path: root/source/libsmb/clispnego.c
Commit log (each entry: commit message; author, date, files changed, lines -removed/+added)

* Fix Kerberos interop with Mac OS X 10.5 clients.
  Bill Ricker, 2008-04-07, 1 file, -0/+12
  Ignore optional req_flags. Use the Kerberos mechanism OID negotiated with the client rather than hardcoding OID_KERBEROS5_OLD.

* Allow the mechOID to be written separately.
  Jeremy Allison, 2008-02-14, 1 file, -2/+4
  Jeremy.

* RIP BOOL. Convert BOOL -> bool.
  Jeremy Allison, 2007-10-18, 1 file, -9/+9
  I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy.

* r25407: Revert Longhorn join patch as it is not correct for the 3.2 tree.
  Gerald Carter, 2007-10-10, 1 file, -19/+0
  The translate_name() used by cli_session_setup_spnego() cannot rely on Winbindd since it is needed by the join process (and hence before Winbind can be run).

* r25400: Windows 2008 (Longhorn) Interop fixes for AD specific auth2 flags, and client fixes.
  Gerald Carter, 2007-10-10, 1 file, -0/+19
  Patch from Todd Stetcher <todd.stetcher@isilon.com>.

* r25227: Patch from "Steven Danneman" <steven.danneman@isilon.com>:
  Stefan Metzmacher, 2007-10-10, 1 file, -0/+14
  - We ran across a bug joining our Samba server to a Win2K domain with LDAP signing turned on. Upon investigation I discovered that there is a bug in Win2K server which returns a duplicated responseToken in the LDAP bindResponse packet. This blob is placed in the optional mechListMIC field which is unsupported in both Win2K and Win2K3. You can see RFC 2478 for the proper packet construction. I've worked with metze on this to confirm all these findings. This patch properly parses then discards the mechListMIC field if it exists in the packet, so we don't produce a malformed packet error, causing LDAP signed joins to fail. Also attached is a sniff of the domain join, exposing Win2K's bad behavior (packet 21).
  - (I've just changed the scope of the DATA_BLOB mechList)
  metze

* r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text
  Andrew Tridgell, 2007-10-10, 1 file, -2/+1

* r23779: Change from v2 or later to v3 or later.
  Jeremy Allison, 2007-10-10, 1 file, -1/+1
  Jeremy.

* r22844: Introduce const DATA_BLOB data_blob_null = { NULL, 0, NULL }; and replace all data_blob(NULL, 0) calls.
  Volker Lendecke, 2007-10-10, 1 file, -1/+1

* r22093: send also the correct OID_KERBEROS5 not only the broken OID_KERBEROS_OLD one.
  Stefan Metzmacher, 2007-10-10, 1 file, -1/+1
  metze

* r22092:
  Stefan Metzmacher, 2007-10-10, 1 file, -8/+15
  - make spnego_parse_auth_response() more generic and not specific for NTLMSSP
  - it's possible that the server sends a mechOID and authdata if negResult != SPNEGO_NEG_RESULT_INCOMPLETE, but we still force the mechOID to be present if negResult == SPNEGO_NEG_RESULT_INCOMPLETE
  metze

* r21240: Fix longstanding Bug #4009.
  Günther Deschner, 2007-10-10, 1 file, -2/+4
  For the winbind cached ADS LDAP connection handling (ads_cached_connection()) we were (incorrectly) assuming that the service ticket lifetime equaled the tgt lifetime. For setups where the service ticket just lives 10 minutes, we were leaving hundreds of LDAP connections in CLOSE_WAIT state, until we fail to service entirely with "Too many open files".
  Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP connection after the ads_do_search_retry() has failed to submit the search request (although the bind succeeded (returning an expired service ticket that we cannot delete from the memory cred cache - this will get fixed later)).
  Guenther

* r19041: Make us connect to Vista RC1. Apparently metze had done the same patch some weeks ago.
  Volker Lendecke, 2007-10-10, 1 file, -7/+10
  We have some work before us, when in AD mode Vista sends "not_defined_in_RFC4178@please_ignore" as the principal..... Volker

* r19037: Fix a segfault
  Volker Lendecke, 2007-10-10, 1 file, -1/+1

* r16306: Error handling in this asn1 code *sucks*. Fix a generic class of memory leak bugs on error found by Klocwork (#123).
  Jeremy Allison, 2007-10-10, 1 file, -3/+24
  Many of these functions didn't free allocated memory on error exit. Jeremy.

