path: root/source/libsmb/cliconnect.c
Commit message | Author | Age | Files | Lines
* this fixes plaintext passwords with win2000 | Andrew Tridgell | 2002-07-30 | 1 | -3/+2
  there were 2 bugs:
  1) we were sending a null challenge when we should have sent an empty challenge
  2) the password can be in unicode if unicode is negotiated. This means our client code was wrong too :(
* Mimir has been busy with patches again, and sent in the following | Andrew Bartlett | 2002-07-26 | 1 | -3/+2
  patches:
  Andrew Bartlett
  From his e-mail:
  Below I attach the following patches as a result of my work on trusted domains support:
  1) srv_samr_nt.c.diff
     This fixes a bug which caused to return null string as the first entry of enumerated accounts list (no matter what entry, it was always null string and rid) and possibly spoiled further names, depending on their length. I found that while testing my 'net rpc trustdom list' against nt servers and samba server.
  2) libsmb.diff
     Now, fallback to anonymous connection works correctly.
  3) smbpasswd.c.diff
     Just a little fix which actually allows one to create a trusting domain account using smbpasswd
  4) typos.diff
     As the name suggests, it's just a few typos fix :)
* fixed a segv in net time when the host is unavailable | Andrew Tridgell | 2002-07-22 | 1 | -1/+1
* Try to fix up warnings - particularly on the IRIX 64 bit compiler (which had a | Andrew Bartlett | 2002-07-20 | 1 | -8/+20
  distinction between uchar and char). Lots of const etc.
  Andrew Bartlett
* Fix up char/uchar casts etc. Fix up comments on some of the password hash | Andrew Bartlett | 2002-07-20 | 1 | -8/+5
  wrappers.
  Andrew Bartlett
* checking for NULL really is counter-productive, and this one was also | Andrew Tridgell | 2002-07-15 | 1 | -5/+0
  generating a warning
* The 17-bit length field in the header contains the number of | Christopher R. Hertel | 2002-07-01 | 1 | -1/+8
  bytes which follow the header, not the full packet size.

  [Yes, the length field is either 17-bits, or (per the RFCs) it is a 16-bit length field preceded by an 8-bit flags field of which only the low-order bit may be used. If that bit is set, then add 65536 to the 16-bit length field. (In other words, it's a 17-bit unsigned length field.) ...unless, of course, the transport is native TCP [port 445] in which case the length field *might* be 24-bits wide.]

  Anyway, the change is a very minor one. We were including the four bytes of the header in the length count and, as a result, sending four bytes of garbage at the end of the SESSION REQUEST packet.

  Small fix in function cli_session_request().
* reverted some bogus test code that jeremy accidentally committed | Andrew Tridgell | 2002-06-26 | 1 | -8/+0
* Update cli_full_connection() to take a 'flags' parameter, and try to get a | Andrew Bartlett | 2002-06-25 | 1 | -15/+26
  few more places to use it.
  Andrew Bartlett
* Don't use uint. It doesn't exist on some platforms and we don't define it. | Jeremy Allison | 2002-06-21 | 1 | -0/+8
  Replaced with "unsigned int".
  Jeremy.
* Two things: Check how many parameters that the LDAP libs take for the | Andrew Bartlett | 2002-06-16 | 1 | -5/+6
  rebind proc (some give an extra parameter to pass a void* parameter) and some small changes for the SMB signing code to reset things when the signing starts, and to 'turn off' signing if the session setup failed.
  Andrew Bartlett
* Fix up some of the SMB signing code: | Andrew Bartlett | 2002-06-16 | 1 | -17/+24
  The problem was that *all* packets were being signed, even packets before signing was set up. (This broke the session request).

  This fixes it to be an 'opt in' measure - that is, we only attempt to sign things after we have got a valid, non-guest session setup as per the CIFS spec.

  I've not tested this against an MS server, because my VMware is down, but at least it doesn't break the build farm any more.
  Andrew Bartlett
* Ok, now I can try my first client test... | Jeremy Allison | 2002-06-14 | 1 | -8/+21
  Jeremy.
* A couple of updates for the SmbEncrypt code, and some of its users. | Andrew Bartlett | 2002-06-07 | 1 | -13/+31
  (const, takes unix string as arg)

  Also update cli_full_connection to take NULL pointers as 'undefined' correctly, and therefore do its own lookup etc. This is what was intended, but previously you needed to supply a 0.0.0.0 IP address.
  Andrew Bartlett
* More cleanup work preparing for SMB signing. | Jeremy Allison | 2002-06-01 | 1 | -88/+104
  Jeremy.
* Update some of the LM hash code to better respect the separation between | Andrew Bartlett | 2002-05-25 | 1 | -13/+14
  unix and DOS strings. This pushes all the 'have to uppercase, must be 14 chars' stuff behind the interface.
  Andrew Bartlett
* Clean up a few unused functions, add a bit of static etc. | Andrew Bartlett | 2002-05-25 | 1 | -1/+2
  Importantly: The removal of the silly 'delete user script' behaviour when security=domain. I have left the name the same - as it still does the (previously documented, but not in smb.conf(5)) sane behaviour of deleting users on request.

