[SCM] Samba Shared Repository - branch v3-6-test updated

Günther Deschner gd at samba.org
Tue Aug 10 09:07:17 MDT 2010


The branch, v3-6-test has been updated
       via  9673c7f... cleanups: Trailing spaces, line length, etc... (cherry picked from commit 28c74564c5bd3c972745deaa904ec8695f21ea1f)
       via  398020f... s3-dcerpc: Use dcerpc_guess_sizes in the server code too. (cherry picked from commit 57bd974e5865212641f6941dd875bc1bc4967ed9)
       via  c12e4f2... s3-dceprc: Improve dcerpc_guess_sizes() interface
       via  da1b08d... s3-dcerpc: rationalize packet creation in the server code
       via  191f069... s3-dcerpc: Make function to guess pdu sizes common. (cherry picked from commit a9d3a596a7c4d7e5775751cbce74e2fb07ce2192)
       via  3a8a549... s3-dceprc: consolidate use of dcerpc_push_dcerpc_auth() (cherry picked from commit 9329a9fe848761e2835ff58123d8f64d8bab35b2)
       via  6d550ef... s3-dcerpc: Remove unused functions (cherry picked from commit da6c246aacc298ec0c7536289afbd9e0d99ea130)
       via  88cf1c1... s3-dcerpc: use common spengo wrapper code for client SPNEGO/NTLMSSP (cherry picked from commit 186f93633b4890c444115ac4eed109aa24f20b44)
       via  04f397f... s3-dcerpc: add sign/seal support when using SPNEGO/KRB5 (cherry picked from commit 984438ca1522bfc2d882b2e3e7e8db187577e05a)
       via  3bf1347... s3-dcerpc: Add SPNEGO incapsulation for KRB5 auth
       via  9132f34... rpcclient: Use DCERPC_AUTH_LEVEL_CONNECT if no sign/seal is set for ntlmssp (cherry picked from commit e286b9c0bd7bf553f216d7c8288bb75a6b3dde95)
       via  db8bd28... s3-dcerpc: Try to fix build when gssapi_ext.h is not available (cherry picked from commit e8ac4a8b82798ef0691d384f59d880dc38b56592)
       via  24b0188... Do not refernece pipe_auth_data directly in dcerpc_gssapi.c (cherry picked from commit 7c9c075987e7cdb2d5cb6311876f088f907e46f2)
       via  0ce9b97... s3-dcerpc: Avoid ifdef, it is handled within dcerpc_gssapi.c already (cherry picked from commit d17abc69f690ccc845a0a1d6d291b6e21ce86b3d)
       via  bcb5b48... smbd: Fix build warning (cherry picked from commit c4b3c9ec0f2efa937529160999f7e44bcad3591f)
       via  b8979bb... s3-dcerpc: Add sign/seal with gssapi (cherry picked from commit 7eaa15af2c5b544946bfb2b8c522ba9677527972)
       via  6841746... s3-dcerpc: Add next authentication step with gssapi (cherry picked from commit 1abcbd70aed327ae5233423ce74662241fa9d21a)
       via  c09e659... s3-decrpc: Introduce gssapi support for dcerpc krb5 auth
       via  acd1abe... rpcclient: Use DCERPC_AUTH_LEVEL_CONNECT if no sign/seal is set for krb5 auth (cherry picked from commit 72088096af8dbf57cbc85c71cd0eef4447e7560d)
       via  be1c095... s3-dcerpc: Refactor calculate_data_len_tosend() (cherry picked from commit 183e0a0d9f87bc619cd832decf5745be1d28f598)
       via  a448126... s3-dcerpc: Add auth trailer only when appropriate. (cherry picked from commit c08d684f4ef679831e8fed69cd87e4d9b06cb3e0)
       via  42eb8ca... s3-dcerpc: consolidate unmarshalling of dcerpc_auth (cherry picked from commit 866f85e31973de356c3843836d5cacdbdf245e32)
       via  268df6f... s3-dcerpc: revive cli_rpc_pipe_open_krb5() (cherry picked from commit 146af48d4887e8fa0c66bf53aa5f204366648478)
       via  d92aab4... misc: Remove unused structure elements (cherry picked from commit 250e341e0aad67c2f70fea597f34deadea1d2ccc)
       via  881236a... s3-rpcclient: Allow choosing spnego mech: (ntlm/krb5) (cherry picked from commit b00f9a0a2d3b692dd12e182a2a4a7979c626dec7)
       via  05dc21c... s3-dcerpc: Use dcerpc_AuthType in pipe_auth_data (cherry picked from commit 2463a871776bb4de8653d6a44469d2adb3ec9418)
       via  810c4a6... s3-dcerpc: Cleanup and refactor create_rpc_bind_req() (cherry picked from commit 1e915d231d4191bf3a0bb54ba99a31ad6b2afd3b)
       via  fda83be... s3-auth: Remove unimplemented functions (cherry picked from commit 3c3237dd0afa37ba0e545424f5008973b645cf96)
       via  304081a... s3-dcerpc: Set flags directly instead of calling unimplemented functions. (cherry picked from commit bfe53d414548cd8a0226136b73cf2b766b6a61ef)
       via  fecb756... s3-dcerpc: Use dcerpc_check_auth in client code too (cherry picked from commit 7407c979a1469997c9277c501787b5f222216aac)
       via  4c5995b... s3-dcerpc: Make dcerpc_check_auth() common code (cherry picked from commit 9565e3f6a7ef2fb590558eb7b29c6c2fc657fca9)
       via  b0363df... s3-dcerpc: Add the same paranoia checks we have in the client code (cherry picked from commit 5f2cca6b2a7b8b7bad4a47a2bd31174c45fa2611)
       via  63ada38... s3-dcerpc: Split auth checking into a generic function. (cherry picked from commit 49a8c2965d2982e6510609fa9772a56597494641)
       via  d923df6... s3-dcerpc do not pass pipes_struct to dcesrv_auth_request() (cherry picked from commit 1fc71c9c6ff26f2d49f314b8425c6cd4c91683f3)
       via  6850e68... s3-dcerpc: Make dcesrv_auth_request() return NTSTATUS codes (cherry picked from commit 2ce169ce187cc7229aecdc3e5cd889c5194956aa)
       via  d586cdb... s3-dcerpc: Use the common dcerpc_add_auth_footer() in the server code (cherry picked from commit aa4c5a2bfb27fc274de2a83c4724e0f10ad6b119)
       via  e953871... s3-dcerpc: Move dcerpc_add_auth_footer() to the common helpers file (cherry picked from commit 31393334194be7763072900408bb61ebb7c1d11a)
       via  1fb22ee... s3-dcerpc: Introduce generic helper function to add auth trailer (cherry picked from commit 6f5cdf9ae9707cdbc62e0ed5ad2578316796b4b3)
       via  a5ddac2... s3-dcerpc: Pass explicit arguments so that this is not client specific (cherry picked from commit 1b572493e2ea30b262a0ca1b04e913017a3ac13d)
       via  18c4c8b... s3-dcerpc: Move marshalling of dcerpc_auth_header in the callers (cherry picked from commit e2b0e43da9b6c3f1fb12a10898dcc09e56da795a)
      from  8c66926... Fix bug #7608 - Win7 SMB2 authentication causes smbd panic

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test


- Log -----------------------------------------------------------------
commit 9673c7f01ec562cf9e5a203cf584cdfc8c87987b
Author: Simo Sorce <idra at samba.org>
Date:   Fri Jul 30 16:34:53 2010 -0400

    cleanups: Trailing spaces, line length, etc...
    (cherry picked from commit 28c74564c5bd3c972745deaa904ec8695f21ea1f)

commit 398020fb42cd97dc4e2a918f8adc1656724cb08d
Author: Simo Sorce <idra at samba.org>
Date:   Fri Jul 30 14:01:01 2010 -0400

    s3-dcerpc: Use dcerpc_guess_sizes in the server code too.
    (cherry picked from commit 57bd974e5865212641f6941dd875bc1bc4967ed9)

commit c12e4f2cb13f4fdd52602d3d0fe2bb36731a31f6
Author: Simo Sorce <idra at samba.org>
Date:   Fri Jul 30 13:12:35 2010 -0400

    s3-dceprc: Improve dcerpc_guess_sizes() interface
    
    Make it possible to pass in the NDR padding size so that theoretically
    client and server code can decide to use a different alignment.
    
    Pass in the header length as a parameter so that this function can be used for
    different types of packets.
    
    Make sure padding size will not make the fragment exceed the maximum length.
    
    Calculate padding taking into account the header length.
    (cherry picked from commit 4c64e4d4af3403559b370381d7f14a83a39adfa7)

commit da1b08d3c957dc78c2d8ffe3329494331d3af6ae
Author: Simo Sorce <idra at samba.org>
Date:   Fri Jul 30 12:19:20 2010 -0400

    s3-dcerpc: rationalize packet creation in the server code
    
    Move all related functions into create_next_packet, but make it transport
    neutral (do not pass in pipes_struct)
    (cherry picked from commit 3469fbc5e4098e798a03d14fece24fde2b60d9b9)

commit 191f069fad1c9b537b67076470e57217c3cbcc38
Author: Simo Sorce <idra at samba.org>
Date:   Fri Jul 30 11:27:40 2010 -0400

    s3-dcerpc: Make function to guess pdu sizes common.
    (cherry picked from commit a9d3a596a7c4d7e5775751cbce74e2fb07ce2192)

commit 3a8a5492f4cbe09475c279773f591be0a3868009
Author: Simo Sorce <idra at samba.org>
Date:   Thu Jul 29 20:20:49 2010 -0400

    s3-dceprc: consolidate use of dcerpc_push_dcerpc_auth()
    (cherry picked from commit 9329a9fe848761e2835ff58123d8f64d8bab35b2)

commit 6d550efdbe2e4514f2da990f13dbfa6393ad197a
Author: Simo Sorce <idra at samba.org>
Date:   Thu Jul 29 20:21:53 2010 -0400

    s3-dcerpc: Remove unused functions
    (cherry picked from commit da6c246aacc298ec0c7536289afbd9e0d99ea130)

commit 88cf1c1d4ccfe38a9a6111a1f58d7c5e3c59c98d
Author: Simo Sorce <idra at samba.org>
Date:   Thu Jul 29 19:55:44 2010 -0400

    s3-dcerpc: use common spengo wrapper code for client SPNEGO/NTLMSSP
    (cherry picked from commit 186f93633b4890c444115ac4eed109aa24f20b44)

commit 04f397fdc8fe20dbc1cc78c32892d22a8e79859b
Author: Simo Sorce <idra at samba.org>
Date:   Thu Jul 29 16:34:39 2010 -0400

    s3-dcerpc: add sign/seal support when using SPNEGO/KRB5
    (cherry picked from commit 984438ca1522bfc2d882b2e3e7e8db187577e05a)

commit 3bf13474133d014bfaceef9d38b0a748651dda76
Author: Simo Sorce <idra at samba.org>
Date:   Wed Jul 28 17:06:51 2010 -0400

    s3-dcerpc: Add SPNEGO incapsulation for KRB5 auth

commit 9132f34c2e31f41ce815e04e1ef509be8b875c9d
Author: Simo Sorce <idra at samba.org>
Date:   Thu Jul 29 20:07:19 2010 -0400

    rpcclient: Use DCERPC_AUTH_LEVEL_CONNECT if no sign/seal is set for ntlmssp
    (cherry picked from commit e286b9c0bd7bf553f216d7c8288bb75a6b3dde95)

commit db8bd28f5d7e5b7082ca4f04a94557c5279d0fd8
Author: Simo Sorce <idra at samba.org>
Date:   Wed Jul 28 17:06:14 2010 -0400

    s3-dcerpc: Try to fix build when gssapi_ext.h is not available
    (cherry picked from commit e8ac4a8b82798ef0691d384f59d880dc38b56592)

commit 24b0188ca69447a2c3e6c8228c25675ebd0b0439
Author: Simo Sorce <idra at samba.org>
Date:   Wed Jul 28 15:53:56 2010 -0400

    Do not refernece pipe_auth_data directly in dcerpc_gssapi.c
    (cherry picked from commit 7c9c075987e7cdb2d5cb6311876f088f907e46f2)

commit 0ce9b9728ce6a218747c038719b17949e5229234
Author: Simo Sorce <idra at samba.org>
Date:   Wed Jul 28 15:35:02 2010 -0400

    s3-dcerpc: Avoid ifdef, it is handled within dcerpc_gssapi.c already
    (cherry picked from commit d17abc69f690ccc845a0a1d6d291b6e21ce86b3d)

commit bcb5b482a374511223c05f924364fc77a125214c
Author: Simo Sorce <idra at samba.org>
Date:   Wed Jul 28 12:44:37 2010 -0400

    smbd: Fix build warning
    (cherry picked from commit c4b3c9ec0f2efa937529160999f7e44bcad3591f)

commit b8979bba77769129d5b09a03331523fc45d47cc0
Author: Simo Sorce <idra at samba.org>
Date:   Sat Jul 24 13:02:57 2010 -0400

    s3-dcerpc: Add sign/seal with gssapi
    (cherry picked from commit 7eaa15af2c5b544946bfb2b8c522ba9677527972)

commit 6841746520a631f9d4f85bdf15270178e9180171
Author: Simo Sorce <idra at samba.org>
Date:   Sat Jul 24 10:35:25 2010 -0400

    s3-dcerpc: Add next authentication step with gssapi
    (cherry picked from commit 1abcbd70aed327ae5233423ce74662241fa9d21a)

commit c09e6599288f594ce6d91d7690de5b714b56e135
Author: Simo Sorce <idra at samba.org>
Date:   Fri Jul 23 14:47:36 2010 -0400

    s3-decrpc: Introduce gssapi support for dcerpc krb5 auth

commit acd1abe6c184157bb0fc647567a6b51844046a75
Author: Simo Sorce <idra at samba.org>
Date:   Wed Jul 21 12:11:37 2010 -0400

    rpcclient: Use DCERPC_AUTH_LEVEL_CONNECT if no sign/seal is set for krb5 auth
    (cherry picked from commit 72088096af8dbf57cbc85c71cd0eef4447e7560d)

commit be1c095069a882cee384d0c68589e4c948592459
Author: Simo Sorce <idra at samba.org>
Date:   Thu Jul 22 16:14:16 2010 -0400

    s3-dcerpc: Refactor calculate_data_len_tosend()
    (cherry picked from commit 183e0a0d9f87bc619cd832decf5745be1d28f598)

commit a448126bbbb1d9213f0ea0d5d57650fb0d4afb8b
Author: Simo Sorce <idra at samba.org>
Date:   Wed Jul 21 13:33:09 2010 -0400

    s3-dcerpc: Add auth trailer only when appropriate.
    (cherry picked from commit c08d684f4ef679831e8fed69cd87e4d9b06cb3e0)

commit 42eb8ca66edafc7a3a025e065db3d32dbc8521b1
Author: Simo Sorce <idra at samba.org>
Date:   Wed Jul 21 12:12:58 2010 -0400

    s3-dcerpc: consolidate unmarshalling of dcerpc_auth
    (cherry picked from commit 866f85e31973de356c3843836d5cacdbdf245e32)

commit 268df6f3d9f4952a268541a16ba2da673bde70f5
Author: Simo Sorce <idra at samba.org>
Date:   Tue Jul 20 18:43:37 2010 -0400

    s3-dcerpc: revive cli_rpc_pipe_open_krb5()
    (cherry picked from commit 146af48d4887e8fa0c66bf53aa5f204366648478)

commit d92aab481dbc5e91f0dff318b1a8159a632af6be
Author: Simo Sorce <idra at samba.org>
Date:   Tue Jul 20 18:39:46 2010 -0400

    misc: Remove unused structure elements
    (cherry picked from commit 250e341e0aad67c2f70fea597f34deadea1d2ccc)

commit 881236af69585f84119b04d7a972c44346accd33
Author: Simo Sorce <idra at samba.org>
Date:   Tue Jul 20 17:26:32 2010 -0400

    s3-rpcclient: Allow choosing spnego mech: (ntlm/krb5)
    (cherry picked from commit b00f9a0a2d3b692dd12e182a2a4a7979c626dec7)

commit 05dc21ca9446f64c46cda8a6637a95ce9d699f91
Author: Simo Sorce <idra at samba.org>
Date:   Tue Jul 20 13:26:36 2010 -0400

    s3-dcerpc: Use dcerpc_AuthType in pipe_auth_data
    (cherry picked from commit 2463a871776bb4de8653d6a44469d2adb3ec9418)

commit 810c4a6e2296cb5c910730f234f625ea2aff923c
Author: Simo Sorce <idra at samba.org>
Date:   Tue Jul 20 11:49:23 2010 -0400

    s3-dcerpc: Cleanup and refactor create_rpc_bind_req()
    (cherry picked from commit 1e915d231d4191bf3a0bb54ba99a31ad6b2afd3b)

commit fda83be3765798ef9b50150f07c8f1301f7053c7
Author: Simo Sorce <idra at samba.org>
Date:   Tue Jul 20 11:23:11 2010 -0400

    s3-auth: Remove unimplemented functions
    (cherry picked from commit 3c3237dd0afa37ba0e545424f5008973b645cf96)

commit 304081abc3f82bcd4375a2586a3e2735c2652f22
Author: Simo Sorce <idra at samba.org>
Date:   Tue Jul 20 11:22:50 2010 -0400

    s3-dcerpc: Set flags directly instead of calling unimplemented functions.
    (cherry picked from commit bfe53d414548cd8a0226136b73cf2b766b6a61ef)

commit fecb756f2b6b0d451b65ce9dc4dab34486523b76
Author: Simo Sorce <idra at samba.org>
Date:   Mon Jul 19 20:03:08 2010 -0400

    s3-dcerpc: Use dcerpc_check_auth in client code too
    (cherry picked from commit 7407c979a1469997c9277c501787b5f222216aac)

commit 4c5995b3e9520178b1ee606894f2a99b0fd544f5
Author: Simo Sorce <idra at samba.org>
Date:   Mon Jul 19 19:49:35 2010 -0400

    s3-dcerpc: Make dcerpc_check_auth() common code
    (cherry picked from commit 9565e3f6a7ef2fb590558eb7b29c6c2fc657fca9)

commit b0363df33866a45f8521eb3b1be0801d12729365
Author: Simo Sorce <idra at samba.org>
Date:   Mon Jul 19 19:42:12 2010 -0400

    s3-dcerpc: Add the same paranoia checks we have in the client code
    (cherry picked from commit 5f2cca6b2a7b8b7bad4a47a2bd31174c45fa2611)

commit 63ada388cf9f820d42a929ce31d1951ad5cb976b
Author: Simo Sorce <idra at samba.org>
Date:   Mon Jul 19 19:34:34 2010 -0400

    s3-dcerpc: Split auth checking into a generic function.
    (cherry picked from commit 49a8c2965d2982e6510609fa9772a56597494641)

commit d923df6afdb96023e269272e426bed4082148563
Author: Simo Sorce <idra at samba.org>
Date:   Mon Jul 19 17:51:18 2010 -0400

    s3-dcerpc do not pass pipes_struct to dcesrv_auth_request()
    (cherry picked from commit 1fc71c9c6ff26f2d49f314b8425c6cd4c91683f3)

commit 6850e68d09a2940f2acc29275dd62f7a123347da
Author: Simo Sorce <idra at samba.org>
Date:   Mon Jul 19 17:14:56 2010 -0400

    s3-dcerpc: Make dcesrv_auth_request() return NTSTATUS codes
    (cherry picked from commit 2ce169ce187cc7229aecdc3e5cd889c5194956aa)

commit d586cdb1af4078d9644169b43b08e9199b93dc7a
Author: Simo Sorce <idra at samba.org>
Date:   Mon Jul 19 16:16:40 2010 -0400

    s3-dcerpc: Use the common dcerpc_add_auth_footer() in the server code
    (cherry picked from commit aa4c5a2bfb27fc274de2a83c4724e0f10ad6b119)

commit e95387189a2db566cd6036ac5a421cacc19f6661
Author: Simo Sorce <idra at samba.org>
Date:   Mon Jul 19 16:10:35 2010 -0400

    s3-dcerpc: Move dcerpc_add_auth_footer() to the common helpers file
    (cherry picked from commit 31393334194be7763072900408bb61ebb7c1d11a)

commit 1fb22ee527f1bf77d475df3b053b7c91d71d138a
Author: Simo Sorce <idra at samba.org>
Date:   Mon Jul 19 09:07:22 2010 -0400

    s3-dcerpc: Introduce generic helper function to add auth trailer
    (cherry picked from commit 6f5cdf9ae9707cdbc62e0ed5ad2578316796b4b3)

commit a5ddac2fba3d083e649b1c402c7dfdaf90f3fc14
Author: Simo Sorce <idra at samba.org>
Date:   Sat Jul 17 17:53:44 2010 -0400

    s3-dcerpc: Pass explicit arguments so that this is not client specific
    (cherry picked from commit 1b572493e2ea30b262a0ca1b04e913017a3ac13d)

commit 18c4c8bcfe03d40e12565c2dab7b8ce808fc024f
Author: Simo Sorce <idra at samba.org>
Date:   Sat Jul 17 17:32:35 2010 -0400

    s3-dcerpc: Move marshalling of dcerpc_auth_header in the callers
    (cherry picked from commit e2b0e43da9b6c3f1fb12a10898dcc09e56da795a)

-----------------------------------------------------------------------

Summary of changes:
 source3/Makefile.in                 |    7 +-
 source3/auth/auth_ntlmssp.c         |   10 -
 source3/configure.in                |    3 +-
 source3/include/client.h            |    6 -
 source3/include/ntdomain.h          |   19 +-
 source3/include/proto.h             |   12 +-
 source3/libads/kerberos_verify.c    |  274 ++++---
 source3/librpc/rpc/dcerpc.h         |   13 +
 source3/librpc/rpc/dcerpc_gssapi.c  |  605 ++++++++++++++
 source3/librpc/rpc/dcerpc_gssapi.h  |   58 ++
 source3/librpc/rpc/dcerpc_helpers.c |  773 +++++++++++++++++
 source3/librpc/rpc/dcerpc_spnego.c  |  354 ++++++++
 source3/librpc/rpc/dcerpc_spnego.h  |   53 ++
 source3/librpc/rpc/rpc_common.c     |   33 -
 source3/rpc_client/cli_pipe.c       | 1560 +++++++++++------------------------
 source3/rpc_server/rpc_handles.c    |    3 +-
 source3/rpc_server/srv_lsa_nt.c     |    4 +-
 source3/rpc_server/srv_netlog_nt.c  |    6 +-
 source3/rpc_server/srv_pipe.c       |  545 +++----------
 source3/rpc_server/srv_samr_nt.c    |    4 +-
 source3/rpcclient/rpcclient.c       |  157 +++--
 source3/smbd/process.c              |    2 +-
 22 files changed, 2769 insertions(+), 1732 deletions(-)
 create mode 100644 source3/librpc/rpc/dcerpc_gssapi.c
 create mode 100644 source3/librpc/rpc/dcerpc_gssapi.h
 create mode 100644 source3/librpc/rpc/dcerpc_spnego.c
 create mode 100644 source3/librpc/rpc/dcerpc_spnego.h


Changeset truncated at 500 lines:

diff --git a/source3/Makefile.in b/source3/Makefile.in
index 054c4b9..af26549 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -678,7 +678,10 @@ RPC_SERVER_OBJ = @RPC_STATIC@ $(RPC_PIPE_OBJ) $(NPA_TSTREAM_OBJ)
 
 RPC_PARSE_OBJ = $(RPC_PARSE_OBJ2)
 
-RPC_CLIENT_OBJ = rpc_client/cli_pipe.o librpc/rpc/rpc_common.o \
+RPC_CLIENT_OBJ = rpc_client/cli_pipe.o \
+		 librpc/rpc/dcerpc_gssapi.o \
+		 librpc/rpc/dcerpc_spnego.o \
+		 librpc/rpc/rpc_common.o \
 		 rpc_client/rpc_transport_np.o \
 		 rpc_client/rpc_transport_sock.o \
 		 rpc_client/rpc_transport_smbd.o
@@ -1359,6 +1362,8 @@ RPC_OPEN_TCP_OBJ = torture/rpc_open_tcp.o \
 		   $(RPC_CLIENT_OBJ1) \
 		   librpc/rpc/rpc_common.o \
 		   rpc_client/cli_pipe.o \
+		   librpc/rpc/dcerpc_gssapi.o \
+		   librpc/rpc/dcerpc_spnego.o \
 		   ../librpc/rpc/binding.o \
 		   $(LIBMSRPC_GEN_OBJ)
 
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index e7d8657..c212bb3 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -25,16 +25,6 @@
 #include "ntlmssp_wrap.h"
 #include "../librpc/gen_ndr/netlogon.h"
 
-void auth_ntlmssp_want_sign(struct auth_ntlmssp_state *auth_ntlmssp_state)
-{
-
-}
-
-void auth_ntlmssp_want_seal(struct auth_ntlmssp_state *auth_ntlmssp_state)
-{
-
-}
-
 NTSTATUS auth_ntlmssp_steal_server_info(TALLOC_CTX *mem_ctx,
 				struct auth_ntlmssp_state *auth_ntlmssp_state,
 				struct auth_serversupplied_info **server_info)
diff --git a/source3/configure.in b/source3/configure.in
index a1b6e9e..3868ee7 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -3749,7 +3749,7 @@ if test x"$with_ads_support" != x"no"; then
 
   # now check for gssapi headers.  This is also done here to allow for
   # different kerberos include paths
-  AC_CHECK_HEADERS(gssapi.h gssapi/gssapi_generic.h gssapi/gssapi.h com_err.h)
+  AC_CHECK_HEADERS(gssapi.h gssapi/gssapi_generic.h gssapi/gssapi.h gssapi/gssapi_ext.h com_err.h)
 
   ##################################################################
   # we might need the k5crypto and com_err libraries on some systems
@@ -3774,6 +3774,7 @@ if test x"$with_ads_support" != x"no"; then
   # now see if we can find the gssapi libs in standard paths
   if test x"$have_gssapi" != x"yes"; then
      AC_CHECK_LIB_EXT(gssapi_krb5, KRB5_LIBS,gss_display_status,[],[],have_gssapi=yes)
+     AC_CHECK_FUNC_EXT(gss_wrap_iov, $KRB5_LIBS)
   fi
 
   AC_CHECK_FUNC_EXT(krb5_set_real_time, $KRB5_LIBS)
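Review bot: The added `AC_CHECK_FUNC_EXT(gss_wrap_iov, $KRB5_LIBS)` sits inside the `if test x"$have_gssapi" != x"yes"` branch, so it runs only on the fallback path that searches for the GSSAPI library in standard paths. If `have_gssapi` was already set to yes earlier in the script (not visible in this hunk), the probe appears to be skipped and the corresponding HAVE_ define stays unset even where the function exists. Should the GSSAPI sign/seal code be conditional on that define, such builds would lack it with no configure-time message. I would move the line below the `fi`, next to the `krb5_set_real_time` check, so it runs whichever way the library was found.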
diff --git a/source3/include/client.h b/source3/include/client.h
index bc78945..505f7e4 100644
--- a/source3/include/client.h
+++ b/source3/include/client.h
@@ -215,7 +215,6 @@ struct cli_state {
 	fstring dev;
 	struct nmb_name called;
 	struct nmb_name calling;
-	fstring full_dest_host_name;
 	struct sockaddr_storage dest_ss;
 
 	DATA_BLOB secblob; /* cryptkey or negTokenInit */
@@ -241,11 +240,6 @@ struct cli_state {
 	uint32_t requested_posix_capabilities;
 	bool dfsroot;
 
-#if 0
-	TALLOC_CTX *longterm_mem_ctx;
-	TALLOC_CTX *call_mem_ctx;
-#endif
-
 	struct smb_signing_state *signing_state;
 
 	struct smb_trans_enc_state *trans_enc_state; /* Setup if we're encrypting SMB's. */
diff --git a/source3/include/ntdomain.h b/source3/include/ntdomain.h
index 5801fd3..f42ff58 100644
--- a/source3/include/ntdomain.h
+++ b/source3/include/ntdomain.h
@@ -93,25 +93,26 @@ typedef struct pipe_rpc_fns {
  * Can't keep in sync with wire values as spnego wraps different auth methods.
  */
 
-enum pipe_auth_type { PIPE_AUTH_TYPE_NONE = 0, PIPE_AUTH_TYPE_NTLMSSP, PIPE_AUTH_TYPE_SCHANNEL,
-			PIPE_AUTH_TYPE_SPNEGO_NTLMSSP, PIPE_AUTH_TYPE_KRB5, PIPE_AUTH_TYPE_SPNEGO_KRB5 };
-
-/* auth state for krb5. */
-struct kerberos_auth_struct {
-	const char *service_principal;
-	DATA_BLOB session_key;
+enum pipe_auth_type_spnego {
+	PIPE_AUTH_TYPE_SPNEGO_NONE = 0,
+	PIPE_AUTH_TYPE_SPNEGO_NTLMSSP,
+	PIPE_AUTH_TYPE_SPNEGO_KRB5
 };
 
+struct gse_context;
+
 /* auth state for all bind types. */
 
 struct pipe_auth_data {
-	enum pipe_auth_type auth_type; /* switch for union below. */
+	enum dcerpc_AuthType auth_type;
+	enum pipe_auth_type_spnego spnego_type; /* used by server only */
 	enum dcerpc_AuthLevel auth_level;
 
 	union {
 		struct schannel_state *schannel_auth;
 		struct auth_ntlmssp_state *auth_ntlmssp_state;
-		struct kerberos_auth_struct *kerberos_auth; /* Client only for now */
+		struct gse_context *gssapi_state;
+		struct spnego_context *spnego_state;
 	} a_u;
 
 	/* Only the client code uses these 3 for now */
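Review bot: The `a_u` union in `struct pipe_auth_data` loses its documented discriminator: the `/* switch for union below. */` comment is dropped from `auth_type`, and with `spnego_type` marked `/* used by server only */` nothing states which member is live when `auth_type` is the SPNEGO value. Reading the wrong member of a union of auth-context pointers is a type-confusion risk. I would add a comment above the union that lists, per `auth_type` (and per `spnego_type` on the server), which pointer is valid. The retained comment at the top of the hunk ("Can't keep in sync with wire values ...") now sits above the SPNEGO-only enum and looks stale, since `auth_type` has become `enum dcerpc_AuthType`. The struct continues past the end of this hunk.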
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 59276a5..61ef13f 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -57,8 +57,6 @@ NTSTATUS auth_netlogond_init(void);
 NTSTATUS auth_ntlmssp_steal_server_info(TALLOC_CTX *mem_ctx,
 				struct auth_ntlmssp_state *auth_ntlmssp_state,
 				struct auth_serversupplied_info **server_info);
-void auth_ntlmssp_want_sign(struct auth_ntlmssp_state *auth_ntlmssp_state);
-void auth_ntlmssp_want_seal(struct auth_ntlmssp_state *auth_ntlmssp_state);
 NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state **auth_ntlmssp_state);
 
 
@@ -4468,7 +4466,6 @@ const struct ndr_interface_table *get_iface_from_syntax(
 	const struct ndr_syntax_id *syntax);
 const char *get_pipe_name_from_syntax(TALLOC_CTX *mem_ctx,
                                      const struct ndr_syntax_id *syntax);
-enum dcerpc_AuthType map_pipe_auth_type_to_rpc_auth_type(enum pipe_auth_type auth_type);
 
 struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
 					 struct event_context *ev,
@@ -4559,11 +4556,20 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
 				    struct rpc_pipe_client **presult);
 NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli,
 				const struct ndr_syntax_id *interface,
+				enum dcerpc_transport_t transport,
 				enum dcerpc_AuthLevel auth_level,
 				const char *service_princ,
 				const char *username,
 				const char *password,
 				struct rpc_pipe_client **presult);
+NTSTATUS cli_rpc_pipe_open_spnego_krb5(struct cli_state *cli,
+					const struct ndr_syntax_id *interface,
+					enum dcerpc_transport_t transport,
+					enum dcerpc_AuthLevel auth_level,
+					const char *server,
+					const char *username,
+					const char *password,
+					struct rpc_pipe_client **presult);
 NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
 			     struct rpc_pipe_client *cli,
 			     DATA_BLOB *session_key);
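Review bot: The new `cli_rpc_pipe_open_spnego_krb5()` prototype takes `const char *server` where `cli_rpc_pipe_open_krb5()` takes `const char *service_princ`, and the header does not say what `server` must contain or how the target principal is derived from it. Because that value decides which service the client authenticates to, a short comment above the two prototypes would help callers, for example `/* service_princ: target service principal; server: host used to build it (assumed, confirm against cli_pipe.c) */`. Adding `transport` to `cli_rpc_pipe_open_krb5()` also changes an existing signature, and its callers are not visible in this hunk.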
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index 54328fb..887dac0 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -1,24 +1,24 @@
-/* 
+/*
    Unix SMB/CIFS implementation.
    kerberos utility library
    Copyright (C) Andrew Tridgell 2001
    Copyright (C) Remus Koos 2001
-   Copyright (C) Luke Howard 2003   
+   Copyright (C) Luke Howard 2003
    Copyright (C) Guenther Deschner 2003, 2005
    Copyright (C) Jim McDonough (jmcd at us.ibm.com) 2003
    Copyright (C) Andrew Bartlett <abartlet at samba.org> 2004-2005
    Copyright (C) Jeremy Allison 2007
-   
+
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.
-   
+
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
-   
+
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
@@ -116,11 +116,11 @@ static bool ads_dedicated_keytab_verify_ticket(krb5_context context,
 	return auth_ok;
 }
 
-/**********************************************************************************
- Try to verify a ticket using the system keytab... the system keytab has kvno -1 entries, so
- it's more like what microsoft does... see comment in utils/net_ads.c in the
- ads_keytab_add_entry function for details.
-***********************************************************************************/
+/******************************************************************************
+ Try to verify a ticket using the system keytab... the system keytab has
+ kvno -1 entries, so it's more like what microsoft does... see comment in
+ utils/net_ads.c in the ads_keytab_add_entry function for details.
+******************************************************************************/
 
 static bool ads_keytab_verify_ticket(krb5_context context,
 					krb5_auth_context auth_context,
@@ -134,12 +134,14 @@ static bool ads_keytab_verify_ticket(krb5_context context,
 	krb5_keytab keytab = NULL;
 	krb5_kt_cursor kt_cursor;
 	krb5_keytab_entry kt_entry;
-	char *valid_princ_formats[7] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL };
+	char *valid_princ_formats[7] = { NULL, NULL, NULL,
+					 NULL, NULL, NULL, NULL };
 	char *entry_princ_s = NULL;
 	fstring my_name, my_fqdn;
 	int i;
 	int number_matched_principals = 0;
 	krb5_data packet;
+	int err;
 
 	*pp_tkt = NULL;
 	*keyblock = NULL;
@@ -154,25 +156,39 @@ static bool ads_keytab_verify_ticket(krb5_context context,
 	my_fqdn[0] = '\0';
 	name_to_fqdn(my_fqdn, global_myname());
 
-	if (asprintf(&valid_princ_formats[0], "%s$@%s", my_name, lp_realm()) == -1) {
+	err = asprintf(&valid_princ_formats[0],
+			"%s$@%s", my_name, lp_realm());
+	if (err == -1) {
 		goto out;
 	}
-	if (asprintf(&valid_princ_formats[1], "host/%s@%s", my_name, lp_realm()) == -1) {
+	err = asprintf(&valid_princ_formats[1],
+			"host/%s@%s", my_name, lp_realm());
+	if (err == -1) {
 		goto out;
 	}
-	if (asprintf(&valid_princ_formats[2], "host/%s@%s", my_fqdn, lp_realm()) == -1) {
+	err = asprintf(&valid_princ_formats[2],
+			"host/%s@%s", my_fqdn, lp_realm());
+	if (err == -1) {
 		goto out;
 	}
-	if (asprintf(&valid_princ_formats[3], "host/%s.%s@%s", my_name, lp_realm(), lp_realm()) == -1) {
+	err = asprintf(&valid_princ_formats[3],
+			"host/%s.%s@%s", my_name, lp_realm(), lp_realm());
+	if (err == -1) {
 		goto out;
 	}
-	if (asprintf(&valid_princ_formats[4], "cifs/%s@%s", my_name, lp_realm()) == -1) {
+	err = asprintf(&valid_princ_formats[4],
+			"cifs/%s@%s", my_name, lp_realm());
+	if (err == -1) {
 		goto out;
 	}
-	if (asprintf(&valid_princ_formats[5], "cifs/%s@%s", my_fqdn, lp_realm()) == -1) {
+	err = asprintf(&valid_princ_formats[5],
+			"cifs/%s@%s", my_fqdn, lp_realm());
+	if (err == -1) {
 		goto out;
 	}
-	if (asprintf(&valid_princ_formats[6], "cifs/%s.%s@%s", my_name, lp_realm(), lp_realm()) == -1) {
+	err = asprintf(&valid_princ_formats[6],
+			"cifs/%s.%s@%s", my_name, lp_realm(), lp_realm());
+	if (err == -1) {
 		goto out;
 	}
 
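Review bot: Each rewritten stanza still jumps to `out` when `asprintf()` returns -1, and the cleanup loop visible in a later hunk runs `SAFE_FREE(valid_princ_formats[i])` over all seven slots. The array starts out all NULL, but `asprintf()` does not guarantee the contents of its output pointer after a failure, so the slot that failed may no longer be NULL when it is freed, unless the replacement `asprintf` used in this tree guarantees otherwise. Resetting the slot on the error path avoids depending on that, e.g. `if (err == -1) { valid_princ_formats[0] = NULL; goto out; }`, repeated for indices 1 to 6. `ads_keytab_verify_ticket()` begins before and ends after this hunk.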
@@ -181,7 +197,8 @@ static bool ads_keytab_verify_ticket(krb5_context context,
 
 	ret = smb_krb5_open_keytab(context, NULL, False, &keytab);
 	if (ret) {
-		DEBUG(1, ("ads_keytab_verify_ticket: smb_krb5_open_keytab failed (%s)\n", error_message(ret)));
+		DEBUG(1, (__location__ ": smb_krb5_open_keytab failed (%s)\n",
+			  error_message(ret)));
 		goto out;
 	}
 
@@ -191,15 +208,20 @@ static bool ads_keytab_verify_ticket(krb5_context context,
 
 	ret = krb5_kt_start_seq_get(context, keytab, &kt_cursor);
 	if (ret) {
-		DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_start_seq_get failed (%s)\n", error_message(ret)));
+		DEBUG(1, (__location__ ": krb5_kt_start_seq_get failed (%s)\n",
+			  error_message(ret)));
 		goto out;
 	}
   
-	while (!auth_ok && (krb5_kt_next_entry(context, keytab, &kt_entry, &kt_cursor) == 0)) {
-		ret = smb_krb5_unparse_name(talloc_tos(), context, kt_entry.principal, &entry_princ_s);
+	while (!auth_ok &&
+	       (krb5_kt_next_entry(context, keytab,
+				   &kt_entry, &kt_cursor) == 0)) {
+		ret = smb_krb5_unparse_name(talloc_tos(), context,
+					    kt_entry.principal,
+					    &entry_princ_s);
 		if (ret) {
-			DEBUG(1, ("ads_keytab_verify_ticket: smb_krb5_unparse_name failed (%s)\n",
-				error_message(ret)));
+			DEBUG(1, (__location__ ": smb_krb5_unparse_name "
+				  "failed (%s)\n", error_message(ret)));
 			goto out;
 		}
 
@@ -214,32 +236,35 @@ static bool ads_keytab_verify_ticket(krb5_context context,
 			packet.data = (char *)ticket->data;
 			*pp_tkt = NULL;
 
-			ret = krb5_rd_req_return_keyblock_from_keytab(context, &auth_context, &packet,
-							  	      kt_entry.principal, keytab,
-								      NULL, pp_tkt, keyblock);
+			ret = krb5_rd_req_return_keyblock_from_keytab(context,
+						&auth_context, &packet,
+						kt_entry.principal, keytab,
+						NULL, pp_tkt, keyblock);
 
 			if (ret) {
-				DEBUG(10,("ads_keytab_verify_ticket: "
-					"krb5_rd_req_return_keyblock_from_keytab(%s) failed: %s\n",
-					entry_princ_s, error_message(ret)));
+				DEBUG(10, (__location__ ": krb5_rd_req_return"
+					   "_keyblock_from_keytab(%s) "
+					   "failed: %s\n", entry_princ_s,
+					   error_message(ret)));
 
-				/* workaround for MIT: 
+				/* workaround for MIT:
 				* as krb5_ktfile_get_entry will explicitly
 				* close the krb5_keytab as soon as krb5_rd_req
 				* has successfully decrypted the ticket but the
 				* ticket is not valid yet (due to clockskew)
 				* there is no point in querying more keytab
 				* entries - Guenther */
-					
-				if (ret == KRB5KRB_AP_ERR_TKT_NYV || 
+
+				if (ret == KRB5KRB_AP_ERR_TKT_NYV ||
 				    ret == KRB5KRB_AP_ERR_TKT_EXPIRED ||
 				    ret == KRB5KRB_AP_ERR_SKEW) {
 					break;
 				}
 			} else {
-				DEBUG(3,("ads_keytab_verify_ticket: "
-					"krb5_rd_req_return_keyblock_from_keytab succeeded for principal %s\n",
-					entry_princ_s));
+				DEBUG(3, (__location__ ": krb5_rd_req_return"
+					  "_keyblock_from_keytab succeeded "
+					  "for principal %s\n",
+					  entry_princ_s));
 				auth_ok = True;
 				break;
 			}
@@ -256,18 +281,20 @@ static bool ads_keytab_verify_ticket(krb5_context context,
 
 	ZERO_STRUCT(kt_cursor);
 
-  out:
-	
+out:
+
 	for (i = 0; i < ARRAY_SIZE(valid_princ_formats); i++) {
 		SAFE_FREE(valid_princ_formats[i]);
 	}
-	
+
 	if (!auth_ok) {
 		if (!number_matched_principals) {
-			DEBUG(3, ("ads_keytab_verify_ticket: no keytab principals matched expected file service name.\n"));
+			DEBUG(3, (__location__ ": no keytab principals "
+				  "matched expected file service name.\n"));
 		} else {
-			DEBUG(3, ("ads_keytab_verify_ticket: krb5_rd_req failed for all %d matched keytab principals\n",
-				number_matched_principals));
+			DEBUG(3, (__location__ ": krb5_rd_req failed for "
+				  "all %d matched keytab principals\n",
+				  number_matched_principals));
 		}
 	}
 
@@ -276,7 +303,8 @@ static bool ads_keytab_verify_ticket(krb5_context context,
 	{
 		krb5_keytab_entry zero_kt_entry;
 		ZERO_STRUCT(zero_kt_entry);
-		if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
+		if (memcmp(&zero_kt_entry, &kt_entry,
+			   sizeof(krb5_keytab_entry))) {
 			smb_krb5_kt_free_entry(context, &kt_entry);
 		}
 	}
@@ -284,7 +312,8 @@ static bool ads_keytab_verify_ticket(krb5_context context,
 	{
 		krb5_kt_cursor zero_csr;
 		ZERO_STRUCT(zero_csr);
-		if ((memcmp(&kt_cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) && keytab) {
+		if ((memcmp(&kt_cursor, &zero_csr,
+			    sizeof(krb5_kt_cursor)) != 0) && keytab) {
 			krb5_kt_end_seq_get(context, keytab, &kt_cursor);
 		}
 	}
@@ -296,9 +325,9 @@ static bool ads_keytab_verify_ticket(krb5_context context,
 	return auth_ok;
 }
 
-/**********************************************************************************
+/*****************************************************************************
  Try to verify a ticket using the secrets.tdb.
-***********************************************************************************/
+******************************************************************************/
 
 static krb5_error_code ads_secrets_verify_ticket(krb5_context context,
 						krb5_auth_context auth_context,
@@ -314,12 +343,12 @@ static krb5_error_code ads_secrets_verify_ticket(krb5_context context,
 	char *password_s = NULL;
 	/* Let's make some room for 2 password (old and new)*/
 	krb5_data passwords[2];
-	krb5_enctype enctypes[] = { 
+	krb5_enctype enctypes[] = {
 #if defined(ENCTYPE_ARCFOUR_HMAC)
 		ENCTYPE_ARCFOUR_HMAC,
 #endif
-		ENCTYPE_DES_CBC_CRC, 
-		ENCTYPE_DES_CBC_MD5, 
+		ENCTYPE_DES_CBC_CRC,
+		ENCTYPE_DES_CBC_MD5,
 		ENCTYPE_NULL
 	};
 	krb5_data packet;
@@ -337,9 +366,10 @@ static krb5_error_code ads_secrets_verify_ticket(krb5_context context,
 		return False;
 	}
 
-	password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
+	password_s = secrets_fetch_machine_password(lp_workgroup(),
+						    NULL, NULL);
 	if (!password_s) {
-		DEBUG(1,("ads_secrets_verify_ticket: failed to fetch machine password\n"));
+		DEBUG(1,(__location__ ": failed to fetch machine password\n"));
 		*perr = KRB5_LIBOS_CANTREADPWD;
 		return False;
 	}
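Review bot: The failure path `*perr = KRB5_LIBOS_CANTREADPWD; return False;` sits in a function declared `static krb5_error_code ads_secrets_verify_ticket(...)`, so when the machine password cannot be read the function returns 0, which is the success value for a krb5_error_code. If callers read the result as a boolean, as `False` suggests, the declaration should say so (`static bool ads_secrets_verify_ticket(`). If any caller tests it as an error code, this path would be treated as success. The callers and the rest of the body are outside this hunk, so which case applies has to be checked there. The same `return False;` also appears in the context lines above the change.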
@@ -349,7 +379,7 @@ static krb5_error_code ads_secrets_verify_ticket(krb5_context context,
 
 	password_s = secrets_fetch_prev_machine_password(lp_workgroup());
 	if (password_s) {
-		DEBUG(10,("ads_secrets_verify_ticket: found previous password\n"));
+		DEBUG(10, (__location__ ": found previous password\n"));
 		passwords[1].data = password_s;
 		passwords[1].length = strlen(password_s);
 	}
@@ -359,7 +389,8 @@ static krb5_error_code ads_secrets_verify_ticket(krb5_context context,
 	packet.length = ticket->length;
 	packet.data = (char *)ticket->data;
 
-	/* We need to setup a auth context with each possible encoding type in turn. */
+	/* We need to setup a auth context with each possible encoding type
+	 * in turn. */
 	for (j=0; j<2 && passwords[j].length; j++) {
 
 		for (i=0;enctypes[i];i++) {
@@ -370,18 +401,22 @@ static krb5_error_code ads_secrets_verify_ticket(krb5_context context,
 				goto out;
 			}
 
-			if (create_kerberos_key_from_string(context, host_princ, &passwords[j], key, enctypes[i], false)) {
+			if (create_kerberos_key_from_string(context,
+						host_princ, &passwords[j],
+						key, enctypes[i], false)) {
 				SAFE_FREE(key);
 				continue;
 			}
 
-			krb5_auth_con_setuseruserkey(context, auth_context, key);
+			krb5_auth_con_setuseruserkey(context,
+							auth_context, key);
 
-			if (!(ret = krb5_rd_req(context, &auth_context, &packet,
-						NULL,
-						NULL, NULL, pp_tkt))) {
-				DEBUG(10,("ads_secrets_verify_ticket: enc type [%u] decrypted message !\n",
-					(unsigned int)enctypes[i] ));
+			if (!(ret = krb5_rd_req(context, &auth_context,


-- 
Samba Shared Repository

