summaryrefslogtreecommitdiffstats
path: root/source/libsmb/ntlmssp.c
Commit message (Collapse)AuthorAgeFilesLines
* ntlmssp: replace UNKNOWN_02000000 with NTLMSSP_NEGOTIATE_VERSION.Günther Deschner2008-04-301-3/+5
| | | | Guenther
* Restore 3.0 behaviour with empty /etc/hostsVolker Lendecke2008-02-291-2/+5
| | | | | | | | | | | | | | Jeremy, in 3.0 we allowed get_mydnsdomname and get_mydnsfullname to fail without filling in anything useful. Worked fine. Without this patch and a empty /etc/hosts and no DNS configured, session setup would return NT_STATUS_BAD_NETWORK_NAME. This is confusing at best, BAD_NETWORK_NAME afaik is only ever returned from tcon normally. This restores the 3.0 behaviour. Comments? Volker
* Check the right variable for being NULLVolker Lendecke2008-02-291-1/+1
|
* Remove static zerosVolker Lendecke2007-12-281-2/+5
|
* Remove more fstring/pstring bad useage. Go talloc !Jeremy Allison2007-11-081-20/+24
| | | | Jeremy.
* RIP BOOL. Convert BOOL -> bool. I found a few interestingJeremy Allison2007-10-181-3/+3
| | | | | | | bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy.
* r23784: use the GPLv3 boilerplate as recommended by the FSF and the license textAndrew Tridgell2007-10-101-2/+1
|
* r23779: Change from v2 or later to v3 or later.Jeremy Allison2007-10-101-1/+1
| | | | Jeremy.
* r22844: Introduce const DATA_BLOB data_blob_null = { NULL, 0, NULL }; andVolker Lendecke2007-10-101-17/+17
| | | | replace all data_blob(NULL, 0) calls.
* r22001: change prototype of dump_data(), so that it takes unsigned char * now,Stefan Metzmacher2007-10-101-6/+6
| | | | | | | | which matches what samba4 has. also fix all the callers to prevent compiler warnings metze
* r19936: Patch from Kai Blin <kai.blin@gmail.com> toJeremy Allison2007-10-101-2/+4
| | | | | match Windows NTLMSSP flags. Jeremy.
* r18029: More C++ stuffVolker Lendecke2007-10-101-1/+1
|
* r18008: Ok, same fix as before. But this time also allocate the session key. ↵Volker Lendecke2007-10-101-5/+14
| | | | | | | | | This had worked in one test, no idea what memory I've overwritten that time. This time it survives the unpatched w2k password change. Volker
* r18005: The ntlmssp fix is not correct yet, working on itVolker Lendecke2007-10-101-6/+5
|
* r17977: To be honest, I have NO idea whatsoever what this does, but it fixes ↵Volker Lendecke2007-10-101-5/+6
| | | | | | | | | | | | | | | | what I have been able to reproduce with smbtorture4 for bug number 4059. It's too late here now to check with W2k native, I'll do that tomorrow or over the weekend. I'll then also check in a samba4 torture test to walk this from now on. Abartlet, can you do me a favor and look over this? It is a 1:1 copy of the corresponding Samba4 code. Thanks, Volker
* r17620: Fix two C++ Warnings and a memleakVolker Lendecke2007-10-101-2/+6
|
* r17612: Modify NTLMSSP session code so that it doesn't storeJeremy Allison2007-10-101-22/+34
| | | | | | | | | | | a copy of the plaintext password, only the NT and LM hashes (all it needs). Fix smbencrypt to expose hash verions of plaintext function. Andrew Bartlett, you might want to look at this for gensec. This should make it easier for winbindd to store cached credentials without having to store plaintext passwords in an NTLM-only environment (non krb5). Jeremy.