  When we decide what to do with the 'add user' functionality, we might rename it.
  Andrew Bartlett
* Remove the password length parameter from cli_full_connection - it really | Andrew Bartlett | 2002-05-24 | 1 | -5/+6
  didn't make any sense, and it was always just strlen(password) anyway. This fixes it to be strlen(password)+1
  Andrew Bartlett
* Given Jeremy's positive response, and a lack of one from tpot, I'll commit | Andrew Bartlett | 2002-05-23 | 1 | -147/+1
  this:

  More code cleanup - this lot a bit more dodgy than the last:

  The aim is to trim pwd_cache down to size. It's overly complex, and a pain to deal with. With a header comment like this: 'obfusticaion is planned' I think it deserved to die (at least partly).

  This was being done to allow 'cli_establish_connection' to die - its functionality has been replaced by cli_full_connection(), which does not duplicate code everywhere for creating names etc.

  This also removes the little 'init' functions for the various pipes, because they were only used in one place, and even then it was dodgy. (I've reworked smbcacls not to use anonymous connections any more, as this will (should) fail with a 'restrict anonymous' PDC).

  This allowed me to remove cli_pipe_util.c, which was calling cli_establish_connection.

  tpot: I'm not sure what direction you were going with the client stuff, and you may well have been wanting the init functions. If that's the case, give me a yell and I'll reimplement them against cli_full_connection.
  Andrew Bartlett
* This removes --with-ssl from Samba. | Andrew Bartlett | 2002-05-17 | 1 | -13/+0
  This option was badly maintained, useless and confused our users and distributors. (it's SSL, therefore it must be good...)

  No windows client uses this protocol without help from an SSL tunnel.

  I can't see any reason why setting up a unix-side SSL wrapper would be any more difficult than the > 10 config options this mess added to samba in any case.

  On the Samba client end, I think the LIBSMB_PROG hack should be sufficient to start stunnel on the unix side. We might extend this to take %i and %p (IP and port) if there is demand.
  Andrew Bartlett
* better handling of DOS LANMAN2.1 protocol | Andrew Tridgell | 2002-04-15 | 1 | -4/+18
* Always pass NT password as well as Lanman. | Jeremy Allison | 2002-04-06 | 1 | -1/+1
  Jeremy.
* Removed duplicate \n from debug message. | Tim Potter | 2002-03-06 | 1 | -21/+13
  Small tidyups.
* Removed version number from file header. | Tim Potter | 2002-01-30 | 1 | -2/+1
  Changed "SMB/Netbios" to "SMB/CIFS" in file header.
* Fix a couple of memory leaks in the cli_establish_connection() code's failure | Andrew Bartlett | 2002-01-20 | 1 | -0/+2
  case.
  Thanks to Nigel Williams <nigel@wednesday.demon.co.uk> for spotting these!
  Andrew Bartlett
* Same fix as went into 2.2 (I'm waiting for jerry to finish some code). | Jeremy Allison | 2002-01-11 | 1 | -18/+18
  Jeremy.
* fixed a crash bug in domain auth caused by an uninitialised nt_status | Andrew Tridgell | 2002-01-11 | 1 | -0/+2
* Fix up 'net ads join' to delete and rejoin if the account already exists. | Andrew Bartlett | 2002-01-11 | 1 | -1/+1
  This fixes up a problem where a machine would join (or downgrade by trust password change) to NT4 membership and not be able to regain full ADS membership until a 'net ads leave'.
  Andrew Bartlett
* Check for winbind separator in user name for cli_session_setup() | Tim Potter | 2002-01-06 | 1 | -1/+2
  Patch from Alexander Bokovoy <a.bokovoy@sam-solutions.net>
* Ensure the output cli can't have spurious values if the connection fails... | Andrew Bartlett | 2001-12-31 | 1 | -1/+7
* - handle kerberos session setup reply with broken null termination | Andrew Tridgell | 2001-12-21 | 1 | -4/+5
  - don't display Domain=[] for auth protocols that don't give us a domain
* try to handle end of packet for not null terminated domain strings | Andrew Tridgell | 2001-12-21 | 1 | -1/+3
* handle a NULL hostname in cli_connect() | Andrew Tridgell | 2001-12-11 | 1 | -0/+3
* detect attempts to connect to names of the type NAME#xx and do a | Andrew Tridgell | 2001-12-11 | 1 | -1/+11
  netbios lookup for name NAME with node type xx.
  This affects all our client progs. Very useful :)
* when using non-encrypted password ignore the ntpass variable to | Andrew Tridgell | 2001-12-04 | 1 | -2/+2
  session setup
* This change reworks the connection code for both rpcclient and net new | Andrew Bartlett | 2001-12-03 | 1 | -1/+113
  'net' utility. This should make it easier to port rpcclient code across to net.

