SCVAL(cli->outbuf,smb_com,SMBsesssetupX); @@ -201,12 +204,22 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, const char *user, SSVAL(cli->outbuf,smb_vwv8,0); SIVAL(cli->outbuf,smb_vwv11,capabilities); p = smb_buf(cli->outbuf); - p += clistr_push(cli, p, pass, -1, STR_TERMINATE); /* password */ - SSVAL(cli->outbuf,smb_vwv7,PTR_DIFF(p, smb_buf(cli->outbuf))); + + /* check wether to send the ASCII or UNICODE version of the password */ + + if ( (capabilities & CAP_UNICODE) == 0 ) { + p += clistr_push(cli, p, pass, -1, STR_TERMINATE); /* password */ + SSVAL(cli->outbuf,smb_vwv7,PTR_DIFF(p, smb_buf(cli->outbuf))); + } + else { + p += clistr_push(cli, p, pass, -1, STR_UNICODE|STR_TERMINATE); /* unicode password */ + SSVAL(cli->outbuf,smb_vwv8,PTR_DIFF(p, smb_buf(cli->outbuf))); + } + p += clistr_push(cli, p, user, -1, STR_TERMINATE); /* username */ p += clistr_push(cli, p, workgroup, -1, STR_TERMINATE); /* workgroup */ p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE); - p += clistr_push(cli, p, "Samba", -1, STR_TERMINATE); + p += clistr_push(cli, p, lanman, -1, STR_TERMINATE); cli_setup_bcc(cli, p); cli_send_smb(cli); -- cgit From e4bc8f08c35aeff9aa430058a82a16a515ef474d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 8 Jun 2003 12:49:31 +0000 Subject: Enforce 'client plaintext auth', 'client lanman auth' and 'client ntlmv2 auth'. (this now causes things like the LANMAN protocol and contacting servers with 'encrypt passwords = no' set to fail, if configured) 'client ntlmv2 auth' (a BOOL) forces both plaintext and lanman off, and is the most secure setting for compatible hosts. Perhaps we should change this to 'client minimum auth'? Andrew Bartlett (This used to be commit e1fb681e4c921456fde154b87687722a18ed4aac) --- source3/libsmb/cliconnect.c | 58 ++++++++++++++++++++++++++++++++++++++------- 1 file changed, 49 insertions(+), 9 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 8ebac7bae7..ffacc3af9a 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -293,14 +293,18 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, uchar nt_hash[16]; E_md4hash(pass, nt_hash); + nt_response = data_blob(NULL, 24); + SMBNTencrypt(pass,cli->secblob.data,nt_response.data); + /* non encrypted password supplied. Ignore ntpass. */ if (lp_client_lanman_auth()) { lm_response = data_blob(NULL, 24); - SMBencrypt(pass,cli->secblob.data,lm_response.data); + SMBencrypt(pass,cli->secblob.data, lm_response.data); + } else { + /* LM disabled, place NT# in LM feild instead */ + lm_response = data_blob(nt_response.data, nt_response.length); } - nt_response = data_blob(NULL, 24); - SMBNTencrypt(pass,cli->secblob.data,nt_response.data); session_key = data_blob(NULL, 16); SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data); } @@ -575,7 +579,6 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, } data_blob_free(&tmp_blob); } else { - /* the server might give us back two challenges */ if (!spnego_parse_auth_response(blob, nt_status, &blob_in)) { DEBUG(3,("Failed to parse auth response\n")); @@ -713,8 +716,22 @@ BOOL cli_session_setup(struct cli_state *cli, /* if its an older server then we have to use the older request format */ - if (cli->protocol < PROTOCOL_NT1) + if (cli->protocol < PROTOCOL_NT1) { + if (!lp_client_lanman_auth() && passlen != 24 && (*pass)) { + DEBUG(1, ("Server requested LM password but 'client lanman auth'" + " is disabled\n")); + return False; + } + + if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0 && + !lp_client_plaintext_auth() && (*pass)) { + DEBUG(1, ("Server requested plaintext password but 'client use plaintext auth'" + " is disabled\n")); + return False; + } + return cli_session_setup_lanman2(cli, user, pass, passlen, workgroup); + } /* if no user is supplied then we have to do an anonymous connection. passwords are ignored */ @@ -726,17 +743,21 @@ BOOL cli_session_setup(struct cli_state *cli, password at this point. The password is sent in the tree connect */ - if ((cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL) == 0) + if ((cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL) == 0) return cli_session_setup_plaintext(cli, user, "", workgroup); /* if the server doesn't support encryption then we have to use plaintext. The second password is ignored */ - if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) + if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) { + if (!lp_client_plaintext_auth() && (*pass)) { + DEBUG(1, ("Server requested plaintext password but 'client use plaintext auth'" + " is disabled\n")); + return False; + } return cli_session_setup_plaintext(cli, user, pass, workgroup); + } - /* Indidicate signing */ - /* if the server supports extended security then use SPNEGO */ if (cli->capabilities & CAP_EXTENDED_SECURITY) @@ -789,6 +810,12 @@ BOOL cli_send_tconX(struct cli_state *cli, } if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) && *pass && passlen != 24) { + if (!lp_client_lanman_auth()) { + DEBUG(1, ("Server requested LANMAN password but 'client use lanman auth'" + " is disabled\n")); + return False; + } + /* * Non-encrypted passwords - convert to DOS codepage before encryption. */ @@ -796,10 +823,17 @@ BOOL cli_send_tconX(struct cli_state *cli, SMBencrypt(pass,cli->secblob.data,(uchar *)pword); } else { if((cli->sec_mode & (NEGOTIATE_SECURITY_USER_LEVEL|NEGOTIATE_SECURITY_CHALLENGE_RESPONSE)) == 0) { + if (!lp_client_plaintext_auth() && (*pass)) { + DEBUG(1, ("Server requested plaintext password but 'client use plaintext auth'" + " is disabled\n")); + return False; + } + /* * Non-encrypted passwords - convert to DOS codepage before using. */ passlen = clistr_push(cli, pword, pass, sizeof(pword), STR_TERMINATE); + } else { memcpy(pword, pass, passlen); } @@ -1375,6 +1409,12 @@ NTSTATUS cli_raw_tcon(struct cli_state *cli, { char *p; + if (!lp_client_plaintext_auth() && (*pass)) { + DEBUG(1, ("Server requested plaintext password but 'client use plaintext auth'" + " is disabled\n")); + return NT_STATUS_ACCESS_DENIED; + } + memset(cli->outbuf,'\0',smb_size); memset(cli->inbuf,'\0',smb_size); -- cgit From f51d769dd303027a3dbf46fc89a482933988e866 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 25 Jun 2003 17:41:05 +0000 Subject: large change: *) consolidates the dc location routines again (dns and netbios) get_dc_list() or get_sorted_dc_list() is the authoritative means of locating DC's again. (also inludes a flag to get_dc_list() to define if this should be a DNS only lookup or not) (however, if you set "name resolve order = hosts wins" you could still get DNS queries for domain name IFF ldap_domain2hostlist() fails. The answer? Fix your DNS setup) *) enabled DOMAIN<0x1c> lookups to be funneled through resolve_hosts resulting in a call to ldap_domain2hostlist() if lp_security() == SEC_ADS *) enables name cache for winbind ADS backend *) enable the negative connection cache for winbind ADS backend *) removes some old dead code *) consolidates some duplicate code *) moves the internal_name_resolve() to use an IP/port pair to deal with SRV RR dns replies. The namecache code also supports the IP:port syntax now as well. *) removes 'ads server' and moves the functionality back into 'password server' (which can support "hostname:port" syntax now but works fine with defaults depending on the value of lp_security()) (This used to be commit d7f7fcda425bef380441509734eca33da943c091) --- source3/libsmb/cliconnect.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index ffacc3af9a..122cc56e45 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1479,7 +1479,7 @@ struct cli_state *get_ipc_connect(char *server, struct in_addr *server_ip, struct cli_state *get_ipc_connect_master_ip_bcast(pstring workgroup, struct user_auth_info *user_info) { - struct in_addr *ip_list; + struct ip_service *ip_list; struct cli_state *cli; int i, count; struct in_addr server_ip; @@ -1493,7 +1493,7 @@ struct cli_state *get_ipc_connect_master_ip_bcast(pstring workgroup, struct user for (i = 0; i < count; i++) { static fstring name; - if (!name_status_find("*", 0, 0x1d, ip_list[i], name)) + if (!name_status_find("*", 0, 0x1d, ip_list[i].ip, name)) continue; if (!find_master_ip(name, &server_ip)) @@ -1502,7 +1502,7 @@ struct cli_state *get_ipc_connect_master_ip_bcast(pstring workgroup, struct user pstrcpy(workgroup, name); DEBUG(4, ("found master browser %s, %s\n", - name, inet_ntoa(ip_list[i]))); + name, inet_ntoa(ip_list[i].ip))); cli = get_ipc_connect(inet_ntoa(server_ip), &server_ip, user_info); -- cgit From 7a4e38155deda998947f8ea3ef966c4c4fe0a055 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 26 Jun 2003 05:26:20 +0000 Subject: cleaning up more build issues. Tested "--with-ads=no --with-ldap=yes" and "--with-ads=yes && make everything" (This used to be commit 3e9e4bb7d1a2f5a95539f415aa101f033b67932a) --- source3/libsmb/cliconnect.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 122cc56e45..18125e26c3 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -453,6 +453,8 @@ static DATA_BLOB cli_session_setup_blob_receive(struct cli_state *cli) return blob2; } +#ifdef HAVE_KRB5 + /**************************************************************************** Send a extended security session setup blob, returning a reply blob. ****************************************************************************/ @@ -467,7 +469,6 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) return cli_session_setup_blob_receive(cli); } -#ifdef HAVE_KRB5 /**************************************************************************** Use in-memory credentials cache ****************************************************************************/ @@ -503,7 +504,8 @@ static BOOL cli_session_setup_kerberos(struct cli_state *cli, const char *princi return !cli_is_error(cli); } -#endif +#endif /* HAVE_KRB5 */ + /**************************************************************************** Do a spnego/NTLMSSP encrypted session setup. -- cgit From 456f51bcbe04ccbb37a27b6e115a851cc134adcd Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 14 Jul 2003 08:46:32 +0000 Subject: Jeremy requested that I get my NTLMSSP patch into CVS. He didn't request the schannel code, but I've included that anyway. :-) This patch revives the client-side NTLMSSP support for RPC named pipes in Samba, and cleans up the client and server schannel code. The use of the new code is enabled by the 'sign', 'seal' and 'schannel' commands in rpcclient. The aim was to prove that our separate NTLMSSP client library actually implements NTLMSSP signing and sealing as per Microsoft's NTLMv1 implementation, in the hope that knowing this will assist us in correctly implementing NTLMSSP signing for SMB packets. (Still not yet functional) This patch replaces the NTLMSSP implementation in rpc_client/cli_pipe.c with calls to libsmb/ntlmssp.c. In the process, we have gained the ability to use the more secure NT password, and the ability to sign-only, instead of having to seal the pipe connection. (Previously we were limited to sealing, and could only use the LM-password derived key). Our new client-side NTLMSSP code also needed alteration to cope with our comparatively simple server-side implementation. A future step is to replace it with calls to the same NTLMSSP library. Also included in this patch is the schannel 'sign only' patch I submitted to the team earlier. While not enabled (and not functional, at this stage) the work in this patch makes the code paths *much* easier to follow. I have also included similar hooks in rpccleint to allow the use of schannel on *any* pipe. rpcclient now defaults to not using schannel (or any other extra per-pipe authenticiation) for any connection. The 'schannel' command enables schannel for all pipes until disabled. This code is also much more secure than the previous code, as changes to our cli_pipe routines ensure that the authentication footer cannot be removed by an attacker, and more error states are correctly handled. (The same needs to be done to our server) Andrew Bartlett (This used to be commit 5472ddc9eaf4e79c5b2e1c8ee8c7f190dc285f19) --- source3/libsmb/cliconnect.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 18125e26c3..cdd80b7f0c 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -540,6 +540,12 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth(); + if (cli->sign_info.negotiated_smb_signing + || cli->sign_info.mandetory_signing) { + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN; + } + do { nt_status = ntlmssp_client_update(ntlmssp_state, blob_in, &blob_out); -- cgit From 236702e15c26432fd09888658fd66f318d03e3f5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 14 Jul 2003 10:38:23 +0000 Subject: Fix SMB signing when using NTLMSSP... It's so simple now I know how it works - and it has nothing to do with NTLMSSP (it's just a slightly different use of the old algorithm). :-). Note: This is actually less secure then the non-NTLMSSP code, as there is no per-session random data included for NTLM logins. (NTLMv2 is better, fortunetly). Andrew Bartlett (This used to be commit 95ec8317d4c6817d192bcd52eec44a22286e10ee) --- source3/libsmb/cliconnect.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index cdd80b7f0c..8c02c4fdfe 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -551,6 +551,7 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, blob_in, &blob_out); data_blob_free(&blob_in); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + DATA_BLOB null = data_blob(NULL, 0); if (turn == 1) { /* and wrap it in a SPNEGO wrapper */ msg1 = gen_negTokenInit(OID_NTLMSSP, blob_out); @@ -559,14 +560,16 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, msg1 = spnego_gen_auth(blob_out); } + cli_simple_set_signing(cli, + ntlmssp_state->session_key.data, + null); + /* now send that blob on its way */ if (!cli_session_setup_blob_send(cli, msg1)) { return False; } data_blob_free(&msg1); - cli_ntlmssp_set_signing(cli, ntlmssp_state); - blob = cli_session_setup_blob_receive(cli); nt_status = cli_nt_error(cli); -- cgit From c44a9d25a2bfff9d5ebede80f30e13e41aca797c Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 15 Jul 2003 23:05:57 +0000 Subject: Added the "required" keyword to the "client signing" parameter to force it on. Fail if missmatch. Small format tidyups in smbd/sesssetup.c. Preparing to add signing on server side. Jeremy. (This used to be commit c390b3e4cd68cfc233ddf14d139e25d40f050f27) --- source3/libsmb/cliconnect.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 8c02c4fdfe..fa9af19bf5 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -541,7 +541,7 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth(); if (cli->sign_info.negotiated_smb_signing - || cli->sign_info.mandetory_signing) { + || cli->sign_info.mandatory_signing) { ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN; } @@ -1013,12 +1013,24 @@ BOOL cli_negprot(struct cli_state *cli) smb_buflen(cli->inbuf)-8, STR_UNICODE|STR_NOALIGN); } - if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED)) + if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED)) { + /* Fail if signing is mandatory and we don't want to support it. */ + if (!lp_client_signing()) { + DEBUG(1,("cli_negprot: SMB signing is mandatory and we have disabled it.\n")); + return False; + } cli->sign_info.negotiated_smb_signing = True; + } if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) && cli->sign_info.allow_smb_signing) cli->sign_info.negotiated_smb_signing = True; + /* Fail if signing is mandatory and the server doesn't support it. */ + if (cli->sign_info.mandatory_signing && !(cli->sign_info.negotiated_smb_signing)) { + DEBUG(1,("cli_negprot: SMB signing is mandatory and the server doesn't support it.\n")); + return False; + } + } else if (cli->protocol >= PROTOCOL_LANMAN1) { cli->use_spnego = False; cli->sec_mode = SVAL(cli->inbuf,smb_vwv1); -- cgit From aed434ea9baf430bf7513ca3fb1f7b2f01792341 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 16 Jul 2003 05:51:10 +0000 Subject: Spelling. (This used to be commit 2750418752e491c5e87f0f2adf253291e31ee4c2) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index fa9af19bf5..0dcc9e2845 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -301,7 +301,7 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, lm_response = data_blob(NULL, 24); SMBencrypt(pass,cli->secblob.data, lm_response.data); } else { - /* LM disabled, place NT# in LM feild instead */ + /* LM disabled, place NT# in LM field instead */ lm_response = data_blob(nt_response.data, nt_response.length); } -- cgit From 6ab5e14494ed6b579658f4fe3410759582d909cd Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 16 Jul 2003 22:57:56 +0000 Subject: Refactor signing code to remove most dependencies on 'struct cli'. Ensure a server can't do a downgrade attack if client signing is mandatory. Add a lp_server_signing() function and a 'server signing' parameter that will act as the client one does. Jeremy (This used to be commit 203e4bf0bfb66fd9239e9a0656438a71280113cb) --- source3/libsmb/cliconnect.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 0dcc9e2845..49430616b3 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -989,6 +989,11 @@ BOOL cli_negprot(struct cli_state *cli) cli->protocol = prots[SVAL(cli->inbuf,smb_vwv0)].prot; + if ((cli->protocol < PROTOCOL_NT1) && (lp_client_signing() == Required)) { + DEBUG(1,("cli_negprot: SMB signing is mandatory and the selected protocol level doesn't support it.\n")); + return False; + } + if (cli->protocol >= PROTOCOL_NT1) { /* NT protocol */ cli->sec_mode = CVAL(cli->inbuf,smb_vwv1); -- cgit From 3a5dc7c2ecacecf7dd0cfd71ff1bb298d70b391b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 23 Jul 2003 12:33:59 +0000 Subject: convert snprintf() calls using pstrings & fstrings to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 49430616b3..2188db2a62 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -190,7 +190,7 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, const char *user, char *p; fstring lanman; - snprintf( lanman, sizeof(lanman), "Samba %s", VERSION ); + fstr_sprintf( lanman, "Samba %s", VERSION ); set_message(cli->outbuf,13,0,True); SCVAL(cli->outbuf,smb_com,SMBsesssetupX); -- cgit From 77373f1f8e3b2f61e9bbcd9fadfb83257d390cf2 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Thu, 24 Jul 2003 23:46:27 +0000 Subject: More printf fixes - size_t is long on some architectures. (This used to be commit ba4d334b822248d8ab929c9568533431603d967e) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 2188db2a62..71e80b5dbe 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -630,7 +630,7 @@ static BOOL cli_session_setup_spnego(struct cli_state *cli, const char *user, BOOL got_kerberos_mechanism = False; DATA_BLOB blob; - DEBUG(2,("Doing spnego session setup (blob length=%d)\n", cli->secblob.length)); + DEBUG(2,("Doing spnego session setup (blob length=%l)\n", cli->secblob.length)); /* the server might not even do spnego */ if (cli->secblob.length <= 16) { -- cgit From 7d833de662b83f026b54a236588da27dd8899630 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Fri, 25 Jul 2003 04:24:40 +0000 Subject: More printf portability fixes. Got caught out by some gcc'isms last time. )-: (This used to be commit 59dae1da66a5eb7e128263bd578f167d8746e9f0) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 71e80b5dbe..eceeb96309 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -630,7 +630,7 @@ static BOOL cli_session_setup_spnego(struct cli_state *cli, const char *user, BOOL got_kerberos_mechanism = False; DATA_BLOB blob; - DEBUG(2,("Doing spnego session setup (blob length=%l)\n", cli->secblob.length)); + DEBUG(2,("Doing spnego session setup (blob length=%lu)\n", (unsigned long)cli->secblob.length)); /* the server might not even do spnego */ if (cli->secblob.length <= 16) { -- cgit From 4632786cfb193dd80ce04206912297186e871814 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 25 Jul 2003 23:15:30 +0000 Subject: W00t! Client smb signing is now working correctly with krb5 and w2k server. Server code *should* also work (I'll check shortly). May be the odd memory leak. Problem was we (a) weren't setting signing on in the client krb5 sessionsetup code (b) we need to ask for a subkey... (c). The client and server need to ask for local and remote subkeys respectively. Thanks to Paul Nelson @ Thursby for some sage advice on this :-). Jeremy. (This used to be commit 3f9e3b60709df5ab755045a093e642510d4cde00) --- source3/libsmb/cliconnect.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index eceeb96309..8873c1fdc8 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -472,6 +472,7 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) /**************************************************************************** Use in-memory credentials cache ****************************************************************************/ + static void use_in_memory_ccache(void) { setenv(KRB5_ENV_CCNAME, "MEMORY:cliconnect", 1); } @@ -483,18 +484,23 @@ static void use_in_memory_ccache(void) { static BOOL cli_session_setup_kerberos(struct cli_state *cli, const char *principal, const char *workgroup) { DATA_BLOB blob2, negTokenTarg; - + unsigned char session_key_krb5[16]; + DATA_BLOB null_blob = data_blob(NULL, 0); + DEBUG(2,("Doing kerberos session setup\n")); /* generate the encapsulated kerberos5 ticket */ - negTokenTarg = spnego_gen_negTokenTarg(principal, 0); + negTokenTarg = spnego_gen_negTokenTarg(principal, 0, session_key_krb5); - if (!negTokenTarg.data) return False; + if (!negTokenTarg.data) + return False; #if 0 file_save("negTokenTarg.dat", negTokenTarg.data, negTokenTarg.length); #endif + cli_simple_set_signing(cli, session_key_krb5, null_blob); + blob2 = cli_session_setup_blob(cli, negTokenTarg); /* we don't need this blob for kerberos */ @@ -551,7 +557,7 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, blob_in, &blob_out); data_blob_free(&blob_in); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - DATA_BLOB null = data_blob(NULL, 0); + DATA_BLOB null_blob = data_blob(NULL, 0); if (turn == 1) { /* and wrap it in a SPNEGO wrapper */ msg1 = gen_negTokenInit(OID_NTLMSSP, blob_out); @@ -562,7 +568,7 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, cli_simple_set_signing(cli, ntlmssp_state->session_key.data, - null); + null_blob); /* now send that blob on its way */ if (!cli_session_setup_blob_send(cli, msg1)) { -- cgit From 29ca70cd34d3ba927ea1a9915ebd247f64965bd5 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 30 Jul 2003 23:49:29 +0000 Subject: Add a command line option (-S on|off|required) to enable signing on client connections. Overrides smb.conf parameter if set. Jeremy. (This used to be commit 879309671df6b530e0bff69559422a417da4a307) --- source3/libsmb/cliconnect.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 8873c1fdc8..94fe04a480 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -995,7 +995,7 @@ BOOL cli_negprot(struct cli_state *cli) cli->protocol = prots[SVAL(cli->inbuf,smb_vwv0)].prot; - if ((cli->protocol < PROTOCOL_NT1) && (lp_client_signing() == Required)) { + if ((cli->protocol < PROTOCOL_NT1) && cli->sign_info.mandatory_signing) { DEBUG(1,("cli_negprot: SMB signing is mandatory and the selected protocol level doesn't support it.\n")); return False; } @@ -1026,7 +1026,7 @@ BOOL cli_negprot(struct cli_state *cli) if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED)) { /* Fail if signing is mandatory and we don't want to support it. */ - if (!lp_client_signing()) { + if (!cli->sign_info.allow_smb_signing) { DEBUG(1,("cli_negprot: SMB signing is mandatory and we have disabled it.\n")); return False; } @@ -1259,6 +1259,7 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, const char *service, const char *service_type, const char *user, const char *domain, const char *password, int flags, + int signing_state, BOOL *retry) { struct ntuser_creds creds; @@ -1321,6 +1322,8 @@ again: return NT_STATUS_UNSUCCESSFUL; } + cli_setup_signing_state(cli, signing_state); + if (flags & CLI_FULL_CONNECTION_DONT_SPNEGO) cli->use_spnego = False; else if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) @@ -1491,7 +1494,7 @@ struct cli_state *get_ipc_connect(char *server, struct in_addr *server_ip, nt_status = cli_full_connection(&cli, myname, server, server_ip, 0, "IPC$", "IPC", user_info->username, lp_workgroup(), user_info->password, - CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK, NULL); + CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK, Undefined, NULL); if (NT_STATUS_IS_OK(nt_status)) { return cli; -- cgit From 94bbd5c93a777ad1a6b3951358306e29e6277251 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 10 Aug 2003 20:18:05 +0000 Subject: Store the server domain from the ntlmssp challenge in the client struct to be able to ask a LMB for the servers in its workgroup. Against W2k this only works on port 139.... Volker (This used to be commit 62b04d7776852098dd768268500f36c3a362f688) --- source3/libsmb/cliconnect.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 94fe04a480..a1a207d197 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -610,6 +610,7 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, } while (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)); if (NT_STATUS_IS_OK(nt_status)) { + fstrcpy(cli->server_domain, ntlmssp_state->server_domain); set_cli_session_key(cli, ntlmssp_state->session_key); } -- cgit From 102de75a7ca4055dee21610061429e100cfc5699 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 11 Aug 2003 21:44:19 +0000 Subject: Fallback to not using NTLMv2 is extended security not supported. Jeremy. (This used to be commit ba075ff03af06dfc2f4bcb952508bbc4a6967d85) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index a1a207d197..1f06ebf66f 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -268,7 +268,7 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, char *p; if (passlen != 24) { - if (lp_client_ntlmv2_auth()) { + if ((cli->capabilities & CAP_EXTENDED_SECURITY) && lp_client_ntlmv2_auth()) { DATA_BLOB server_chal; DATA_BLOB names_blob; server_chal = data_blob(cli->secblob.data, MIN(cli->secblob.length, 8)); -- cgit From 46e0d25b7f3e570daffe73bad5d883f617ea291e Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 12 Aug 2003 01:15:23 +0000 Subject: Fix client autonegotiate signing. Jeremy. (This used to be commit a4d2dd1d40f6b1322e69d430023aa89dac86fda3) --- source3/libsmb/cliconnect.c | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 1f06ebf66f..82d6fc7cef 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1025,22 +1025,27 @@ BOOL cli_negprot(struct cli_state *cli) smb_buflen(cli->inbuf)-8, STR_UNICODE|STR_NOALIGN); } - if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED)) { - /* Fail if signing is mandatory and we don't want to support it. */ + /* + * As signing is slow we only turn it on if either the client or + * the server require it. JRA. + */ + + if (cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED) { + /* Fail if server says signing is mandatory and we don't want to support it. */ if (!cli->sign_info.allow_smb_signing) { DEBUG(1,("cli_negprot: SMB signing is mandatory and we have disabled it.\n")); return False; } cli->sign_info.negotiated_smb_signing = True; - } - - if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) && cli->sign_info.allow_smb_signing) + cli->sign_info.mandatory_signing = True; + } else if (cli->sign_info.mandatory_signing && cli->sign_info.allow_smb_signing) { + /* Fail if client says signing is mandatory and the server doesn't support it. */ + if (!(cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED)) { + DEBUG(1,("cli_negprot: SMB signing is mandatory and the server doesn't support it.\n")); + return False; + } cli->sign_info.negotiated_smb_signing = True; - - /* Fail if signing is mandatory and the server doesn't support it. */ - if (cli->sign_info.mandatory_signing && !(cli->sign_info.negotiated_smb_signing)) { - DEBUG(1,("cli_negprot: SMB signing is mandatory and the server doesn't support it.\n")); - return False; + cli->sign_info.mandatory_signing = True; } } else if (cli->protocol >= PROTOCOL_LANMAN1) { -- cgit From 172766eea7a374e910ea91c857fcce45996783a2 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 14 Aug 2003 01:08:00 +0000 Subject: Change Samba to always use extended security for it's guest logins, (ie, NTLMSSP with "" username, NULL password), and add --machine-pass (-P) to all of Samba's clients. When connecting to an Active Directory DC, you must initiate the CIFS level session setup with Kerberos, not a guest login. If you don't, your machine account is demoted to NT4. Andrew Bartlett (This used to be commit 3547cb3def45a90f99f67829a533eac1ccba5e77) --- source3/libsmb/cliconnect.c | 72 ++++++++++----------------------------------- 1 file changed, 15 insertions(+), 57 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 82d6fc7cef..010aa4d1bb 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -130,55 +130,6 @@ static uint32 cli_session_setup_capabilities(struct cli_state *cli) return capabilities; } -/**************************************************************************** - Do a NT1 guest session setup. -****************************************************************************/ - -static BOOL cli_session_setup_guest(struct cli_state *cli) -{ - char *p; - uint32 capabilities = cli_session_setup_capabilities(cli); - - set_message(cli->outbuf,13,0,True); - SCVAL(cli->outbuf,smb_com,SMBsesssetupX); - cli_setup_packet(cli); - - SCVAL(cli->outbuf,smb_vwv0,0xFF); - SSVAL(cli->outbuf,smb_vwv2,CLI_BUFFER_SIZE); - SSVAL(cli->outbuf,smb_vwv3,2); - SSVAL(cli->outbuf,smb_vwv4,cli->pid); - SIVAL(cli->outbuf,smb_vwv5,cli->sesskey); - SSVAL(cli->outbuf,smb_vwv7,0); - SSVAL(cli->outbuf,smb_vwv8,0); - SIVAL(cli->outbuf,smb_vwv11,capabilities); - p = smb_buf(cli->outbuf); - p += clistr_push(cli, p, "", -1, STR_TERMINATE); /* username */ - p += clistr_push(cli, p, "", -1, STR_TERMINATE); /* workgroup */ - p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE); - p += clistr_push(cli, p, "Samba", -1, STR_TERMINATE); - cli_setup_bcc(cli, p); - - cli_send_smb(cli); - if (!cli_receive_smb(cli)) - return False; - - show_msg(cli->inbuf); - - if (cli_is_error(cli)) - return False; - - cli->vuid = SVAL(cli->inbuf,smb_uid); - - p = smb_buf(cli->inbuf); - p += clistr_pull(cli, cli->server_os, p, sizeof(fstring), -1, STR_TERMINATE); - p += clistr_pull(cli, cli->server_type, p, sizeof(fstring), -1, STR_TERMINATE); - p += clistr_pull(cli, cli->server_domain, p, sizeof(fstring), -1, STR_TERMINATE); - - fstrcpy(cli->user_name, ""); - - return True; -} - /**************************************************************************** Do a NT1 plaintext session setup. ****************************************************************************/ @@ -267,7 +218,9 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, BOOL ret = False; char *p; - if (passlen != 24) { + if (passlen == 0) { + /* do nothing - guest login */ + } else if (passlen != 24) { if ((cli->capabilities & CAP_EXTENDED_SECURITY) && lp_client_ntlmv2_auth()) { DATA_BLOB server_chal; DATA_BLOB names_blob; @@ -678,7 +631,7 @@ static BOOL cli_session_setup_spnego(struct cli_state *cli, const char *user, * and do not store results */ if (got_kerberos_mechanism && cli->use_kerberos) { - if (*pass) { + if (pass && *pass) { int ret; use_in_memory_ccache(); @@ -751,12 +704,6 @@ BOOL cli_session_setup(struct cli_state *cli, return cli_session_setup_lanman2(cli, user, pass, passlen, workgroup); } - /* if no user is supplied then we have to do an anonymous connection. - passwords are ignored */ - - if (!user || !