* r17216: From Kai Blin <kai.blin@gmail.com>:Andrew Bartlett2007-10-101-6/+44
| | | | | | | | | | | | | | | | | | | | | | | | | | | A patch to make ntlm_auth recognize three new commands in ntlmssp-client-1 and squid-2.5-ntlmssp: The commands are the following: Command: SF <hex number> Reply: OK Description: Takes feature request flags similar to samba4's gensec_want_feature() call. So far, only NTLMSSP_FEATURE_SESSION_KEY, NTLMSSP_FEATURE_SIGN and NTLMSSP_FEATURE_SEAL are implemented, using the same values as the corresponding GENSEC_FEATURE_* flags in samba4. Command: GF Reply: GF <hex number> Description: Returns the negotiated flags. Command: GK Reply: GK <base64 encoded session key> Description: Returns the negotiated session key. (These commands assist a wine project to use ntlm_auth for signing and sealing of bulk data). Andrew Bartlett
* r15129: Separate out mechanism and policy for NTLMSSP auth/sign/seal.Jeremy Allison2007-10-101-4/+16
| | | | | | With this change (and setting lanman auth = no in smb.conf) we have *identical* NTLMSSP flags to W2K3 in SPNEGO auth. Jeremy
* r13473: Back port r13470, r13471, r13472 from Samba4. Thanks Andrew:Jeremy Allison2007-10-101-17/+26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ----------------------------------- Thanks to a report from VL: We were causing mayhem by weakening the keys at the wrong point in time. I think this is the correct place to do it. The session key for SMB signing, and the 'smb session key' (used for encrypting password sets) is never weakened. The session key used for bulk data encryption/signing is weakened. This also makes more sense, when we look at the NTLM2 code. Andrew Bartlett ----------------------------------- With more 'try all options' testing, I found this 'simple' but in the NTLM2 signing code. Andrew Bartlett ----------------------------------- After Volker's advise, try every combination of parameters. This isn't every parameter on NTLMSSP, but it is most of the important ones. This showed up that we had the '128bit && LM_KEY' case messed up. This isn't supported, so we must look instead at the 56 bit flag. Andrew Bartlett ----------------------------------- We should now try retesting with NT4. This should be standalone enough to port into a SAMBA_3_0_RELEASE branch fix. Jeremy.
* r12922: Fix typo.Jeremy Allison2007-10-101-1/+1
| | | | Jeremy.
* r12920: Fix for #3401 from Andrew Bartlett. Original fix fromJeremy Allison2007-10-101-0/+5
| | | | | Yau Lam Yiu <yiuext@cs.ust.hk>. Jeremy.
* r11079: Narrowing down on the #1828 PPC bug. The PPC client sends anJeremy Allison2007-10-101-32/+6
| | | | | | initial NTLMSSP negotiate blob of only 16 bytes - no strings added ! (So don't try parsing them). Jeremy.
* r11075: Still working on bug #1828, PPC hell. The PPC client sends theJeremy Allison2007-10-101-2/+19
| | | | | | NTLMSSP client and domain strings as Unicode, even when setting flags as OEM. Cope with this. Jeremy.
* r10656: BIG merge from trunk. Features not copied overGerald Carter2007-10-101-16/+68
| | | | | | | * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck)
* r8475: BUG 2872: fix cut-n-paste error when checking pointer value in ↵Gerald Carter2007-10-101-1/+1
| | | | ntlmssp_set_workstation()
* r7472: fix smbpasswd user password change (still worked by bad error ↵Gerald Carter2007-10-101-2/+2
| | | | messages) due to trying to strdup a NULL pointer
* r5455: Remove bogus DEBUG messages (dump for a failure to parse NTLMSSP,Andrew Bartlett2007-10-101-4/+2
| | | | | | | | before trying the alternate format). This only caused confusion and bug reports... Andrew Bartlett
* r5272: BUG 2132, 2134: patch from Jason Mader <jason@ncac.gwu.edu> to remove ↵Gerald Carter2007-10-101-7/+0
| | | | unused variables
* r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison2007-10-101-2/+2
| | | | | | | | | allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy.
* r1492: Rework our random number generation system.Andrew Bartlett2007-10-101-3/+3
| | | | | | | | | | On systems with /dev/urandom, this avoids a change to secrets.tdb for every fork(). For other systems, we now only re-seed after a fork, and on startup. No need to do it per-operation. This removes the 'need_reseed' parameter from generate_random_buffer(). Andrew Bartlett
* r296: patch from j.lu -- don't force an upper case domain name in the ↵Gerald Carter2007-10-101-3/+1
| | | | ntlmssp code
* r69: Global rename of 'nt_session_key' -> 'user_session_key'. The session ↵Andrew Bartlett2007-10-101-10/+10
| | | | | | | key could be anything, and may not be based on anything 'NT'. This is also what microsoft calls it.