* r16156: Fix storing NULL in the wrong place. Klocwork ids 127 and 128.
  Volker Lendecke, 2007-10-10, 1 file, -2/+2
  Volker

* r13316: Let the carnage begin....
  Gerald Carter, 2007-10-10, 1 file, -1/+1
  Sync with trunk as of r13315

* r12476: Apply some const
  Volker Lendecke, 2007-10-10, 1 file, -1/+1

* r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box.
  Jeremy Allison, 2007-10-10, 1 file, -1/+1
  Jeremy.

* r10656: BIG merge from trunk. Features not copied over:
  Gerald Carter, 2007-10-10, 1 file, -2/+3
  - \PIPE\unixinfo
  - winbindd's {group,alias}membership new functions
  - winbindd's lookupsids() functionality
  - swat (trunk changes to be reverted as per discussion with Deryck)

* r7139: trying to reduce the number of diffs between trunk and 3.0; changing version to 3.0.20pre1
  Gerald Carter, 2007-10-10, 1 file, -2/+1

* r6149: Fixes bugs #2498 and 2484.
  Derrell Lipman, 2007-10-10, 1 file, -1/+2
  1. using smbc_getxattr() et al, one may now request all access control entities in the ACL without getting all other NT attributes.
  2. added the ability to exclude specified attributes from the result set provided by smbc_getxattr() et al, when requesting all attributes, all NT attributes, or all DOS attributes.
  3. eliminated all compiler warnings, including when --enable-developer compiler flags are in use. removed -Wcast-qual flag from list, as that is specifically to force warnings in the case of casting away qualifiers.
  Note: In the process of eliminating compiler warnings, a few nasties were discovered. In the file libads/sasl.c, PRIVATE kerberos interfaces are being used; and in libsmb/clikrb5.c, both PRIVATE and DEPRECATED kerberos interfaces are being used. Someone who knows kerberos should look at these and determine if there is an alternate method of accomplishing the task.

* r1240: Ensure we don't shadow Heimdal globals.
  Jeremy Allison, 2007-10-10, 1 file, -6/+6
  Jeremy.

* This merges in my 'always use ADS' patch.
  Andrew Bartlett, 2004-01-08, 1 file, -7/+10
  Tested on a mix of NT and ADS domains, this patch ensures that we always use the ADS backend when security=ADS, and the remote server is capable. The routines used for this behaviour have been upgraded to modern Samba coding standards.
  This is a change in behaviour for mixed mode domains, and if the trusted domain cannot be reached with our current krb5.conf file, we will show that domain as disconnected. This is in line with existing behaviour for native mode domains, and for our primary domain.
  As a consequence of testing this patch, I found that our kerberos error handling was well below par - we would often throw away useful error values. These changes move more routines to ADS_STATUS to return kerberos errors.
  Also found when valgrinding the setup, fix a few memory leaks.
  While sniffing the resultant connections, I noticed we would query our list of trusted domains twice - so I have reworked some of the code to avoid that.
  Andrew Bartlett

* Changes all over the shop, but all towards:
  Andrew Bartlett, 2003-11-22, 1 file, -1/+1
  - NTLM2 support in the server
  - KEY_EXCH support in the server
  - variable length session keys.
  In detail:
  - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). This is known as 'NTLMv2 session security'. (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particularly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challenge' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this.
  - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly.
  - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend.
  - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
  - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever.
  - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. This fix allows SMB signing on machines not yet running MIT KRB5 1.3.1.
  - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues.
  - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate)
  REMEMBER to make clean after this commit - I have changed plenty of data structures...

* Don't wrap up anything that is not there.
  Volker Lendecke, 2003-08-13, 1 file, -0/+3
  Otherwise upper layers cannot figure out that we got no ticket. Volker

* Update my copyrights according to my agreement with IBM
  Jim McDonough, 2003-08-01, 1 file, -1/+1

* W00t! Client smb signing is now working correctly with krb5 and w2k server.
  Jeremy Allison, 2003-07-25, 1 file, -3/+3
  Server code *should* also work (I'll check shortly). May be the odd memory leak. Problem was we (a) weren't setting signing on in the client krb5 sessionsetup code (b) we need to ask for a subkey... (c). The client and server need to ask for local and remote subkeys respectively. Thanks to Paul Nelson @ Thursby for some sage advice on this :-). Jeremy.