*user) - return cli_session_setup_guest(cli); - /* if the server is share level then send a plaintext null password at this point. The password is sent in the tree connect */ @@ -764,6 +711,17 @@ BOOL cli_session_setup(struct cli_state *cli, if ((cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL) == 0) return cli_session_setup_plaintext(cli, user, "", workgroup); + /* if no user is supplied then we have to do an anonymous connection. + passwords are ignored */ + + if (!user || !*user) { + user = ""; + pass = NULL; + ntpass = NULL; + passlen = 0; + ntpasslen = 0; + } + /* if the server doesn't support encryption then we have to use plaintext. The second password is ignored */ -- cgit From 83e576c09f7f08406cb3f360a13537e536ce5547 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 19 Aug 2003 17:47:44 +0000 Subject: Break up 'cli_full_connection' to allow for the session setups to be done elsewhere in the code. This will allow us to try kerberos, then another user then guest in the winbindd code. Also, re-introduce the seperate, NT1 'guest' session setup code, as I found some problems with doing guest under NTLMSSP. Andrew Bartlett (This used to be commit 33109fefe7d306a97ac48a75e3e67c166daff4ea) --- source3/libsmb/cliconnect.c | 149 +++++++++++++++++++++++++++++++++----------- 1 file changed, 114 insertions(+), 35 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 010aa4d1bb..ca492e0a1c 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -130,6 +130,55 @@ static uint32 cli_session_setup_capabilities(struct cli_state *cli) return capabilities; } +/**************************************************************************** + Do a NT1 guest session setup. +****************************************************************************/ + +static BOOL cli_session_setup_guest(struct cli_state *cli) +{ + char *p; + uint32 capabilities = cli_session_setup_capabilities(cli); + + set_message(cli->outbuf,13,0,True); + SCVAL(cli->outbuf,smb_com,SMBsesssetupX); + cli_setup_packet(cli); + + SCVAL(cli->outbuf,smb_vwv0,0xFF); + SSVAL(cli->outbuf,smb_vwv2,CLI_BUFFER_SIZE); + SSVAL(cli->outbuf,smb_vwv3,2); + SSVAL(cli->outbuf,smb_vwv4,cli->pid); + SIVAL(cli->outbuf,smb_vwv5,cli->sesskey); + SSVAL(cli->outbuf,smb_vwv7,0); + SSVAL(cli->outbuf,smb_vwv8,0); + SIVAL(cli->outbuf,smb_vwv11,capabilities); + p = smb_buf(cli->outbuf); + p += clistr_push(cli, p, "", -1, STR_TERMINATE); /* username */ + p += clistr_push(cli, p, "", -1, STR_TERMINATE); /* workgroup */ + p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE); + p += clistr_push(cli, p, "Samba", -1, STR_TERMINATE); + cli_setup_bcc(cli, p); + + cli_send_smb(cli); + if (!cli_receive_smb(cli)) + return False; + + show_msg(cli->inbuf); + + if (cli_is_error(cli)) + return False; + + cli->vuid = SVAL(cli->inbuf,smb_uid); + + p = smb_buf(cli->inbuf); + p += clistr_pull(cli, cli->server_os, p, sizeof(fstring), -1, STR_TERMINATE); + p += clistr_pull(cli, cli->server_type, p, sizeof(fstring), -1, STR_TERMINATE); + p += clistr_pull(cli, cli->server_domain, p, sizeof(fstring), -1, STR_TERMINATE); + + fstrcpy(cli->user_name, ""); + + return True; +} + /**************************************************************************** Do a NT1 plaintext session setup. ****************************************************************************/ @@ -198,7 +247,8 @@ static void set_cli_session_key (struct cli_state *cli, DATA_BLOB session_key) } /**************************************************************************** - do a NT1 NTLM/LM encrypted session setup + do a NT1 NTLM/LM encrypted session setup - for when extended security + is not negotiated. @param cli client state to create do session setup on @param user username @param pass *either* cleartext password (passlen !=24) or LM response. @@ -221,7 +271,10 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, if (passlen == 0) { /* do nothing - guest login */ } else if (passlen != 24) { - if ((cli->capabilities & CAP_EXTENDED_SECURITY) && lp_client_ntlmv2_auth()) { + /* if client ntlmv2 auth is set, then don't use it on a + connection without extended security. This isn't a very + good check, but it is a start */ + if (lp_client_ntlmv2_auth()) { DATA_BLOB server_chal; DATA_BLOB names_blob; server_chal = data_blob(cli->secblob.data, MIN(cli->secblob.length, 8)); @@ -573,7 +626,7 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, if (!NT_STATUS_IS_OK(ntlmssp_client_end(&ntlmssp_state))) { return False; } - + return (NT_STATUS_IS_OK(nt_status)); } @@ -581,8 +634,8 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, Do a spnego encrypted session setup. ****************************************************************************/ -static BOOL cli_session_setup_spnego(struct cli_state *cli, const char *user, - const char *pass, const char *workgroup) +BOOL cli_session_setup_spnego(struct cli_state *cli, const char *user, + const char *pass, const char *workgroup) { char *principal; char *OIDs[ASN1_MAX_OIDS]; @@ -704,6 +757,12 @@ BOOL cli_session_setup(struct cli_state *cli, return cli_session_setup_lanman2(cli, user, pass, passlen, workgroup); } + /* if no user is supplied then we have to do an anonymous connection. + passwords are ignored */ + + if (!user || !*user) + return cli_session_setup_guest(cli); + /* if the server is share level then send a plaintext null password at this point. The password is sent in the tree connect */ @@ -711,17 +770,6 @@ BOOL cli_session_setup(struct cli_state *cli, if ((cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL) == 0) return cli_session_setup_plaintext(cli, user, "", workgroup); - /* if no user is supplied then we have to do an anonymous connection. - passwords are ignored */ - - if (!user || !*user) { - user = ""; - pass = NULL; - ntpass = NULL; - passlen = 0; - ntpasslen = 0; - } - /* if the server doesn't support encryption then we have to use plaintext. The second password is ignored */ @@ -1187,7 +1235,7 @@ BOOL cli_connect(struct cli_state *cli, const char *host, struct in_addr *ip) Initialise client credentials for authenticated pipe access. ****************************************************************************/ -static void init_creds(struct ntuser_creds *creds, const char* username, +void init_creds(struct ntuser_creds *creds, const char* username, const char* domain, const char* password) { ZERO_STRUCTP(creds); @@ -1203,30 +1251,21 @@ static void init_creds(struct ntuser_creds *creds, const char* username, } /** - establishes a connection right up to doing tconX, password specified. + establishes a connection to after the negprot. @param output_cli A fully initialised cli structure, non-null only on success @param dest_host The netbios name of the remote host @param dest_ip (optional) The the destination IP, NULL for name based lookup @param port (optional) The destination port (0 for default) - @param service (optional) The share to make the connection to. Should be 'unqualified' in any way. - @param service_type The 'type' of serivice. - @param user Username, unix string - @param domain User's domain - @param password User's password, unencrypted unix string. @param retry BOOL. Did this connection fail with a retryable error ? -*/ -NTSTATUS cli_full_connection(struct cli_state **output_cli, - const char *my_name, - const char *dest_host, - struct in_addr *dest_ip, int port, - const char *service, const char *service_type, - const char *user, const char *domain, - const char *password, int flags, - int signing_state, - BOOL *retry) +*/ +NTSTATUS cli_start_connection(struct cli_state **output_cli, + const char *my_name, + const char *dest_host, + struct in_addr *dest_ip, int port, + int signing_state, int flags, + BOOL *retry) { - struct ntuser_creds creds; NTSTATUS nt_status; struct nmb_name calling; struct nmb_name called; @@ -1259,7 +1298,7 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, again: - DEBUG(3,("Connecting to host=%s share=%s\n", dest_host, service)); + DEBUG(3,("Connecting to host=%s\n", dest_host)); if (!cli_connect(cli, dest_host, &ip)) { DEBUG(1,("cli_full_connection: failed to connect to %s (%s)\n", @@ -1300,6 +1339,46 @@ again: return nt_status; } + *output_cli = cli; + return NT_STATUS_OK; +} + + +/** + establishes a connection right up to doing tconX, password specified. + @param output_cli A fully initialised cli structure, non-null only on success + @param dest_host The netbios name of the remote host + @param dest_ip (optional) The the destination IP, NULL for name based lookup + @param port (optional) The destination port (0 for default) + @param service (optional) The share to make the connection to. Should be 'unqualified' in any way. + @param service_type The 'type' of serivice. + @param user Username, unix string + @param domain User's domain + @param password User's password, unencrypted unix string. + @param retry BOOL. Did this connection fail with a retryable error ? +*/ + +NTSTATUS cli_full_connection(struct cli_state **output_cli, + const char *my_name, + const char *dest_host, + struct in_addr *dest_ip, int port, + const char *service, const char *service_type, + const char *user, const char *domain, + const char *password, int flags, + int signing_state, + BOOL *retry) +{ + struct ntuser_creds creds; + NTSTATUS nt_status; + struct cli_state *cli = NULL; + + nt_status = cli_start_connection(&cli, my_name, dest_host, + dest_ip, port, signing_state, flags, retry); + + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + if (!cli_session_setup(cli, user, password, strlen(password)+1, password, strlen(password)+1, domain)) { -- cgit From 8bfe26b62db2e671b143d93a5428f8fb64a9df05 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 20 Aug 2003 17:13:38 +0000 Subject: metze's autogenerate patch for version.h (This used to be commit ae452e51b02672a56adf18aa7a7e365eeaba9272) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index ca492e0a1c..bb0712d989 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -190,7 +190,7 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, const char *user, char *p; fstring lanman; - fstr_sprintf( lanman, "Samba %s", VERSION ); + fstr_sprintf( lanman, "Samba %s", SAMBA_VERSION_STRING); set_message(cli->outbuf,13,0,True); SCVAL(cli->outbuf,smb_com,SMBsesssetupX); -- cgit From ac5665f2046d9cf079e6eeddd6dc92b720ddc69f Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 22 Aug 2003 14:24:38 +0000 Subject: revert abartet's change that removed the check for CAP_EXTENDED_SECURITY when decidiing whether or not use ntlmv2 in client connections (This used to be commit 6e82c9fdf9c1db6feec319b4550b07cbfad4defb) --- source3/libsmb/cliconnect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index bb0712d989..63db6b1aea 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -274,7 +274,7 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, /* if client ntlmv2 auth is set, then don't use it on a connection without extended security. This isn't a very good check, but it is a start */ - if (lp_client_ntlmv2_auth()) { + if ((cli->capabilities & CAP_EXTENDED_SECURITY) && lp_client_ntlmv2_auth()) { DATA_BLOB server_chal; DATA_BLOB names_blob; server_chal = data_blob(cli->secblob.data, MIN(cli->secblob.length, 8)); @@ -357,7 +357,7 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, goto end; } - show_msg(cli->inbuf); + /* show_msg(cli->inbuf); */ if (cli_is_error(cli)) { ret = False; -- cgit From c913fc058113b3a3a193f7b98459679945afcf03 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sat, 6 Sep 2003 19:23:24 +0000 Subject: address bug #359. Andrew B's patch for implementing client portion of NTLMv2 key exchange. Also revert the default for 'client ntlmv2 auth' to no. This caused no ends of grief in different cases. And based on abartlet's mail.... > All I care about at this point is that we use NTLMv2 > in our client code when connecting to a server that > supports it. There is *no* way to tell this. The server can't tell us, because it doesn't know what it's DC supports. The DC can't tell us, because it doesn't know what the trusted DC supports. One DC might be Win2k, and the PDC could be an older NT4. (This used to be commit fe585d49cc3df0d71314ff43d3271d276d7d4503) --- source3/libsmb/cliconnect.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 63db6b1aea..48bcb61f92 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -271,10 +271,7 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, if (passlen == 0) { /* do nothing - guest login */ } else if (passlen != 24) { - /* if client ntlmv2 auth is set, then don't use it on a - connection without extended security. This isn't a very - good check, but it is a start */ - if ((cli->capabilities & CAP_EXTENDED_SECURITY) && lp_client_ntlmv2_auth()) { + if (lp_client_ntlmv2_auth()) { DATA_BLOB server_chal; DATA_BLOB names_blob; server_chal = data_blob(cli->secblob.data, MIN(cli->secblob.length, 8)); -- cgit From 1555cacd7c7814571ed8bb91a0d3a722cf7dc30b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 16 Sep 2003 01:27:46 +0000 Subject: Fix #442 which Alexander considered a showstopper. Allow us to join mixed mode domains. Jeremy. (This used to be commit c816aacefb6621533194a374251835f186ca838f) --- source3/libsmb/cliconnect.c | 8 -------- 1 file changed, 8 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 48bcb61f92..b5f7b97ae8 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -547,14 +547,6 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, return False; } - ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth(); - - if (cli->sign_info.negotiated_smb_signing - || cli->sign_info.mandatory_signing) { - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN; - } - do { nt_status = ntlmssp_client_update(ntlmssp_state, blob_in, &blob_out); -- cgit From fcbfc7ad0669009957c65fa61bb20df75a9701b4 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 22 Nov 2003 13:19:38 +0000 Subject: Changes all over the shop, but all towards: - NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc) --- source3/libsmb/cliconnect.c | 99 +++++++++++++++++++++++++++++---------------- 1 file changed, 64 insertions(+), 35 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index b5f7b97ae8..a920a1b7ff 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -241,9 +241,16 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, const char *user, return True; } -static void set_cli_session_key (struct cli_state *cli, DATA_BLOB session_key) +/** + * Set the user session key for a connection + * @param cli The cli structure to add it too + * @param session_key The session key used. (A copy of this is taken for the cli struct) + * + */ + +static void cli_set_session_key (struct cli_state *cli, const DATA_BLOB session_key) { - memcpy(cli->user_session_key, session_key.data, MIN(session_key.length, sizeof(cli->user_session_key))); + cli->user_session_key = data_blob(session_key.data, session_key.length); } /**************************************************************************** @@ -311,7 +318,7 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, session_key = data_blob(NULL, 16); SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data); } - cli_simple_set_signing(cli, session_key.data, nt_response); + cli_simple_set_signing(cli, session_key, nt_response); } else { /* pre-encrypted password supplied. Only used for security=server, can't do @@ -373,14 +380,16 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, if (session_key.data) { /* Have plaintext orginal */ - set_cli_session_key(cli, session_key); + cli_set_session_key(cli, session_key); } ret = True; end: data_blob_free(&lm_response); data_blob_free(&nt_response); - data_blob_free(&session_key); + + if (!ret) + data_blob_free(&session_key); return ret; } @@ -484,19 +493,19 @@ static void use_in_memory_ccache(void) { Do a spnego/kerberos encrypted session setup. ****************************************************************************/ -static BOOL cli_session_setup_kerberos(struct cli_state *cli, const char *principal, const char *workgroup) +static NTSTATUS cli_session_setup_kerberos(struct cli_state *cli, const char *principal, const char *workgroup) { DATA_BLOB blob2, negTokenTarg; - unsigned char session_key_krb5[16]; + DATA_BLOB session_key_krb5; DATA_BLOB null_blob = data_blob(NULL, 0); DEBUG(2,("Doing kerberos session setup\n")); /* generate the encapsulated kerberos5 ticket */ - negTokenTarg = spnego_gen_negTokenTarg(principal, 0, session_key_krb5); + negTokenTarg = spnego_gen_negTokenTarg(principal, 0, &session_key_krb5); if (!negTokenTarg.data) - return False; + return NT_STATUS_UNSUCCESSFUL; #if 0 file_save("negTokenTarg.dat", negTokenTarg.data, negTokenTarg.length); @@ -509,9 +518,16 @@ static BOOL cli_session_setup_kerberos(struct cli_state *cli, const char *princi /* we don't need this blob for kerberos */ data_blob_free(&blob2); + cli_set_session_key(cli, session_key_krb5); + data_blob_free(&negTokenTarg); - return !cli_is_error(cli); + if (cli_is_error(cli)) { + if (NT_STATUS_IS_OK(cli_nt_error(cli))) { + return NT_STATUS_UNSUCCESSFUL; + } + } + return NT_STATUS_OK; } #endif /* HAVE_KRB5 */ @@ -520,10 +536,10 @@ static BOOL cli_session_setup_kerberos(struct cli_state *cli, const char *princi Do a spnego/NTLMSSP encrypted session setup. ****************************************************************************/ -static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, +static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, const char *pass, const char *workgroup) { - struct ntlmssp_client_state *ntlmssp_state; + struct ntlmssp_state *ntlmssp_state; NTSTATUS nt_status; int turn = 1; DATA_BLOB msg1; @@ -534,21 +550,21 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, cli_temp_set_signing(cli); if (!NT_STATUS_IS_OK(nt_status = ntlmssp_client_start(&ntlmssp_state))) { - return False; + return nt_status; } if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_username(ntlmssp_state, user))) { - return False; + return nt_status; } if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_domain(ntlmssp_state, workgroup))) { - return False; + return nt_status; } if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_password(ntlmssp_state, pass))) { - return False; + return nt_status; } do { - nt_status = ntlmssp_client_update(ntlmssp_state, + nt_status = ntlmssp_update(ntlmssp_state, blob_in, &blob_out); data_blob_free(&blob_in); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { @@ -562,18 +578,27 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, } cli_simple_set_signing(cli, - ntlmssp_state->session_key.data, + data_blob(ntlmssp_state->session_key.data, ntlmssp_state->session_key.length), null_blob); /* now send that blob on its way */ if (!cli_session_setup_blob_send(cli, msg1)) { - return False; + DEBUG(3, ("Failed to send NTLMSSP/SPENGO blob to server!\n")); + nt_status = NT_STATUS_UNSUCCESSFUL; + } else { + data_blob_free(&msg1); + + blob = cli_session_setup_blob_receive(cli); + + nt_status = cli_nt_error(cli); + if (cli_is_error(cli) && NT_STATUS_IS_OK(nt_status)) { + if (cli->smb_rw_error == READ_BAD_SIG) { + nt_status = NT_STATUS_ACCESS_DENIED; + } else { + nt_status = NT_STATUS_UNSUCCESSFUL; + } + } } - data_blob_free(&msg1); - - blob = cli_session_setup_blob_receive(cli); - - nt_status = cli_nt_error(cli); } if (!blob.length) { @@ -606,24 +631,22 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, if (NT_STATUS_IS_OK(nt_status)) { fstrcpy(cli->server_domain, ntlmssp_state->server_domain); - set_cli_session_key(cli, ntlmssp_state->session_key); + cli_set_session_key(cli, ntlmssp_state->session_key); } /* we have a reference conter on ntlmssp_state, if we are signing then the state will be kept by the signing engine */ - if (!NT_STATUS_IS_OK(ntlmssp_client_end(&ntlmssp_state))) { - return False; - } - - return (NT_STATUS_IS_OK(nt_status)); + ntlmssp_end(&ntlmssp_state); + + return nt_status; } /**************************************************************************** Do a spnego encrypted session setup. ****************************************************************************/ -BOOL cli_session_setup_spnego(struct cli_state *cli, const char *user, +NTSTATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, const char *pass, const char *workgroup) { char *principal; @@ -651,7 +674,7 @@ BOOL cli_session_setup_spnego(struct cli_state *cli, const char *user, reply */ if (!spnego_parse_negTokenInit(blob, OIDs, &principal)) { data_blob_free(&blob); - return False; + return NT_STATUS_INVALID_PARAMETER; } data_blob_free(&blob); @@ -681,7 +704,7 @@ BOOL cli_session_setup_spnego(struct cli_state *cli, const char *user, if (ret){ DEBUG(0, ("Kinit failed: %s\n", error_message(ret))); - return False; + return NT_STATUS_LOGON_FAILURE; } } @@ -773,8 +796,14 @@ BOOL cli_session_setup(struct cli_state *cli, /* if the server supports extended security then use SPNEGO */ - if (cli->capabilities & CAP_EXTENDED_SECURITY) - return cli_session_setup_spnego(cli, user, pass, workgroup); + if (cli->capabilities & CAP_EXTENDED_SECURITY) { + NTSTATUS nt_status; + if (!NT_STATUS_IS_OK(nt_status = cli_session_setup_spnego(cli, user, pass, workgroup))) { + DEBUG(3, ("SPENGO login failed: %s\n", get_friendly_nt_error_msg(nt_status))); + return False; + } + return True; + } /* otherwise do a NT1 style session setup */ -- cgit From 026e4762585328ae7a9a5d23b01a074646e65bf3 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 1 Dec 2003 22:55:43 +0000 Subject: Client connect signing error messages should be level zero else they're easy to miss. Jeremy. (This used to be commit 7fa89b093709053650d197d2d0f091b9a1cd8218) --- source3/libsmb/cliconnect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index a920a1b7ff..f6dfd40006 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1021,7 +1021,7 @@ BOOL cli_negprot(struct cli_state *cli) cli->protocol = prots[SVAL(cli->inbuf,smb_vwv0)].prot; if ((cli->protocol < PROTOCOL_NT1) && cli->sign_info.mandatory_signing) { - DEBUG(1,("cli_negprot: SMB signing is mandatory and the selected protocol level doesn't support it.\n")); + DEBUG(0,("cli_negprot: SMB signing is mandatory and the selected protocol level doesn't support it.\n")); return False; } @@ -1057,7 +1057,7 @@ BOOL cli_negprot(struct cli_state *cli) if (cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED) { /* Fail if server says signing is mandatory and we don't want to support it. */ if (!cli->sign_info.allow_smb_signing) { - DEBUG(1,("cli_negprot: SMB signing is mandatory and we have disabled it.\n")); + DEBUG(0,("cli_negprot: SMB signing is mandatory and we have disabled it.\n")); return False; } cli->sign_info.negotiated_smb_signing = True; -- cgit From 1f761ad3959cca29583844ac2f94b34a34bc2ec2 Mon Sep 17 00:00:00 2001 From: Steve French Date: Thu, 4 Dec 2003 21:26:14 +0000 Subject: Fix incorrect smb flags2 for connections to pre-NT servers (causes smbclient to fail to OS2 for example) (This used to be commit 54e2fcb8f4a9d603b3210baa014b3f5f15070a22) --- source3/libsmb/cliconnect.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index f6dfd40006..6e95944f92 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -53,6 +53,13 @@ static BOOL cli_session_setup_lanman2(struct cli_state *cli, const char *user, if (passlen > sizeof(pword)-1) return False; + /* LANMAN servers predate NT status codes and Unicode and ignore those + smb flags so we must disable the corresponding default capabilities + that would otherwise cause the Unicode and NT Status flags to be + set (and even returned by the server) */ + + cli->capabilities &= ~(CAP_UNICODE | CAP_STATUS32); + /* if in share level security then don't send a password now */ if (!(cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) passlen = 0; -- cgit From 82027c1ea2e44f51fa3a622af54736bac2e754a3 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 27 Dec 2003 10:11:26 +0000 Subject: Preliminary fix for our signing problem with failed NTLMSSP logins. This patch solves the problem for me here, I can still successfully set up signing using NTLMSSP against w2k3 and it does not show a signing error anymoe when the password was wrong. Jeremy, you might want to take a further look at it as this is not particularly elegant. Volker (This used to be commit f5afaafd61dc7bd191225ffa8eee184125dd97c3) --- source3/libsmb/cliconnect.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 6e95944f92..2aeac7273e 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -325,7 +325,7 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, session_key = data_blob(NULL, 16); SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data); } - cli_simple_set_signing(cli, session_key, nt_response); + cli_simple_set_signing(cli, session_key, nt_response, 0); } else { /* pre-encrypted password supplied. Only used for security=server, can't do @@ -518,7 +518,7 @@ static NTSTATUS cli_session_setup_kerberos(struct cli_state *cli, const char *pr file_save("negTokenTarg.dat", negTokenTarg.data, negTokenTarg.length); #endif - cli_simple_set_signing(cli, session_key_krb5, null_blob); + cli_simple_set_signing(cli, session_key_krb5, null_blob, 0); blob2 = cli_session_setup_blob(cli, negTokenTarg); @@ -575,7 +575,6 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use blob_in, &blob_out); data_blob_free(&blob_in); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - DATA_BLOB null_blob = data_blob(NULL, 0); if (turn == 1) { /* and wrap it in a SPNEGO wrapper */ msg1 = gen_negTokenInit(OID_NTLMSSP, blob_out); @@ -584,10 +583,6 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use msg1 = spnego_gen_auth(blob_out); } - cli_simple_set_signing(cli, - data_blob(ntlmssp_state->session_key.data, ntlmssp_state->session_key.length), - null_blob); - /* now send that blob on its way */ if (!cli_session_setup_blob_send(cli, msg1)) { DEBUG(3, ("Failed to send NTLMSSP/SPENGO blob to server!\n")); @@ -637,8 +632,21 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use } while (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)); if (NT_STATUS_IS_OK(nt_status)) { + + DATA_BLOB key = data_blob(ntlmssp_state->session_key.data, + ntlmssp_state->session_key.length); + DATA_BLOB null_blob = data_blob(NULL, 0); + fstrcpy(cli->server_domain, ntlmssp_state->server_domain); cli_set_session_key(cli, ntlmssp_state->session_key); + + /* Using NTLMSSP session setup, signing on the net only starts + * after a successful authentication and the session key has + * been determined, but with a sequence number of 2. This + * assumes that NTLMSSP needs exactly 2 roundtrips, for any + * other SPNEGO mechanism it needs adapting. */ + + cli_simple_set_signing(cli, key, null_blob, 2); } /* we have a reference conter on ntlmssp_state, if we are signing -- cgit From cc02d8690c94620a4a026e70b70ae776c370f9f6 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 4 Jan 2004 11:05:30 +0000 Subject: Even if the 'device type' is always an ascii string, use push_string to get it out onto the wire. Avoids valgrind warnings because the fstrcpy() causes part of the wire buffer to be 'marked'. Andrew Bartlett (This used to be commit 53d802c72aa712e099dc8de666ab66a21e18fae1) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 2aeac7273e..f466b665eb 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -910,7 +910,7 @@ BOOL cli_send_tconX(struct cli_state *cli, memcpy(p,pword,passlen); p += passlen; p += clistr_push(cli, p, fullshare, -1, STR_TERMINATE |STR_UPPER); - fstrcpy(p, dev); p += strlen(dev)+1; + p += clistr_push(cli, p, dev, -1, STR_TERMINATE |STR_UPPER | STR_ASCII); cli_setup_bcc(cli, p); -- cgit From e0ec9d2d5697bf95626da736f6f9552e10e52ffc Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 8 Jan 2004 02:57:42 +0000 Subject: Make it clearer that the domain here is the domain of the user for authentication. Andrew Bartlett (This used to be commit 7e6cc8f0037f9948230a1e1bd380f30cec5d511e) --- source3/libsmb/cliconnect.