  It also allows SPNEGO (the NTLMSSP subsystem in particular) to work, because it kills off the early destruction of the clear-text password.
  Andrew Bartlett
* fixed some krb5 ifdefs | Andrew Tridgell | 2001-11-28 | 1 | -2/+2
* fixed a core dump in server level security | Andrew Tridgell | 2001-11-28 | 1 | -2/+4
* fix a bunch of places where we can double-free a cli structure | Andrew Tridgell | 2001-11-28 | 1 | -4/+4
* Got medieval on another pointless extern. Removed extern struct ipzero | Tim Potter | 2001-11-26 | 1 | -2/+1
  and replaced with two functions:
    void zero_ip(struct in_addr *ip);
    BOOL is_zero_ip(struct in_addr ip);
* use DEBUG() not d_printf() in libraries | Andrew Tridgell | 2001-11-26 | 1 | -2/+2
* Add a new torture test to extract a NT->DOS error map from an NT member of a | Andrew Bartlett | 2001-11-25 | 1 | -4/+1
  samba domain.
  The PDC must be running a special authentication module that spits out NT errors based on username.
  Andrew Bartlett
* This is another rather major change to the samba authentication | Andrew Bartlett | 2001-11-24 | 1 | -1/+1
  subsystem.

  The particular aim is to modularize the interface - so that we can have arbitrary password back-ends.

  This code adds one such back-end, a 'winbind' module to authenticate against the winbind_auth_crap functionality. While fully-functional this code is mainly useful as a demonstration, because we don't get back the info3 as we would for direct ntdomain authentication.

  This commit introduced the new 'auth methods' parameter, in the spirit of the 'auth order' discussed on the lists. It is renamed because not all the methods may be consulted, even if previous methods fail - they may not have a suitable challenge for example.

  Also, we have a 'local' authentication method, for old-style 'unix if plaintext, sam if encrypted' authentication and a 'guest' module to handle guest logins in a single place.

  While this current design is not ideal, I feel that it does provide a better infrastructure than the current design, and can be built upon.

  The following parameters have changed:
  - use rhosts =
    This has been replaced by the 'rhosts' authentication method, and can be specified like 'auth methods = guest rhosts'
  - hosts equiv =
    This needs both this parameter and an 'auth methods' entry to be effective. (auth methods = guest hostsequiv ....)
  - plaintext to smbpasswd =
    This is replaced by specifying 'sam' rather than 'local' in the auth methods.

  The security = parameter is unchanged, and now provides defaults for the 'auth methods' parameter.

  The available auth methods are:
    guest
    rhosts
    hostsequiv
    sam (passdb direct hash access)
    unix (PAM, crypt() etc)
    local (the combination of the above, based on encryption)
    smbserver (old security=server)
    ntdomain (old security=domain)
    winbind (use winbind to cache DC connections)

  Assistance in testing, or the production of new and interesting authentication modules is always appreciated.
  Andrew Bartlett
* - make sure we use a non-zero session id so we can have multiple conns | Andrew Tridgell | 2001-11-20 | 1 | -8/+4
    open to w2k
  - fix the string handling in the device name to match NT and smbd
  - don't pull the domain from negprot if CAP_EXTENDED_SECURITY is set
* Removed the "reestablish" code. Tridge - scream if this was needed.... | Jeremy Allison | 2001-11-14 | 1 | -51/+0
  Jeremy.
* free the negTokenInit structure | Andrew Tridgell | 2001-11-05 | 1 | -0/+2
* merge from 2.2. Why is STR_CONVERT missing when comparing | Gerald Carter | 2001-11-05 | 1 | -1/+1
  2.2 to HEAD?
* This patch applied, except without the structure changes to nmblib.c | Andrew Bartlett | 2001-10-29 | 1 | -1/+1
  Andrew Bartlett.

  From kai@cmail.ru Mon Oct 29 18:50:42 2001
  Date: Fri, 19 Oct 2001 17:26:06 +0300
  From: Andrew V. Samoilov <kai@cmail.ru>
  To: samba-technical@lists.samba.org
  Subject: [patch]: makes some arrays const to be shared between processes

  Hi!

  This patch makes some arrays const. So these arrays go to text/rodata segment and are shared between all of the processes which use shared library with these arrays.

  Regards,
  Andrew V. Samoilov.

  P.S. Please cc your answer to kai@cmail.ru, I'm not subscribed to this list.

  ChangeLog:
  * cliconnect.c (prots): Make const.
  * clierror.c (rap_errmap): Likewise.
  * nmblib.c (nmb_header_opcode_names): Likewise.
    (lookup_opcode_name): Make opcode_namep const. Eliminate i.
  * nterr.c (nt_err_code_struct): Typedef const.
  * smberr.c (err_code_struct): Make const.
    (err_classes): Likewise.
* more compiler warnings | Herb Lewis | 2001-10-23 | 1 | -2/+2
* a quick fix to get rpcclient working again. This just disables | Andrew Tridgell | 2001-10-22 | 1 | -0/+4
  NTLMSSP in cli_establish_connection()

  What we really need to do is kill off the pwd_cache code. It is horrible, and assumes the challenge comes in the negprot reply.