* More on bug 137: rename more of krb5_xxx functions to not start with krb5_
  Jim McDonough, 2003-05-30, 1 file, -1/+1

* Merge from HEAD - sync up SessionSetup code to HEAD, including Luke Howard's session key and auth verifier patches.
  Andrew Bartlett, 2003-03-17, 1 file, -13/+16
  Andrew Bartlett

* Merge from HEAD client-side authentication changes:
  Andrew Bartlett, 2003-02-24, 1 file, -284/+37
  - new kerberos code, allowing the account to change its own password without special SD settings required
  - NTLMSSP client code, now separated from cliconnect.c
  - NTLMv2 client code
  - SMB signing fixes
  Andrew Bartlett

* Merge minor library fixes from HEAD to 3.0.
  Andrew Bartlett, 2003-02-19, 1 file, -7/+8
  - setenv() replacement
  - mimir's ASN1/SPNEGO typo fixes
  - (size_t)-1 fixes for push_* returns
  - function argument signed/unsigned correction
  - ASN1 error handling (ensure we don't use uninitialised data)
  - extra net ads join error checking
  - allow 'set security descriptor' to fail
  - escape ldap strings in libads.
  - getgrouplist() correctness fixes (include primary gid)
  Andrew Bartlett

* Merge from HEAD:
  Andrew Bartlett, 2003-01-28, 1 file, -60/+64
  - NTLMSSP over SPNEGO (session-setup-and-x) cleanup and code refactor.
  - also consequential changes to the NTLMSSP and SPNEGO parsing functions
  - and the client code that uses the same functions
  - Add ntlm_auth, a NTLMSSP authentication interface for use by applications like Squid and Apache.
  - also consequential changes to use common code for base64 encode/decode.
  - Winbind changes to support ntlm_auth (I don't want this program to need to read smb.conf, instead getting all its details over the pipe).
  - nmbd changes for fstrcat() instead of fstrcpy().
  Andrew Bartlett

* sync'ing up for 3.0alpha20 release
  Gerald Carter, 2002-09-25, 1 file, -22/+70

* sync 3.0 branch with head
  Jelmer Vernooij, 2002-08-17, 1 file, -0/+61

* updated the 3.0 branch from the head branch - ready for alpha18
  Andrew Tridgell, 2002-07-15, 1 file, -1/+42

* Try not to malloc -1 bytes (apx 4GB) when the data is already in error.
  Andrew Bartlett, 2002-02-15, 1 file, -2/+12
  Andrew Bartlett

* Removed version number from file header.
  Tim Potter, 2002-01-30, 1 file, -2/+1
  Changed "SMB/Netbios" to "SMB/CIFS" in file header.

* simple fix for creating blank data blobs
  Andrew Tridgell, 2002-01-05, 1 file, -3/+1

* added internal sasl/gssapi code. This means we are no longer dependent on cyrus-sasl which makes the code much less fragile.
  Andrew Tridgell, 2001-12-08, 1 file, -1/+1
  Also added code to auto-determine the server name or realm

* Ok, I know it's a language thing and it shouldn't matter.... but a kerberos name is a "principal", not a principle.
  Jeremy Allison, 2001-10-21, 1 file, -8/+8
  English majors will complain :-). Jeremy.

* made smbclient cope better with arbitrary principle forms
  Andrew Tridgell, 2001-10-21, 1 file, -14/+1

* the beginnings of kerberos support in smbd. It doesn't work yet, but it should give something for others to hack on and possibly find what I'm doing wrong.
  Andrew Tridgell, 2001-10-18, 1 file, -0/+23

* added basic NTLMSSP support in smbd. This is still quite rough, and loses things like username mapping.
  Andrew Tridgell, 2001-10-17, 1 file, -7/+215
  I wanted to get this in then discuss it a bit to see how we want to split up the existing session setup code

* fixed NTLMSSP with XP servers (who don't send the duplicate challenge in the asn1 spnego structures)
  Andrew Tridgell, 2001-10-14, 1 file, -3/+9

* moved some OIDs to the ASN.1 header
  Andrew Tridgell, 2001-10-12, 1 file, -6/+2

* added NTLMSSP authentication to libsmb. It seems to work well so I have enabled it by default if the server supports it.
  Andrew Tridgell, 2001-10-12, 1 file, -0/+395
  Let me know if this breaks anything. Choose kerberos with the -k flag to smbclient, otherwise it will use SPNEGO/NTLMSSP/NTLM