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index f466b665eb..1dc46ab0e6 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -544,7 +544,7 @@ static NTSTATUS cli_session_setup_kerberos(struct cli_state *cli, const char *pr ****************************************************************************/ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *user, - const char *pass, const char *workgroup) + const char *pass, const char *domain) { struct ntlmssp_state *ntlmssp_state; NTSTATUS nt_status; @@ -563,7 +563,7 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_username(ntlmssp_state, user))) { return nt_status; } - if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_domain(ntlmssp_state, workgroup))) { + if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_domain(ntlmssp_state, domain))) { return nt_status; } if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_password(ntlmssp_state, pass))) { @@ -662,7 +662,7 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use ****************************************************************************/ NTSTATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, - const char *pass, const char *workgroup) + const char *pass, const char *domain) { char *principal; char *OIDs[ASN1_MAX_OIDS]; @@ -723,7 +723,7 @@ NTSTATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, } } - return cli_session_setup_kerberos(cli, principal, workgroup); + return cli_session_setup_kerberos(cli, principal, domain); } #endif @@ -731,7 +731,7 @@ NTSTATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, ntlmssp: - return cli_session_setup_ntlmssp(cli, user, pass, workgroup); + return cli_session_setup_ntlmssp(cli, user, pass, domain); } /**************************************************************************** -- cgit From 7d068355aae99060acac03c6633509545aa782a4 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 8 Jan 2004 08:19:18 +0000 Subject: This merges in my 'always use ADS' patch. Tested on a mix of NT and ADS domains, this patch ensures that we always use the ADS backend when security=ADS, and the remote server is capable. The routines used for this behaviour have been upgraded to modern Samba codeing standards. This is a change in behaviour for mixed mode domains, and if the trusted domain cannot be reached with our current krb5.conf file, we will show that domain as disconnected. This is in line with existing behaviour for native mode domains, and for our primary domain. As a consequence of testing this patch, I found that our kerberos error handling was well below par - we would often throw away useful error values. These changes move more routines to ADS_STATUS to return kerberos errors. Also found when valgrinding the setup, fix a few memory leaks. While sniffing the resultant connections, I noticed we would query our list of trusted domains twice - so I have reworked some of the code to avoid that. Andrew Bartlett (This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d) --- source3/libsmb/cliconnect.c | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 1dc46ab0e6..707a33881d 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -500,19 +500,22 @@ static void use_in_memory_ccache(void) { Do a spnego/kerberos encrypted session setup. ****************************************************************************/ -static NTSTATUS cli_session_setup_kerberos(struct cli_state *cli, const char *principal, const char *workgroup) +static ADS_STATUS cli_session_setup_kerberos(struct cli_state *cli, const char *principal, const char *workgroup) { DATA_BLOB blob2, negTokenTarg; DATA_BLOB session_key_krb5; DATA_BLOB null_blob = data_blob(NULL, 0); - + int rc; + DEBUG(2,("Doing kerberos session setup\n")); /* generate the encapsulated kerberos5 ticket */ - negTokenTarg = spnego_gen_negTokenTarg(principal, 0, &session_key_krb5); + rc = spnego_gen_negTokenTarg(principal, 0, &negTokenTarg, &session_key_krb5); - if (!negTokenTarg.data) - return NT_STATUS_UNSUCCESSFUL; + if (rc) { + DEBUG(1, ("spnego_gen_negTokenTarg failed: %s\n", error_message(rc))); + return ADS_ERROR_KRB5(rc); + } #if 0 file_save("negTokenTarg.dat", negTokenTarg.data, negTokenTarg.length); @@ -531,10 +534,10 @@ static NTSTATUS cli_session_setup_kerberos(struct cli_state *cli, const char *pr if (cli_is_error(cli)) { if (NT_STATUS_IS_OK(cli_nt_error(cli))) { - return NT_STATUS_UNSUCCESSFUL; + return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); } } - return NT_STATUS_OK; + return ADS_ERROR_NT(cli_nt_error(cli)); } #endif /* HAVE_KRB5 */ @@ -661,7 +664,7 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use Do a spnego encrypted session setup. ****************************************************************************/ -NTSTATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, +ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, const char *pass, const char *domain) { char *principal; @@ -689,7 +692,7 @@ NTSTATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, reply */ if (!spnego_parse_negTokenInit(blob, OIDs, &principal)) { data_blob_free(&blob); - return NT_STATUS_INVALID_PARAMETER; + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); } data_blob_free(&blob); @@ -719,7 +722,7 @@ NTSTATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, if (ret){ DEBUG(0, ("Kinit failed: %s\n", error_message(ret))); - return NT_STATUS_LOGON_FAILURE; + return ADS_ERROR_KRB5(ret); } } @@ -731,7 +734,7 @@ NTSTATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, ntlmssp: - return cli_session_setup_ntlmssp(cli, user, pass, domain); + return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, user, pass, domain)); } /**************************************************************************** @@ -812,9 +815,9 @@ BOOL cli_session_setup(struct cli_state *cli, /* if the server supports extended security then use SPNEGO */ if (cli->capabilities & CAP_EXTENDED_SECURITY) { - NTSTATUS nt_status; - if (!NT_STATUS_IS_OK(nt_status = cli_session_setup_spnego(cli, user, pass, workgroup))) { - DEBUG(3, ("SPENGO login failed: %s\n", get_friendly_nt_error_msg(nt_status))); + ADS_STATUS status = cli_session_setup_spnego(cli, user, pass, workgroup); + if (!ADS_ERR_OK(status)) { + DEBUG(3, ("SPENGO login failed: %s\n", ads_errstr(status))); return False; } return True; -- cgit From b20f1a95a90033f711a26fdeeb49eaf3059ad91d Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 15 Jan 2004 19:03:18 +0000 Subject: * BUG 446 - setup_logging() in smbclient to be interactive (remove the timestamps) - Fix bad return value in pull_ucs2( needs more testing to make sure this didn't break something else) that caused clistr_pull() to always read the same string from the buffer (pull_usc2() could return -1 if the original source length was given as -1) - increment some debugging messages to avoid printing them out so often (This used to be commit 79fe75dcdf6cc38e18ca1231e4357893db4d4a08) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 707a33881d..84159e5d62 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -673,7 +673,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, BOOL got_kerberos_mechanism = False; DATA_BLOB blob; - DEBUG(2,("Doing spnego session setup (blob length=%lu)\n", (unsigned long)cli->secblob.length)); + DEBUG(3,("Doing spnego session setup (blob length=%lu)\n", (unsigned long)cli->secblob.length)); /* the server might not even do spnego */ if (cli->secblob.length <= 16) { -- cgit From 56ce6136792478c63d371a7b187c1318043e081f Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 19 Mar 2004 16:22:47 +0000 Subject: updating release notes & merging Derrel Lipman's libsmbclient patch from HEAD (This used to be commit 5fbfaa687a3674287eeadd205f56b2b253a9e2a9) --- source3/libsmb/cliconnect.c | 86 ++++++++++++++++++++++++++++++++++----------- 1 file changed, 66 insertions(+), 20 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 84159e5d62..e75a361e25 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1590,42 +1590,88 @@ struct cli_state *get_ipc_connect(char *server, struct in_addr *server_ip, return NULL; } -/* Return the IP address and workgroup of a master browser on the - network. */ +/* + * Given the IP address of a master browser on the network, return its + * workgroup and connect to it. + * + * This function is provided to allow additional processing beyond what + * get_ipc_connect_master_ip_bcast() does, e.g. to retrieve the list of master + * browsers and obtain each master browsers' list of domains (in case the + * first master browser is recently on the network and has not yet + * synchronized with other master browsers and therefore does not yet have the + * entire network browse list) + */ -struct cli_state *get_ipc_connect_master_ip_bcast(pstring workgroup, struct user_auth_info *user_info) +struct cli_state *get_ipc_connect_master_ip(struct ip_service * mb_ip, pstring workgroup, struct user_auth_info *user_info) { - struct ip_service *ip_list; + static fstring name; struct cli_state *cli; - int i, count; struct in_addr server_ip; - /* Go looking for workgroups by broadcasting on the local network */ + DEBUG(99, ("Looking up name of master browser %s\n", + inet_ntoa(mb_ip->ip))); + + /* + * Do a name status query to find out the name of the master browser. + * We use <01><02>__MSBROWSE__<02>#01 if *#00 fails because a domain + * master browser will not respond to a wildcard query (or, at least, + * an NT4 server acting as the domain master browser will not). + * + * We might be able to use ONLY the query on MSBROWSE, but that's not + * yet been tested with all Windows versions, so until it is, leave + * the original wildcard query as the first choice and fall back to + * MSBROWSE if the wildcard query fails. + */ + if (!name_status_find("*", 0, 0x1d, mb_ip->ip, name) && + !name_status_find(MSBROWSE, 1, 0x1d, mb_ip->ip, name)) { - if (!name_resolve_bcast(MSBROWSE, 1, &ip_list, &count)) { - return False; + DEBUG(99, ("Could not retrieve name status for %s\n", + inet_ntoa(mb_ip->ip))); + return NULL; } - for (i = 0; i < count; i++) { - static fstring name; - - if (!name_status_find("*", 0, 0x1d, ip_list[i].ip, name)) - continue; - - if (!find_master_ip(name, &server_ip)) - continue; + if (!find_master_ip(name, &server_ip)) { + DEBUG(99, ("Could not find master ip for %s\n", name)); + return NULL; + } pstrcpy(workgroup, name); DEBUG(4, ("found master browser %s, %s\n", - name, inet_ntoa(ip_list[i].ip))); + name, inet_ntoa(mb_ip->ip))); cli = get_ipc_connect(inet_ntoa(server_ip), &server_ip, user_info); - if (!cli) - continue; - return cli; + +} + +/* + * Return the IP address and workgroup of a master browser on the network, and + * connect to it. + */ + +struct cli_state *get_ipc_connect_master_ip_bcast(pstring workgroup, struct user_auth_info *user_info) +{ + struct ip_service *ip_list; + struct cli_state *cli; + int i, count; + + DEBUG(99, ("Do broadcast lookup for workgroups on local network\n")); + + /* Go looking for workgroups by broadcasting on the local network */ + + if (!name_resolve_bcast(MSBROWSE, 1, &ip_list, &count)) { + DEBUG(99, ("No master browsers responded\n")); + return False; + } + + for (i = 0; i < count; i++) { + DEBUG(99, ("Found master browser %s\n", inet_ntoa(ip_list[i].ip))); + + cli = get_ipc_connect_master_ip(&ip_list[i], workgroup, user_info); + if (cli) + return(cli); } return NULL; -- cgit From 9a8e30d04b1cfc53e8c8949a56d4f1cf5aa26501 Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Wed, 24 Mar 2004 17:32:55 +0000 Subject: Fix bugzilla # 1208 Winbind tickets expired. We now check the expiration time, and acquire new tickets. We couln't rely on renewing them, because if we didn't get a request before they expired, we wouldn't have renewed them. Also, there is a one-week limit in MS on renewal life, so new tickets would have been needed after a week anyway. Default is 10 hours, so we should only be acquiring them that often, unless the configuration on the DC is changed (and the minimum is 1 hour). (This used to be commit c2436c433afaab4006554a86307f76b6689d6929) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index e75a361e25..3f87119ce2 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -718,7 +718,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, int ret; use_in_memory_ccache(); - ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */); + ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL); if (ret){ DEBUG(0, ("Kinit failed: %s\n", error_message(ret))); -- cgit From e9a7e67e01c115328f95690cbf63ca1ef0b4d408 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 27 Mar 2004 07:33:59 +0000 Subject: Merge from HEAD the SMB signing patch that I developed a couple of weeks ago. This patch re-adds support for 'optional' SMB signing. It also ensures that we are much more careful about when we enable signing, particularly with on-the-fly smb.conf reloads. The client code will now attempt to use smb signing by default, and disable it if the server doesn't correctly support it. Andrew Bartlett (This used to be commit e27b5cbe75d89ec839dafd52dd33101885a4c263) --- source3/libsmb/cliconnect.c | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 3f87119ce2..63541e18b5 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -325,7 +325,7 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, session_key = data_blob(NULL, 16); SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data); } - cli_simple_set_signing(cli, session_key, nt_response, 0); + cli_simple_set_signing(cli, session_key, nt_response); } else { /* pre-encrypted password supplied. Only used for security=server, can't do @@ -521,7 +521,7 @@ static ADS_STATUS cli_session_setup_kerberos(struct cli_state *cli, const char * file_save("negTokenTarg.dat", negTokenTarg.data, negTokenTarg.length); #endif - cli_simple_set_signing(cli, session_key_krb5, null_blob, 0); + cli_simple_set_signing(cli, session_key_krb5, null_blob); blob2 = cli_session_setup_blob(cli, negTokenTarg); @@ -643,13 +643,16 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use fstrcpy(cli->server_domain, ntlmssp_state->server_domain); cli_set_session_key(cli, ntlmssp_state->session_key); - /* Using NTLMSSP session setup, signing on the net only starts - * after a successful authentication and the session key has - * been determined, but with a sequence number of 2. This - * assumes that NTLMSSP needs exactly 2 roundtrips, for any - * other SPNEGO mechanism it needs adapting. */ - - cli_simple_set_signing(cli, key, null_blob, 2); + if (cli_simple_set_signing(cli, key, null_blob)) { + + /* 'resign' the last message, so we get the right sequence numbers + for checking the first reply from the server */ + cli_calculate_sign_mac(cli); + + if (!cli_check_sign_mac(cli, True)) { + nt_status = NT_STATUS_ACCESS_DENIED; + } + } } /* we have a reference conter on ntlmssp_state, if we are signing @@ -1088,6 +1091,8 @@ BOOL cli_negprot(struct cli_state *cli) } cli->sign_info.negotiated_smb_signing = True; cli->sign_info.mandatory_signing = True; + } else if (cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) { + cli->sign_info.negotiated_smb_signing = True; } } else if (cli->protocol >= PROTOCOL_LANMAN1) { -- cgit From 873db3f5fd3fbfcf290cea61d7e9f58bf28b3983 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 27 Mar 2004 07:53:47 +0000 Subject: Based on the detective work of Jianliang Lu , allow yet another NTLMv2 combination. We should allow the NTLMv2 response to be calculated with either the domain as supplied, or the domain in UPPER case (as we always did in the past). As a client, we always UPPER case it (as per the spec), but we also make sure to UPPER case the domain, when we send it. This should give us maximum compatability. Andrew Bartlett (This used to be commit 1e91cd0cf87b29899641585f46b0dcecaefd848e) --- source3/libsmb/cliconnect.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 63541e18b5..adfeec2290 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -358,7 +358,9 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, memcpy(p,nt_response.data, nt_response.length); p += nt_response.length; } p += clistr_push(cli, p, user, -1, STR_TERMINATE); - p += clistr_push(cli, p, workgroup, -1, STR_TERMINATE); + + /* Upper case here might help some NTLMv2 implementations */ + p += clistr_push(cli, p, workgroup, -1, STR_TERMINATE|STR_UPPER); p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE); p += clistr_push(cli, p, "Samba", -1, STR_TERMINATE); cli_setup_bcc(cli, p); @@ -649,7 +651,7 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use for checking the first reply from the server */ cli_calculate_sign_mac(cli); - if (!cli_check_sign_mac(cli, True)) { + if (!cli_check_sign_mac(cli, False)) { nt_status = NT_STATUS_ACCESS_DENIED; } } @@ -874,7 +876,7 @@ BOOL cli_send_tconX(struct cli_state *cli, if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) && *pass && passlen != 24) { if (!lp_client_lanman_auth()) { - DEBUG(1, ("Server requested LANMAN password but 'client use lanman auth'" + DEBUG(1, ("Server requested LANMAN password (share-level security) but 'client use lanman auth'" " is disabled\n")); return False; } -- cgit From b65d7d59c2e93e32225805389176751c9ffdafee Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 27 Mar 2004 08:51:04 +0000 Subject: Revert bogus part of smb signing commit - when Win2k supports singing/SPNEGO, it does sign the first packet. Andrew Bartlett (This used to be commit 4b9c50db853eaf9eb8c68b85760c40c1a8f9bd94) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index adfeec2290..63c91469e3 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -651,7 +651,7 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use for checking the first reply from the server */ cli_calculate_sign_mac(cli); - if (!cli_check_sign_mac(cli, False)) { + if (!cli_check_sign_mac(cli, True)) { nt_status = NT_STATUS_ACCESS_DENIED; } } -- cgit From 70227784ba773eefe658ceaaf506f63509d5f5d1 Mon Sep 17 00:00:00 2001 From: Herb Lewis Date: Wed, 31 Mar 2004 20:24:10 +0000 Subject: fix typo (This used to be commit 4b737b51a5cf0a862f4c1bd67d9d3dd49cc81b65) --- source3/libsmb/cliconnect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 63c91469e3..cdf58c5b91 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -590,7 +590,7 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use /* now send that blob on its way */ if (!cli_session_setup_blob_send(cli, msg1)) { - DEBUG(3, ("Failed to send NTLMSSP/SPENGO blob to server!\n")); + DEBUG(3, ("Failed to send NTLMSSP/SPNEGO blob to server!\n")); nt_status = NT_STATUS_UNSUCCESSFUL; } else { data_blob_free(&msg1); @@ -822,7 +822,7 @@ BOOL cli_session_setup(struct cli_state *cli, if (cli->capabilities & CAP_EXTENDED_SECURITY) { ADS_STATUS status = cli_session_setup_spnego(cli, user, pass, workgroup); if (!ADS_ERR_OK(status)) { - DEBUG(3, ("SPENGO login failed: %s\n", ads_errstr(status))); + DEBUG(3, ("SPNEGO login failed: %s\n", ads_errstr(status))); return False; } return True; -- cgit From 85a307bb3ea102be24fb1f0ecdc27c9eb08c9ce9 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 12 Apr 2004 11:18:32 +0000 Subject: r176: Improve our fallback code for password changes - this would be better with more correct NTLMSSP support in client and server, but it will do for now. Also implement LANMAN password only in the classical session setup code, but #ifdef'ed out. In Samba4, I'll make this run-time so we can torture it. Lanman passwords over 14 dos characters long could be considered 'invalid' (they are truncated) - so SMBencrypt now returns 'False' if it generates such a password. Andrew Bartlett (This used to be commit 565305f7bb30c08120c3def5367adfd6f5dd84df) --- source3/libsmb/cliconnect.c | 63 +++++++++++++++++++++++++++++++-------------- 1 file changed, 44 insertions(+), 19 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index cdf58c5b91..06c9b5ea91 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -40,6 +40,18 @@ static const struct { {-1,NULL} }; +/** + * Set the user session key for a connection + * @param cli The cli structure to add it too + * @param session_key The session key used. (A copy of this is taken for the cli struct) + * + */ + +static void cli_set_session_key (struct cli_state *cli, const DATA_BLOB session_key) +{ + cli->user_session_key = data_blob(session_key.data, session_key.length); +} + /**************************************************************************** Do an old lanman2 style session setup. ****************************************************************************/ @@ -47,6 +59,8 @@ static const struct { static BOOL cli_session_setup_lanman2(struct cli_state *cli, const char *user, const char *pass, size_t passlen, const char *workgroup) { + DATA_BLOB session_key = data_blob(NULL, 0); + DATA_BLOB lm_response = data_blob(NULL, 0); fstring pword; char *p; @@ -66,14 +80,15 @@ static BOOL cli_session_setup_lanman2(struct cli_state *cli, const char *user, if (passlen > 0 && (cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) && passlen != 24) { /* Encrypted mode needed, and non encrypted password supplied. */ - passlen = 24; - SMBencrypt(pass,cli->secblob.data,(uchar *)pword); + lm_response = data_blob(NULL, 24); + SMBencrypt(pass, cli->secblob.data,(uchar *)lm_response.data); } else if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) && passlen == 24) { /* Encrypted mode needed, and encrypted password supplied. */ - memcpy(pword, pass, passlen); + lm_response = data_blob(pass, passlen); } else if (passlen > 0) { /* Plaintext mode needed, assume plaintext supplied. */ passlen = clistr_push(cli, pword, pass, sizeof(pword), STR_TERMINATE); + lm_response = data_blob(pass, passlen); } /* send a session setup command */ @@ -87,10 +102,10 @@ static BOOL cli_session_setup_lanman2(struct cli_state *cli, const char *user, SSVAL(cli->outbuf,smb_vwv3,2); SSVAL(cli->outbuf,smb_vwv4,1); SIVAL(cli->outbuf,smb_vwv5,cli->sesskey); - SSVAL(cli->outbuf,smb_vwv7,passlen); + SSVAL(cli->outbuf,smb_vwv7,lm_response.length); p = smb_buf(cli->outbuf); - memcpy(p,pword,passlen); + memcpy(p,lm_response.data,lm_response.length); p += passlen; p += clistr_push(cli, p, user, -1, STR_TERMINATE|STR_UPPER); p += clistr_push(cli, p, workgroup, -1, STR_TERMINATE|STR_UPPER); @@ -111,6 +126,11 @@ static BOOL cli_session_setup_lanman2(struct cli_state *cli, const char *user, cli->vuid = SVAL(cli->inbuf,smb_uid); fstrcpy(cli->user_name, user); + if (session_key.data) { + /* Have plaintext orginal */ + cli_set_session_key(cli, session_key); + } + return True; } @@ -248,18 +268,6 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, const char *user, return True; } -/** - * Set the user session key for a connection - * @param cli The cli structure to add it too - * @param session_key The session key used. (A copy of this is taken for the cli struct) - * - */ - -static void cli_set_session_key (struct cli_state *cli, const DATA_BLOB session_key) -{ - cli->user_session_key = data_blob(session_key.data, session_key.length); -} - /**************************************************************************** do a NT1 NTLM/LM encrypted session setup - for when extended security is not negotiated. @@ -310,22 +318,39 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, uchar nt_hash[16]; E_md4hash(pass, nt_hash); +#ifdef LANMAN_ONLY + nt_response = data_blob(NULL, 0); +#else nt_response = data_blob(NULL, 24); SMBNTencrypt(pass,cli->secblob.data,nt_response.data); - +#endif /* non encrypted password supplied. Ignore ntpass. */ if (lp_client_lanman_auth()) { lm_response = data_blob(NULL, 24); - SMBencrypt(pass,cli->secblob.data, lm_response.data); + if (!SMBencrypt(pass,cli->secblob.data, lm_response.data)) { + /* Oops, the LM response is invalid, just put + the NT response there instead */ + data_blob_free(&lm_response); + lm_response = data_blob(nt_response.data, nt_response.length); + } } else { /* LM disabled, place NT# in LM field instead */ lm_response = data_blob(nt_response.data, nt_response.length); } session_key = data_blob(NULL, 16); +#ifdef LANMAN_ONLY + E_deshash(pass, session_key.data); + memset(&session_key.data[8], '\0', 8); +#else SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data); +#endif } +#ifdef LANMAN_ONLY + cli_simple_set_signing(cli, session_key, lm_response); +#else cli_simple_set_signing(cli, session_key, nt_response); +#endif } else { /* pre-encrypted password supplied. Only used for security=server, can't do -- cgit From ff343c516c02d4764935d0d38c8c87f8fc967780 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 6 May 2004 17:39:36 +0000 Subject: r523: Fix from kawasa_r@itg.hitachi.co.jp to initialise blob structs. Jeremy. (This used to be commit 6d0bdccaa67a2965fde5f9dff6cdc4059b8fbc90) --- source3/libsmb/cliconnect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 06c9b5ea91..e345dbe479 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -580,9 +580,9 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use NTSTATUS nt_status; int turn = 1; DATA_BLOB msg1; - DATA_BLOB blob; + DATA_BLOB blob = data_blob(NULL, 0); DATA_BLOB blob_in = data_blob(NULL, 0); - DATA_BLOB blob_out; + DATA_BLOB blob_out = data_blob(NULL, 0); cli_temp_set_signing(cli); -- cgit From 309bbba38b82013f0a4e7e638d6ff3235f9966aa Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 6 May 2004 17:48:45 +0000 Subject: r525: More memory leak fixes from kawasa_r@itg.hitachi.co.jp in error code paths. Jeremy. (This used to be commit 88a97beac4f445f2a472167b3e5c0e8e1d019d17) --- source3/libsmb/cliconnect.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index e345dbe479..afbd2079ea 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -421,9 +421,7 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, end: data_blob_free(&lm_response); data_blob_free(&nt_response); - - if (!ret) - data_blob_free(&session_key); + data_blob_free(&session_key); return ret; } @@ -558,6 +556,7 @@ static ADS_STATUS cli_session_setup_kerberos(struct cli_state *cli, const char * cli_set_session_key(cli, session_key_krb5); data_blob_free(&negTokenTarg); + data_blob_free(&session_key_krb5); if (cli_is_error(cli)) { if (NT_STATUS_IS_OK(cli_nt_error(cli))) { @@ -744,6 +743,8 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, * and do not store results */ if (got_kerberos_mechanism && cli->use_kerberos) { + ADS_STATUS rc; + if (pass && *pass) { int ret; @@ -751,16 +752,19 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL); if (ret){ + SAFE_FREE(principal); DEBUG(0, ("Kinit failed: %s\n", error_message(ret))); return ADS_ERROR_KRB5(ret); } } - return cli_session_setup_kerberos(cli, principal, domain); + rc = cli_session_setup_kerberos(cli, principal, domain); + SAFE_FREE(principal); + return rc; } #endif - free(principal); + SAFE_FREE(principal); ntlmssp: -- cgit From 8f93b500320d7d4341dfea37fd1f82d02b1ce980 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 14 Jul 2004 01:20:50 +0000 Subject: r1487: Remove unused parameter for the client-side signing functions. Andrew Bartlett (This used to be commit 6d594d5bb119b6bc3f4c7699752666ac24d04745) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index afbd2079ea..ce404e1b9e 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -675,7 +675,7 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use for checking the first reply from the server */ cli_calculate_sign_mac(cli); - if (!cli_check_sign_mac(cli, True)) { + if (!cli_check_sign_mac(cli)) { nt_status = NT_STATUS_ACCESS_DENIED; } } -- cgit From 748e7e4a923ee89b94f376066b1778cce5a58dfe Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 30 Jul 2004 11:14:47 +0000 Subject: r1612: Fix bug #1571 found by Guenter Kukkukk (Botched LANMAN2 session setup code) Andrew Bartlett (This used to be commit 3baa4ef6c58eb13bec1a8ddb1561a504f4a16107) --- source3/libsmb/cliconnect.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index ce404e1b9e..559538aac9 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -81,7 +81,10 @@ static BOOL cli_session_setup_lanman2(struct cli_state *cli, const char *user, if (passlen > 0 && (cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) && passlen != 24) { /* Encrypted mode needed, and non encrypted password supplied. */ lm_response = data_blob(NULL, 24); - SMBencrypt(pass, cli->secblob.data,(uchar *)lm_response.data); + if (!SMBencrypt(pass, cli->secblob.data,(uchar *)lm_response.data)) { + DEBUG(1, ("Password is > 14 chars in length, and is therefore incompatible with Lanman authentication\n")); + return False; + } } else if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) && passlen == 24) { /* Encrypted mode needed, and encrypted password supplied. */ lm_response = data_blob(pass, passlen); @@ -106,7 +109,7 @@ static BOOL cli_session_setup_lanman2(struct cli_state *cli, const char *user, p = smb_buf(cli->outbuf); memcpy(p,lm_response.data,lm_response.length); - p += passlen; + p += lm_response.length; p += clistr_push(cli, p, user, -1, STR_TERMINATE|STR_UPPER); p += clistr_push(cli, p, workgroup, -1, STR_TERMINATE|STR_UPPER); p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE); -- cgit From 41b37207139b3cbfa293a84ab92113db8007afed Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 17 Sep 2004 00:49:41 +0000 Subject: r2371: Fix for talking to OS/2 clients (max_mux ignored) by Guenter Kukkukk . Bugid #1590. Jeremy. (This used to be commit 330025d1a669de927a3879a9c3a9fc20e1be464f) --- source3/libsmb/cliconnect.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 559538aac9..98656c119d 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1133,6 +1133,7 @@ BOOL cli_negprot(struct cli_state *cli) cli->use_spnego = False; cli->sec_mode = SVAL(cli->inbuf,smb_vwv1); cli->max_xmit = SVAL(cli->inbuf,smb_vwv2); + cli->max_mux = SVAL(cli->inbuf, smb_vwv3); cli->sesskey = IVAL(cli->inbuf,smb_vwv6); cli->serverzone = SVALS(cli->inbuf,smb_vwv10); cli->serverzone *= 60; -- cgit From 0b9e4a98c821424fb12a71bfdf5f66ab98b780d4 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 21 Sep 2004 07:55:49 +0000 Subject: r2466: Fix memleak found by sean.chandler@verizon.net. Thanks! Volker (This used to be commit 587d863ae87042e0193b8d27b52ab3f75c58974b) --- source3/libsmb/cliconnect.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 98656c119d..4ff60c1b1c 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -668,11 +668,16 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use DATA_BLOB key = data_blob(ntlmssp_state->session_key.data, ntlmssp_state->session_key.length); DATA_BLOB null_blob = data_blob(NULL, 0); + BOOL res; fstrcpy(cli->server_domain, ntlmssp_state->server_domain); cli_set_session_key(cli, ntlmssp_state->session_key); - if (cli_simple_set_signing(cli, key, null_blob)) { + res = cli_simple_set_signing(cli, key, null_blob); + + data_blob_free(&key); + + if (res) { /* 'resign' the last message, so we get the right sequence numbers for checking the first reply from the server */ -- cgit From 0772ddbae1be394c538f1d3529ea84434eadcf97 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 29 Oct 2004 22:38:10 +0000 Subject: r3377: Merge in first part of modified patch from Nalin Dahyabhai for bug #1717.The rest of the code needed to call this patch has not yet been checked in (that's my next task). This has not yet been tested - I'll do this once the rest of the patch is integrated. Jeremy. (This used to be commit 7565019286cf44f43c8066c005b1cd5c1556435f) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 4ff60c1b1c..60691287e6 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -757,7 +757,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, int ret; use_in_memory_ccache(); - ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL); + ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL, NULL); if (ret){ SAFE_FREE(principal); -- cgit From 5b713a206bf9c05faad750512886f4bbeebb21f8 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 14 Dec 2004 00:25:11 +0000 Subject: r4186: Fix client & server to allow 127k READX calls. Jeremy. (This used to be commit 831cb21a874601e4536c2cf76c5351e1d0defcb5) --- source3/libsmb/cliconnect.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 60691287e6..29a9533bd2 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -151,12 +151,7 @@ static uint32 cli_session_setup_capabilities(struct cli_state *cli) if (cli->use_level_II_oplocks) capabilities |= CAP_LEVEL_II_OPLOCKS; - if (cli->capabilities & CAP_UNICODE) - capabilities |= CAP_UNICODE; - - if (cli->capabilities & CAP_LARGE_FILES) - capabilities |= CAP_LARGE_FILES; - + capabilities |= (cli->capabilities & (CAP_UNICODE|CAP_LARGE_FILES|CAP_LARGE_READX|CAP_LARGE_WRITEX)); return capabilities; } @@ -1134,6 +1129,14 @@ BOOL cli_negprot(struct cli_state *cli) cli->sign_info.negotiated_smb_signing = True; } + if (cli->capabilities & (CAP_LARGE_READX|CAP_LARGE_WRITEX)) { + SAFE_FREE(cli->outbuf); + SAFE_FREE(cli->inbuf); + cli->outbuf = (char *)SMB_MALLOC(CLI_MAX_LARGE_READX_SIZE+SAFETY_MARGIN); + cli->inbuf = (char *)SMB_MALLOC(CLI_MAX_LARGE_READX_SIZE+SAFETY_MARGIN); + cli->bufsize = CLI_MAX_LARGE_READX_SIZE; + } + } else if (cli->protocol >= PROTOCOL_LANMAN1) { cli->use_spnego = False; cli->sec_mode = SVAL(cli->inbuf,smb_vwv1); -- cgit From 6f56a5be2e7e9259f020dd20c37d79f8f95c3815 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 22 Jan 2005 01:22:39 +0000 Subject: r4917: Merge some of Derrell.Lipman@UnwiredUniverse.com obvious fixes. Added text explaining units in pdbedit time fields. Jeremy. (This used to be commit 3d09c15d8f06ad06fae362291a6c986f7b6107e6) --- source3/libsmb/cliconnect.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 29a9533bd2..659e124292 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -989,7 +989,12 @@ BOOL cli_tdis(struct cli_state *cli) if (!cli_receive_smb(cli)) return False; - return !cli_is_error(cli); + if (cli_is_error(cli)) { + return False; + } + + cli->cnum = -1; + return True; } /**************************************************************************** -- cgit From c24c328a9e006473f4dba49fdf1842fb28952ec7 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 24 Jan 2005 20:21:15 +0000 Subject: r4970: Fix for bug 2092, allowing fallback after kerberos and allow gnome vfs to prevent auto-anonymous logon. Jeremy. (This used to be commit 843e85bcd978d025964c4d45d9a3886c7cf7f63c) --- source3/libsmb/cliconnect.