* Add a few comments explaining KEY_EXCHAndrew Bartlett2004-03-271-4/+7
| | | | Andrew Bartlett
* Based on the detective work of Jianliang Lu <j.lu@tiesse.com>, allow yetAndrew Bartlett2004-03-271-1/+3
| | | | | | | | | | | | | another NTLMv2 combination. We should allow the NTLMv2 response to be calculated with either the domain as supplied, or the domain in UPPER case (as we always did in the past). As a client, we always UPPER case it (as per the spec), but we also make sure to UPPER case the domain, when we send it. This should give us maximum compatability. Andrew Bartlett
* Fix up name canonicalization (needed for krb5 keytab support later).Jeremy Allison2004-01-301-3/+2
| | | | | Remove source_env handler (no longer used in any codepath). Jeremy.
* fix some warnings from the Sun compilerGerald Carter2004-01-091-1/+1
|
* Fix more cases to ensure that as a server, we don't complain to the clientAndrew Bartlett2004-01-051-3/+1
| | | | | | about our server-side lack of session key. Andrew Bartlett
* Ensure we set "always sign" flag if set. We don't currently do anything withJeremy Allison2004-01-051-0/+4
| | | | | this but we should log the fact it was negotiated. Jeremy.
* Don't free the encrypted_session_key early - that causes the subsequentAndrew Bartlett2004-01-051-1/+1
| | | | | | | | | test for a valid length to fail... This should fix 'security=server' and hosts-equiv failures picked up by the build farm. Andrew Bartlett
* Automaticly initialise the signing engine, if we have a session key.Andrew Bartlett2004-01-051-0/+6
|
* There is not a particularly good excuse for complaining to the *client* thatAndrew Bartlett2004-01-031-4/+12
| | | | | | | | it sent 'INVALID_PARAMETER', when it was us as the server that could not come up with a session key. Instead, allow normal authentication to take place, but do not setup a session key. Andrew Bartlett
* This patch corrects some errors in the NTLMSSP implementation, thatAndrew Bartlett2003-12-271-9/+18
| | | | | | | would incorrectly return INVALID_PARAMETER, instead of allowing a login. Andrew Bartlett
* Add in comments explaining NTLMv2 selection. Use lm session key if that'sJeremy Allison2003-12-171-1/+13
| | | | | all there is. Jeremy.
* Tidyup debug message in ntlmssp code. Add brackets around dodgy if statement.Jeremy Allison2003-12-171-5/+17
| | | | Jeremy
* Make sure we correctly generate the lm session key.Gerald Carter2003-12-171-2/+6
| | | | | | | | | This fixes a problem joining a Samba domain from a vanilla win2k client that doesn't set the NTLMSSP_NEGOTIATE_NTLM2 flag. Reported on samba ml as "decode_pw: incorrect password length" when handling a samr_set_userinfo(23 or 24) RPC.
* Picked up by the build farm - despite all my efforts, security=server wasAndrew Bartlett2003-12-041-8/+13
| | | | | | | broken by my NTLM2 commit. This should correctly cause the NTLM2 case not to be negotiated when 'security=server' is in effect. Andrew Bartlett
* Do not add NTLM2 to the NTLMSSP flags unconditionally - allow theAndrew Bartlett2003-11-251-2/+6
| | | | | | | | | | | defaults specified by the caller to prevail. Don't use NTLM2 for RPC pipes, until we know how it works in signing or sealing. Call ntlmssp_sign_init() unconditionally in the client - we setup the session key, why not setup the rest of the data. Andrew Bartlett
* Changes all over the shop, but all towards:Andrew Bartlett2003-11-221-245/+496
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures...
* Fix #442 which Alexander considered a showstopper. Allow us to join mixedJeremy Allison2003-09-161-0/+6
| | | | | mode domains. Jeremy.
generated by cgit (git 2.34.1) at 2025-09-01 08:16:52 +0000