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 659e124292..bffe9dfe8a 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -757,13 +757,17 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, if (ret){ SAFE_FREE(principal); DEBUG(0, ("Kinit failed: %s\n", error_message(ret))); + if (cli->fallback_after_kerberos) + goto ntlmssp; return ADS_ERROR_KRB5(ret); } } rc = cli_session_setup_kerberos(cli, principal, domain); - SAFE_FREE(principal); - return rc; + if (ADS_ERR_OK(rc) || !cli->fallback_after_kerberos) { + SAFE_FREE(principal); + return rc; + } } #endif -- cgit From 37ea9da1fdf7eac31bb0d7ced407d49e3f5900bc Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 22 Feb 2005 03:31:22 +0000 Subject: r5495: * add in some code from Mike Nix for the SMBsplopen and SMBsplclose commands (BUG 2010) * clarify some debug messages in smbspool (also from Mike) my changes: * start adding msdfs client routines * enable smbclient to maintain multiple connections * set the CAP_DFS flag for our internal clienht routines. I actualy have a dfs referral working in do_cd() but that code is too ugly to live so I'm not checking it in just yet. Further work is to merge with vl's changes in trunk to support multiple TIDs per cli_state *. (This used to be commit 0449756309812d854037ba0af631abad678e670e) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index bffe9dfe8a..fa98d55f25 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -151,7 +151,7 @@ static uint32 cli_session_setup_capabilities(struct cli_state *cli) if (cli->use_level_II_oplocks) capabilities |= CAP_LEVEL_II_OPLOCKS; - capabilities |= (cli->capabilities & (CAP_UNICODE|CAP_LARGE_FILES|CAP_LARGE_READX|CAP_LARGE_WRITEX)); + capabilities |= (cli->capabilities & (CAP_UNICODE|CAP_LARGE_FILES|CAP_LARGE_READX|CAP_LARGE_WRITEX|CAP_DFS)); return capabilities; } -- cgit From 01b87c63c90083dbb7a56d038f714bde1a49fb2a Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 23 Feb 2005 17:29:28 +0000 Subject: r5518: Add initial msdfs support to smbclient. Currently I can only cd up and down the tree and get directory listings. Still have to figure out how to get a directory listing on a 2k dfs root. Also have to work out some issues with relative paths that cross dfs mount points. We're protected from the new code paths when connecting to a non-dfs root share ( the flag from the tcon&X is stored in the struct cli_state* ) (This used to be commit e57fd2c5f00de2b11a2b44374830e89a90bc0022) --- source3/libsmb/cliconnect.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index fa98d55f25..01a92a89ba 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -972,6 +972,9 @@ BOOL cli_send_tconX(struct cli_state *cli, /* almost certainly win95 - enable bug fixes */ cli->win95 = True; } + + if ( cli->protocol >= PROTOCOL_LANMAN2 ) + cli->dfsroot = (SVAL( cli->inbuf, smb_vwv2 ) & SMB_SHARE_IN_DFS); cli->cnum = SVAL(cli->inbuf,smb_tid); return True; -- cgit From 82379c7bd1827601630da120f5b5ebb9061ce2b5 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 10 Mar 2005 20:14:24 +0000 Subject: r5729: partial fixes for BUG 2308; libsmbclient patches from Derrell Lipman (This used to be commit 88678bc05c3018eb181f97523a0b84b60e3c358d) --- source3/libsmb/cliconnect.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 01a92a89ba..aa37a29391 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -888,7 +888,12 @@ BOOL cli_ulogoff(struct cli_state *cli) if (!cli_receive_smb(cli)) return False; - return !cli_is_error(cli); + if (cli_is_error(cli)) { + return False; + } + + cli->cnum = -1; + return True; } /**************************************************************************** -- cgit From 4b831f8e16d305666b0f2b018c35f5427efc21cc Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 22 Mar 2005 15:12:50 +0000 Subject: r5952: BUG 2469: patch from Jason Mader to cleanup compiler warning when not using krb5 (This used to be commit 19a639ac468237b22f16d917c0150fbf10c9623e) --- source3/libsmb/cliconnect.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index aa37a29391..c5154827c6 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -702,7 +702,9 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, char *principal; char *OIDs[ASN1_MAX_OIDS]; int i; +#ifdef HAVE_KRB5 BOOL got_kerberos_mechanism = False; +#endif DATA_BLOB blob; DEBUG(3,("Doing spnego session setup (blob length=%lu)\n", (unsigned long)cli->secblob.length)); @@ -731,10 +733,12 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, /* make sure the server understands kerberos */ for (i=0;OIDs[i];i++) { DEBUG(3,("got OID=%s\n", OIDs[i])); +#ifdef HAVE_KRB5 if (strcmp(OIDs[i], OID_KERBEROS5_OLD) == 0 || strcmp(OIDs[i], OID_KERBEROS5) == 0) { got_kerberos_mechanism = True; } +#endif free(OIDs[i]); } DEBUG(3,("got principal=%s\n", principal)); -- cgit From 97978aa86577375ab035ce76b4af6a1acb13f78e Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 23 Mar 2005 15:36:48 +0000 Subject: r5994: proper fix for smbclient and win98 file servers; check the WCT value in the tcon&X reply before setting the cli_state->dfsroot flag (This used to be commit d3822d889dbc0812335e9242566256a0f88bc00d) --- source3/libsmb/cliconnect.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index c5154827c6..4208d6378d 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -982,8 +982,12 @@ BOOL cli_send_tconX(struct cli_state *cli, cli->win95 = True; } - if ( cli->protocol >= PROTOCOL_LANMAN2 ) - cli->dfsroot = (SVAL( cli->inbuf, smb_vwv2 ) & SMB_SHARE_IN_DFS); + /* Make sure that we have the optional support 16-bit field. WCT > 2 */ + /* Avoids issues when connecting to Win9x boxes sharing files */ + + cli->dfsroot = False; + if ( (CVAL(cli->inbuf, smb_wct))>2 && cli->protocol >= PROTOCOL_LANMAN2 ) + cli->dfsroot = (SVAL( cli->inbuf, smb_vwv2 ) & SMB_SHARE_IN_DFS) ? True : False; cli->cnum = SVAL(cli->inbuf,smb_tid); return True; -- cgit From 978ca8486031e43754a3c23757f361bf3a85f335 Mon Sep 17 00:00:00 2001 From: Herb Lewis Date: Wed, 6 Apr 2005 16:28:04 +0000 Subject: r6225: get rid of warnings from my compiler about nested externs (This used to be commit efea76ac71412f8622cd233912309e91b9ea52da) --- source3/libsmb/cliconnect.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 4208d6378d..5a9992d4e0 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -23,6 +23,7 @@ #include "includes.h" +extern pstring user_socket_options; static const struct { int prot; @@ -1200,7 +1201,6 @@ BOOL cli_session_request(struct cli_state *cli, { char *p; int len = 4; - extern pstring user_socket_options; memcpy(&(cli->calling), calling, sizeof(*calling)); memcpy(&(cli->called ), called , sizeof(*called )); @@ -1290,7 +1290,6 @@ BOOL cli_session_request(struct cli_state *cli, BOOL cli_connect(struct cli_state *cli, const char *host, struct in_addr *ip) { - extern pstring user_socket_options; int name_type = 0x20; char *p; -- cgit From ab398643a4e44211696ef5ce72b62ab7ecee7bc9 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Tue, 19 Jul 2005 02:37:04 +0000 Subject: r8572: Remove crufty #define NO_SYSLOG as it's not used at all anymore. (This used to be commit 985dbb47d925e79c1195ca219f7ab5d6648b22b8) --- source3/libsmb/cliconnect.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 5a9992d4e0..3d8e36c493 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -19,8 +19,6 @@ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ -#define NO_SYSLOG - #include "includes.h" extern pstring user_socket_options; -- cgit From 54abd2aa66069e6baf7769c496f46d9dba18db39 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 30 Sep 2005 17:13:37 +0000 Subject: r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3) --- source3/libsmb/cliconnect.c | 27 +++------------------------ 1 file changed, 3 insertions(+), 24 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 3d8e36c493..7ecc769517 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -532,7 +532,7 @@ static ADS_STATUS cli_session_setup_kerberos(struct cli_state *cli, const char * DEBUG(2,("Doing kerberos session setup\n")); /* generate the encapsulated kerberos5 ticket */ - rc = spnego_gen_negTokenTarg(principal, 0, &negTokenTarg, &session_key_krb5); + rc = spnego_gen_negTokenTarg(principal, 0, &negTokenTarg, &session_key_krb5, 0); if (rc) { DEBUG(1, ("spnego_gen_negTokenTarg failed: %s\n", error_message(rc))); @@ -600,7 +600,7 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use nt_status = ntlmssp_update(ntlmssp_state, blob_in, &blob_out); data_blob_free(&blob_in); - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) || NT_STATUS_IS_OK(nt_status)) { if (turn == 1) { /* and wrap it in a SPNEGO wrapper */ msg1 = gen_negTokenInit(OID_NTLMSSP, blob_out); @@ -1337,25 +1337,6 @@ BOOL cli_connect(struct cli_state *cli, const char *host, struct in_addr *ip) return True; } -/**************************************************************************** - Initialise client credentials for authenticated pipe access. -****************************************************************************/ - -void init_creds(struct ntuser_creds *creds, const char* username, - const char* domain, const char* password) -{ - ZERO_STRUCTP(creds); - - pwd_set_cleartext(&creds->pwd, password); - - fstrcpy(creds->user_name, username); - fstrcpy(creds->domain, domain); - - if (!*username) { - creds->pwd.null_pwd = True; - } -} - /** establishes a connection to after the negprot. @param output_cli A fully initialised cli structure, non-null only on success @@ -1474,7 +1455,6 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, int signing_state, BOOL *retry) { - struct ntuser_creds creds; NTSTATUS nt_status; struct cli_state *cli = NULL; @@ -1513,8 +1493,7 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, } } - init_creds(&creds, user, domain, password); - cli_init_creds(cli, &creds); + cli_init_creds(cli, user, domain, password); *output_cli = cli; return NT_STATUS_OK; -- cgit From cd310c19cefddc799ec5f8b374bc9c5ea9dec5f1 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 21 Oct 2005 02:14:23 +0000 Subject: r11240: * fix invalid read reported by valgrind in the spoolss backchannel connection by rewriting spoolss_connect_to_client(). Ensure that we save the cli_state* in the rpc_pipe_client struct. * fix typo in debug message in cli_start_connection" (This used to be commit 18400f96628ffdd332c2fb2aa52b5e9aee5cb3ce) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 7ecc769517..8118f073df 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1388,7 +1388,7 @@ again: DEBUG(3,("Connecting to host=%s\n", dest_host)); if (!cli_connect(cli, dest_host, &ip)) { - DEBUG(1,("cli_full_connection: failed to connect to %s (%s)\n", + DEBUG(1,("cli_start_connection: failed to connect to %s (%s)\n", nmb_namestr(&called), inet_ntoa(ip))); cli_shutdown(cli); return NT_STATUS_UNSUCCESSFUL; -- cgit From 6d5757395a0e54245543794d0d6d6d6a32cd857a Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 5 Nov 2005 04:21:55 +0000 Subject: r11511: A classic "friday night check-in" :-). This moves much of the Samba4 timezone handling code back into Samba3. Gets rid of "kludge-gmt" and removes the effectiveness of the parameter "time offset" (I can add this back in very easily if needed) - it's no longer being looked at. I'm hoping this will fix the problems people have been having with DST transitions. I'll start comprehensive testing tomorrow, but for now all modifications are done. Splits time get/set functions into srv_XXX and cli_XXX as they need to look at different timezone offsets. Get rid of much of the "efficiency" cruft that was added to Samba back in the day when the C library timezone handling functions were slow. Jeremy. (This used to be commit 414303bc0272f207046b471a0364fa296b67c1f8) --- source3/libsmb/cliconnect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 8118f073df..b352d3572a 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1170,7 +1170,7 @@ BOOL cli_negprot(struct cli_state *cli) cli->serverzone = SVALS(cli->inbuf,smb_vwv10); cli->serverzone *= 60; /* this time is converted to GMT by make_unix_date */ - cli->servertime = make_unix_date(cli->inbuf+smb_vwv8); + cli->servertime = cli_make_unix_date(cli,cli->inbuf+smb_vwv8); cli->readbraw_supported = ((SVAL(cli->inbuf,smb_vwv5) & 0x1) != 0); cli->writebraw_supported = ((SVAL(cli->inbuf,smb_vwv5) & 0x2) != 0); cli->secblob = data_blob(smb_buf(cli->inbuf),smb_buflen(cli->inbuf)); @@ -1178,7 +1178,7 @@ BOOL cli_negprot(struct cli_state *cli) /* the old core protocol */ cli->use_spnego = False; cli->sec_mode = 0; - cli->serverzone = TimeDiff(time(NULL)); + cli->serverzone = get_time_zone(time(NULL)); } cli->max_xmit = MIN(cli->max_xmit, CLI_BUFFER_SIZE); -- cgit From d2fff52b913e9ac192163fb615a59aaa3a247afb Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 30 Nov 2005 17:29:33 +0000 Subject: r11975: Fix valgrind error -- bug 3291 (This used to be commit 9a6ce67fbf89ea7fc9eed72776dff4712ba67e2b) --- source3/libsmb/cliconnect.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index b352d3572a..ac7d1b1650 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -163,6 +163,7 @@ static BOOL cli_session_setup_guest(struct cli_state *cli) char *p; uint32 capabilities = cli_session_setup_capabilities(cli); + memset(cli->outbuf, '\0', smb_size); set_message(cli->outbuf,13,0,True); SCVAL(cli->outbuf,smb_com,SMBsesssetupX); cli_setup_packet(cli); -- cgit From 855e02f1649992f05b685be96dfff4a9140170e9 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 3 Feb 2006 21:19:24 +0000 Subject: r13310: first round of server affinity patches for winbindd & net ads join (This used to be commit 6c3480f9aecc061660ad5c06347b8f1d3e11a330) --- source3/libsmb/cliconnect.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index ac7d1b1650..7c15c8d19f 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -865,14 +865,16 @@ BOOL cli_session_setup(struct cli_state *cli, DEBUG(3, ("SPNEGO login failed: %s\n", ads_errstr(status))); return False; } - return True; + } else { + /* otherwise do a NT1 style session setup */ + if ( !cli_session_setup_nt1(cli, user, pass, passlen, ntpass, ntpasslen, workgroup) ) { + DEBUG(3,("cli_session_setup: NT1 session setup failed!\n")); + return False; + } } - /* otherwise do a NT1 style session setup */ + return True; - return cli_session_setup_nt1(cli, user, - pass, passlen, ntpass, ntpasslen, - workgroup); } /**************************************************************************** -- cgit From 0af1500fc0bafe61019f1b2ab1d9e1d369221240 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 3 Feb 2006 22:19:41 +0000 Subject: r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 7c15c8d19f..6f32fb1b5d 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -756,7 +756,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, int ret; use_in_memory_ccache(); - ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL, NULL); + ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL, NULL, NULL, False, 0); if (ret){ SAFE_FREE(principal); -- cgit From 8189bb6e4c5a3cde757bb7823f51541c8940914b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 15 Feb 2006 02:07:14 +0000 Subject: r13502: Fix error messages for usershares when smbd is not running. More generic error return cleanup in libsmb/ needs doing (everything returning NTSTATUS not BOOL). Jeremy (This used to be commit 654bb9853b450c5d509d182f67ec26ac320fd590) --- source3/libsmb/cliconnect.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 6f32fb1b5d..4c6b890db0 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1394,7 +1394,11 @@ again: DEBUG(1,("cli_start_connection: failed to connect to %s (%s)\n", nmb_namestr(&called), inet_ntoa(ip))); cli_shutdown(cli); - return NT_STATUS_UNSUCCESSFUL; + if (is_zero_ip(ip)) { + return NT_STATUS_BAD_NETWORK_NAME; + } else { + return NT_STATUS_CONNECTION_REFUSED; + } } if (retry) @@ -1412,7 +1416,7 @@ again: make_nmb_name(&called , "*SMBSERVER", 0x20); goto again; } - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_BAD_NETWORK_NAME; } cli_setup_signing_state(cli, signing_state); @@ -1424,7 +1428,10 @@ again: if (!cli_negprot(cli)) { DEBUG(1,("failed negprot\n")); - nt_status = NT_STATUS_UNSUCCESSFUL; + nt_status = cli_nt_error(cli); + if (NT_STATUS_IS_OK(nt_status)) { + nt_status = NT_STATUS_UNSUCCESSFUL; + } cli_shutdown(cli); return nt_status; } -- cgit From 485a286a65d3b37f424f5701179f73c99eb9b5b9 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 20 Mar 2006 19:05:44 +0000 Subject: r14585: Tighten argument list of kerberos_kinit_password again, kerberos_kinit_password_ext provides access to more options. Guenther (This used to be commit afc519530f94b420b305fc28f83c16db671d0d7f) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 4c6b890db0..48885f19d8 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -756,7 +756,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, int ret; use_in_memory_ccache(); - ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL, NULL, NULL, False, 0); + ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL); if (ret){ SAFE_FREE(principal); -- cgit From 7b75d2c650cc8dfe8c9d5b9e396afce1cedb0645 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 22 Apr 2006 02:33:11 +0000 Subject: r15162: Patch for bug #3668. Windows has a bug with LARGE_READX where if you ask for exactly 64k bytes it returns 0. Jeremy. (This used to be commit dcef65acb5bc08ea4b61ef490a518b7e668ff2ee) --- source3/libsmb/cliconnect.c | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 48885f19d8..6b5de6d143 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -199,6 +199,10 @@ static BOOL cli_session_setup_guest(struct cli_state *cli) p += clistr_pull(cli, cli->server_type, p, sizeof(fstring), -1, STR_TERMINATE); p += clistr_pull(cli, cli->server_domain, p, sizeof(fstring), -1, STR_TERMINATE); + if (strstr(cli->server_type, "Samba")) { + cli->is_samba = True; + } + fstrcpy(cli->user_name, ""); return True; @@ -263,6 +267,10 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, const char *user, p += clistr_pull(cli, cli->server_domain, p, sizeof(fstring), -1, STR_TERMINATE); fstrcpy(cli->user_name, user); + if (strstr(cli->server_type, "Samba")) { + cli->is_samba = True; + } + return True; } @@ -408,6 +416,10 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, p += clistr_pull(cli, cli->server_type, p, sizeof(fstring), -1, STR_TERMINATE); p += clistr_pull(cli, cli->server_domain, p, sizeof(fstring), -1, STR_TERMINATE); + if (strstr(cli->server_type, "Samba")) { + cli->is_samba = True; + } + fstrcpy(cli->user_name, user); if (session_key.data) { @@ -873,6 +885,10 @@ BOOL cli_session_setup(struct cli_state *cli, } } + if (strstr(cli->server_type, "Samba")) { + cli->is_samba = True; + } + return True; } @@ -1159,9 +1175,9 @@ BOOL cli_negprot(struct cli_state *cli) if (cli->capabilities & (CAP_LARGE_READX|CAP_LARGE_WRITEX)) { SAFE_FREE(cli->outbuf); SAFE_FREE(cli->inbuf); - cli->outbuf = (char *)SMB_MALLOC(CLI_MAX_LARGE_READX_SIZE+SAFETY_MARGIN); - cli->inbuf = (char *)SMB_MALLOC(CLI_MAX_LARGE_READX_SIZE+SAFETY_MARGIN); - cli->bufsize = CLI_MAX_LARGE_READX_SIZE; + cli->outbuf = (char *)SMB_MALLOC(CLI_SAMBA_MAX_LARGE_READX_SIZE+SAFETY_MARGIN); + cli->inbuf = (char *)SMB_MALLOC(CLI_SAMBA_MAX_LARGE_READX_SIZE+SAFETY_MARGIN); + cli->bufsize = CLI_SAMBA_MAX_LARGE_READX_SIZE; } } else if (cli->protocol >= PROTOCOL_LANMAN1) { -- cgit From ee7b4b47cb590dc16ebdf3a40b360b0f0600aa84 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 13 May 2006 23:05:53 +0000 Subject: r15589: While trying to understand the vuid code I found that security=share is broken right now. r14112 broke it, in 3.0.22 register_vuid for security=share returns UID_FIELD_INVALID which in current 3_0 is turned into an error condition. This makes sure that we only call register_vuid if sec!=share and meanwhile also fixes a little memleak. Then I also found a crash in smbclient with sec=share and hostmsdfs=yes. There's another crash with sec=share when coming from w2k3, but I need sleep now. Someone (jerry,jra?) please review the sesssetup.c change. Thanks, Volker (This used to be commit 8059d0ae395604503cad3d9f197928305923e3f5) --- source3/libsmb/cliconnect.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 6b5de6d143..beabddc782 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -221,6 +221,7 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, const char *user, fstr_sprintf( lanman, "Samba %s", SAMBA_VERSION_STRING); + memset(cli->outbuf, '\0', smb_size); set_message(cli->outbuf,13,0,True); SCVAL(cli->outbuf,smb_com,SMBsesssetupX); cli_setup_packet(cli); @@ -937,7 +938,8 @@ BOOL cli_send_tconX(struct cli_state *cli, pass = ""; } - if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) && *pass && passlen != 24) { + if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) && + pass && *pass && passlen != 24) { if (!lp_client_lanman_auth()) { DEBUG(1, ("Server requested LANMAN password (share-level security) but 'client use lanman auth'" " is disabled\n")); -- cgit From f9480025b5192263084c601bdb8d15508a61409c Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 15 May 2006 04:51:46 +0000 Subject: r15610: Fix Coverity #288 - possible null deref. Jeremy. (This used to be commit b108ab7b122cc607f31772614b221379403b211b) --- source3/libsmb/cliconnect.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index beabddc782..3bdd78560f 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -922,6 +922,7 @@ BOOL cli_ulogoff(struct cli_state *cli) /**************************************************************************** Send a tconX. ****************************************************************************/ + BOOL cli_send_tconX(struct cli_state *cli, const char *share, const char *dev, const char *pass, int passlen) { @@ -936,10 +937,13 @@ BOOL cli_send_tconX(struct cli_state *cli, if (cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL) { passlen = 1; pass = ""; + } else if (!pass) { + DEBUG(1, ("Server not using user level security and no password supplied.\n")); + return False; } if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) && - pass && *pass && passlen != 24) { + *pass && passlen != 24) { if (!lp_client_lanman_auth()) { DEBUG(1, ("Server requested LANMAN password (share-level security) but 'client use lanman auth'" " is disabled\n")); @@ -965,7 +969,9 @@ BOOL cli_send_tconX(struct cli_state *cli, passlen = clistr_push(cli, pword, pass, sizeof(pword), STR_TERMINATE); } else { - memcpy(pword, pass, passlen); + if (passlen) { + memcpy(pword, pass, passlen); + } } } @@ -980,7 +986,9 @@ BOOL cli_send_tconX(struct cli_state *cli, SSVAL(cli->outbuf,smb_vwv3,passlen); p = smb_buf(cli->outbuf); - memcpy(p,pword,passlen); + if (passlen) { + memcpy(p,pword,passlen); + } p += passlen; p += clistr_push(cli, p, fullshare, -1, STR_TERMINATE |STR_UPPER); p += clistr_push(cli, p, dev, -1, STR_TERMINATE |STR_UPPER | STR_ASCII); -- cgit From 78eac3e24bcd27254aaadff498f4d177cb2c1517 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 18 May 2006 04:33:43 +0000 Subject: r15681: fix segv in 'kinit && net ads join' (This used to be commit d77768cb237461b06119ee19f822b120623d77dd) --- source3/libsmb/cliconnect.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 3bdd78560f..2400f6ff1d 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1493,6 +1493,7 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, { NTSTATUS nt_status; struct cli_state *cli = NULL; + int pw_len = password ? strlen(password)+1 : 0; nt_status = cli_start_connection(&cli, my_name, dest_host, dest_ip, port, signing_state, flags, retry); @@ -1501,9 +1502,7 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, return nt_status; } - if (!cli_session_setup(cli, user, password, strlen(password)+1, - password, strlen(password)+1, - domain)) { + if (!cli_session_setup(cli, user, password, pw_len, password, pw_len, domain)) { if ((flags & CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK) && cli_session_setup(cli, "", "", 0, "", 0, domain)) { } else { @@ -1517,8 +1516,7 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, } if (service) { - if (!cli_send_tconX(cli, service, service_type, - password, strlen(password)+1)) { + if (!cli_send_tconX(cli, service, service_type, password, pw_len)) { nt_status = cli_nt_error(cli); DEBUG(1,("failed tcon_X with %s\n", nt_errstr(nt_status))); cli_shutdown(cli); -- cgit From 824ba94fbe2e25efdd63e15342e14f4a9e078357 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 20 May 2006 18:30:09 +0000 Subject: r15755: Fix Coverity bug # 294. Apparently password can be NULL, but cli_session_setup derefences it. Volker (This used to be commit b013b6908d22cfd38fcc56a9cb2ca675d75996d1) --- source3/libsmb/cliconnect.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 2400f6ff1d..7f5b5d7fa5 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1495,6 +1495,10 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, struct cli_state *cli = NULL; int pw_len = password ? strlen(password)+1 : 0; + if (password == NULL) { + password = ""; + } + nt_status = cli_start_connection(&cli, my_name, dest_host, dest_ip, port, signing_state, flags, retry); -- cgit From fbdcf2663b56007a438ac4f0d8d82436b1bfe688 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 11 Jul 2006 18:01:26 +0000 Subject: r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8) --- source3/libsmb/cliconnect.c | 39 ++++++++++++++++++++++----------------- 1 file changed, 22 insertions(+), 17 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 7f5b5d7fa5..4c3c4f4565 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1394,8 +1394,9 @@ NTSTATUS cli_start_connection(struct cli_state **output_cli, if (!my_name) my_name = global_myname(); - if (!(cli = cli_initialise(NULL))) + if (!(cli = cli_initialise())) { return NT_STATUS_NO_MEMORY; + } make_nmb_name(&calling, my_name, 0x0); make_nmb_name(&called , dest_host, 0x20); @@ -1495,6 +1496,8 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, struct cli_state *cli = NULL; int pw_len = password ? strlen(password)+1 : 0; + *output_cli = NULL; + if (password == NULL) { password = ""; } @@ -1513,8 +1516,9 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, nt_status = cli_nt_error(cli); DEBUG(1,("failed session setup with %s\n", nt_errstr(nt_status))); cli_shutdown(cli); - if (NT_STATUS_IS_OK(nt_status)) + if (NT_STATUS_IS_OK(nt_status)) { nt_status = NT_STATUS_UNSUCCESSFUL; + } return nt_status; } } @@ -1541,7 +1545,7 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, Attempt a NetBIOS session request, falling back to *SMBSERVER if needed. ****************************************************************************/ -BOOL attempt_netbios_session_request(struct cli_state *cli, const char *srchost, const char *desthost, +BOOL attempt_netbios_session_request(struct cli_state **ppcli, const char *srchost, const char *desthost, struct in_addr *pdest_ip) { struct nmb_name calling, called; @@ -1553,12 +1557,13 @@ BOOL attempt_netbios_session_request(struct cli_state *cli, const char *srchost, * then use *SMBSERVER immediately. */ - if(is_ipaddress(desthost)) + if(is_ipaddress(desthost)) { make_nmb_name(&called, "*SMBSERVER", 0x20); - else + } else { make_nmb_name(&called, desthost, 0x20); + } - if (!cli_session_request(cli, &calling, &called)) { + if (!cli_session_request(*ppcli, &calling, &called)) { struct nmb_name smbservername; make_nmb_name(&smbservername , "*SMBSERVER", 0x20); @@ -1575,23 +1580,23 @@ BOOL attempt_netbios_session_request(struct cli_state *cli, const char *srchost, */ DEBUG(0,("attempt_netbios_session_request: %s rejected the session for name *SMBSERVER \ -with error %s.\n", desthost, cli_errstr(cli) )); +with error %s.\n", desthost, cli_errstr(*ppcli) )); return False; } - /* - * We need to close the connection here but can't call cli_shutdown as - * will free an allocated cli struct. cli_close_connection was invented - * for this purpose. JRA. Based on work by "Kim R. Pedersen" . - */ + /* Try again... */ + cli_shutdown(*ppcli); - cli_close_connection(cli); + *ppcli = cli_initialise(); + if (!*ppcli) { + /* Out of memory... */ + return False; + } - if (!cli_initialise(cli) || - !cli_connect(cli, desthost, pdest_ip) || - !cli_session_request(cli, &calling, &smbservername)) { + if (!cli_connect(*ppcli, desthost, pdest_ip) || + !cli_session_request(*ppcli, &calling, &smbservername)) { DEBUG(0,("attempt_netbios_session_request: %s rejected the session for \ -name *SMBSERVER with error %s\n", desthost, cli_errstr(cli) )); +name *SMBSERVER with error %s\n", desthost, cli_errstr(*ppcli) )); return False; } } -- cgit From fe348fdb28624428269bffeb1ff796ec3857ff66 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 24 Jul 2006 05:02:38 +0000 Subject: r17216: From Kai Blin : A patch to make ntlm_auth recognize three new commands in ntlmssp-client-1 and squid-2.5-ntlmssp: The commands are the following: Command: SF Reply: OK Description: Takes feature request flags similar to samba4's gensec_want_feature() call. So far, only NTLMSSP_FEATURE_SESSION_KEY, NTLMSSP_FEATURE_SIGN and NTLMSSP_FEATURE_SEAL are implemented, using the same values as the corresponding GENSEC_FEATURE_* flags in samba4. Command: GF Reply: GF Description: Returns the negotiated flags. Command: GK Reply: GK Description: Returns the negotiated session key. (These commands assist a wine project to use ntlm_auth for signing and sealing of bulk data). Andrew Bartlett (This used to be commit bd3e06a0e4435f1c48fa3b7862333efe273119ee) --- source3/libsmb/cliconnect.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 4c3c4f4565..d547bb3854 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -599,6 +599,7 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use if (!NT_STATUS_IS_OK(nt_status = ntlmssp_client_start(&ntlmssp_state))) { return nt_status; } + ntlmssp_want_feature(ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY); if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_username(ntlmssp_state, user))) { return nt_status; -- cgit From b29915d6113264bdce243005d29a1af9a8b69bde Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 16 Aug 2006 17:14:16 +0000 Subject: r17571: Change the return code of cli_session_setup from BOOL to NTSTATUS Volker (This used to be commit 94817a8ef53589011bc4ead4e17807a101acf5c9) --- source3/libsmb/cliconnect.c | 65 ++++++++++++++++++++++++++------------------- 1 file changed, 38 insertions(+), 27 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index d547bb3854..ae00dc5489 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -802,11 +802,11 @@ ntlmssp: password is in plaintext, the same should be done. ****************************************************************************/ -BOOL cli_session_setup(struct cli_state *cli, - const char *user, - const char *pass, int passlen, - const char *ntpass, int ntpasslen, - const char *workgroup) +NTSTATUS cli_session_setup(struct cli_state *cli, + const char *user, + const char *pass, int passlen, + const char *ntpass, int ntpasslen, + const char *workgroup) { char *p; fstring user2; @@ -820,8 +820,9 @@ BOOL cli_session_setup(struct cli_state *cli, workgroup = user2; } - if (cli->protocol < PROTOCOL_LANMAN1) - return True; + if (cli->protocol < PROTOCOL_LANMAN1) { + return NT_STATUS_OK; + } /* now work out what sort of session setup we are going to do. I have split this into separate functions to make the @@ -833,31 +834,34 @@ BOOL cli_session_setup(struct cli_state *cli, if (!lp_client_lanman_auth() && passlen != 24 && (*pass)) { DEBUG(1, ("Server requested LM password but 'client lanman auth'" " is disabled\n")); - return False; + return NT_STATUS_ACCESS_DENIED; } if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0 && !lp_client_plaintext_auth() && (*pass)) { DEBUG(1, ("Server requested plaintext password but 'client use plaintext auth'" " is disabled\n")); - return False; + return NT_STATUS_ACCESS_DENIED; } - return cli_session_setup_lanman2(cli, user, pass, passlen, workgroup); + return cli_session_setup_lanman2(cli, user, pass, passlen, workgroup) ? + NT_STATUS_OK : cli_nt_error(cli); } /* if no user is supplied then we have to do an anonymous connection. passwords are ignored */ if (!user || !*user) - return cli_session_setup_guest(cli); + return cli_session_setup_guest(cli) ? + NT_STATUS_OK : cli_nt_error(cli); /* if the server is share level then send a plaintext null password at this point. The password is sent in the tree connect */ if ((cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL) == 0) - return cli_session_setup_plaintext(cli, user, "", workgroup); + return cli_session_setup_plaintext(cli, user, "", workgroup) ? + NT_STATUS_OK : cli_nt_error(cli); /* if the server doesn't support encryption then we have to use plaintext. The second password is ignored */ @@ -866,9 +870,10 @@ BOOL cli_session_setup(struct cli_state *cli, if (!lp_client_plaintext_auth() && (*pass)) { DEBUG(1, ("Server requested plaintext password but 'client use plaintext auth'" " is disabled\n")); - return False; + return NT_STATUS_ACCESS_DENIED; } - return cli_session_setup_plaintext(cli, user, pass, workgroup); + return cli_session_setup_plaintext(cli, user, pass, workgroup) ? + NT_STATUS_OK : cli_nt_error(cli); } /* if the server supports extended security then use SPNEGO */ @@ -877,13 +882,13 @@ BOOL cli_session_setup(struct cli_state *cli, ADS_STATUS status = cli_session_setup_spnego(cli, user, pass, workgroup); if (!ADS_ERR_OK(status)) { DEBUG(3, ("SPNEGO login failed: %s\n", ads_errstr(status))); - return False; + return ads_ntstatus(status); } } else { /* otherwise do a NT1 style session setup */ if ( !cli_session_setup_nt1(cli, user, pass, passlen, ntpass, ntpasslen, workgroup) ) { DEBUG(3,("cli_session_setup: NT1 session setup failed!\n")); - return False; + return cli_nt_error(cli); } } @@ -891,7 +896,7 @@ BOOL cli_session_setup(struct cli_state *cli, cli->is_samba = True; } - return True; + return NT_STATUS_OK; } @@ -1510,20 +1515,26 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, return nt_status; } - if (!cli_session_setup(cli, user, password, pw_len, password, pw_len, domain)) { - if ((flags & CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK) - && cli_session_setup(cli, "", "", 0, "", 0, domain)) { - } else { - nt_status = cli_nt_error(cli); - DEBUG(1,("failed session setup with %s\n", nt_errstr(nt_status))); + nt_status = cli_session_setup(cli, user, password, pw_len, password, + pw_len, domain); + if (!NT_STATUS_IS_OK(nt_status)) { + + if (!(flags & CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK)) { + DEBUG(1,("failed session setup with %s\n", + nt_errstr(nt_status))); cli_shutdown(cli); - if (NT_STATUS_IS_OK(nt_status)) { - nt_status = NT_STATUS_UNSUCCESSFUL; - } return nt_status; } - } + nt_status = cli_session_setup(cli, "", "", 0, "", 0, domain); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(1,("anonymous failed session setup with %s\n", + nt_errstr(nt_status))); + cli_shutdown(cli); + return nt_status; + } + } + if (service) { if (!cli_send_tconX(cli, service, service_type, password, pw_len)) { nt_status = cli_nt_error(cli); -- cgit From aa2138ed5badedc5754978b61db1042617857690 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 17 Aug 2006 10:01:48 +0000 Subject: r17583: Change internal cli_session_setup functions to NTSTATUS. Volker (This used to be commit 990da03f0940371d20f89c145b7ebdbe8e9bf4c4) --- source3/libsmb/cliconnect.c | 103 ++++++++++++++++++++++++-------------------- 1 file changed, 56 insertions(+), 47 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index ae00dc5489..3e4b6f0545 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -55,16 +55,19 @@ static void cli_set_session_key (struct cli_state *cli, const DATA_BLOB session_ Do an old lanman2 style session setup. ****************************************************************************/ -static BOOL cli_session_setup_lanman2(struct cli_state *cli, const char *user, - const char *pass, size_t passlen, const char *workgroup) +static NTSTATUS cli_session_setup_lanman2(struct cli_state *cli, + const char *user, + const char *pass, size_t passlen, + const char *workgroup) { DATA_BLOB session_key = data_blob(NULL, 0); DATA_BLOB lm_response = data_blob(NULL, 0); fstring pword; char *p; - if (passlen > sizeof(pword)-1) - return False; + if (passlen > sizeof(pword)-1) { + return NT_STATUS_INVALID_PARAMETER; + } /* LANMAN servers predate NT status codes and Unicode and ignore those smb flags so we must disable the corresponding default capabilities @@ -82,7 +85,7 @@ static BOOL cli_session_setup_lanman2(struct cli_state *cli, const char *user, lm_response = data_blob(NULL, 24); if (!SMBencrypt(pass, cli->secblob.data,(uchar *)lm_response.data)) { DEBUG(1, ("Password is > 14 chars in length, and is therefore incompatible with Lanman authentication\n")); - return False; + return NT_STATUS_ACCESS_DENIED; } } else if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) && passlen == 24) { /* Encrypted mode needed, and encrypted password supplied. */ @@ -115,14 +118,15 @@ static BOOL cli_session_setup_lanman2(struct cli_state *cli, const char *user, p += clistr_push(cli, p, "Samba", -1, STR_TERMINATE); cli_setup_bcc(cli, p); - cli_send_smb(cli); - if (!cli_receive_smb(cli)) - return False; + if (!cli_send_smb(cli) || !cli_receive_smb(cli)) { + return cli_nt_error(cli); + } show_msg(cli->inbuf); - if (cli_is_error(cli)) - return False; + if (cli_is_error(cli)) { + return cli_nt_error(cli); + } /* use the returned vuid from now on */ cli->vuid = SVAL(cli->inbuf,smb_uid); @@ -133,7 +137,7 @@ static BOOL cli_session_setup_lanman2(struct cli_state *cli, const char *user, cli_set_session_key(cli, session_key); } - return True; + return NT_STATUS_OK; } /**************************************************************************** @@ -158,7 +162,7 @@ static uint32 cli_session_setup_capabilities(struct cli_state *cli) Do a NT1 guest session setup. ****************************************************************************/ -static BOOL cli_session_setup_guest(struct cli_state *cli) +static NTSTATUS cli_session_setup_guest(struct cli_state *cli) { char *p; uint32 capabilities = cli_session_setup_capabilities(cli); @@ -183,14 +187,15 @@ static BOOL cli_session_setup_guest(struct cli_state *cli) p += clistr_push(cli, p, "Samba", -1, STR_TERMINATE); cli_setup_bcc(cli, p); - cli_send_smb(cli); - if (!cli_receive_smb(cli)) - return False; + if (!cli_send_smb(cli) || !cli_receive_smb(cli)) { + return cli_nt_error(cli); + } show_msg(cli->inbuf); - if (cli_is_error(cli)) - return False; + if (cli_is_error(cli)) { + return cli_nt_error(cli); + } cli->vuid = SVAL(cli->inbuf,smb_uid); @@ -205,15 +210,16 @@ static BOOL cli_session_setup_guest(struct cli_state *cli) fstrcpy(cli->user_name, ""); - return True; + return NT_STATUS_OK; } /**************************************************************************** Do a NT1 plaintext session setup. ****************************************************************************/ -static BOOL cli_session_setup_plaintext(struct cli_state *cli, const char *user, - const char *pass, const char *workgroup) +static NTSTATUS cli_session_setup_plaintext(struct cli_state *cli, + const char *user, const char *pass, + const char *workgroup) { uint32 capabilities = cli_session_setup_capabilities(cli); char *p; @@ -252,14 +258,15 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, const char *user, p += clistr_push(cli, p, lanman, -1, STR_TERMINATE); cli_setup_bcc(cli, p); - cli_send_smb(cli); - if (!cli_receive_smb(cli)) - return False; + if (!cli_send_smb(cli) || !cli_receive_smb(cli)) { + return cli_nt_error(cli); + } show_msg(cli->inbuf); - if (cli_is_error(cli)) - return False; + if (cli_is_error(cli)) { + return cli_nt_error(cli); + } cli->vuid = SVAL(cli->inbuf,smb_uid); p = smb_buf(cli->inbuf); @@ -272,7 +279,7 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, const char *user, cli->is_samba = True; } - return True; + return NT_STATUS_OK; } /**************************************************************************** @@ -285,16 +292,16 @@ static BOOL cli_session_setup_plaintext(struct cli_state *cli, const char *user, @param workgroup The user's domain. ****************************************************************************/ -static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, - const char *pass, size_t passlen, - const char *ntpass, size_t ntpasslen, - const char *workgroup) +static NTSTATUS cli_session_setup_nt1(struct cli_state *cli, const char *user, + const char *pass, size_t passlen, + const char *ntpass, size_t ntpasslen, + const char *workgroup) { uint32 capabilities = cli_session_setup_capabilities(cli); DATA_BLOB lm_response = data_blob(NULL, 0); DATA_BLOB nt_response = data_blob(NULL, 0); DATA_BLOB session_key = data_blob(NULL, 0); - BOOL ret = False; + NTSTATUS result; char *p; if (passlen == 0) { @@ -316,7 +323,7 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, &lm_response, &nt_response, &session_key)) { data_blob_free(&names_blob); data_blob_free(&server_chal); - return False; + return NT_STATUS_ACCESS_DENIED; } data_blob_free(&names_blob); data_blob_free(&server_chal); @@ -398,14 +405,14 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, cli_setup_bcc(cli, p); if (!cli_send_smb(cli) || !cli_receive_smb(cli)) { - ret = False; + result = cli_nt_error(cli); goto end; } /* show_msg(cli->inbuf); */ if (cli_is_error(cli)) { - ret = False; + result = cli_nt_error(cli); goto end; } @@ -428,12 +435,12 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user, cli_set_session_key(cli, session_key); } - ret = True; + result = NT_STATUS_OK; end: data_blob_free(&lm_response); data_blob_free(&nt_response); data_blob_free(&session_key); - return ret; + return result; } /**************************************************************************** @@ -844,24 +851,22 @@ NTSTATUS cli_session_setup(struct cli_state *cli, return NT_STATUS_ACCESS_DENIED; } - return cli_session_setup_lanman2(cli, user, pass, passlen, workgroup) ? - NT_STATUS_OK : cli_nt_error(cli); + return cli_session_setup_lanman2(cli, user, pass, passlen, + workgroup); } /* if no user is supplied then we have to do an anonymous connection. passwords are ignored */ if (!user || !*user) - return cli_session_setup_guest(cli) ? - NT_STATUS_OK : cli_nt_error(cli); + return cli_session_setup_guest(cli); /* if the server is share level then send a plaintext null password at this point. The password is sent in the tree connect */ if ((cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL) == 0) - return cli_session_setup_plaintext(cli, user, "", workgroup) ? - NT_STATUS_OK : cli_nt_error(cli); + return cli_session_setup_plaintext(cli, user, "", workgroup); /* if the server doesn't support encryption then we have to use plaintext. The second password is ignored */ @@ -872,8 +877,7 @@ NTSTATUS cli_session_setup(struct cli_state *cli, " is disabled\n")); return NT_STATUS_ACCESS_DENIED; } - return cli_session_setup_plaintext(cli, user, pass, workgroup) ? - NT_STATUS_OK : cli_nt_error(cli); + return cli_session_setup_plaintext(cli, user, pass, workgroup); } /* if the server supports extended security then use SPNEGO */ @@ -885,10 +889,15 @@ NTSTATUS cli_session_setup(struct cli_state *cli, return ads_ntstatus(status); } } else { + NTSTATUS status; + /* otherwise do a NT1 style session setup */ - if ( !cli_session_setup_nt1(cli, user, pass, passlen, ntpass, ntpasslen, workgroup) ) { - DEBUG(3,("cli_session_setup: NT1 session setup failed!\n")); - return cli_nt_error(cli); + status = cli_session_setup_nt1(cli, user, pass, passlen, + ntpass, ntpasslen, workgroup); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(3,("cli_session_setup: NT1 session setup " + "failed: %s\n", nt_errstr(status))); + return status; } } -- cgit From a64925ddff467a47f7adfac4b1b977ddc0c7f4ef Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 24 Aug 2006 16:44:00 +0000 Subject: r17800: Start using struct timespec internally for file times on the wire. This allows us to go to nsec resolution for systems that support it. It should also now be easy to add a correct "create time" (birth time) for systems that support it (*BSD). I'll be watching the build farm closely after this one for breakage :-). Jeremy. (This used to be commit 425280a1d23f97ef0b0be77462386d619f47b21d) --- source3/libsmb/cliconnect.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 3e4b6f0545..0e179416dc 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1149,6 +1149,7 @@ BOOL cli_negprot(struct cli_state *cli) } if (cli->protocol >= PROTOCOL_NT1) { + struct timespec ts; /* NT protocol */ cli->sec_mode = CVAL(cli->inbuf,smb_vwv1); cli->max_mux = SVAL(cli->inbuf, smb_vwv1+1); @@ -1157,7 +1158,8 @@ BOOL cli_negprot(struct cli_state *cli) cli->serverzone = SVALS(cli->inbuf,smb_vwv15+1); cli->serverzone *= 60; /* this time arrives in real GMT */ - cli->servertime = interpret_long_date(cli->inbuf+smb_vwv11+1); + ts = interpret_long_date(cli->inbuf+smb_vwv11+1); + cli->servertime = ts.tv_sec; cli->secblob = data_blob(smb_buf(cli->inbuf),smb_buflen(cli->inbuf)); cli->capabilities = IVAL(cli->inbuf,smb_vwv9+1); if (cli->capabilities & CAP_RAW_MODE) { -- cgit From 258a465e20e007a30043220367d17ecfc87b4f90 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 18 Sep 2006 07:52:16 +0000 Subject: r18605: sync dlinklist.h with samba4, that means DLIST_ADD_END() and DLIST_DEMOTE() now take the type of the tmp pointer not the tmp pointer itself anymore. metze (This used to be commit 2f58645b7094e81dff3734f11aa183ea2ab53d2d) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 0e179416dc..cdc22293cb 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1423,7 +1423,7 @@ NTSTATUS cli_start_connection(struct cli_state **output_cli, return NT_STATUS_UNSUCCESSFUL; } - cli_set_timeout(cli, 10000); /* 10 seconds. */ + cli_set_timeout(cli, 30000); /* 10 seconds. */ if (dest_ip) ip = *dest_ip; -- cgit From 6b07596a0f2599a6b39a03af381f12556ca590b6 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 18 Sep 2006 15:20:33 +0000 Subject: r18613: Metze, in your DLINKLIST commit you changed this from 10 seconds to 30 seconds. I don't think you meant to do this.... Jeremy. (This used to be commit dd1691cf81492cfecc7f015ba201b78e2588db90) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index cdc22293cb..0e179416dc 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1423,7 +1423,7 @@ NTSTATUS cli_start_connection(struct cli_state **output_cli, return NT_STATUS_UNSUCCESSFUL; } - cli_set_timeout(cli, 30000); /* 10 seconds. */ + cli_set_timeout(cli, 10000); /* 10 seconds. */ if (dest_ip) ip = *dest_ip; -- cgit From b80cbfc20e0d0ede84531a37e187274ba04e822c Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 28 Sep 2006 03:21:49 +0000 Subject: r18969: Fix typo. Guenther (This used to be commit 31f21282cd5fb27c867615790e7fd27df4cd4c0e) --- source3/libsmb/cliconnect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 0e179416dc..6e6f7a5ebe 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1530,7 +1530,7 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, pw_len, domain); if (!NT_STATUS_IS_OK(nt_status)) { - if (!(flags & CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK)) { + if (!(flags & CLI_FULL_CONNECTION_ANONYMOUS_FALLBACK)) { DEBUG(1,("failed session setup with %s\n", nt_errstr(nt_status))); cli_shutdown(cli); @@ -1688,7 +1688,7 @@ struct cli_state *get_ipc_connect(char *server, struct in_addr *server_ip, nt_status = cli_full_connection(&cli, myname, server, server_ip, 0, "IPC$", "IPC", user_info->username, lp_workgroup(), user_info->password, - CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK, Undefined, NULL); + CLI_FULL_CONNECTION_ANONYMOUS_FALLBACK, Undefined, NULL); if (NT_STATUS_IS_OK(nt_status)) { return cli; -- cgit From eb00981fc363a104d43dba75a8d18cc02421bbf8 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 2 Oct 2006 12:54:49 +0000 Subject: r19041: Make us connect to Vista RC1. Apparently metze had done the same patch some weeks ago. We have some work before us, when in AD mode Vista sends "not_defined_in_RFC4178@please_ignore" as the principal..... Volker (This used to be commit af85d8ec02b36b765ceadf0a342c7eda2410034b) --- source3/libsmb/cliconnect.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 6e6f7a5ebe..983d9012f0 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -762,7 +762,20 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, #endif free(OIDs[i]); } - DEBUG(3,("got principal=%s\n", principal)); + + DEBUG(3,("got principal=%s\n", principal ? principal : "")); + + if (got_kerberos_mechanism && (principal == NULL)) { + /* + * It is WRONG to depend on the principal sent in the negprot + * reply, but right now we do it. So for safety (don't + * segfault later) disable Kerberos when no principal was + * sent. -- VL + */ + DEBUG(1, ("Kerberos mech was offered, but no principal was sent\n")); + DEBUGADD(1, ("Disabling Kerberos\n")); + cli->use_kerberos = False; + } fstrcpy(cli->user_name, user); -- cgit From 4295292734c144275bb6e256677f678ae7023fb4 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 2 Oct 2006 13:09:42 +0000 Subject: r19042: Fix the non-krb5 build. This needs sooo severe cleanup ... :-) Volker (This used to be commit b601fc42cb289366b7c522f41aa4c66920006890) --- source3/libsmb/cliconnect.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 983d9012f0..070717caef 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -765,6 +765,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, DEBUG(3,("got principal=%s\n", principal ? principal : "")); +#ifdef HAVE_KRB5 if (got_kerberos_mechanism && (principal == NULL)) { /* * It is WRONG to depend on the principal sent in the negprot @@ -776,6 +777,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, DEBUGADD(1, ("Disabling Kerberos\n")); cli->use_kerberos = False; } +#endif fstrcpy(cli->user_name, user); -- cgit From bc2a760498a2b3c918ac3823fe275fc273d98071 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 2 Oct 2006 13:30:05 +0000 Subject: r19043: There's no point in #ifdef'ing the detection whether we were offered KRB5 in SPNEGO, as long as we don't make use of it without krb libs. Makes the code a bit simpler. Volker (This used to be commit 23549e6c082e92e45ced4eee215bcc0094b2a88b) --- source3/libsmb/cliconnect.c | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 070717caef..81188b004f 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -723,9 +723,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, char *principal; char *OIDs[ASN1_MAX_OIDS]; int i; -#ifdef HAVE_KRB5 BOOL got_kerberos_mechanism = False; -#endif DATA_BLOB blob; DEBUG(3,("Doing spnego session setup (blob length=%lu)\n", (unsigned long)cli->secblob.length)); @@ -754,18 +752,15 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, /* make sure the server understands kerberos */ for (i=0;OIDs[i];i++) { DEBUG(3,("got OID=%s\n", OIDs[i])); -#ifdef HAVE_KRB5 if (strcmp(OIDs[i], OID_KERBEROS5_OLD) == 0 || strcmp(OIDs[i], OID_KERBEROS5) == 0) { got_kerberos_mechanism = True; } -#endif free(OIDs[i]); } DEBUG(3,("got principal=%s\n", principal ? principal : "")); -#ifdef HAVE_KRB5 if (got_kerberos_mechanism && (principal == NULL)) { /* * It is WRONG to depend on the principal sent in the negprot @@ -773,11 +768,10 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, * segfault later) disable Kerberos when no principal was * sent. -- VL */ - DEBUG(1, ("Kerberos mech was offered, but no principal was sent\n")); - DEBUGADD(1, ("Disabling Kerberos\n")); + DEBUG(1, ("Kerberos mech was offered, but no principal was " + "sent, disabling Kerberos\n")); cli->use_kerberos = False; } -#endif fstrcpy(cli->user_name, user); -- cgit From c7864f3d53a59fd823fa2e3bf79edd1d735a15ed Mon Sep 17 00:00:00 2001 From: Derrell Lipman Date: Wed, 11 Oct 2006 19:51:52 +0000 Subject: r19250: Fixes bug 4156. The protocol negotiation string "LANMAN2.1" was not listed in the set of negotiatiable possibilities, so non-optimal negotiation was taking place. (This used to be commit a0dfa60fc5146ea6af0b88d91e030a4ec3d7f01e) --- source3/libsmb/cliconnect.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 81188b004f..f29449cfb2 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -33,6 +33,7 @@ static const struct { {PROTOCOL_LANMAN1,"LANMAN1.0"}, {PROTOCOL_LANMAN2,"LM1.2X002"}, {PROTOCOL_LANMAN2,"DOS LANMAN2.1"}, + {PROTOCOL_LANMAN2,"LANMAN2.1"}, {PROTOCOL_LANMAN2,"Samba"}, {PROTOCOL_NT1,"NT LANMAN 1.0"}, {PROTOCOL_NT1,"NT LM 0.12"}, -- cgit From 69cee2a3ec4f39aab83a8cbf55307df182bf3065 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 8 Feb 2007 17:02:39 +0000 Subject: r21240: Fix longstanding Bug #4009. For the winbind cached ADS LDAP connection handling (ads_cached_connection()) we were (incorrectly) assuming that the service ticket lifetime equaled the tgt lifetime. For setups where the service ticket just lives 10 minutes, we were leaving hundreds of LDAP connections in CLOSE_WAIT state, until we fail to service entirely with "Too many open files". Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP connection after the ads_do_search_retry() has failed to submit the search request (although the bind succeeded (returning an expired service ticket that we cannot delete from the memory cred cache - this will get fixed later)). Guenther (This used to be commit 7e1a84b7226fb8dcd5d34c64a3478a6d886a9a91) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index f29449cfb2..2742d70194 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -554,7 +554,7 @@ static ADS_STATUS cli_session_setup_kerberos(struct cli_state *cli, const char * DEBUG(2,("Doing kerberos session setup\n")); /* generate the encapsulated kerberos5 ticket */ - rc = spnego_gen_negTokenTarg(principal, 0, &negTokenTarg, &session_key_krb5, 0); + rc = spnego_gen_negTokenTarg(principal, 0, &negTokenTarg, &session_key_krb5, 0, NULL); if (rc) { DEBUG(1, ("spnego_gen_negTokenTarg failed: %s\n", error_message(rc))); -- cgit From 3e12cf85ace31638d2dd924cc202c9d2f31f7890 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 28 Feb 2007 00:35:58 +0000 Subject: r21576: Patch based on work from Todd Stecher to allow client to fragment large SPNEGO blobs (large krb5 tickets). Tested against W2K3R2. Should fix bug #4400. Jeremy. (This used to be commit b81c5c6adce51cec06df0e993534064b20666a8e) --- source3/libsmb/cliconnect.c | 90 +++++++++++++++++++++++++++++++++++++-------- 1 file changed, 74 insertions(+), 16 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 2742d70194..886f19b3df 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -517,19 +517,78 @@ static DATA_BLOB cli_session_setup_blob_receive(struct cli_state *cli) } #ifdef HAVE_KRB5 - /**************************************************************************** Send a extended security session setup blob, returning a reply blob. ****************************************************************************/ -static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob) +#define MAX_SESSION_SECURITY_BLOB 4000 + +/* The following is calculated from : + * (smb_size-4) = 35 + * (smb_wcnt * 2) = 24 (smb_wcnt == 12 in cli_session_setup_blob_send() ) + * (strlen("Unix") + 1 + strlen("Samba") + 1) * 2 = 22 (unicode strings at + * end of packet. + */ + +#define BASE_SESSSETUP_BLOB_PACKET_SIZE (35 + 24 + 22) + +static BOOL cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob, DATA_BLOB session_key_krb5) { - DATA_BLOB blob2 = data_blob(NULL, 0); - if (!cli_session_setup_blob_send(cli, blob)) { - return blob2; + int32 remaining = blob.length; + int32 cur = 0; + DATA_BLOB send_blob = data_blob(NULL, 0); + int32 max_blob_size = 0; + + if (cli->max_xmit < BASE_SESSSETUP_BLOB_PACKET_SIZE + 1) { + DEBUG(0,("cli_session_setup_blob: cli->max_xmit too small " + "(was %u, need minimum %u)\n", + (unsigned int)cli->max_xmit, + BASE_SESSSETUP_BLOB_PACKET_SIZE)); + cli_set_nt_error(cli, NT_STATUS_INVALID_PARAMETER); + return False; } - - return cli_session_setup_blob_receive(cli); + + max_blob_size = cli->max_xmit - BASE_SESSSETUP_BLOB_PACKET_SIZE; + + while ( remaining > 0) { + if (remaining >= max_blob_size) { + send_blob.length = max_blob_size; + remaining -= max_blob_size; + } else { + DATA_BLOB null_blob = data_blob(NULL, 0); + + send_blob.length = remaining; + remaining = 0; + + /* This is the last packet in the sequence - turn signing on. */ + cli_simple_set_signing(cli, session_key_krb5, null_blob); + } + + send_blob.data = &blob.data[cur]; + cur += send_blob.length; + + DEBUG(10, ("cli_session_setup_blob: Remaining (%u) sending (%u) current (%u)\n", + (unsigned int)remaining, + (unsigned int)send_blob.length, + (unsigned int)cur )); + + if (!cli_session_setup_blob_send(cli, send_blob)) { + DEBUG(0, ("cli_session_setup_blob: send failed\n")); + return False; + } + + cli_session_setup_blob_receive(cli); + + if (cli_is_error(cli) && + !NT_STATUS_EQUAL( cli_get_nt_error(cli), + NT_STATUS_MORE_PROCESSING_REQUIRED)) { + DEBUG(0, ("cli_session_setup_blob: recieve failed (%s)\n", + nt_errstr(cli_get_nt_error(cli)) )); + return False; + } + } + + return True; } /**************************************************************************** @@ -546,9 +605,8 @@ static void use_in_memory_ccache(void) { static ADS_STATUS cli_session_setup_kerberos(struct cli_state *cli, const char *principal, const char *workgroup) { - DATA_BLOB blob2, negTokenTarg; + DATA_BLOB negTokenTarg; DATA_BLOB session_key_krb5; - DATA_BLOB null_blob = data_blob(NULL, 0); int rc; DEBUG(2,("Doing kerberos session setup\n")); @@ -557,7 +615,8 @@ static ADS_STATUS cli_session_setup_kerberos(struct cli_state *cli, const char * rc = spnego_gen_negTokenTarg(principal, 0, &negTokenTarg, &session_key_krb5, 0, NULL); if (rc) { - DEBUG(1, ("spnego_gen_negTokenTarg failed: %s\n", error_message(rc))); + DEBUG(1, ("cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: %s\n", + error_message(rc))); return ADS_ERROR_KRB5(rc); } @@ -565,12 +624,11 @@ static ADS_STATUS cli_session_setup_kerberos(struct cli_state *cli, const char * file_save("negTokenTarg.dat", negTokenTarg.data, negTokenTarg.length); #endif - cli_simple_set_signing(cli, session_key_krb5, null_blob); - - blob2 = cli_session_setup_blob(cli, negTokenTarg); - - /* we don't need this blob for kerberos */ - data_blob_free(&blob2); + if (!cli_session_setup_blob(cli, negTokenTarg, session_key_krb5)) { + data_blob_free(&negTokenTarg); + data_blob_free(&session_key_krb5); + ADS_ERROR_NT(cli_nt_error(cli)); + } cli_set_session_key(cli, session_key_krb5); -- cgit From 1aa730ef968dac9c27b1f00668d28e71b5c38b72 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 28 Feb 2007 00:38:49 +0000 Subject: r21577: Remove unneeded #define (part of earlier patch that was removed). Jeremy. (This used to be commit 645b0438dde0dad26e950b3184cc412d3d87560a) --- source3/libsmb/cliconnect.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 886f19b3df..e2213c1fcd 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -521,8 +521,6 @@ static DATA_BLOB cli_session_setup_blob_receive(struct cli_state *cli) Send a extended security session setup blob, returning a reply blob. ****************************************************************************/ -#define MAX_SESSION_SECURITY_BLOB 4000 - /* The following is calculated from : * (smb_size-4) = 35 * (smb_wcnt * 2) = 24 (smb_wcnt == 12 in cli_session_setup_blob_send() ) -- cgit From aab1dd4ddbe45c625a6e4502cecd20da5762739b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 7 Mar 2007 22:29:21 +0000 Subject: r21755: Memory leak fixes from Zack Kirsch . Jeremy. (This used to be commit 02d08ca0be8c374e30c3c0e665853fa9e57f043a) --- source3/libsmb/cliconnect.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index e2213c1fcd..0f09747dbf 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -693,8 +693,6 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use DEBUG(3, ("Failed to send NTLMSSP/SPNEGO blob to server!\n")); nt_status = NT_STATUS_UNSUCCESSFUL; } else { - data_blob_free(&msg1); - blob = cli_session_setup_blob_receive(cli); nt_status = cli_nt_error(cli); @@ -706,6 +704,7 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use } } } + data_blob_free(&msg1); } if (!blob.length) { @@ -736,6 +735,8 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use turn++; } while (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)); + data_blob_free(&blob_in); + if (NT_STATUS_IS_OK(nt_status)) { DATA_BLOB key = data_blob(ntlmssp_state->session_key.data, -- cgit From 6b0dcfa62d23980351e852eec05123c0a9823f1d Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 20 Mar 2007 22:01:02 +0000 Subject: r21894: Some refactoring of server side encryption context. Support "raw" NTLM auth (no spnego). Jeremy. (This used to be commit 6b5ff7bd591b4f65e2eb767928db50ddf445f09a) --- source3/libsmb/cliconnect.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 0f09747dbf..3970731b45 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -763,7 +763,7 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use } } - /* we have a reference conter on ntlmssp_state, if we are signing + /* we have a reference counter on ntlmssp_state, if we are signing then the state will be kept by the signing engine */ ntlmssp_end(&ntlmssp_state); @@ -973,7 +973,6 @@ NTSTATUS cli_session_setup(struct cli_state *cli, } return NT_STATUS_OK; - } /**************************************************************************** -- cgit From 8c395be5e514a28f13608a462c0c0e8417e21160 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 21 Mar 2007 23:49:57 +0000 Subject: r21922: Fixed the build by rather horrid means. I really need to restructure libsmb/smb_signing.c so it isn't in the base libs path but lives in libsmb instead (like smb_seal.c does). Jeremy. (This used to be commit 1b828f051d0782201f697de15ff973bd6b097d5b) --- source3/libsmb/cliconnect.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 3970731b45..15dac093da 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -742,25 +742,25 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use DATA_BLOB key = data_blob(ntlmssp_state->session_key.data, ntlmssp_state->session_key.length); DATA_BLOB null_blob = data_blob(NULL, 0); - BOOL res; fstrcpy(cli->server_domain, ntlmssp_state->server_domain); cli_set_session_key(cli, ntlmssp_state->session_key); - res = cli_simple_set_signing(cli, key, null_blob); + if (!cli_encryption_on(cli)) { + BOOL res = cli_simple_set_signing(cli, key, null_blob); - data_blob_free(&key); - - if (res) { + if (res) { - /* 'resign' the last message, so we get the right sequence numbers - for checking the first reply from the server */ - cli_calculate_sign_mac(cli); + /* 'resign' the last message, so we get the right sequence numbers + for checking the first reply from the server */ + cli_calculate_sign_mac(cli); - if (!cli_check_sign_mac(cli)) { - nt_status = NT_STATUS_ACCESS_DENIED; + if (!cli_check_sign_mac(cli)) { + nt_status = NT_STATUS_ACCESS_DENIED; + } } } + data_blob_free(&key); } /* we have a reference counter on ntlmssp_state, if we are signing -- cgit From 34dac35e48ca0c03d2744d9925566665285eb973 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 27 Mar 2007 18:04:36 +0000 Subject: r21990: Stop messing with the signing engine just because we're encrypted. This will make further changes and spec much more clear. Jeremy. (This used to be commit ffa3a5c508a494d22e8ee3ada424a6517ddf8923) --- source3/libsmb/cliconnect.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 15dac093da..3970731b45 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -742,25 +742,25 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use DATA_BLOB key = data_blob(ntlmssp_state->session_key.data, ntlmssp_state->session_key.length); DATA_BLOB null_blob = data_blob(NULL, 0); + BOOL res; fstrcpy(cli->server_domain, ntlmssp_state->server_domain); cli_set_session_key(cli, ntlmssp_state->session_key); - if (!cli_encryption_on(cli)) { - BOOL res = cli_simple_set_signing(cli, key, null_blob); + res = cli_simple_set_signing(cli, key, null_blob); - if (res) { + data_blob_free(&key); + + if (res) { - /* 'resign' the last message, so we get the right sequence numbers - for checking the first reply from the server */ - cli_calculate_sign_mac(cli); + /* 'resign' the last message, so we get the right sequence numbers + for checking the first reply from the server */ + cli_calculate_sign_mac(cli); - if (!cli_check_sign_mac(cli)) { - nt_status = NT_STATUS_ACCESS_DENIED; - } + if (!cli_check_sign_mac(cli)) { + nt_status = NT_STATUS_ACCESS_DENIED; } } - data_blob_free(&key); } /* we have a reference counter on ntlmssp_state, if we are signing -- cgit From eceb926df94063e91c5abc96f52a1bc7b45ce290 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 5 Apr 2007 12:30:23 +0000 Subject: r22092: - make spnego_parse_auth_response() more generic and not specific for NTLMSSP - it's possible that the server sends a mechOID and authdata if negResult != SPNEGO_NEG_RESULT_INCOMPLETE, but we still force the mechOID to be present if negResult == SPNEGO_NEG_RESULT_INCOMPLETE metze (This used to be commit e9f2aa22f90208a5e530ef3b68664151960a0a22) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 3970731b45..3b9c477b26 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -722,7 +722,7 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use } data_blob_free(&tmp_blob); } else { - if (!spnego_parse_auth_response(blob, nt_status, + if (!spnego_parse_auth_response(blob, nt_status, OID_NTLMSSP, &blob_in)) { DEBUG(3,("Failed to parse auth response\n")); if (NT_STATUS_IS_OK(nt_status) -- cgit From bca29ddbba62320204ac9eb098cdaac9a6b03d80 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 7 Apr 2007 05:49:24 +0000 Subject: r22122: Start to fix csc issue with Vista. Make smbd support the extended 7 word response for tconX rather than the 3 word one we supported previously. Jeremy. (This used to be commit 137953226a2d691259e7e84d6ae0dc24755e5a3a) --- source3/libsmb/cliconnect.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 3b9c477b26..dff098cd01 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1064,6 +1064,7 @@ BOOL cli_send_tconX(struct cli_state *cli, cli_setup_packet(cli); SSVAL(cli->outbuf,smb_vwv0,0xFF); + SSVAL(cli->outbuf,smb_vwv2,TCONX_FLAG_EXTENDED_RESPONSE); SSVAL(cli->outbuf,smb_vwv3,passlen); p = smb_buf(cli->outbuf); -- cgit From 0829e1ad1c3646efecf50729f493b9ee72ef0517 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 19 Apr 2007 22:40:32 +0000 Subject: r22391: Looks bigger than it is. Make "inbuf" available to all callers of smb_setlen (via set_message() calls). This will allow the server to reflect back the correct encryption context. Jeremy. (This used to be commit 2d80a96120a5fe2fe726f00746d36d85044c4bdb) --- source3/libsmb/cliconnect.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index dff098cd01..cc2a7304be 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -99,7 +99,7 @@ static NTSTATUS cli_session_setup_lanman2(struct cli_state *cli, /* send a session setup command */ memset(cli->outbuf,'\0',smb_size); - set_message(cli->outbuf,10, 0, True); + set_message(NULL,cli->outbuf,10, 0, True); SCVAL(cli->outbuf,smb_com,SMBsesssetupX); cli_setup_packet(cli); @@ -169,7 +169,7 @@ static NTSTATUS cli_session_setup_guest(struct cli_state *cli) uint32 capabilities = cli_session_setup_capabilities(cli); memset(cli->outbuf, '\0', smb_size); - set_message(cli->outbuf,13,0,True); + set_message(NULL,cli->outbuf,13,0,True); SCVAL(cli->outbuf,smb_com,SMBsesssetupX); cli_setup_packet(cli); @@ -229,7 +229,7 @@ static NTSTATUS cli_session_setup_plaintext(struct cli_state *cli, fstr_sprintf( lanman, "Samba %s", SAMBA_VERSION_STRING); memset(cli->outbuf, '\0', smb_size); - set_message(cli->outbuf,13,0,True); + set_message(NULL,cli->outbuf,13,0,True); SCVAL(cli->outbuf,smb_com,SMBsesssetupX); cli_setup_packet(cli); @@ -378,7 +378,7 @@ static NTSTATUS cli_session_setup_nt1(struct cli_state *cli, const char *user, /* send a session setup command */ memset(cli->outbuf,'\0',smb_size); - set_message(cli->outbuf,13,0,True); + set_message(NULL,cli->outbuf,13,0,True); SCVAL(cli->outbuf,smb_com,SMBsesssetupX); cli_setup_packet(cli); @@ -458,7 +458,7 @@ static BOOL cli_session_setup_blob_send(struct cli_state *cli, DATA_BLOB blob) /* send a session setup command */ memset(cli->outbuf,'\0',smb_size); - set_message(cli->outbuf,12,0,True); + set_message(NULL,cli->outbuf,12,0,True); SCVAL(cli->outbuf,smb_com,SMBsesssetupX); cli_setup_packet(cli); @@ -982,7 +982,7 @@ NTSTATUS cli_session_setup(struct cli_state *cli, BOOL cli_ulogoff(struct cli_state *cli) { memset(cli->outbuf,'\0',smb_size); - set_message(cli->outbuf,2,0,True); + set_message(NULL,cli->outbuf,2,0,True); SCVAL(cli->outbuf,smb_com,SMBulogoffX); cli_setup_packet(cli); SSVAL(cli->outbuf,smb_vwv0,0xFF); @@ -1059,7 +1059,7 @@ BOOL cli_send_tconX(struct cli_state *cli, slprintf(fullshare, sizeof(fullshare)-1, "\\\\%s\\%s", cli->desthost, share); - set_message(cli->outbuf,4, 0, True); + set_message(NULL,cli->outbuf,4, 0, True); SCVAL(cli->outbuf,smb_com,SMBtconX); cli_setup_packet(cli); @@ -1110,7 +1110,7 @@ BOOL cli_send_tconX(struct cli_state *cli, BOOL cli_tdis(struct cli_state *cli) { memset(cli->outbuf,'\0',smb_size); - set_message(cli->outbuf,0,0,True); + set_message(NULL,cli->outbuf,0,0,True); SCVAL(cli->outbuf,smb_com,SMBtdis); SSVAL(cli->outbuf,smb_tid,cli->cnum); cli_setup_packet(cli); @@ -1142,7 +1142,7 @@ void cli_negprot_send(struct cli_state *cli) memset(cli->outbuf,'\0',smb_size); /* setup the protocol strings */ - set_message(cli->outbuf,0,0,True); + set_message(NULL,cli->outbuf,0,0,True); p = smb_buf(cli->outbuf); for (numprots=0; @@ -1182,7 +1182,7 @@ BOOL cli_negprot(struct cli_state *cli) numprots++) plength += strlen(prots[numprots].name)+2; - set_message(cli->outbuf,0,plength,True); + set_message(NULL,cli->outbuf,0,plength,True); p = smb_buf(cli->outbuf); for (numprots=0; @@ -1716,7 +1716,7 @@ NTSTATUS cli_raw_tcon(struct cli_state *cli, memset(cli->outbuf,'\0',smb_size); memset(cli->inbuf,'\0',smb_size); - set_message(cli->outbuf, 0, 0, True); + set_message(NULL,cli->outbuf, 0, 0, True); SCVAL(cli->outbuf,smb_com,SMBtcon); cli_setup_packet(cli); -- cgit From d14e7803e7d024f7f95cbfce330e947ab66e3661 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 3 May 2007 11:49:32 +0000 Subject: r22644: Fix memleak. Guenther (This used to be commit 65a2701f36439db37e8cd6067be69e8ffdc4615b) --- source3/libsmb/cliconnect.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index cc2a7304be..6991905c58 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -536,6 +536,7 @@ static BOOL cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob, DATA_B int32 cur = 0; DATA_BLOB send_blob = data_blob(NULL, 0); int32 max_blob_size = 0; + DATA_BLOB receive_blob = data_blob(NULL, 0); if (cli->max_xmit < BASE_SESSSETUP_BLOB_PACKET_SIZE + 1) { DEBUG(0,("cli_session_setup_blob: cli->max_xmit too small " @@ -575,7 +576,8 @@ static BOOL cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob, DATA_B return False; } - cli_session_setup_blob_receive(cli); + receive_blob = cli_session_setup_blob_receive(cli); + data_blob_free(&receive_blob); if (cli_is_error(cli) && !NT_STATUS_EQUAL( cli_get_nt_error(cli), -- cgit From b4a7b7a8889737e2891fc1176feabd4ce47f2737 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 14 May 2007 12:16:20 +0000 Subject: r22844: Introduce const DATA_BLOB data_blob_null = { NULL, 0, NULL }; and replace all data_blob(NULL, 0) calls. (This used to be commit 3d3d61687ef00181f4f04e001d42181d93ac931e) --- source3/libsmb/cliconnect.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 6991905c58..86834ad081 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -61,8 +61,8 @@ static NTSTATUS cli_session_setup_lanman2(struct cli_state *cli, const char *pass, size_t passlen, const char *workgroup) { - DATA_BLOB session_key = data_blob(NULL, 0); - DATA_BLOB lm_response = data_blob(NULL, 0); + DATA_BLOB session_key = data_blob_null; + DATA_BLOB lm_response = data_blob_null; fstring pword; char *p; @@ -299,9 +299,9 @@ static NTSTATUS cli_session_setup_nt1(struct cli_state *cli, const char *user, const char *workgroup) { uint32 capabilities = cli_session_setup_capabilities(cli); - DATA_BLOB lm_response = data_blob(NULL, 0); - DATA_BLOB nt_response = data_blob(NULL, 0); - DATA_BLOB session_key = data_blob(NULL, 0); + DATA_BLOB lm_response = data_blob_null; + DATA_BLOB nt_response = data_blob_null; + DATA_BLOB session_key = data_blob_null; NTSTATUS result; char *p; @@ -334,7 +334,7 @@ static NTSTATUS cli_session_setup_nt1(struct cli_state *cli, const char *user, E_md4hash(pass, nt_hash); #ifdef LANMAN_ONLY - nt_response = data_blob(NULL, 0); + nt_response = data_blob_null; #else nt_response = data_blob(NULL, 24); SMBNTencrypt(pass,cli->secblob.data,nt_response.data); @@ -485,7 +485,7 @@ static BOOL cli_session_setup_blob_send(struct cli_state *cli, DATA_BLOB blob) static DATA_BLOB cli_session_setup_blob_receive(struct cli_state *cli) { - DATA_BLOB blob2 = data_blob(NULL, 0); + DATA_BLOB blob2 = data_blob_null; char *p; size_t len; @@ -534,9 +534,9 @@ static BOOL cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob, DATA_B { int32 remaining = blob.length; int32 cur = 0; - DATA_BLOB send_blob = data_blob(NULL, 0); + DATA_BLOB send_blob = data_blob_null; int32 max_blob_size = 0; - DATA_BLOB receive_blob = data_blob(NULL, 0); + DATA_BLOB receive_blob = data_blob_null; if (cli->max_xmit < BASE_SESSSETUP_BLOB_PACKET_SIZE + 1) { DEBUG(0,("cli_session_setup_blob: cli->max_xmit too small " @@ -554,7 +554,7 @@ static BOOL cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob, DATA_B send_blob.length = max_blob_size; remaining -= max_blob_size; } else { - DATA_BLOB null_blob = data_blob(NULL, 0); + DATA_BLOB null_blob = data_blob_null; send_blob.length = remaining; remaining = 0; @@ -656,9 +656,9 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use NTSTATUS nt_status; int turn = 1; DATA_BLOB msg1; - DATA_BLOB blob = data_blob(NULL, 0); - DATA_BLOB blob_in = data_blob(NULL, 0); - DATA_BLOB blob_out = data_blob(NULL, 0); + DATA_BLOB blob = data_blob_null; + DATA_BLOB blob_in = data_blob_null; + DATA_BLOB blob_out = data_blob_null; cli_temp_set_signing(cli); @@ -715,7 +715,7 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use } } else if ((turn == 1) && NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - DATA_BLOB tmp_blob = data_blob(NULL, 0); + DATA_BLOB tmp_blob = data_blob_null; /* the server might give us back two challenges */ if (!spnego_parse_challenge(blob, &blob_in, &tmp_blob)) { @@ -743,7 +743,7 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use DATA_BLOB key = data_blob(ntlmssp_state->session_key.data, ntlmssp_state->session_key.length); - DATA_BLOB null_blob = data_blob(NULL, 0); + DATA_BLOB null_blob = data_blob_null; BOOL res; fstrcpy(cli->server_domain, ntlmssp_state->server_domain); -- cgit From cc5c058e5992ae8209caaf8ff63d03eff686ce50 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 16 May 2007 09:53:41 +0000 Subject: r22929: Attempt to fix some build farm failures: On port 139 the first successful packet gives len==0 from the server, so the = in if (len <= 0) { in line 136 of clientgen.c throws a failure. Jeremy, please fix this properly, I'm not merging this to 3_0_26 so that you can filter it when you merge. Volker (This used to be commit 9c5111d8c5064a43762d7d0146acff5e7691dafd) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 86834ad081..f13aa21fbd 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1347,7 +1347,7 @@ BOOL cli_session_request(struct cli_state *cli, cli_send_smb(cli); DEBUG(5,("Sent session request\n")); - if (!cli_receive_smb(cli)) + if (!cli_receive_sessionreply(cli)) return False; if (CVAL(cli->inbuf,0) == 0x84) { -- cgit From 478ccc150ba3b8c87ac67769c46be20a73d14096 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 16 May 2007 17:17:25 +0000 Subject: r22950: Fix the issue Volker reported here : "Attempt to fix some build farm failures: On port 139 the first successful packet gives len==0 from the server, so the = in if (len <= 0) { in line 136 of clientgen.c throws a failure." The irritating thing is that I already had it correct in SAMBA_3_0_26 and forgot to merge the change across. len == 0 is a valid return - I messed that up when converting client_receive_smb() to return a length rather than a BOOL. Doh ! Jeremy. (This used to be commit a398bdf08d9efac51af28aed29f2c0f151cd5aad) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index f13aa21fbd..86834ad081 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1347,7 +1347,7 @@ BOOL cli_session_request(struct cli_state *cli, cli_send_smb(cli); DEBUG(5,("Sent session request\n")); - if (!cli_receive_sessionreply(cli)) + if (!cli_receive_smb(cli)) return False; if (CVAL(cli->inbuf,0) == 0x84) { -- cgit From ce02d0dfcbeeeec316578322257d998589090c6f Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 20 Jun 2007 17:38:42 +0000 Subject: r23554: Fix bug #4711 by makeing cli_connect return an NTSTATUS. Long overdue fix.... Jeremy. (This used to be commit 073fdc5a58139796dbaa7ea9833dca5308f11282) --- source3/libsmb/cliconnect.c | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 86834ad081..78386ce503 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1401,7 +1401,7 @@ BOOL cli_session_request(struct cli_state *cli, Open the client sockets. ****************************************************************************/ -BOOL cli_connect(struct cli_state *cli, const char *host, struct in_addr *ip) +NTSTATUS cli_connect(struct cli_state *cli, const char *host, struct in_addr *ip) { int name_type = 0x20; char *p; @@ -1419,7 +1419,7 @@ BOOL cli_connect(struct cli_state *cli, const char *host, struct in_addr *ip) if (!ip || is_zero_ip(*ip)) { if (!resolve_name(cli->desthost, &cli->dest_ip, name_type)) { - return False; + return NT_STATUS_BAD_NETWORK_NAME; } if (ip) *ip = cli->dest_ip; } else { @@ -1444,12 +1444,12 @@ BOOL cli_connect(struct cli_state *cli, const char *host, struct in_addr *ip) if (cli->fd == -1) { DEBUG(1,("Error connecting to %s (%s)\n", ip?inet_ntoa(*ip):host,strerror(errno))); - return False; + return map_nt_error_from_unix(errno); } set_socket_options(cli->fd,user_socket_options); - return True; + return NT_STATUS_OK; } /** @@ -1503,15 +1503,12 @@ again: DEBUG(3,("Connecting to host=%s\n", dest_host)); - if (!cli_connect(cli, dest_host, &ip)) { - DEBUG(1,("cli_start_connection: failed to connect to %s (%s)\n", - nmb_namestr(&called), inet_ntoa(ip))); + nt_status = cli_connect(cli, dest_host, &ip); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(1,("cli_start_connection: failed to connect to %s (%s). Error %s\n", + nmb_namestr(&called), inet_ntoa(ip), nt_errstr(nt_status) )); cli_shutdown(cli); - if (is_zero_ip(ip)) { - return NT_STATUS_BAD_NETWORK_NAME; - } else { - return NT_STATUS_CONNECTION_REFUSED; - } + return nt_status; } if (retry) @@ -1656,6 +1653,7 @@ BOOL attempt_netbios_session_request(struct cli_state **ppcli, const char *srcho } if (!cli_session_request(*ppcli, &calling, &called)) { + NTSTATUS status; struct nmb_name smbservername; make_nmb_name(&smbservername , "*SMBSERVER", 0x20); @@ -1685,7 +1683,8 @@ with error %s.\n", desthost, cli_errstr(*ppcli) )); return False; } - if (!cli_connect(*ppcli, desthost, pdest_ip) || + status = cli_connect(*ppcli, desthost, pdest_ip); + if (!NT_STATUS_IS_OK(status) || !cli_session_request(*ppcli, &calling, &smbservername)) { DEBUG(0,("attempt_netbios_session_request: %s rejected the session for \ name *SMBSERVER with error %s\n", desthost, cli_errstr(*ppcli) )); -- cgit From d824b98f80ba186030cbb70b3a1e5daf80469ecd Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 9 Jul 2007 19:25:36 +0000 Subject: r23779: Change from v2 or later to v3 or later. Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 78386ce503..7c72c00673 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -6,7 +6,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, -- cgit From 5e54558c6dea67b56bbfaba5698f3a434d3dffb6 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 00:52:41 +0000 Subject: r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text (This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07) --- source3/libsmb/cliconnect.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 7c72c00673..58f893b060 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -15,8 +15,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" -- cgit From 87afcae522859d8bff3506e4f0f1c5a73fb2840a Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 8 Aug 2007 23:56:55 +0000 Subject: r24281: Fix bug found by Herb. The vuid entry in the cli_state structure gets left as nonzero as returned by the failed cli_session_setup_spnego. When we then try to authenticate as the user in cli_session_setup this returns an error "Bad userid" (as seen in wireshark). "We should only leave cli->vuid != 0 on success. Looks like it's getting set in the cli_session_setup_blob_receive() call and not cleared again on error." Jeremy. (This used to be commit fa8e66dd8d2c68b91b27169c3c43820989f58758) --- source3/libsmb/cliconnect.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 58f893b060..c03097acc3 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -583,6 +583,7 @@ static BOOL cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob, DATA_B NT_STATUS_MORE_PROCESSING_REQUIRED)) { DEBUG(0, ("cli_session_setup_blob: recieve failed (%s)\n", nt_errstr(cli_get_nt_error(cli)) )); + cli->vuid = 0; return False; } } @@ -769,6 +770,9 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use ntlmssp_end(&ntlmssp_state); + if (!NT_STATUS_IS_OK(nt_status)) { + cli->vuid = 0; + } return nt_status; } -- cgit From 1c72c4c360b6443f5b9705f2781fa9917492537e Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 28 Aug 2007 14:20:53 +0000 Subject: r24737: Remove older TODO: Convert internal_resolve_name() and friends to NTSTATUS. Guenther (This used to be commit 8300aac4944613e411a78ab98de5d77f8fd38fa7) --- source3/libsmb/cliconnect.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index c03097acc3..820a904ea4 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1847,7 +1847,8 @@ struct cli_state *get_ipc_connect_master_ip_bcast(pstring workgroup, struct user /* Go looking for workgroups by broadcasting on the local network */ - if (!name_resolve_bcast(MSBROWSE, 1, &ip_list, &count)) { + if (!NT_STATUS_IS_OK(name_resolve_bcast(MSBROWSE, 1, &ip_list, + &count))) { DEBUG(99, ("No master browsers responded\n")); return False; } -- cgit From 3529156971e17c7ec13f6a6243f7b613e4666cdd Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 28 Sep 2007 03:54:42 +0000 Subject: r25400: Windows 2008 (Longhorn) Interop fixes for AD specific auth2 flags, and client fixes. Patch from Todd Stetcher . (This used to be commit 8304ccba7346597425307e260e88647e49081f68) --- source3/libsmb/cliconnect.c | 38 ++++++++++++++++++++++++++++---------- 1 file changed, 28 insertions(+), 10 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 820a904ea4..a4bbf9a6ec 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -822,20 +822,36 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, free(OIDs[i]); } - DEBUG(3,("got principal=%s\n", principal ? principal : "")); if (got_kerberos_mechanism && (principal == NULL)) { + fstring dns_name; + fstring nb_name; + /* - * It is WRONG to depend on the principal sent in the negprot - * reply, but right now we do it. So for safety (don't - * segfault later) disable Kerberos when no principal was - * sent. -- VL - */ - DEBUG(1, ("Kerberos mech was offered, but no principal was " - "sent, disabling Kerberos\n")); - cli->use_kerberos = False; + * We didn't get a valid principal in the negTokenInit. Fake + * it, or fall back on NTLM. We prefer to fake it, and hit the + * translate_name cache to get a REAL realm name. + */ + if (!(cli->desthost && translate_name(domain, dns_name, + nb_name) && + asprintf(&principal, "host/%s@%s", cli->desthost, + dns_name))) { + + /* + * It is WRONG to depend on the principal sent in the + * negprot reply, but right now we do it. So for safety + * (don't segfault later) disable Kerberos when no + * principal was sent. -- VL + */ + DEBUG(1, ("Kerberos mech was offered, but no principal was " + "sent, disabling Kerberos\n")); + cli->use_kerberos = False; + } + } + DEBUG(3,("got principal=%s\n", principal ? principal : "")); + fstrcpy(cli->user_name, user); #ifdef HAVE_KRB5 @@ -872,7 +888,9 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, ntlmssp: - return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, user, pass, domain)); + /* NTLM is sensitive to adding a domain with a UPN */ + return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, user, pass, + (strchr(user, '@') ? NULL : domain))); } /**************************************************************************** -- cgit From 5221ebb299081da6a806362212c6a8ceb9cc70a8 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 28 Sep 2007 18:15:34 +0000 Subject: r25407: Revert Longhorn join patch as it is not correct for the 3.2 tree. The translate_name() used by cli_session_setup_spnego() cann rely Winbindd since it is needed by the join process (and hence before Winbind can be run). (This used to be commit 00a93ed336c5f36643e6e33bd277608eaf05677c) --- source3/libsmb/cliconnect.c | 38 ++++++++++---------------------------- 1 file changed, 10 insertions(+), 28 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index a4bbf9a6ec..820a904ea4 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -822,36 +822,20 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, free(OIDs[i]); } + DEBUG(3,("got principal=%s\n", principal ? principal : "")); if (got_kerberos_mechanism && (principal == NULL)) { - fstring dns_name; - fstring nb_name; - /* - * We didn't get a valid principal in the negTokenInit. Fake - * it, or fall back on NTLM. We prefer to fake it, and hit the - * translate_name cache to get a REAL realm name. - */ - if (!(cli->desthost && translate_name(domain, dns_name, - nb_name) && - asprintf(&principal, "host/%s@%s", cli->desthost, - dns_name))) { - - /* - * It is WRONG to depend on the principal sent in the - * negprot reply, but right now we do it. So for safety - * (don't segfault later) disable Kerberos when no - * principal was sent. -- VL - */ - DEBUG(1, ("Kerberos mech was offered, but no principal was " - "sent, disabling Kerberos\n")); - cli->use_kerberos = False; - } - + * It is WRONG to depend on the principal sent in the negprot + * reply, but right now we do it. So for safety (don't + * segfault later) disable Kerberos when no principal was + * sent. -- VL + */ + DEBUG(1, ("Kerberos mech was offered, but no principal was " + "sent, disabling Kerberos\n")); + cli->use_kerberos = False; } - DEBUG(3,("got principal=%s\n", principal ? principal : "")); - fstrcpy(cli->user_name, user); #ifdef HAVE_KRB5 @@ -888,9 +872,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, ntlmssp: - /* NTLM is sensitive to adding a domain with a UPN */ - return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, user, pass, - (strchr(user, '@') ? NULL : domain))); + return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, user, pass, domain)); } /**************************************************************************** -- cgit From e5a951325a6cac8567af3a66de6d2df577508ae4 Mon Sep 17 00:00:00 2001 From: "Gerald (Jerry) Carter" Date: Wed, 10 Oct 2007 15:34:30 -0500 Subject: [GLUE] Rsync SAMBA_3_2_0 SVN r25598 in order to create the v3-2-test branch. (This used to be commit 5c6c8e1fe93f340005110a7833946191659d88ab) --- source3/libsmb/cliconnect.c | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 820a904ea4..78cc63de50 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -98,7 +98,7 @@ static NTSTATUS cli_session_setup_lanman2(struct cli_state *cli, /* send a session setup command */ memset(cli->outbuf,'\0',smb_size); - set_message(NULL,cli->outbuf,10, 0, True); + set_message(cli->outbuf,10, 0, True); SCVAL(cli->outbuf,smb_com,SMBsesssetupX); cli_setup_packet(cli); @@ -168,7 +168,7 @@ static NTSTATUS cli_session_setup_guest(struct cli_state *cli) uint32 capabilities = cli_session_setup_capabilities(cli); memset(cli->outbuf, '\0', smb_size); - set_message(NULL,cli->outbuf,13,0,True); + set_message(cli->outbuf,13,0,True); SCVAL(cli->outbuf,smb_com,SMBsesssetupX); cli_setup_packet(cli); @@ -228,7 +228,7 @@ static NTSTATUS cli_session_setup_plaintext(struct cli_state *cli, fstr_sprintf( lanman, "Samba %s", SAMBA_VERSION_STRING); memset(cli->outbuf, '\0', smb_size); - set_message(NULL,cli->outbuf,13,0,True); + set_message(cli->outbuf,13,0,True); SCVAL(cli->outbuf,smb_com,SMBsesssetupX); cli_setup_packet(cli); @@ -377,7 +377,7 @@ static NTSTATUS cli_session_setup_nt1(struct cli_state *cli, const char *user, /* send a session setup command */ memset(cli->outbuf,'\0',smb_size); - set_message(NULL,cli->outbuf,13,0,True); + set_message(cli->outbuf,13,0,True); SCVAL(cli->outbuf,smb_com,SMBsesssetupX); cli_setup_packet(cli); @@ -457,7 +457,7 @@ static BOOL cli_session_setup_blob_send(struct cli_state *cli, DATA_BLOB blob) /* send a session setup command */ memset(cli->outbuf,'\0',smb_size); - set_message(NULL,cli->outbuf,12,0,True); + set_message(cli->outbuf,12,0,True); SCVAL(cli->outbuf,smb_com,SMBsesssetupX); cli_setup_packet(cli); @@ -765,7 +765,7 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use } } - /* we have a reference counter on ntlmssp_state, if we are signing + /* we have a reference conter on ntlmssp_state, if we are signing then the state will be kept by the signing engine */ ntlmssp_end(&ntlmssp_state); @@ -978,6 +978,7 @@ NTSTATUS cli_session_setup(struct cli_state *cli, } return NT_STATUS_OK; + } /**************************************************************************** @@ -987,7 +988,7 @@ NTSTATUS cli_session_setup(struct cli_state *cli, BOOL cli_ulogoff(struct cli_state *cli) { memset(cli->outbuf,'\0',smb_size); - set_message(NULL,cli->outbuf,2,0,True); + set_message(cli->outbuf,2,0,True); SCVAL(cli->outbuf,smb_com,SMBulogoffX); cli_setup_packet(cli); SSVAL(cli->outbuf,smb_vwv0,0xFF); @@ -1064,7 +1065,7 @@ BOOL cli_send_tconX(struct cli_state *cli, slprintf(fullshare, sizeof(fullshare)-1, "\\\\%s\\%s", cli->desthost, share); - set_message(NULL,cli->outbuf,4, 0, True); + set_message(cli->outbuf,4, 0, True); SCVAL(cli->outbuf,smb_com,SMBtconX); cli_setup_packet(cli); @@ -1115,7 +1116,7 @@ BOOL cli_send_tconX(struct cli_state *cli, BOOL cli_tdis(struct cli_state *cli) { memset(cli->outbuf,'\0',smb_size); - set_message(NULL,cli->outbuf,0,0,True); + set_message(cli->outbuf,0,0,True); SCVAL(cli->outbuf,smb_com,SMBtdis); SSVAL(cli->outbuf,smb_tid,cli->cnum); cli_setup_packet(cli); @@ -1147,7 +1148,7 @@ void cli_negprot_send(struct cli_state *cli) memset(cli->outbuf,'\0',smb_size); /* setup the protocol strings */ - set_message(NULL,cli->outbuf,0,0,True); + set_message(cli->outbuf,0,0,True); p = smb_buf(cli->outbuf); for (numprots=0; @@ -1187,7 +1188,7 @@ BOOL cli_negprot(struct cli_state *cli) numprots++) plength += strlen(prots[numprots].name)+2; - set_message(NULL,cli->outbuf,0,plength,True); + set_message(cli->outbuf,0,plength,True); p = smb_buf(cli->outbuf); for (numprots=0; @@ -1720,7 +1721,7 @@ NTSTATUS cli_raw_tcon(struct cli_state *cli, memset(cli->outbuf,'\0',smb_size); memset(cli->inbuf,'\0',smb_size); - set_message(NULL,cli->outbuf, 0, 0, True); + set_message(cli->outbuf, 0, 0, True); SCVAL(cli->outbuf,smb_com,SMBtcon); cli_setup_packet(cli); -- cgit From 8e54530b52fd256137740107e9fdf000f00a7a30 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 10 Oct 2007 18:25:16 -0700 Subject: Add start of IPv6 implementation. Currently most of this is avoiding IPv6 in winbindd, but moves most of the socket functions that were wrongly in lib/util.c into lib/util_sock.c and provides generic IPv4/6 independent versions of most things. Still lots of work to do, but now I can see how I'll fix the access check code. Nasty part that remains is the name resolution code which is used to returning arrays of in_addr structs. Jeremy. (This used to be commit 3f6bd0e1ec5cc6670f3d08f76fc2cd94c9cd1a08) --- source3/libsmb/cliconnect.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 78cc63de50..16c3bed438 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1421,7 +1421,7 @@ NTSTATUS cli_connect(struct cli_state *cli, const char *host, struct in_addr *ip *p = 0; } - if (!ip || is_zero_ip(*ip)) { + if (!ip || is_zero_ip_v4(*ip)) { if (!resolve_name(cli->desthost, &cli->dest_ip, name_type)) { return NT_STATUS_BAD_NETWORK_NAME; } @@ -1522,7 +1522,7 @@ again: char *p; DEBUG(1,("session request to %s failed (%s)\n", called.name, cli_errstr(cli))); - if ((p=strchr(called.name, '.')) && !is_ipaddress(called.name)) { + if ((p=strchr(called.name, '.')) && !is_ipaddress_v4(called.name)) { *p = 0; goto again; } @@ -1650,7 +1650,7 @@ BOOL attempt_netbios_session_request(struct cli_state **ppcli, const char *srcho * then use *SMBSERVER immediately. */ - if(is_ipaddress(desthost)) { + if(is_ipaddress_v4(desthost)) { make_nmb_name(&called, "*SMBSERVER", 0x20); } else { make_nmb_name(&called, desthost, 0x20); @@ -1764,7 +1764,7 @@ struct cli_state *get_ipc_connect(char *server, struct in_addr *server_ip, if (NT_STATUS_IS_OK(nt_status)) { return cli; - } else if (is_ipaddress(server)) { + } else if (is_ipaddress_v4(server)) { /* windows 9* needs a correct NMB name for connections */ fstring remote_name; -- cgit From 30191d1a5704ad2b158386b511558972d539ce47 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 18 Oct 2007 17:40:25 -0700 Subject: RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f) --- source3/libsmb/cliconnect.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 16c3bed438..82cd6d6d13 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -447,7 +447,7 @@ end: Send a extended security session setup blob ****************************************************************************/ -static BOOL cli_session_setup_blob_send(struct cli_state *cli, DATA_BLOB blob) +static bool cli_session_setup_blob_send(struct cli_state *cli, DATA_BLOB blob) { uint32 capabilities = cli_session_setup_capabilities(cli); char *p; @@ -529,7 +529,7 @@ static DATA_BLOB cli_session_setup_blob_receive(struct cli_state *cli) #define BASE_SESSSETUP_BLOB_PACKET_SIZE (35 + 24 + 22) -static BOOL cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob, DATA_BLOB session_key_krb5) +static bool cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob, DATA_BLOB session_key_krb5) { int32 remaining = blob.length; int32 cur = 0; @@ -744,7 +744,7 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use DATA_BLOB key = data_blob(ntlmssp_state->session_key.data, ntlmssp_state->session_key.length); DATA_BLOB null_blob = data_blob_null; - BOOL res; + bool res; fstrcpy(cli->server_domain, ntlmssp_state->server_domain); cli_set_session_key(cli, ntlmssp_state->session_key); @@ -786,7 +786,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, char *principal; char *OIDs[ASN1_MAX_OIDS]; int i; - BOOL got_kerberos_mechanism = False; + bool got_kerberos_mechanism = False; DATA_BLOB blob; DEBUG(3,("Doing spnego session setup (blob length=%lu)\n", (unsigned long)cli->secblob.length)); @@ -985,7 +985,7 @@ NTSTATUS cli_session_setup(struct cli_state *cli, Send a uloggoff. *****************************************************************************/ -BOOL cli_ulogoff(struct cli_state *cli) +bool cli_ulogoff(struct cli_state *cli) { memset(cli->outbuf,'\0',smb_size); set_message(cli->outbuf,2,0,True); @@ -1010,7 +1010,7 @@ BOOL cli_ulogoff(struct cli_state *cli) Send a tconX. ****************************************************************************/ -BOOL cli_send_tconX(struct cli_state *cli, +bool cli_send_tconX(struct cli_state *cli, const char *share, const char *dev, const char *pass, int passlen) { fstring fullshare, pword; @@ -1113,7 +1113,7 @@ BOOL cli_send_tconX(struct cli_state *cli, Send a tree disconnect. ****************************************************************************/ -BOOL cli_tdis(struct cli_state *cli) +bool cli_tdis(struct cli_state *cli) { memset(cli->outbuf,'\0',smb_size); set_message(cli->outbuf,0,0,True); @@ -1171,7 +1171,7 @@ void cli_negprot_send(struct cli_state *cli) Send a negprot command. ****************************************************************************/ -BOOL cli_negprot(struct cli_state *cli) +bool cli_negprot(struct cli_state *cli) { char *p; int numprots; @@ -1313,7 +1313,7 @@ BOOL cli_negprot(struct cli_state *cli) Send a session request. See rfc1002.txt 4.3 and 4.3.2. ****************************************************************************/ -BOOL cli_session_request(struct cli_state *cli, +bool cli_session_request(struct cli_state *cli, struct nmb_name *calling, struct nmb_name *called) { char *p; @@ -1381,7 +1381,7 @@ BOOL cli_session_request(struct cli_state *cli, /* Try again */ { static int depth; - BOOL ret; + bool ret; if (depth > 4) { DEBUG(0,("Retarget recursion - failing\n")); return False; @@ -1462,7 +1462,7 @@ NTSTATUS cli_connect(struct cli_state *cli, const char *host, struct in_addr *ip @param dest_host The netbios name of the remote host @param dest_ip (optional) The the destination IP, NULL for name based lookup @param port (optional) The destination port (0 for default) - @param retry BOOL. Did this connection fail with a retryable error ? + @param retry bool. Did this connection fail with a retryable error ? */ NTSTATUS cli_start_connection(struct cli_state **output_cli, @@ -1470,7 +1470,7 @@ NTSTATUS cli_start_connection(struct cli_state **output_cli, const char *dest_host, struct in_addr *dest_ip, int port, int signing_state, int flags, - BOOL *retry) + bool *retry) { NTSTATUS nt_status; struct nmb_name calling; @@ -1566,7 +1566,7 @@ again: @param user Username, unix string @param domain User's domain @param password User's password, unencrypted unix string. - @param retry BOOL. Did this connection fail with a retryable error ? + @param retry bool. Did this connection fail with a retryable error ? */ NTSTATUS cli_full_connection(struct cli_state **output_cli, @@ -1577,7 +1577,7 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, const char *user, const char *domain, const char *password, int flags, int signing_state, - BOOL *retry) + bool *retry) { NTSTATUS nt_status; struct cli_state *cli = NULL; @@ -1638,7 +1638,7 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, Attempt a NetBIOS session request, falling back to *SMBSERVER if needed. ****************************************************************************/ -BOOL attempt_netbios_session_request(struct cli_state **ppcli, const char *srchost, const char *desthost, +bool attempt_netbios_session_request(struct cli_state **ppcli, const char *srchost, const char *desthost, struct in_addr *pdest_ip) { struct nmb_name calling, called; -- cgit From f88b7a076be74a29a3bf876b4e2705f4a1ecf42b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 24 Oct 2007 14:16:54 -0700 Subject: This is a large patch (sorry). Migrate from struct in_addr to struct sockaddr_storage in most places that matter (ie. not the nmbd and NetBIOS lookups). This passes make test on an IPv4 box, but I'll have to do more work/testing on IPv6 enabled boxes. This should now give us a framework for testing and finishing the IPv6 migration. It's at the state where someone with a working IPv6 setup should (theorecically) be able to type : smbclient //ipv6-address/share and have it work. Jeremy. (This used to be commit 98e154c3125d5732c37a72d74b0eb5cd7b6155fd) --- source3/libsmb/cliconnect.c | 152 +++++++++++++++++++++++++------------------- 1 file changed, 87 insertions(+), 65 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 82cd6d6d13..826315ad7a 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1366,11 +1366,17 @@ bool cli_session_request(struct cli_state *cli, int16 port; }; */ - int port = (CVAL(cli->inbuf,8)<<8)+CVAL(cli->inbuf,9); + uint16_t port = (CVAL(cli->inbuf,8)<<8)+CVAL(cli->inbuf,9); + struct in_addr dest_ip; + /* SESSION RETARGET */ - putip((char *)&cli->dest_ip,cli->inbuf+4); + putip((char *)&dest_ip,cli->inbuf+4); + in_addr_to_sockaddr_storage(&cli->dest_ss, dest_ip); - cli->fd = open_socket_out(SOCK_STREAM, &cli->dest_ip, port, LONG_CONNECT_TIMEOUT); + cli->fd = open_socket_out(SOCK_STREAM, + &cli->dest_ss, + port, + LONG_CONNECT_TIMEOUT); if (cli->fd == -1) return False; @@ -1405,49 +1411,61 @@ bool cli_session_request(struct cli_state *cli, Open the client sockets. ****************************************************************************/ -NTSTATUS cli_connect(struct cli_state *cli, const char *host, struct in_addr *ip) +NTSTATUS cli_connect(struct cli_state *cli, + const char *host, + struct sockaddr_storage *dest_ss) + { int name_type = 0x20; char *p; /* reasonable default hostname */ - if (!host) host = "*SMBSERVER"; + if (!host) { + host = "*SMBSERVER"; + } fstrcpy(cli->desthost, host); /* allow hostnames of the form NAME#xx and do a netbios lookup */ if ((p = strchr(cli->desthost, '#'))) { - name_type = strtol(p+1, NULL, 16); + name_type = strtol(p+1, NULL, 16); *p = 0; } - - if (!ip || is_zero_ip_v4(*ip)) { - if (!resolve_name(cli->desthost, &cli->dest_ip, name_type)) { + + if (!dest_ss || is_zero_addr(dest_ss)) { + if (!resolve_name(cli->desthost, &cli->dest_ss, name_type)) { return NT_STATUS_BAD_NETWORK_NAME; } - if (ip) *ip = cli->dest_ip; + if (dest_ss) { + *dest_ss = cli->dest_ss; + } } else { - cli->dest_ip = *ip; + cli->dest_ss = *dest_ss; } if (getenv("LIBSMB_PROG")) { cli->fd = sock_exec(getenv("LIBSMB_PROG")); } else { /* try 445 first, then 139 */ - int port = cli->port?cli->port:445; - cli->fd = open_socket_out(SOCK_STREAM, &cli->dest_ip, + uint16_t port = cli->port?cli->port:445; + cli->fd = open_socket_out(SOCK_STREAM, &cli->dest_ss, port, cli->timeout); if (cli->fd == -1 && cli->port == 0) { port = 139; - cli->fd = open_socket_out(SOCK_STREAM, &cli->dest_ip, + cli->fd = open_socket_out(SOCK_STREAM, &cli->dest_ss, port, cli->timeout); } - if (cli->fd != -1) + if (cli->fd != -1) { cli->port = port; + } } if (cli->fd == -1) { + char addr[INET6_ADDRSTRLEN]; + if (dest_ss) { + print_sockaddr(addr, sizeof(addr), dest_ss); + } DEBUG(1,("Error connecting to %s (%s)\n", - ip?inet_ntoa(*ip):host,strerror(errno))); + dest_ss?addr:host,strerror(errno))); return map_nt_error_from_unix(errno); } @@ -1460,7 +1478,7 @@ NTSTATUS cli_connect(struct cli_state *cli, const char *host, struct in_addr *ip establishes a connection to after the negprot. @param output_cli A fully initialised cli structure, non-null only on success @param dest_host The netbios name of the remote host - @param dest_ip (optional) The the destination IP, NULL for name based lookup + @param dest_ss (optional) The the destination IP, NULL for name based lookup @param port (optional) The destination port (0 for default) @param retry bool. Did this connection fail with a retryable error ? @@ -1468,7 +1486,7 @@ NTSTATUS cli_connect(struct cli_state *cli, const char *host, struct in_addr *ip NTSTATUS cli_start_connection(struct cli_state **output_cli, const char *my_name, const char *dest_host, - struct in_addr *dest_ip, int port, + struct sockaddr_storage *dest_ss, int port, int signing_state, int flags, bool *retry) { @@ -1476,7 +1494,7 @@ NTSTATUS cli_start_connection(struct cli_state **output_cli, struct nmb_name calling; struct nmb_name called; struct cli_state *cli; - struct in_addr ip; + struct sockaddr_storage ss; if (retry) *retry = False; @@ -1498,19 +1516,22 @@ NTSTATUS cli_start_connection(struct cli_state **output_cli, cli_set_timeout(cli, 10000); /* 10 seconds. */ - if (dest_ip) - ip = *dest_ip; - else - ZERO_STRUCT(ip); + if (dest_ss) { + ss = *dest_ss; + } else { + zero_addr(&ss, AF_INET); + } again: DEBUG(3,("Connecting to host=%s\n", dest_host)); - - nt_status = cli_connect(cli, dest_host, &ip); + + nt_status = cli_connect(cli, dest_host, &ss); if (!NT_STATUS_IS_OK(nt_status)) { + char addr[INET6_ADDRSTRLEN]; + print_sockaddr(addr, sizeof(addr), &ss); DEBUG(1,("cli_start_connection: failed to connect to %s (%s). Error %s\n", - nmb_namestr(&called), inet_ntoa(ip), nt_errstr(nt_status) )); + nmb_namestr(&called), addr, nt_errstr(nt_status) )); cli_shutdown(cli); return nt_status; } @@ -1520,9 +1541,9 @@ again: if (!cli_session_request(cli, &calling, &called)) { char *p; - DEBUG(1,("session request to %s failed (%s)\n", + DEBUG(1,("session request to %s failed (%s)\n", called.name, cli_errstr(cli))); - if ((p=strchr(called.name, '.')) && !is_ipaddress_v4(called.name)) { + if ((p=strchr(called.name, '.')) && !is_ipaddress(called.name)) { *p = 0; goto again; } @@ -1572,7 +1593,7 @@ again: NTSTATUS cli_full_connection(struct cli_state **output_cli, const char *my_name, const char *dest_host, - struct in_addr *dest_ip, int port, + struct sockaddr_storage *dest_ss, int port, const char *service, const char *service_type, const char *user, const char *domain, const char *password, int flags, @@ -1589,9 +1610,10 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, password = ""; } - nt_status = cli_start_connection(&cli, my_name, dest_host, - dest_ip, port, signing_state, flags, retry); - + nt_status = cli_start_connection(&cli, my_name, dest_host, + dest_ss, port, signing_state, + flags, retry); + if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } @@ -1615,7 +1637,7 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, return nt_status; } } - + if (service) { if (!cli_send_tconX(cli, service, service_type, password, pw_len)) { nt_status = cli_nt_error(cli); @@ -1639,7 +1661,7 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, ****************************************************************************/ bool attempt_netbios_session_request(struct cli_state **ppcli, const char *srchost, const char *desthost, - struct in_addr *pdest_ip) + struct sockaddr_storage *pdest_ss) { struct nmb_name calling, called; @@ -1650,7 +1672,7 @@ bool attempt_netbios_session_request(struct cli_state **ppcli, const char *srcho * then use *SMBSERVER immediately. */ - if(is_ipaddress_v4(desthost)) { + if(is_ipaddress(desthost)) { make_nmb_name(&called, "*SMBSERVER", 0x20); } else { make_nmb_name(&called, desthost, 0x20); @@ -1687,7 +1709,7 @@ with error %s.\n", desthost, cli_errstr(*ppcli) )); return False; } - status = cli_connect(*ppcli, desthost, pdest_ip); + status = cli_connect(*ppcli, desthost, pdest_ss); if (!NT_STATUS_IS_OK(status) || !cli_session_request(*ppcli, &calling, &smbservername)) { DEBUG(0,("attempt_netbios_session_request: %s rejected the session for \ @@ -1699,10 +1721,6 @@ name *SMBSERVER with error %s\n", desthost, cli_errstr(*ppcli) )); return True; } - - - - /**************************************************************************** Send an old style tcon. ****************************************************************************/ @@ -1749,27 +1767,28 @@ NTSTATUS cli_raw_tcon(struct cli_state *cli, /* Return a cli_state pointing at the IPC$ share for the given server */ -struct cli_state *get_ipc_connect(char *server, struct in_addr *server_ip, - struct user_auth_info *user_info) +struct cli_state *get_ipc_connect(char *server, + struct sockaddr_storage *server_ss, + struct user_auth_info *user_info) { struct cli_state *cli; pstring myname; NTSTATUS nt_status; get_myname(myname); - - nt_status = cli_full_connection(&cli, myname, server, server_ip, 0, "IPC$", "IPC", + + nt_status = cli_full_connection(&cli, myname, server, server_ss, 0, "IPC$", "IPC", user_info->username, lp_workgroup(), user_info->password, CLI_FULL_CONNECTION_ANONYMOUS_FALLBACK, Undefined, NULL); if (NT_STATUS_IS_OK(nt_status)) { return cli; - } else if (is_ipaddress_v4(server)) { + } else if (is_ipaddress(server)) { /* windows 9* needs a correct NMB name for connections */ fstring remote_name; - if (name_status_find("*", 0, 0, *server_ip, remote_name)) { - cli = get_ipc_connect(remote_name, server_ip, user_info); + if (name_status_find("*", 0, 0, server_ss, remote_name)) { + cli = get_ipc_connect(remote_name, server_ss, user_info); if (cli) return cli; } @@ -1789,14 +1808,16 @@ struct cli_state *get_ipc_connect(char *server, struct in_addr *server_ip, * entire network browse list) */ -struct cli_state *get_ipc_connect_master_ip(struct ip_service * mb_ip, pstring workgroup, struct user_auth_info *user_info) +struct cli_state *get_ipc_connect_master_ip(struct ip_service *mb_ip, pstring workgroup, struct user_auth_info *user_info) { + char addr[INET6_ADDRSTRLEN]; static fstring name; struct cli_state *cli; - struct in_addr server_ip; + struct sockaddr_storage server_ss; + print_sockaddr(addr, sizeof(addr), &mb_ip->ss); DEBUG(99, ("Looking up name of master browser %s\n", - inet_ntoa(mb_ip->ip))); + addr)); /* * Do a name status query to find out the name of the master browser. @@ -1809,28 +1830,27 @@ struct cli_state *get_ipc_connect_master_ip(struct ip_service * mb_ip, pstring w * the original wildcard query as the first choice and fall back to * MSBROWSE if the wildcard query fails. */ - if (!name_status_find("*", 0, 0x1d, mb_ip->ip, name) && - !name_status_find(MSBROWSE, 1, 0x1d, mb_ip->ip, name)) { + if (!name_status_find("*", 0, 0x1d, &mb_ip->ss, name) && + !name_status_find(MSBROWSE, 1, 0x1d, &mb_ip->ss, name)) { DEBUG(99, ("Could not retrieve name status for %s\n", - inet_ntoa(mb_ip->ip))); + addr)); return NULL; } - if (!find_master_ip(name, &server_ip)) { + if (!find_master_ip(name, &server_ss)) { DEBUG(99, ("Could not find master ip for %s\n", name)); return NULL; } - pstrcpy(workgroup, name); + pstrcpy(workgroup, name); - DEBUG(4, ("found master browser %s, %s\n", - name, inet_ntoa(mb_ip->ip))); + DEBUG(4, ("found master browser %s, %s\n", name, addr)); - cli = get_ipc_connect(inet_ntoa(server_ip), &server_ip, user_info); + print_sockaddr(addr, sizeof(addr), &server_ss); + cli = get_ipc_connect(addr, &server_ss, user_info); - return cli; - + return cli; } /* @@ -1846,7 +1866,7 @@ struct cli_state *get_ipc_connect_master_ip_bcast(pstring workgroup, struct user DEBUG(99, ("Do broadcast lookup for workgroups on local network\n")); - /* Go looking for workgroups by broadcasting on the local network */ + /* Go looking for workgroups by broadcasting on the local network */ if (!NT_STATUS_IS_OK(name_resolve_bcast(MSBROWSE, 1, &ip_list, &count))) { @@ -1855,11 +1875,13 @@ struct cli_state *get_ipc_connect_master_ip_bcast(pstring workgroup, struct user } for (i = 0; i < count; i++) { - DEBUG(99, ("Found master browser %s\n", inet_ntoa(ip_list[i].ip))); + char addr[INET6_ADDRSTRLEN]; + print_sockaddr(addr, sizeof(addr), &ip_list[i].ss); + DEBUG(99, ("Found master browser %s\n", addr)); - cli = get_ipc_connect_master_ip(&ip_list[i], workgroup, user_info); - if (cli) - return(cli); + cli = get_ipc_connect_master_ip(&ip_list[i], workgroup, user_info); + if (cli) + return(cli); } return NULL; -- cgit From d4307679b95088d05f0abad440de5e961ee965df Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 27 Oct 2007 20:29:36 -0700 Subject: Change all occurrences of zero_addr(&ss,AF_INET) to zero_addr(&ss). All current uses were always of the AF_INET form, so simplify the call. If in the future we need to zero an addr to AF_INET6 this can be done separately. Jeremy. (This used to be commit 2e92418a138bf2738b77b7e0fcb2fa37ad84fc0c) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 826315ad7a..448bfd7663 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1519,7 +1519,7 @@ NTSTATUS cli_start_connection(struct cli_state **output_cli, if (dest_ss) { ss = *dest_ss; } else { - zero_addr(&ss, AF_INET); + zero_addr(&ss); } again: -- cgit From 73d407968002587eadd0ff13eb413ddf07c78771 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 3 Nov 2007 15:12:42 -0700 Subject: Remove the smb_read_error global variable and replace it with accessor functions. "One global or pstring a day...." :-). Jeremy. (This used to be commit d50d14c300abc83b7015718ec48acc8b3227a273) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 448bfd7663..b86939a897 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -699,7 +699,7 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use nt_status = cli_nt_error(cli); if (cli_is_error(cli) && NT_STATUS_IS_OK(nt_status)) { - if (cli->smb_rw_error == READ_BAD_SIG) { + if (cli->smb_rw_error == SMB_READ_BAD_SIG) { nt_status = NT_STATUS_ACCESS_DENIED; } else { nt_status = NT_STATUS_UNSUCCESSFUL; -- cgit From 5f4693d8f8cf435cb2c62787ba95acf2b0b5f7d2 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 8 Nov 2007 18:50:07 -0800 Subject: Remove more pstring/fstrings. Jeremy. (This used to be commit 7a1de5b44e84a7474e78518c6ba33b3fedc42b5f) --- source3/libsmb/cliconnect.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index b86939a897..8b180f0135 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1772,12 +1772,9 @@ struct cli_state *get_ipc_connect(char *server, struct user_auth_info *user_info) { struct cli_state *cli; - pstring myname; NTSTATUS nt_status; - get_myname(myname); - - nt_status = cli_full_connection(&cli, myname, server, server_ss, 0, "IPC$", "IPC", + nt_status = cli_full_connection(&cli, NULL, server, server_ss, 0, "IPC$", "IPC", user_info->username, lp_workgroup(), user_info->password, CLI_FULL_CONNECTION_ANONYMOUS_FALLBACK, Undefined, NULL); -- cgit From e63bcdd720d801df278ef84063c46144df087793 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 1 Nov 2007 18:13:00 +0100 Subject: Remove the silly "user_socket_options" global variable This is better done with a 'lp_do_parameter(-1, "socket options", ..); (This used to be commit 814bed029efa391e664ac432d0d68dfeab26381f) --- source3/libsmb/cliconnect.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 8b180f0135..2fdd1223f0 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -20,8 +20,6 @@ #include "includes.h" -extern pstring user_socket_options; - static const struct { int prot; const char *name; @@ -1382,7 +1380,7 @@ bool cli_session_request(struct cli_state *cli, DEBUG(3,("Retargeted\n")); - set_socket_options(cli->fd,user_socket_options); + set_socket_options(cli->fd, lp_socket_options()); /* Try again */ { @@ -1469,7 +1467,7 @@ NTSTATUS cli_connect(struct cli_state *cli, return map_nt_error_from_unix(errno); } - set_socket_options(cli->fd,user_socket_options); + set_socket_options(cli->fd, lp_socket_options()); return NT_STATUS_OK; } -- cgit From 50d9b94f6f7762fb4a86b020af461553422a71ad Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 11 Nov 2007 15:38:50 +0100 Subject: Remove a static fstring I'm not sure why this used to be static, to me it seems that every time this variable is overwritten. I just don't see how name_status_find() could return true and not overwrite name. Can someone please review this and potentially check it in? Thanks, Volker (This used to be commit 329c688e4a9e69b71996fd1b0eee2202a849f3f5) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 2fdd1223f0..f0b03a85cf 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1806,7 +1806,7 @@ struct cli_state *get_ipc_connect(char *server, struct cli_state *get_ipc_connect_master_ip(struct ip_service *mb_ip, pstring workgroup, struct user_auth_info *user_info) { char addr[INET6_ADDRSTRLEN]; - static fstring name; + fstring name; struct cli_state *cli; struct sockaddr_storage server_ss; -- cgit From d2cf97aeba14a4d336fb57b01f19bd5a08dcb003 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 29 Nov 2007 13:24:54 -0800 Subject: Remove the explicit TALLOC_CTX * from cli_struct. Make us very explicit about how long a talloc ctx should last. Jeremy. (This used to be commit ba9e2be2b5a59684e854609f9d82ea1633448c62) --- source3/libsmb/cliconnect.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index f0b03a85cf..e3800bfb33 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1803,13 +1803,18 @@ struct cli_state *get_ipc_connect(char *server, * entire network browse list) */ -struct cli_state *get_ipc_connect_master_ip(struct ip_service *mb_ip, pstring workgroup, struct user_auth_info *user_info) +struct cli_state *get_ipc_connect_master_ip(TALLOC_CTX *ctx, + struct ip_service *mb_ip, + struct user_auth_info *user_info, + char **pp_workgroup_out) { char addr[INET6_ADDRSTRLEN]; fstring name; struct cli_state *cli; struct sockaddr_storage server_ss; + *pp_workgroup_out = NULL; + print_sockaddr(addr, sizeof(addr), &mb_ip->ss); DEBUG(99, ("Looking up name of master browser %s\n", addr)); @@ -1838,7 +1843,7 @@ struct cli_state *get_ipc_connect_master_ip(struct ip_service *mb_ip, pstring wo return NULL; } - pstrcpy(workgroup, name); + *pp_workgroup_out = talloc_strdup(ctx, name); DEBUG(4, ("found master browser %s, %s\n", name, addr)); @@ -1853,12 +1858,16 @@ struct cli_state *get_ipc_connect_master_ip(struct ip_service *mb_ip, pstring wo * connect to it. */ -struct cli_state *get_ipc_connect_master_ip_bcast(pstring workgroup, struct user_auth_info *user_info) +struct cli_state *get_ipc_connect_master_ip_bcast(TALLOC_CTX *ctx, + struct user_auth_info *user_info, + char **pp_workgroup_out) { struct ip_service *ip_list; struct cli_state *cli; int i, count; + *pp_workgroup_out = NULL; + DEBUG(99, ("Do broadcast lookup for workgroups on local network\n")); /* Go looking for workgroups by broadcasting on the local network */ @@ -1874,7 +1883,8 @@ struct cli_state *get_ipc_connect_master_ip_bcast(pstring workgroup, struct user print_sockaddr(addr, sizeof(addr), &ip_list[i].ss); DEBUG(99, ("Found master browser %s\n", addr)); - cli = get_ipc_connect_master_ip(&ip_list[i], workgroup, user_info); + cli = get_ipc_connect_master_ip(ctx, &ip_list[i], + user_info, pp_workgroup_out); if (cli) return(cli); } -- cgit From f692694b99319ef1f534ea29f001922656402cdf Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 29 Nov 2007 17:25:41 -0800 Subject: Remove PSTRING_LEN from smbd/ nmbd/. Remove pstring from libsmb/clidfs.c except for a nasty hack (that will be removed when pstrings are gone from client/). Jeremy. (This used to be commit cc257b71d13daa47e6f2315d0f07a60eb4aaeca6) --- source3/libsmb/cliconnect.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index e3800bfb33..14140811d2 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -879,8 +879,8 @@ ntlmssp: password is in plaintext, the same should be done. ****************************************************************************/ -NTSTATUS cli_session_setup(struct cli_state *cli, - const char *user, +NTSTATUS cli_session_setup(struct cli_state *cli, + const char *user, const char *pass, int passlen, const char *ntpass, int ntpasslen, const char *workgroup) @@ -888,8 +888,17 @@ NTSTATUS cli_session_setup(struct cli_state *cli, char *p; fstring user2; + if (user) { + fstrcpy(user2, user); + } else { + user2[0] ='\0'; + } + + if (!workgroup) { + workgroup = ""; + } + /* allow for workgroups as part of the username */ - fstrcpy(user2, user); if ((p=strchr_m(user2,'\\')) || (p=strchr_m(user2,'/')) || (p=strchr_m(user2,*lp_winbind_separator()))) { *p = 0; -- cgit From acf15ae730c95443681404c76b67ccfca0253d8b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 7 Dec 2007 12:26:32 -0800 Subject: Don't build rpctorture anymore - not maintained. Just remove. Remove all vestiges of pstring (except for smbctool as noted in previous commit). Jeremy (This used to be commit 4c32a22ac50ada3275d2ffba3c1aa08bee7d1549) --- source3/libsmb/cliconnect.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 14140811d2..fdf7491d80 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1776,13 +1776,15 @@ NTSTATUS cli_raw_tcon(struct cli_state *cli, struct cli_state *get_ipc_connect(char *server, struct sockaddr_storage *server_ss, - struct user_auth_info *user_info) + const struct user_auth_info *user_info) { struct cli_state *cli; NTSTATUS nt_status; nt_status = cli_full_connection(&cli, NULL, server, server_ss, 0, "IPC$", "IPC", - user_info->username, lp_workgroup(), user_info->password, + user_info->username ? user_info->username : "", + lp_workgroup(), + user_info->password ? user_info->password : "", CLI_FULL_CONNECTION_ANONYMOUS_FALLBACK, Undefined, NULL); if (NT_STATUS_IS_OK(nt_status)) { @@ -1814,7 +1816,7 @@ struct cli_state *get_ipc_connect(char *server, struct cli_state *get_ipc_connect_master_ip(TALLOC_CTX *ctx, struct ip_service *mb_ip, - struct user_auth_info *user_info, + const struct user_auth_info *user_info, char **pp_workgroup_out) { char addr[INET6_ADDRSTRLEN]; @@ -1868,7 +1870,7 @@ struct cli_state *get_ipc_connect_master_ip(TALLOC_CTX *ctx, */ struct cli_state *get_ipc_connect_master_ip_bcast(TALLOC_CTX *ctx, - struct user_auth_info *user_info, + const struct user_auth_info *user_info, char **pp_workgroup_out) { struct ip_service *ip_list; -- cgit From e3e16928c057b35b66bc814a507fc79b9e02084c Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 12 Dec 2007 09:42:58 -0800 Subject: Allow cliconnect to loop through multiple ip addresses for a server. We should have been doing this for a while, but it's more critical with IPv6. Original patch fixed up by James. Jeremy. (This used to be commit 5c7f7629a97ef0929e00e52f1fae4386c984000b) --- source3/libsmb/cliconnect.c | 72 ++++++++++++++++++++++++++++++--------------- 1 file changed, 49 insertions(+), 23 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index fdf7491d80..45c202090e 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1424,7 +1424,11 @@ NTSTATUS cli_connect(struct cli_state *cli, { int name_type = 0x20; - char *p; + TALLOC_CTX *frame = talloc_stackframe(); + unsigned int num_addrs = 0; + unsigned int i = 0; + struct sockaddr_storage *ss_arr = NULL; + char *p = NULL; /* reasonable default hostname */ if (!host) { @@ -1440,44 +1444,66 @@ NTSTATUS cli_connect(struct cli_state *cli, } if (!dest_ss || is_zero_addr(dest_ss)) { - if (!resolve_name(cli->desthost, &cli->dest_ss, name_type)) { + NTSTATUS status =resolve_name_list(frame, + cli->desthost, + name_type, + &ss_arr, + &num_addrs); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(frame); return NT_STATUS_BAD_NETWORK_NAME; } - if (dest_ss) { - *dest_ss = cli->dest_ss; - } } else { - cli->dest_ss = *dest_ss; + num_addrs = 1; + ss_arr = TALLOC_P(frame, struct sockaddr_storage); + if (!ss_arr) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + *ss_arr = *dest_ss; } - if (getenv("LIBSMB_PROG")) { - cli->fd = sock_exec(getenv("LIBSMB_PROG")); - } else { - /* try 445 first, then 139 */ - uint16_t port = cli->port?cli->port:445; - cli->fd = open_socket_out(SOCK_STREAM, &cli->dest_ss, - port, cli->timeout); - if (cli->fd == -1 && cli->port == 0) { - port = 139; + for (i = 0; i < num_addrs; i++) { + cli->dest_ss = ss_arr[i]; + if (getenv("LIBSMB_PROG")) { + cli->fd = sock_exec(getenv("LIBSMB_PROG")); + } else { + /* try 445 first, then 139 */ + uint16_t port = cli->port?cli->port:445; cli->fd = open_socket_out(SOCK_STREAM, &cli->dest_ss, port, cli->timeout); + if (cli->fd == -1 && cli->port == 0) { + port = 139; + cli->fd = open_socket_out(SOCK_STREAM, &cli->dest_ss, + port, cli->timeout); + } + if (cli->fd != -1) { + cli->port = port; + } } - if (cli->fd != -1) { - cli->port = port; + if (cli->fd == -1) { + char addr[INET6_ADDRSTRLEN]; + print_sockaddr(addr, sizeof(addr), &ss_arr[i]); + DEBUG(2,("Error connecting to %s (%s)\n", + dest_ss?addr:host,strerror(errno))); + } else { + /* Exit from loop on first connection. */ + break; } } + if (cli->fd == -1) { - char addr[INET6_ADDRSTRLEN]; - if (dest_ss) { - print_sockaddr(addr, sizeof(addr), dest_ss); - } - DEBUG(1,("Error connecting to %s (%s)\n", - dest_ss?addr:host,strerror(errno))); + TALLOC_FREE(frame); return map_nt_error_from_unix(errno); } + if (dest_ss) { + *dest_ss = cli->dest_ss; + } + set_socket_options(cli->fd, lp_socket_options()); + TALLOC_FREE(frame); return NT_STATUS_OK; } -- cgit From 5dbc4a23bcae0087ab4319b5343cf6f44a4819e3 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 15 Dec 2007 23:22:25 -0800 Subject: Added patch originally by Andreas Schneider to cause us to behave like Vista when looking for remote machine principal. Modified by me. Jeremy. (This used to be commit d0e33840fb4cfc85990d3ee327428b0854a22722) --- source3/libsmb/cliconnect.c | 50 +++++++++++++++++++++++++++++++++++++-------- 1 file changed, 42 insertions(+), 8 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 45c202090e..52ff69953e 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -37,6 +37,8 @@ static const struct { {-1,NULL} }; +static const char *star_smbserver_name = "*SMBSERVER"; + /** * Set the user session key for a connection * @param cli The cli structure to add it too @@ -858,10 +860,42 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, } } - rc = cli_session_setup_kerberos(cli, principal, domain); - if (ADS_ERR_OK(rc) || !cli->fallback_after_kerberos) { + /* If we get a bad principal, try to guess it if + we have a valid host NetBIOS name. + */ + if (strequal(principal, + "not_defined_in_RFC4178@please_ignore")) { SAFE_FREE(principal); - return rc; + } + + if (principal == NULL && + !is_ipaddress(cli->desthost) && + !strequal(star_smbserver_name, + cli->desthost)) { + char *realm = NULL; + DEBUG(3,("cli_session_setup_spnego: got a " + "bad server principal, trying to guess ...\n")); + + realm = kerberos_get_default_realm_from_ccache(); + if (realm && *realm) { + if (asprintf(&principal, "%s$@%s", + cli->desthost, realm) < 0) { + SAFE_FREE(realm); + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } + DEBUG(3,("cli_session_setup_spnego: guessed " + "server principal=%s\n", + principal ? principal : "")); + } + SAFE_FREE(realm); + } + + if (principal) { + rc = cli_session_setup_kerberos(cli, principal, domain); + if (ADS_ERR_OK(rc) || !cli->fallback_after_kerberos) { + SAFE_FREE(principal); + return rc; + } } } #endif @@ -1432,7 +1466,7 @@ NTSTATUS cli_connect(struct cli_state *cli, /* reasonable default hostname */ if (!host) { - host = "*SMBSERVER"; + host = star_smbserver_name; } fstrcpy(cli->desthost, host); @@ -1580,8 +1614,8 @@ again: *p = 0; goto again; } - if (strcmp(called.name, "*SMBSERVER")) { - make_nmb_name(&called , "*SMBSERVER", 0x20); + if (strcmp(called.name, star_smbserver_name)) { + make_nmb_name(&called , star_smbserver_name, 0x20); goto again; } return NT_STATUS_BAD_NETWORK_NAME; @@ -1706,7 +1740,7 @@ bool attempt_netbios_session_request(struct cli_state **ppcli, const char *srcho */ if(is_ipaddress(desthost)) { - make_nmb_name(&called, "*SMBSERVER", 0x20); + make_nmb_name(&called, star_smbserver_name, 0x20); } else { make_nmb_name(&called, desthost, 0x20); } @@ -1715,7 +1749,7 @@ bool attempt_netbios_session_request(struct cli_state **ppcli, const char *srcho NTSTATUS status; struct nmb_name smbservername; - make_nmb_name(&smbservername , "*SMBSERVER", 0x20); + make_nmb_name(&smbservername, star_smbserver_name, 0x20); /* * If the name wasn't *SMBSERVER then -- cgit From 5f1d36ce9abdb33ebb4f21c66c0885ea70097f6f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 19 Dec 2007 20:24:33 +0100 Subject: Fix debug messages When warning that "client plaintext auth" is not enabled where the server requested them we should not talk about "client use plaintext auth" (This used to be commit 7799e18994354b2705ee8c64ae8c75e062ace460) --- source3/libsmb/cliconnect.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 52ff69953e..d370808bba 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -959,8 +959,8 @@ NTSTATUS cli_session_setup(struct cli_state *cli, if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0 && !lp_client_plaintext_auth() && (*pass)) { - DEBUG(1, ("Server requested plaintext password but 'client use plaintext auth'" - " is disabled\n")); + DEBUG(1, ("Server requested plaintext password but " + "'client plaintext auth' is disabled\n")); return NT_STATUS_ACCESS_DENIED; } @@ -986,8 +986,8 @@ NTSTATUS cli_session_setup(struct cli_state *cli, if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) { if (!lp_client_plaintext_auth() && (*pass)) { - DEBUG(1, ("Server requested plaintext password but 'client use plaintext auth'" - " is disabled\n")); + DEBUG(1, ("Server requested plaintext password but " + "'client plaintext auth' is disabled\n")); return NT_STATUS_ACCESS_DENIED; } return cli_session_setup_plaintext(cli, user, pass, workgroup); @@ -1086,8 +1086,9 @@ bool cli_send_tconX(struct cli_state *cli, } else { if((cli->sec_mode & (NEGOTIATE_SECURITY_USER_LEVEL|NEGOTIATE_SECURITY_CHALLENGE_RESPONSE)) == 0) { if (!lp_client_plaintext_auth() && (*pass)) { - DEBUG(1, ("Server requested plaintext password but 'client use plaintext auth'" - " is disabled\n")); + DEBUG(1, ("Server requested plaintext " + "password but 'client plaintext " + "auth' is disabled\n")); return False; } @@ -1798,8 +1799,8 @@ NTSTATUS cli_raw_tcon(struct cli_state *cli, char *p; if (!lp_client_plaintext_auth() && (*pass)) { - DEBUG(1, ("Server requested plaintext password but 'client use plaintext auth'" - " is disabled\n")); + DEBUG(1, ("Server requested plaintext password but 'client " + "plaintext auth' is disabled\n")); return NT_STATUS_ACCESS_DENIED; } -- cgit From 574354a7ec76e85e0f5a1172de9e59ae5bc52d48 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 21 Dec 2007 13:40:11 +0100 Subject: Use ADS_IGNORE_PRINCIPAL define. Guenther (This used to be commit 763e13315fc71237b14a186810bc201e725648f5) --- source3/libsmb/cliconnect.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index d370808bba..33110c803f 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -863,8 +863,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, /* If we get a bad principal, try to guess it if we have a valid host NetBIOS name. */ - if (strequal(principal, - "not_defined_in_RFC4178@please_ignore")) { + if (strequal(principal, ADS_IGNORE_PRINCIPAL)) { SAFE_FREE(principal); } -- cgit From afc93255d183eefb68e45b8ec6275f6a62cf9795 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 26 Dec 2007 17:12:36 -0800 Subject: Add SMB encryption. Still fixing client decrypt but negotiation works. Jeremy. (This used to be commit d78045601af787731f0737b8627450018902b104) --- source3/libsmb/cliconnect.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 33110c803f..4560521d4a 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -98,7 +98,7 @@ static NTSTATUS cli_session_setup_lanman2(struct cli_state *cli, /* send a session setup command */ memset(cli->outbuf,'\0',smb_size); - set_message(cli->outbuf,10, 0, True); + cli_set_message(cli->outbuf,10, 0, True); SCVAL(cli->outbuf,smb_com,SMBsesssetupX); cli_setup_packet(cli); @@ -168,7 +168,7 @@ static NTSTATUS cli_session_setup_guest(struct cli_state *cli) uint32 capabilities = cli_session_setup_capabilities(cli); memset(cli->outbuf, '\0', smb_size); - set_message(cli->outbuf,13,0,True); + cli_set_message(cli->outbuf,13,0,True); SCVAL(cli->outbuf,smb_com,SMBsesssetupX); cli_setup_packet(cli); @@ -228,7 +228,7 @@ static NTSTATUS cli_session_setup_plaintext(struct cli_state *cli, fstr_sprintf( lanman, "Samba %s", SAMBA_VERSION_STRING); memset(cli->outbuf, '\0', smb_size); - set_message(cli->outbuf,13,0,True); + cli_set_message(cli->outbuf,13,0,True); SCVAL(cli->outbuf,smb_com,SMBsesssetupX); cli_setup_packet(cli); @@ -377,7 +377,7 @@ static NTSTATUS cli_session_setup_nt1(struct cli_state *cli, const char *user, /* send a session setup command */ memset(cli->outbuf,'\0',smb_size); - set_message(cli->outbuf,13,0,True); + cli_set_message(cli->outbuf,13,0,True); SCVAL(cli->outbuf,smb_com,SMBsesssetupX); cli_setup_packet(cli); @@ -457,7 +457,7 @@ static bool cli_session_setup_blob_send(struct cli_state *cli, DATA_BLOB blob) /* send a session setup command */ memset(cli->outbuf,'\0',smb_size); - set_message(cli->outbuf,12,0,True); + cli_set_message(cli->outbuf,12,0,True); SCVAL(cli->outbuf,smb_com,SMBsesssetupX); cli_setup_packet(cli); @@ -1028,7 +1028,7 @@ NTSTATUS cli_session_setup(struct cli_state *cli, bool cli_ulogoff(struct cli_state *cli) { memset(cli->outbuf,'\0',smb_size); - set_message(cli->outbuf,2,0,True); + cli_set_message(cli->outbuf,2,0,True); SCVAL(cli->outbuf,smb_com,SMBulogoffX); cli_setup_packet(cli); SSVAL(cli->outbuf,smb_vwv0,0xFF); @@ -1106,7 +1106,7 @@ bool cli_send_tconX(struct cli_state *cli, slprintf(fullshare, sizeof(fullshare)-1, "\\\\%s\\%s", cli->desthost, share); - set_message(cli->outbuf,4, 0, True); + cli_set_message(cli->outbuf,4, 0, True); SCVAL(cli->outbuf,smb_com,SMBtconX); cli_setup_packet(cli); @@ -1157,7 +1157,7 @@ bool cli_send_tconX(struct cli_state *cli, bool cli_tdis(struct cli_state *cli) { memset(cli->outbuf,'\0',smb_size); - set_message(cli->outbuf,0,0,True); + cli_set_message(cli->outbuf,0,0,True); SCVAL(cli->outbuf,smb_com,SMBtdis); SSVAL(cli->outbuf,smb_tid,cli->cnum); cli_setup_packet(cli); @@ -1189,7 +1189,7 @@ void cli_negprot_send(struct cli_state *cli) memset(cli->outbuf,'\0',smb_size); /* setup the protocol strings */ - set_message(cli->outbuf,0,0,True); + cli_set_message(cli->outbuf,0,0,True); p = smb_buf(cli->outbuf); for (numprots=0; @@ -1229,7 +1229,7 @@ bool cli_negprot(struct cli_state *cli) numprots++) plength += strlen(prots[numprots].name)+2; - set_message(cli->outbuf,0,plength,True); + cli_set_message(cli->outbuf,0,plength,True); p = smb_buf(cli->outbuf); for (numprots=0; @@ -1806,7 +1806,7 @@ NTSTATUS cli_raw_tcon(struct cli_state *cli, memset(cli->outbuf,'\0',smb_size); memset(cli->inbuf,'\0',smb_size); - set_message(cli->outbuf, 0, 0, True); + cli_set_message(cli->outbuf, 0, 0, True); SCVAL(cli->outbuf,smb_com,SMBtcon); cli_setup_packet(cli); -- cgit From cfe7b54e96d39d19ad6b28c0d7db380907171e21 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 17 Jan 2008 11:35:40 +0100 Subject: Fix Windows 2008 (Longhorn) join. During 'net ads join' the cli->desthost is a hostname (e.g. rupert.galaxy.site). Check if we have a hostname and use only the first part, the machine name, of the string. (This used to be commit 5f60ed4af680ba2811db8d9f8267348ce05f26d2) --- source3/libsmb/cliconnect.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 4560521d4a..de5813df6b 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -872,13 +872,26 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, !strequal(star_smbserver_name, cli->desthost)) { char *realm = NULL; + char *machine = NULL; + char *host = NULL; DEBUG(3,("cli_session_setup_spnego: got a " "bad server principal, trying to guess ...\n")); + host = strchr(cli->desthost, '.'); + if (host) { + machine = SMB_STRNDUP(cli->desthost, + host - cli->desthost); + } else { + machine = SMB_STRDUP(cli->desthost); + } + if (machine == NULL) { + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } + realm = kerberos_get_default_realm_from_ccache(); if (realm && *realm) { if (asprintf(&principal, "%s$@%s", - cli->desthost, realm) < 0) { + machine, realm) < 0) { SAFE_FREE(realm); return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); } @@ -886,6 +899,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, "server principal=%s\n", principal ? principal : "")); } + SAFE_FREE(machine); SAFE_FREE(realm); } -- cgit From fe8a8f47e0eefd064031e87fec4cdd2736716550 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 23 Jan 2008 15:00:40 -0800 Subject: Use strchr_m in seaching for '.' in the hostname to make sure we're mb safe. Jeremy. (This used to be commit 090061b73a1c086ff8a7797e1a63532eacd91148) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index de5813df6b..fd860ae7f0 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -877,7 +877,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, DEBUG(3,("cli_session_setup_spnego: got a " "bad server principal, trying to guess ...\n")); - host = strchr(cli->desthost, '.'); + host = strchr_m(cli->desthost, '.'); if (host) { machine = SMB_STRNDUP(cli->desthost, host - cli->desthost); -- cgit From ffc84a10447a1bd3329b874b9e1bd4c6e6c2ff66 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 23 Jan 2008 15:23:16 -0800 Subject: Don't leak memory in error path. Jeremy. (This used to be commit 2df0cdaafdced798f81e30d34371aa1d8e963208) --- source3/libsmb/cliconnect.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index fd860ae7f0..f3926b777b 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -892,6 +892,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, if (realm && *realm) { if (asprintf(&principal, "%s$@%s", machine, realm) < 0) { + SAFE_FREE(machine); SAFE_FREE(realm); return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); } -- cgit From b4dd60efa9d59dc70f0f0e58be6fa769c543d059 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 11 Feb 2008 18:36:06 +0100 Subject: Add a missing return If I'm not completely blind, we should return here. Not doing it here seems not to be a major flaw, as far as I can see we're only missing the error code. This might account for some of the very unhelpful NT_STATUS_UNSUCCESSFUL error messages people see during joins. All with stake in Samba client, please check! (This used to be commit eadd15c9363a57c214ede3c489057646baca48f8) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index f3926b777b..e97be98fc1 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -627,7 +627,7 @@ static ADS_STATUS cli_session_setup_kerberos(struct cli_state *cli, const char * if (!cli_session_setup_blob(cli, negTokenTarg, session_key_krb5)) { data_blob_free(&negTokenTarg); data_blob_free(&session_key_krb5); - ADS_ERROR_NT(cli_nt_error(cli)); + return ADS_ERROR_NT(cli_nt_error(cli)); } cli_set_session_key(cli, session_key_krb5); -- cgit From a5e43bc81711e25cb07224df5e64f0120d4ef500 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 23 Feb 2008 21:40:39 +0100 Subject: Fix typo (This used to be commit 621db68f32f7007de8b2c4d7cf604a5778725615) --- source3/libsmb/cliconnect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index e97be98fc1..d88a5d6242 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -581,8 +581,8 @@ static bool cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob, DATA_B if (cli_is_error(cli) && !NT_STATUS_EQUAL( cli_get_nt_error(cli), NT_STATUS_MORE_PROCESSING_REQUIRED)) { - DEBUG(0, ("cli_session_setup_blob: recieve failed (%s)\n", - nt_errstr(cli_get_nt_error(cli)) )); + DEBUG(0, ("cli_session_setup_blob: receive failed " + "(%s)\n", nt_errstr(cli_get_nt_error(cli)))); cli->vuid = 0; return False; } -- cgit From 4b5169f590425334d9ae3f2b7be2201e2e0b747e Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 12 Feb 2008 11:54:37 +0100 Subject: Add explicit buf arg to cli_encrypt_message and cli_calculate_sign_mac (This used to be commit db6ae9ed2326e6cd68475375d049084cf1d5a98c) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index d88a5d6242..9c27d30166 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -757,7 +757,7 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use /* 'resign' the last message, so we get the right sequence numbers for checking the first reply from the server */ - cli_calculate_sign_mac(cli); + cli_calculate_sign_mac(cli, cli->outbuf); if (!cli_check_sign_mac(cli)) { nt_status = NT_STATUS_ACCESS_DENIED; -- cgit From b9f7dd2909487f8e306774ee0475f8b20331a866 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 12 Feb 2008 23:16:37 +0100 Subject: Add explicit buf arg to cli_check_sign_mac (This used to be commit ffc1c8cc03e6bad40ed2be91392074b4f038a1bf) --- source3/libsmb/cliconnect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 9c27d30166..912b841d5e 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -759,7 +759,7 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use for checking the first reply from the server */ cli_calculate_sign_mac(cli, cli->outbuf); - if (!cli_check_sign_mac(cli)) { + if (!cli_check_sign_mac(cli, cli->inbuf)) { nt_status = NT_STATUS_ACCESS_DENIED; } } -- cgit From 5e86a172a567ca9a60d74d1076430fb5e70b27a6 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 12 Mar 2008 16:19:56 +0100 Subject: For convenience reasons, always create cli->srv_name_slash in the rpc_client. Guenther (This used to be commit 6363c383d6989d2dfb2ee488ffa7aeb128c5385b) --- source3/libsmb/cliconnect.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 912b841d5e..5e8a586cd0 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1485,6 +1485,7 @@ NTSTATUS cli_connect(struct cli_state *cli, } fstrcpy(cli->desthost, host); + fstr_sprintf(cli->srv_name_slash, "\\\\%s", cli->desthost); /* allow hostnames of the form NAME#xx and do a netbios lookup */ if ((p = strchr(cli->desthost, '#'))) { -- cgit From 69b23a39cde21989946fc9f44defec6d2302b5da Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 4 Apr 2008 01:44:43 +0200 Subject: Always uppercase cli->srv_name_slash. Not that I think it is of any importance... Guenther (This used to be commit 352f8440c74bc22416e21783e1dc5fecf5869902) --- source3/libsmb/cliconnect.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 5e8a586cd0..8bdc284693 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1486,6 +1486,7 @@ NTSTATUS cli_connect(struct cli_state *cli, fstrcpy(cli->desthost, host); fstr_sprintf(cli->srv_name_slash, "\\\\%s", cli->desthost); + strupper_m(cli->srv_name_slash); /* allow hostnames of the form NAME#xx and do a netbios lookup */ if ((p = strchr(cli->desthost, '#'))) { -- cgit From 1a64916775e8ef5081f1cf0627f15396b6457830 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 4 Apr 2008 15:28:14 -0700 Subject: When using plaintext ucs2 passwords clistr_push calls ucs2_align, which causes the space taken by the unicode password to be one byte too long (as we're on an odd byte boundary here). Reduce the count by 1 to cope with this. Fixes smbclient against NetApp servers which can't cope. Fix from bryan.kolodziej@allenlund.com in bug #3840. Jeremy. (This used to be commit 1e7e7d86a1ae1cd2c3cc3de9f36b7326ad249b82) --- source3/libsmb/cliconnect.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 8bdc284693..4573f39eb3 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -247,9 +247,16 @@ static NTSTATUS cli_session_setup_plaintext(struct cli_state *cli, p += clistr_push(cli, p, pass, -1, STR_TERMINATE); /* password */ SSVAL(cli->outbuf,smb_vwv7,PTR_DIFF(p, smb_buf(cli->outbuf))); } - else { + else { + /* For ucs2 passwords clistr_push calls ucs2_align, which causes + * the space taken by the unicode password to be one byte too + * long (as we're on an odd byte boundary here). Reduce the + * count by 1 to cope with this. Fixes smbclient against NetApp + * servers which can't cope. Fix from + * bryan.kolodziej@allenlund.com in bug #3840. + */ p += clistr_push(cli, p, pass, -1, STR_UNICODE|STR_TERMINATE); /* unicode password */ - SSVAL(cli->outbuf,smb_vwv8,PTR_DIFF(p, smb_buf(cli->outbuf))); + SSVAL(cli->outbuf,smb_vwv8,PTR_DIFF(p, smb_buf(cli->outbuf))-1); } p += clistr_push(cli, p, user, -1, STR_TERMINATE); /* username */ @@ -1033,7 +1040,6 @@ NTSTATUS cli_session_setup(struct cli_state *cli, } return NT_STATUS_OK; - } /**************************************************************************** -- cgit From aa41d74843dd6532c300da682472787759b6d82d Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 7 Apr 2008 10:18:36 +0200 Subject: Fix a misleading debug message (This used to be commit 494b32197f0872b115f0cd1a35421d00a89360a6) --- source3/libsmb/cliconnect.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 4573f39eb3..b76814e45f 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1093,8 +1093,9 @@ bool cli_send_tconX(struct cli_state *cli, if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) && *pass && passlen != 24) { if (!lp_client_lanman_auth()) { - DEBUG(1, ("Server requested LANMAN password (share-level security) but 'client use lanman auth'" - " is disabled\n")); + DEBUG(1, ("Server requested LANMAN password " + "(share-level security) but " + "'client lanman auth' is disabled\n")); return False; } -- cgit From e49200c1a2836bda4a86b034153365b8d9e99ce1 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 8 Apr 2008 14:10:48 +0200 Subject: Add CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS define. This allows to switch on the cli->fallback_after_kerberos switch. Guenther (This used to be commit 15ba45e567d910c1b2336dcc0c475e12b082f30f) --- source3/libsmb/cliconnect.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index b76814e45f..949bca747d 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1652,6 +1652,11 @@ again: else if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) cli->use_kerberos = True; + if ((flags & CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS) && + cli->use_kerberos) { + cli->fallback_after_kerberos = true; + } + if (!cli_negprot(cli)) { DEBUG(1,("failed negprot\n")); nt_status = cli_nt_error(cli); -- cgit From 9048cafbeaf82d1916de6538024fd660612dd25f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 19 Apr 2008 23:03:16 +0200 Subject: Move srv_name_slash from cli_state to rpc_pipe_client (This used to be commit a9061e52e1ff8e31aa480f4a30cda64c9d93214e) --- source3/libsmb/cliconnect.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 949bca747d..7d3d246da5 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1492,8 +1492,6 @@ NTSTATUS cli_connect(struct cli_state *cli, } fstrcpy(cli->desthost, host); - fstr_sprintf(cli->srv_name_slash, "\\\\%s", cli->desthost); - strupper_m(cli->srv_name_slash); /* allow hostnames of the form NAME#xx and do a netbios lookup */ if ((p = strchr(cli->desthost, '#'))) { -- cgit From 4d8836ab96889bcdc35e86bedffa6117f9c35095 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 5 May 2008 16:58:24 +0200 Subject: Fix client authentication with -P switch in client tools (Bug 5435). Guenther (This used to be commit d077ef64cd1d9bbaeb936566c2c70da508de829f) --- source3/libsmb/cliconnect.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 7d3d246da5..671f0e7bc5 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -795,6 +795,8 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, int i; bool got_kerberos_mechanism = False; DATA_BLOB blob; + const char *p = NULL; + char *account = NULL; DEBUG(3,("Doing spnego session setup (blob length=%lu)\n", (unsigned long)cli->secblob.length)); @@ -925,7 +927,17 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, ntlmssp: - return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, user, pass, domain)); + account = talloc_strdup(talloc_tos(), user); + ADS_ERROR_HAVE_NO_MEMORY(account); + + /* when falling back to ntlmssp while authenticating with a machine + * account strip off the realm - gd */ + + if ((p = strchr_m(user, '@')) != NULL) { + account[PTR_DIFF(p,user)] = '\0'; + } + + return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, account, pass, domain)); } /**************************************************************************** @@ -1867,12 +1879,18 @@ struct cli_state *get_ipc_connect(char *server, { struct cli_state *cli; NTSTATUS nt_status; + uint32_t flags = CLI_FULL_CONNECTION_ANONYMOUS_FALLBACK; + + if (user_info->use_kerberos) { + flags |= CLI_FULL_CONNECTION_USE_KERBEROS; + } nt_status = cli_full_connection(&cli, NULL, server, server_ss, 0, "IPC$", "IPC", user_info->username ? user_info->username : "", lp_workgroup(), user_info->password ? user_info->password : "", - CLI_FULL_CONNECTION_ANONYMOUS_FALLBACK, Undefined, NULL); + flags, + Undefined, NULL); if (NT_STATUS_IS_OK(nt_status)) { return cli; -- cgit From 611d79d0ed27a1762c40caeb12b383fd96a58511 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 6 May 2008 09:48:16 +0200 Subject: build: fix the build w/o ldap. Guenther (This used to be commit a159ec5f1f3ec8e9232b8f3230a996a3f9986bc1) --- source3/libsmb/cliconnect.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 671f0e7bc5..751f10bc53 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -928,7 +928,9 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, ntlmssp: account = talloc_strdup(talloc_tos(), user); - ADS_ERROR_HAVE_NO_MEMORY(account); + if (!account) { + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } /* when falling back to ntlmssp while authenticating with a machine * account strip off the realm - gd */ -- cgit From 4d2f71e53f5a6cdc5b84a0eeab5822a7f8ca48b9 Mon Sep 17 00:00:00 2001 From: "Gerald W. Carter" Date: Fri, 23 May 2008 16:01:45 -0500 Subject: Manually merge Steven Danneman's patch for SPNEGO auth to a trusted Win2008 domain (merged from v3-0-test). commit 8dc4e979776aae0ecaa74b51dc1eac78a7631405 Author: Steven Danneman Date: Wed May 7 13:34:26 2008 -0700 spnego SPN fix when contacting trusted domains cli_session_setup_spnego() was not taking into consideration the situation where we're connecting to a trusted domain, specifically one (like W2K8) which doesn't return a SPN in the NegTokenInit. This caused two problems: 1) When guessing the SPN using kerberos_get_default_realm_from_ccache() we were always using our default realm, not the realm of the domain we're connecting to. 2) When falling back on NTLMSSP for authentication we were passing the name of the domain we're connecting to for use in our credentials when we should be passing our own workgroup name. The fix for both was to split the single "domain" parameter into "user_domain" and "dest_realm" parameters. We use the "user_domain" parameter to pass into the NTLM call, and we used "dest_realm" to create an SPN if none was returned in the NegTokenInit2 packet. If no "dest_realm" is provided we assume we're connecting to our own domain and use the credentials cache to build the SPN. Since we have a reasonable guess at the SPN, I removed the check that defaults us directly to NTLM when negHint is empty. (This used to be commit b78b14c88e8354aadf9ba7644bdb1c29245fe419) --- source3/libsmb/cliconnect.c | 41 +++++++++++++++++++++-------------------- 1 file changed, 21 insertions(+), 20 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 751f10bc53..134c3c8a1d 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -785,12 +785,16 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use /**************************************************************************** Do a spnego encrypted session setup. + + user_domain: The shortname of the domain the user/machine is a member of. + dest_realm: The realm we're connecting to, if NULL we use our default realm. ****************************************************************************/ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, - const char *pass, const char *domain) + const char *pass, const char *user_domain, + const char * dest_realm) { - char *principal; + char *principal = NULL; char *OIDs[ASN1_MAX_OIDS]; int i; bool got_kerberos_mechanism = False; @@ -813,8 +817,10 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, /* there is 16 bytes of GUID before the real spnego packet starts */ blob = data_blob(cli->secblob.data+16, cli->secblob.length-16); - /* the server sent us the first part of the SPNEGO exchange in the negprot - reply */ + /* The server sent us the first part of the SPNEGO exchange in the + * negprot reply. It is WRONG to depend on the principal sent in the + * negprot reply, but right now we do it. If we don't receive one, + * we try to best guess, then fall back to NTLM. */ if (!spnego_parse_negTokenInit(blob, OIDs, &principal)) { data_blob_free(&blob); return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); @@ -833,18 +839,6 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, DEBUG(3,("got principal=%s\n", principal ? principal : "")); - if (got_kerberos_mechanism && (principal == NULL)) { - /* - * It is WRONG to depend on the principal sent in the negprot - * reply, but right now we do it. So for safety (don't - * segfault later) disable Kerberos when no principal was - * sent. -- VL - */ - DEBUG(1, ("Kerberos mech was offered, but no principal was " - "sent, disabling Kerberos\n")); - cli->use_kerberos = False; - } - fstrcpy(cli->user_name, user); #ifdef HAVE_KRB5 @@ -897,7 +891,12 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); } - realm = kerberos_get_default_realm_from_ccache(); + if (dest_realm) { + realm = SMB_STRDUP(dest_realm); + strupper_m(realm); + } else { + realm = kerberos_get_default_realm_from_ccache(); + } if (realm && *realm) { if (asprintf(&principal, "%s$@%s", machine, realm) < 0) { @@ -914,7 +913,8 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, } if (principal) { - rc = cli_session_setup_kerberos(cli, principal, domain); + rc = cli_session_setup_kerberos(cli, principal, + dest_realm); if (ADS_ERR_OK(rc) || !cli->fallback_after_kerberos) { SAFE_FREE(principal); return rc; @@ -939,7 +939,7 @@ ntlmssp: account[PTR_DIFF(p,user)] = '\0'; } - return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, account, pass, domain)); + return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, account, pass, user_domain)); } /**************************************************************************** @@ -1031,7 +1031,8 @@ NTSTATUS cli_session_setup(struct cli_state *cli, /* if the server supports extended security then use SPNEGO */ if (cli->capabilities & CAP_EXTENDED_SECURITY) { - ADS_STATUS status = cli_session_setup_spnego(cli, user, pass, workgroup); + ADS_STATUS status = cli_session_setup_spnego(cli, user, pass, + workgroup, NULL); if (!ADS_ERR_OK(status)) { DEBUG(3, ("SPNEGO login failed: %s\n", ads_errstr(status))); return ads_ntstatus(status); -- cgit From 1c0a9759b92c92636f83f965950acc12b07b1eed Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 2 Jun 2008 18:37:16 -0700 Subject: Fix bug reported by David Eisner . When allocating cli buffers for large read/write - make sure we take account of the large read/write SMB headers as well as the buffer space. Jeremy. (This used to be commit 19519bca9b64b736d2fe0447b7cd495f00dba60a) --- source3/libsmb/cliconnect.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 134c3c8a1d..4285753e20 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1353,9 +1353,9 @@ bool cli_negprot(struct cli_state *cli) if (cli->capabilities & (CAP_LARGE_READX|CAP_LARGE_WRITEX)) { SAFE_FREE(cli->outbuf); SAFE_FREE(cli->inbuf); - cli->outbuf = (char *)SMB_MALLOC(CLI_SAMBA_MAX_LARGE_READX_SIZE+SAFETY_MARGIN); - cli->inbuf = (char *)SMB_MALLOC(CLI_SAMBA_MAX_LARGE_READX_SIZE+SAFETY_MARGIN); - cli->bufsize = CLI_SAMBA_MAX_LARGE_READX_SIZE; + cli->outbuf = (char *)SMB_MALLOC(CLI_SAMBA_MAX_LARGE_READX_SIZE+LARGE_WRITEX_HDR_SIZE+SAFETY_MARGIN); + cli->inbuf = (char *)SMB_MALLOC(CLI_SAMBA_MAX_LARGE_READX_SIZE+LARGE_WRITEX_HDR_SIZE+SAFETY_MARGIN); + cli->bufsize = CLI_SAMBA_MAX_LARGE_READX_SIZE + LARGE_WRITEX_HDR_SIZE; } } else if (cli->protocol >= PROTOCOL_LANMAN1) { -- cgit From 617bf10c66f45b6ed83d7f5441586606261e0560 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 7 Aug 2008 17:55:57 -0700 Subject: Fix bug #5675 with a varient of Tim Waugh's patch, as proposed by James Peach. Jeremy. (This used to be commit 5c27ad75836136c39774c9456d63f46fa62e281f) --- source3/libsmb/cliconnect.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/cliconnect.c') diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 4285753e20..8ef14d7973 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -797,7 +797,6 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, char *principal = NULL; char *OIDs[ASN1_MAX_OIDS]; int i; - bool got_kerberos_mechanism = False; DATA_BLOB blob; const char *p = NULL; char *account = NULL; @@ -832,7 +831,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, DEBUG(3,("got OID=%s\n", OIDs[i])); if (strcmp(OIDs[i], OID_KERBEROS5_OLD) == 0 || strcmp(OIDs[i], OID_KERBEROS5) == 0) { - got_kerberos_mechanism = True; + cli->got_kerberos_mechanism = True; } free(OIDs[i]); } @@ -845,7 +844,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, /* If password is set we reauthenticate to kerberos server * and do not store results */ - if (got_kerberos_mechanism && cli->use_kerberos) { + if (cli->got_kerberos_mechanism && cli->use_kerberos) { ADS_STATUS rc; if (pass && *pass) { -- cgit