[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Tue Jan 7 08:54:03 MST 2014
The branch, master has been updated
via 7d2abf5 s4:netlogon: implement "allow nt4 crypto" and "reject md5 clients" features.
via 2e36fbc s4:netlogon: don't generate a debug message for SEC_CHAN_NULL.
via 3b77b80 s4:netlogon: correctly calculate the negotiate_flags
via 0d4806f selftest/Samba4: use "allow nt4 crypto = yes" for testing
via 807bcb4 lib/param: add "reject md5 client" option, defaulting to false
via 87bdc88 lib/param: add "allow nt4 crypto" option, defaulting to false
via 3d45d4d libcli/auth: remove unused netlogon_creds_cli_context_copy()
via c0761c3 s3:rpc_client: finally remove unused rpc_pipe_client->netlogon_creds
via 3f41b58 s3:rpc_client: remove unused rpccli_netlogon_sam_network_logon()
via e4fea80 s3:rpc_client: remove unused rpccli_netlogon_sam_logon()
via a4faf57 s3:rpc_client: remove unused rpccli_netlogon_setup_creds()
via 6d457ad s3:rpc_client: remove unused rpccli_netlogon_set_trust_password()
via 660150b s3:rpc_client: make cli_rpc_pipe_open_schannel() more flexible
via a34c837 s3:winbindd: make use of rpccli_netlogon_network_logon()
via c6bb47f s3:rpcclient: make use of rpccli_netlogon_password_logon() in the 'samlogon' cmd
via 4c99e49 s3:rpcclient: remove optional auth_level parameter of the 'samlogon' cmd
via a012e2f s3:rpcclient: give errors and clean up correctly after failing to obtain secret
via 5107ca0 s3:rpcclient: make use of rpccli_{create,setup}_netlogon_creds()
via 77defb1 s3:libnet: pass in struct netlogon_creds_cli_context from the caller.
via a8ecebe s3:libsmb: remove unused trust_pw_find_change_and_store_it()
via 3c30e19 s3:winbindd: make use of trust_pw_change() in _wbint_ChangeMachineAccount()
via 57741dd s3:winbindd: make use of trust_pw_change() for periodic password changes
via dbd49d9 s3:winbindd: use invalidate_cm_connection() to kill the netlogon connection
via cfd1393 s3:net_rpc: make use of trust_pw_change()
via a9281e6 s3:rpcclient: make use of trust_pw_change()
via 16c6e49 s3:libsmb: add trust_pw_change()
via d1340c2 s3:net_rpc: add net_context->netlogon_creds
via 3bf7781 s3:rpcclient: make use of rpcclient_netlogon_creds instead of cli->netlogon_creds
via fb13b00 s3:rpcclient: remove unused rpccli_netlogon_setup_creds() from cmd_netlogon_database_redo()
via 1696b12 s3:rpcclient: add rpcclient_netlogon_creds
via a1c468e s3:rpcclient: add rpcclient_msg_ctx
via 94caf7e s3:rpc_client: use rpccli_{create,setup}_netlogon_creds() in cli_rpc_pipe_open_schannel()
via 3a89eee s3:libnet: use rpccli_{create,setup}_netlogon_creds() in libnet_join_joindomain_rpc_unsecure
via 9638005 s3:libnet_join: make use of rpccli_{create,setup}_netlogon_creds()
via 531bbf3 s3:auth_domain: make use of rpccli_netlogon_network_logon()
via 34e6678 s3:auth_domain: make use of rpccli_{create,setup}_netlogon_creds()
via d9d55f5 s3:auth_domain: simplify connect_to_domain_password_server()
via 22e4e2c s3:winbindd: make use of rpccli_{create,setup}_netlogon_creds()
via 07126b6 s3:winbindd: call rpccli_pre_open_netlogon_creds() in the parent
via b7dc3fb s3:rpc_client: add rpccli_netlogon_password_logon()
via 5196493 s3:rpc_client: add rpccli_netlogon_network_logon()
via a07cc9a s3:rpc_client: remove unused rpccli_netlogon_sam_network_logon_ex()
via 3c025af s3:rpc_client: add rpccli_pre_open_netlogon_creds()
via 14ceb7b s3:rpc_client: add rpccli_{create,setup}_netlogon_creds()
via 5adfc5f s3:rpc_client: use netlogon_creds_cli_auth_level() in cli_rpc_pipe_open_schannel_with_key()
via 38d4dba3 s3:rpc_client: make use of the new netlogon_creds_cli_context
via 11aed7c docs-xml: update 'winbind sealed pipes' description
via 225982e s3:winbindd: make use of the "winbind sealed pipes" option for all connections
via 1d69fdd docs-xml: explain the interaction of 'client schannel' with 'require strong key = yes'
via f703a37 docs-xml: explain the interaction between security = ads and other options.
via fa3af7c libcli/auth: make use of real options in netlogon_creds_cli_context_global()
via e7954bc s3:param: set Globals.bRequireStrongKey = true
via 6630c68 lib/param: add "require strong key" option, defaulting to true
via de4f8f0 lib/param: add "reject md5 servers" option, defaulting to false
via b39ca3a lib/param: add "neutralize nt4 emulation" option, defaulting to false
via 99d8653 s3:param: set Globals.bWinbindSealedPipes = true
via dc96b1d libcli/auth: use unique key_name values in netlogon_creds_cli_context_common()
via 6e6d9f9 libcli/auth: add netlogon_creds_cli* infrastructure
from 6b586c3 s4:librpc: remove recv_data from transport
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 7d2abf520df1ff46d79dfd8ff579c230f2bc3c2a
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 6 12:08:50 2013 +0100
s4:netlogon: implement "allow nt4 crypto" and "reject md5 clients" features.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue Jan 7 16:53:31 CET 2014 on sn-devel-104
commit 2e36fbc77dc43f31ec78cdbef23b94bd00d6f565
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 23 10:10:17 2013 +0100
s4:netlogon: don't generate a debug message for SEC_CHAN_NULL.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3b77b804cdc9e7621f026ef9bc8e7059f471348e
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 23 10:12:24 2013 +0100
s4:netlogon: correctly calculate the negotiate_flags
We need to bit-wise AND the client and server flags.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0d4806f9f056c3e37f5aed1ef19e2924aa8f4151
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 6 13:41:43 2013 +0100
selftest/Samba4: use "allow nt4 crypto = yes" for testing
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 807bcb4981fb20a9b97e69f01c3545ea7e85666e
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 6 11:39:15 2013 +0100
lib/param: add "reject md5 client" option, defaulting to false
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 87bdc88328568359e51af6615b378ba8dc67f647
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 6 11:38:21 2013 +0100
lib/param: add "allow nt4 crypto" option, defaulting to false
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3d45d4dc3c69557bf1d1fe6d4a880ad74a2a41f1
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Oct 17 19:17:12 2013 +0200
libcli/auth: remove unused netlogon_creds_cli_context_copy()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c0761c3eae34175d772476006caf5caad68bd8c6
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Sep 16 19:25:27 2013 +0200
s3:rpc_client: finally remove unused rpc_pipe_client->netlogon_creds
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3f41b583840ffa2220f61eea61833bf3c6bd33db
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Sep 16 19:23:54 2013 +0200
s3:rpc_client: remove unused rpccli_netlogon_sam_network_logon()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e4fea80693b49e79a96acdac09d5ea292756635c
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Sep 16 19:23:18 2013 +0200
s3:rpc_client: remove unused rpccli_netlogon_sam_logon()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a4faf57b47095bfc0f4370ac093c8c4cef17584f
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Sep 6 13:06:53 2013 +0200
s3:rpc_client: remove unused rpccli_netlogon_setup_creds()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6d457ad9c156cf86d99e58dea21dba170defad1b
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Sep 6 13:54:30 2013 +0200
s3:rpc_client: remove unused rpccli_netlogon_set_trust_password()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 660150b12a637da7f9ebb820e687f27ac22fb93a
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Sep 16 20:53:51 2013 +0200
s3:rpc_client: make cli_rpc_pipe_open_schannel() more flexible
It expects a messaging_context now
and returns a netlogon_creds_cli_context.
This way we can finally avoid having a rpc_pipe_client->netlogon_creds.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a34c837fdb59df1e66be9b5f23a07990e34fea1c
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 17 00:56:15 2013 +0200
s3:winbindd: make use of rpccli_netlogon_network_logon()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c6bb47f2f199cc13101dccf656ac36e9eb879201
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 17 00:48:31 2013 +0200
s3:rpcclient: make use of rpccli_netlogon_password_logon() in the 'samlogon' cmd
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4c99e49898151a514e334a07f38eed83fe608c05
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Sep 17 00:46:09 2013 +0200
s3:rpcclient: remove optional auth_level parameter of the 'samlogon' cmd
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a012e2fdd6733e871ddeb68874a2df8413ad91ed
Author: Garming Sam <garming at catalyst.net.nz>
Date: Fri Nov 29 14:45:20 2013 +1300
s3:rpcclient: give errors and clean up correctly after failing to obtain secret
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5107ca02a41673739a1fc4a1c2a0fbe8465f211a
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Sep 16 20:51:25 2013 +0200
s3:rpcclient: make use of rpccli_{create,setup}_netlogon_creds()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 77defb175e3ffd1b096485ac7de38ad161594b72
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Sep 16 19:19:39 2013 +0200
s3:libnet: pass in struct netlogon_creds_cli_context from the caller.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a8ecebe3e840005c81df043cb07773972aaa2371
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Sep 16 18:39:52 2013 +0200
s3:libsmb: remove unused trust_pw_find_change_and_store_it()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3c30e19c4a0e60e355b2f1d35edbb0a3b7688089
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Sep 16 18:37:34 2013 +0200
s3:winbindd: make use of trust_pw_change() in _wbint_ChangeMachineAccount()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 57741dd4ba5a9ed3abf7aad35a2a69fd66b49b4b
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Sep 16 18:36:43 2013 +0200
s3:winbindd: make use of trust_pw_change() for periodic password changes
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit dbd49d90bbf175525557eaa983ad57ca5076d710
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Sep 16 18:35:39 2013 +0200
s3:winbindd: use invalidate_cm_connection() to kill the netlogon connection
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cfd139347c21f4f4ddd16026c2c8c221feabd6c5
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Sep 16 18:34:48 2013 +0200
s3:net_rpc: make use of trust_pw_change()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a9281e6570fcc5ff5abe3149615bed7029d1cf71
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Sep 16 18:33:51 2013 +0200
s3:rpcclient: make use of trust_pw_change()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 16c6e4992fa882207eeaff0a1c4d9fe217be48b7
Author: Stefan Metzmacher <metze at samba.org>
Date: Sun Sep 15 13:19:52 2013 +0200
s3:libsmb: add trust_pw_change()
This protects the password change using a domain specific g_lock,
so multiple parts 'net rpc', 'rpcclient', 'winbindd', 'wbinfo --change-secret'
even on multiple cluster nodes don't race anymore.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d1340c20b0900f54e2c73c4a363f45988b1ba097
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Sep 16 19:59:11 2013 +0200
s3:net_rpc: add net_context->netlogon_creds
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3bf77812e80b50f254af64e4935301719f78987e
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Sep 16 19:00:22 2013 +0200
s3:rpcclient: make use of rpcclient_netlogon_creds instead of cli->netlogon_creds
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit fb13b002d599049f229d2014e1b94f82952b7150
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Sep 16 18:57:09 2013 +0200
s3:rpcclient: remove unused rpccli_netlogon_setup_creds() from cmd_netlogon_database_redo()
rpccli_netlogon_setup_creds() is already called in the main do_cmd()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1696b127c61fea76fce3d992632a822ed78de07c
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Sep 16 18:29:30 2013 +0200
s3:rpcclient: add rpcclient_netlogon_creds
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a1c468e1d75d490f0e531feb08188ddc3f0d77b5
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Sep 16 18:24:44 2013 +0200
s3:rpcclient: add rpcclient_msg_ctx
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 94caf7e190563423914b653d0c2fc4a4abf1f899
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Sep 11 10:06:41 2013 +0200
s3:rpc_client: use rpccli_{create,setup}_netlogon_creds() in cli_rpc_pipe_open_schannel()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3a89eee03a95d4b142bf0830f40debc75bfa2e26
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Sep 5 20:57:02 2013 +0200
s3:libnet: use rpccli_{create,setup}_netlogon_creds() in libnet_join_joindomain_rpc_unsecure
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 963800539cea7487fc6258f8ac8f7cacc3426b83
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Sep 2 19:32:23 2013 +0200
s3:libnet_join: make use of rpccli_{create,setup}_netlogon_creds()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 531bbf3aff3fb08aaf112b21038f20544db60b69
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 27 15:02:26 2013 +0200
s3:auth_domain: make use of rpccli_netlogon_network_logon()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 34e66780e573bebf4b971fb96e1ed8680c1488a9
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 27 15:01:10 2013 +0200
s3:auth_domain: make use of rpccli_{create,setup}_netlogon_creds()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d9d55f5406949187901476d673c7d6ff0fc165c2
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 27 13:07:45 2013 +0200
s3:auth_domain: simplify connect_to_domain_password_server()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 22e4e2c1d1252e434cb928d4530c378a62a64138
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Aug 7 11:32:44 2013 +0200
s3:winbindd: make use of rpccli_{create,setup}_netlogon_creds()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 07126b6fb22cebce660d1d1a4f0f9fb905064aa0
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 17 20:06:14 2013 +0100
s3:winbindd: call rpccli_pre_open_netlogon_creds() in the parent
This opens the CLEAR_IF_FIRST tdb in the long living parent.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b7dc3fb20468aa67ea7ddc1cea21fbe458e74565
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 27 14:56:06 2013 +0200
s3:rpc_client: add rpccli_netlogon_password_logon()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5196493c9e599b741417b119b48188ba0d646a37
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 27 14:36:24 2013 +0200
s3:rpc_client: add rpccli_netlogon_network_logon()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a07cc9a1c6ab8fee516e069a6f90bb48a7abf875
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 27 14:07:43 2013 +0200
s3:rpc_client: remove unused rpccli_netlogon_sam_network_logon_ex()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3c025af657899c9a2ff14f868c03ff72ab74cf8e
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 17 20:05:56 2013 +0100
s3:rpc_client: add rpccli_pre_open_netlogon_creds()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 14ceb7b501fce6623be284cbcceb573fd2e10d3a
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Aug 7 11:27:25 2013 +0200
s3:rpc_client: add rpccli_{create,setup}_netlogon_creds()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5adfc5f9f737c003b84b0187fa17b9fc3784442e
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Oct 17 17:03:00 2013 +0200
s3:rpc_client: use netlogon_creds_cli_auth_level() in cli_rpc_pipe_open_schannel_with_key()
This means the auth level is now based on the "winbindd sealed pipes" option,
defaulting to "yes" and DCERPC_AUTH_LEVEL_PRIVACY.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 38d4dba37406515181e4d6f1a1faffc18e652e27
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jul 27 11:30:13 2013 +0200
s3:rpc_client: make use of the new netlogon_creds_cli_context
This exchanges rpc_pipe_client->dc with rpc_pipe_client->netlogon_creds
and lets the secure channel session state be stored in a node local database.
This is the proper fix for a large number of bugs:
https://bugzilla.samba.org/show_bug.cgi?id=6563
https://bugzilla.samba.org/show_bug.cgi?id=7944
https://bugzilla.samba.org/show_bug.cgi?id=7945
https://bugzilla.samba.org/show_bug.cgi?id=7568
https://bugzilla.samba.org/show_bug.cgi?id=8599
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 11aed7cd3dbd967593b34a206f0802fd0002bf27
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Nov 14 18:53:06 2013 +0100
docs-xml: update 'winbind sealed pipes' description
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 225982e1cb6276ed5c6a47c0e4827d75e8ab2fb1
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Oct 17 19:31:58 2013 +0200
s3:winbindd: make use of the "winbind sealed pipes" option for all connections
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1d69fdddd5287757c2e67b0982d00241a6d75d26
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 23 10:46:57 2013 +0100
docs-xml: explain the interaction of 'client schannel' with 'require strong key = yes'
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f703a37a56e215827dbb2a7ec8da6738bf17f600
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 23 10:45:27 2013 +0100
docs-xml: explain the interaction between security = ads and other options.
It implies 'require strong key = yes' and 'client schannel = yes'.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit fa3af7c2e8f1bf292e190ba3d933b6e1d552595d
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Oct 17 18:48:15 2013 +0200
libcli/auth: make use of real options in netlogon_creds_cli_context_global()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e7954bcc04ec6761b2ed6dad08b90c65efafa948
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Oct 17 19:01:47 2013 +0200
s3:param: set Globals.bRequireStrongKey = true
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6630c68cce8fbbd700e7d4cd92ec3ebb2a268f06
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Oct 17 18:39:56 2013 +0200
lib/param: add "require strong key" option, defaulting to true
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit de4f8f0825790452455a9d51e9d84d4d4a5c0d3b
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Oct 17 18:39:56 2013 +0200
lib/param: add "reject md5 servers" option, defaulting to false
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b39ca3a2aefdd43a55b9cdd8fa5136254b283927
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Oct 17 18:39:56 2013 +0200
lib/param: add "neutralize nt4 emulation" option, defaulting to false
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 99d8653d83aa2e2e3a0ea097ab7cb65d62d76daf
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Oct 17 19:01:28 2013 +0200
s3:param: set Globals.bWinbindSealedPipes = true
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit dc96b1ddccfe8eb1a631355f9471ee0b620d682c
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 13 17:31:45 2013 +0100
libcli/auth: use unique key_name values in netlogon_creds_cli_context_common()
Until all callers are fixed to pass the same 'server_computer'
value, we try to calculate a server_netbios_name and use this
as unique identifier for a specific domain controller.
Otherwise winbind would use 'hostname.example.com'
while 'net rpc testjoin' would use 'HOSTNAME',
which leads to 2 records in netlogon_creds_cli.tdb
for the same domain controller.
Once all callers are fixed we can think about reverting this
commit.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6e6d9f9f12284ed06a21cc02080e436b7326065f
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Apr 18 19:16:42 2013 +0200
libcli/auth: add netlogon_creds_cli* infrastructure
This provides an abstraction to hide netlogon_creds_CredentialState,
which is stored in a node local tdb.
Where the global state (netlogon_creds_CredentialState) between client and
server was only kept in memory (on the client side), we now use
the abstracted netlogon_creds_cli_context.
We now use a node specific computer name in order to establish
individual netlogon sessions per node.
If the caller wants to use some netlogon calls with credential chain
(struct netr_Authenticator), netlogon_creds_cli_lock*() is used
to get the current netlogon_creds_CredentialState in a g_lock'ed
fashion, a talloc_free() will release the lock.
The locking is needed as there might be more than one process
(multiple winbindd children, cmdline tools) which want to talk
to a specific domain controller. The usage of netlogon_creds_CredentialState
needs to be serialized as it uses sequence numbers.
LogonSamLogonEx doesn't use the credential chain, but for some operations
it needs the global session in order to de/encrypt individual fields.
It uses the lockless netlogon_creds_cli_get() and netlogon_creds_cli_validate()
functions, which just make sure the session hasn't changed between
get and validate.
This prepares the proper fix for a large number of bugs:
https://bugzilla.samba.org/show_bug.cgi?id=6563
https://bugzilla.samba.org/show_bug.cgi?id=7944
https://bugzilla.samba.org/show_bug.cgi?id=7945
https://bugzilla.samba.org/show_bug.cgi?id=7568
https://bugzilla.samba.org/show_bug.cgi?id=8599
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
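The server-side decision described by the "allow nt4 crypto", "reject md5 clients" and "correctly calculate the negotiate_flags" commits in this push, written out as an added illustration (this is not Samba's code and not part of the changeset). The struct, enum and function names are hypothetical; the two flag values are the ones defined in MS-NRPC.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Negotiation flag bits as defined in MS-NRPC. */
#define NETLOGON_NEG_STRONG_KEYS  0x00004000u
#define NETLOGON_NEG_SUPPORTS_AES 0x01000000u

/* Hypothetical mirror of the two server-side smb.conf options. */
struct netlogon_policy {
    bool allow_nt4_crypto;    /* "allow nt4 crypto", default no   */
    bool reject_md5_clients;  /* "reject md5 clients", default no */
};

enum verdict { ACCEPT_AES, ACCEPT_STRONG_KEY, ACCEPT_NT4_CRYPTO, REJECT };

/* Only capabilities offered by BOTH sides count: bit-wise AND. */
static uint32_t negotiate(uint32_t client_flags, uint32_t server_flags)
{
    return client_flags & server_flags;
}

/*
 * Decide on the negotiated flags, not on what the client claimed.
 * "reject md5 clients" is checked before "allow nt4 crypto", which is
 * what "takes precedence" means in the option descriptions.
 */
static enum verdict evaluate(const struct netlogon_policy *p,
                             uint32_t client_flags, uint32_t server_flags)
{
    uint32_t negotiated = negotiate(client_flags, server_flags);

    if (negotiated & NETLOGON_NEG_SUPPORTS_AES) {
        return ACCEPT_AES;
    }
    if (p->reject_md5_clients) {
        return REJECT;              /* no AES: refused outright */
    }
    if (negotiated & NETLOGON_NEG_STRONG_KEYS) {
        return ACCEPT_STRONG_KEY;
    }
    if (p->allow_nt4_crypto) {
        return ACCEPT_NT4_CRYPTO;   /* weak crypto, downgrade possible */
    }
    return REJECT;                  /* new default behaviour */
}

static const char *verdict_name(enum verdict v)
{
    switch (v) {
    case ACCEPT_AES:        return "accept (AES)";
    case ACCEPT_STRONG_KEY: return "accept (strong key)";
    case ACCEPT_NT4_CRYPTO: return "accept (NT4 crypto)";
    default:                return "reject";
    }
}

int main(void)
{
    /* Constructed sample inputs: server capabilities and three clients. */
    const uint32_t server = NETLOGON_NEG_STRONG_KEYS | NETLOGON_NEG_SUPPORTS_AES;
    const uint32_t clients[] = {
        NETLOGON_NEG_STRONG_KEYS | NETLOGON_NEG_SUPPORTS_AES,
        NETLOGON_NEG_STRONG_KEYS,
        0u,
    };
    const struct netlogon_policy policies[] = {
        { false, false },  /* defaults after this changeset       */
        { true,  false },  /* "allow nt4 crypto = yes"            */
        { true,  true  },  /* both set: "reject md5 clients" wins */
    };

    for (size_t i = 0; i < sizeof(policies) / sizeof(policies[0]); i++) {
        for (size_t j = 0; j < sizeof(clients) / sizeof(clients[0]); j++) {
            printf("allow_nt4=%d reject_md5=%d client=0x%08x -> %s\n",
                   policies[i].allow_nt4_crypto,
                   policies[i].reject_md5_clients,
                   (unsigned)clients[j],
                   verdict_name(evaluate(&policies[i], clients[j], server)));
        }
    }
    return 0;
}
```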
Summary of changes:
docs-xml/smbdotconf/logon/allownt4crypto.xml | 26 +
docs-xml/smbdotconf/logon/rejectmd5clients.xml | 18 +
docs-xml/smbdotconf/security/clientschannel.xml | 5 +
docs-xml/smbdotconf/security/security.xml | 5 +-
.../smbdotconf/winbind/netutralizent4emulation.xml | 19 +
docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 23 +
docs-xml/smbdotconf/winbind/requirestrongkey.xml | 27 +
docs-xml/smbdotconf/winbind/winbindsealedpipes.xml | 6 +-
lib/param/loadparm.c | 1 +
lib/param/param_functions.c | 5 +
lib/param/param_table.c | 45 +
libcli/auth/netlogon_creds_cli.c | 2575 ++++++++++++++++++++
libcli/auth/netlogon_creds_cli.h | 134 +
libcli/auth/wscript_build | 4 +
selftest/target/Samba4.pm | 1 +
source3/auth/auth_domain.c | 197 +-
source3/include/proto.h | 11 +-
source3/libnet/libnet_join.c | 178 +-
source3/libnet/libnet_join.h | 5 +-
source3/libnet/libnet_samsync.c | 19 +-
source3/libnet/libnet_samsync.h | 1 +
source3/libsmb/trusts_util.c | 192 ++-
source3/param/loadparm.c | 2 +
source3/rpc_client/cli_netlogon.c | 622 ++----
source3/rpc_client/cli_netlogon.h | 87 +-
source3/rpc_client/cli_pipe.c | 138 +-
source3/rpc_client/cli_pipe.h | 15 +-
source3/rpc_client/cli_pipe_schannel.c | 170 +-
source3/rpc_client/rpc_client.h | 3 -
source3/rpcclient/cmd_netlogon.c | 114 +-
source3/rpcclient/rpcclient.c | 78 +-
source3/rpcclient/rpcclient.h | 2 +
source3/utils/net.h | 1 +
source3/utils/net_rpc.c | 15 +-
source3/utils/net_rpc_samsync.c | 1 +
source3/winbindd/winbindd.c | 8 +
source3/winbindd/winbindd.h | 15 +-
source3/winbindd/winbindd_cm.c | 178 +-
source3/winbindd/winbindd_dual.c | 18 +-
source3/winbindd/winbindd_dual_srv.c | 36 +-
source3/winbindd/winbindd_pam.c | 160 +-
source3/wscript_build | 6 +-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 75 +-
43 files changed, 4011 insertions(+), 1230 deletions(-)
create mode 100644 docs-xml/smbdotconf/logon/allownt4crypto.xml
create mode 100644 docs-xml/smbdotconf/logon/rejectmd5clients.xml
create mode 100644 docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
create mode 100644 docs-xml/smbdotconf/winbind/rejectmd5servers.xml
create mode 100644 docs-xml/smbdotconf/winbind/requirestrongkey.xml
create mode 100644 libcli/auth/netlogon_creds_cli.c
create mode 100644 libcli/auth/netlogon_creds_cli.h
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
new file mode 100644
index 0000000..4d417c7
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
@@ -0,0 +1,26 @@
+<samba:parameter name="allow nt4 crypto"
+ context="G"
+ type="boolean"
+ advanced="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls whether the netlogon server (currently
+ only in 'active directory domain controller' mode), will
+ reject clients which does not support NETLOGON_NEG_STRONG_KEYS
+ nor NETLOGON_NEG_SUPPORTS_AES.</para>
+
+ <para>This option was added with Samba 4.2.0. It may lock out clients
+ which worked fine with Samba versions up to 4.1.x. as the effective default
+ was "yes" there, while it is "no" now.</para>
+
+ <para>If you have clients without RequireStrongKey = 1 in the registry,
+ you may need to set "allow nt4 crypto = yes", until you have fixed all clients.
+ </para>
+
+ <para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para>
+
+ <para>This option yields precedence to the 'reject md5 clients' option.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
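Review bot: The first <para> never says which value causes rejection: it reads "controls whether the netlogon server ... will reject clients", but the option is named "allow", so the reader has to infer that the default "no" is the rejecting setting. Suggest stating it directly, for example that with "no" clients supporting neither NETLOGON_NEG_STRONG_KEYS nor NETLOGON_NEG_SUPPORTS_AES are rejected. In the same paragraph "clients which does not support" should be "do not support", and "up to 4.1.x. as" carries a stray full stop.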
diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
new file mode 100644
index 0000000..04a5b4d
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="reject md5 clients"
+ context="G"
+ type="boolean"
+ advanced="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls whether the netlogon server (currently
+ only in 'active directory domain controller' mode), will
+ reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
+
+ <para>You can set this to yes if all domain members support aes.
+ This will prevent downgrade attacks.</para>
+
+ <para>This option takes precedence to the 'allow nt4 crypto' option.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
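Review bot: The last <para> says this option "takes precedence to" 'allow nt4 crypto' without saying what that means in practice; "takes precedence over" is the usual wording, and one sentence stating that "allow nt4 crypto = yes" has no effect for non-AES clients once this is "yes" would remove the guesswork. Unlike allownt4crypto.xml, there is no note of the Samba release that introduced the option. "clients which does not support" should be "do not support", and "aes" in prose would read better as "AES".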
diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml
index e229182..ac4cc59 100644
--- a/docs-xml/smbdotconf/security/clientschannel.xml
+++ b/docs-xml/smbdotconf/security/clientschannel.xml
@@ -12,6 +12,11 @@
enforce it, and <smbconfoption name="client schannel">yes</smbconfoption> denies access
if the server is not able to speak netlogon schannel.
</para>
+
+ <para>Note that for active directory domains this is hardcoded to
+ <smbconfoption name="client schannel">yes</smbconfoption>.</para>
+
+ <para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para>
</description>
<value type="default">auto</value>
<value type="example">yes</value>
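Review bot: The two added paragraphs leave the effective behaviour unclear. This file says the option is hardcoded to "yes" "for active directory domains", while the security.xml hunk in the same changeset says it is forced "for the primary domain"; the scope should be worded the same way in both places. "yields precedence to the require strong key option" should also say which setting of that option overrides which value of 'client schannel', since this parameter has an "auto" default.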
diff --git a/docs-xml/smbdotconf/security/security.xml b/docs-xml/smbdotconf/security/security.xml
index 406089f..2f5c3f7 100644
--- a/docs-xml/smbdotconf/security/security.xml
+++ b/docs-xml/smbdotconf/security/security.xml
@@ -99,7 +99,10 @@
<para>Note that this mode does NOT make Samba operate as a Active Directory Domain
Controller. </para>
-
+
+ <para>Note that this forces <smbconfoption name="require strong key">yes</smbconfoption>
+ and <smbconfoption name="client schannel">yes</smbconfoption> for the primary domain.</para>
+
<para>Read the chapter about Domain Membership in the HOWTO for details.</para>
</description>
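Review bot: The "-" / "+" pair on the blank line ahead of the new <para> is a whitespace-only change; if it only adds or shuffles trailing whitespace, drop it so the hunk contains just the new paragraph. The new sentence would also benefit from saying that these values are forced regardless of what smb.conf sets, so an administrator who has "client schannel = no" configured is not surprised.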
diff --git a/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml b/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
new file mode 100644
index 0000000..8294a90
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="neutralize nt4 emulation"
+ context="G"
+ type="boolean"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls whether winbindd sends
+ the NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION flag in order to bypass
+ the NT4 emulation of a domain controller.</para>
+
+ <para>Typically you should not need set this.
+ It can be useful for upgrades from NT4 to AD domains.</para>
+
+ <para>The behavior can be controlled per netbios domain
+ by using 'neutralize nt4 emulation:NETBIOSDOMAIN = yes' as option.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
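Review bot: the new file is named netutralizent4emulation.xml, while the parameter it documents is "neutralize nt4 emulation"; the stray "t" looks like a typo and makes the file hard to find by parameter name, so renaming it to neutralizent4emulation.xml is suggested. In the description, "you should not need set this" is missing "to".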
diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
new file mode 100644
index 0000000..18f8bcb
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="reject md5 servers"
+ context="G"
+ type="boolean"
+ advanced="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls whether winbindd requires support
+ for aes support for the netlogon secure channel.</para>
+
+ <para>The following flags will be required NETLOGON_NEG_ARCFOUR,
+ NETLOGON_NEG_SUPPORTS_AES, NETLOGON_NEG_PASSWORD_SET2 and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
+
+ <para>You can set this to yes if all domain controllers support aes.
+ This will prevent downgrade attacks.</para>
+
+ <para>The behavior can be controlled per netbios domain
+ by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para>
+
+ <para>This option takes precedence to the <smbconfoption name="require strong key"/> option.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
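Review bot: the first paragraph reads "requires support for aes support", which repeats "support"; "requires aes support for the netlogon secure channel" says the same thing. The required-flags paragraph also lists NETLOGON_NEG_ARCFOUR and NETLOGON_NEG_PASSWORD_SET2 for an option described as being about AES, without saying why, so a short sentence on how this list relates to the one given for "require strong key" would help an administrator judge what a "yes" actually rejects. "takes precedence to" would read better as "takes precedence over".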
diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
new file mode 100644
index 0000000..de749bb
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
@@ -0,0 +1,27 @@
+<samba:parameter name="require strong key"
+ context="G"
+ type="boolean"
+ advanced="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls whether winbindd requires support
+ for md5 strong key support for the netlogon secure channel.</para>
+
+ <para>The following flags will be required NETLOGON_NEG_STRONG_KEYS,
+ NETLOGON_NEG_ARCFOUR and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
+
+ <para>You can set this to no if some domain controllers only support des.
+ This might allows weak crypto to be negotiated, may via downgrade attacks.</para>
+
+ <para>The behavior can be controlled per netbios domain
+ by using 'require strong key:NETBIOSDOMAIN = no' as option.</para>
+
+ <para>Note for active directory domain this option is hardcoded to 'yes'</para>
+
+ <para>This option yields precedence to the <smbconfoption name="reject md5 servers"/> option.</para>
+
+ <para>This option takes precedence to the <smbconfoption name="client schannel"/> option.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
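Review bot: the sentence that warns about the security impact of setting this to "no" is the hardest one to read: "This might allows weak crypto to be negotiated, may via downgrade attacks." Something like "This might allow weak crypto to be negotiated, possibly via downgrade attacks." is suggested, since this is the text an administrator relies on before weakening the default. Smaller points: "requires support for md5 strong key support" repeats "support", and the "hardcoded to 'yes'" note lacks a full stop and uses plain quotes where clientschannel.xml uses <smbconfoption>.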
diff --git a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
index 26f446e..63f5588 100644
--- a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
+++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
@@ -4,12 +4,12 @@
advanced="1" developer="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
- <para>This option controls whether any requests made over the Samba 4 winbind
+ <para>This option controls whether any requests from winbindd to domain controllers
pipe will be sealed. Disabling sealing can be useful for debugging
purposes.</para>
- <para>Note that this option only applies to the Samba 4 winbind and not
- to the standard winbind.</para>
+ <para>The behavior can be controlled per netbios domain
+ by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para>
</description>
<value type="default">yes</value>
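Review bot: the rewritten first line now runs into an unchanged context line that still begins "pipe will be sealed", so the resulting sentence reads "any requests from winbindd to domain controllers pipe will be sealed". The word "pipe" is left over from the old "Samba 4 winbind pipe" wording and should be removed as part of this hunk.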
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index df2ff6e..0e41aec 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2184,6 +2184,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "winbind separator", "\\");
lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
+ lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
lpcfg_do_global_parameter(lp_ctx, "winbindd privileged socket directory", dyn_WINBINDD_PRIVILEGED_SOCKET_DIR);
lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
index c4071c9..151c8b9 100644
--- a/lib/param/param_functions.c
+++ b/lib/param/param_functions.c
@@ -154,6 +154,7 @@ FN_LOCAL_PARM_BOOL(kernel_change_notify, bKernelChangeNotify)
FN_LOCAL_BOOL(durable_handles, bDurableHandles)
FN_GLOBAL_BOOL(allow_insecure_widelinks, bAllowInsecureWidelinks)
+FN_GLOBAL_BOOL(allow_nt4_crypto, bAllowNT4Crypto)
FN_GLOBAL_BOOL(allow_trusted_domains, bAllowTrustedDomains)
FN_GLOBAL_BOOL(async_smb_echo_handler, bAsyncSMBEchoHandler)
FN_GLOBAL_BOOL(bind_interfaces_only, bBindInterfacesOnly)
@@ -192,6 +193,7 @@ FN_GLOBAL_BOOL(log_writeable_files_on_exit, bLogWriteableFilesOnExit)
FN_GLOBAL_BOOL(map_untrusted_to_domain, bMapUntrustedToDomain)
FN_GLOBAL_BOOL(ms_add_printer_wizard, bMsAddPrinterWizard)
FN_GLOBAL_BOOL(multicast_dns_register, bMulticastDnsRegister)
+FN_GLOBAL_BOOL(neutralize_nt4_emulation, bNeutralizeNT4Emulation)
FN_GLOBAL_BOOL(nis_home_map, bNISHomeMap)
FN_GLOBAL_BOOL(nmbd_bind_explicit_broadcast, bNmbdBindExplicitBroadcast)
FN_GLOBAL_BOOL(ntlm_auth, bNTLMAuth)
@@ -203,6 +205,9 @@ FN_GLOBAL_BOOL(pam_password_change, bPamPasswordChange)
FN_GLOBAL_BOOL(passdb_expand_explicit, bPassdbExpandExplicit)
FN_GLOBAL_BOOL(passwd_chat_debug, bPasswdChatDebug)
FN_GLOBAL_BOOL(registry_shares, bRegistryShares)
+FN_GLOBAL_BOOL(reject_md5_clients, bRejectMD5Clients)
+FN_GLOBAL_BOOL(reject_md5_servers, bRejectMD5Servers)
+FN_GLOBAL_BOOL(require_strong_key, bRequireStrongKey)
FN_GLOBAL_BOOL(reset_on_zero_vc, bResetOnZeroVC)
FN_GLOBAL_BOOL(rpc_big_endian, bRpcBigEndian)
FN_GLOBAL_BOOL(stat_cache, bStatCache)
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 10cf046..3b1555d 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -4180,6 +4180,33 @@ static struct parm_struct parm_table[] = {
.enum_list = NULL,
.flags = FLAG_ADVANCED,
},
+ {
+ .label = "neutralize nt4 emulation",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
+ .offset = GLOBAL_VAR(bNeutralizeNT4Emulation),
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
+ {
+ .label = "reject md5 servers",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
+ .offset = GLOBAL_VAR(bRejectMD5Servers),
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
+ {
+ .label = "require strong key",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
+ .offset = GLOBAL_VAR(bRequireStrongKey),
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
{N_("DNS options"), P_SEP, P_SEPARATOR},
{
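Review bot: the table entry for "neutralize nt4 emulation" sets only FLAG_ADVANCED, while its XML description in this same patch declares both advanced="1" and developer="1". Please confirm which classification is intended and make the two agree; "reject md5 servers" and "require strong key" are declared advanced="1" only and already match.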
@@ -4289,6 +4316,24 @@ static struct parm_struct parm_table[] = {
.special = NULL,
.enum_list = NULL
},
+ {
+ .label = "allow nt4 crypto",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
+ .offset = GLOBAL_VAR(bAllowNT4Crypto),
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
+ {
+ .label = "reject md5 clients",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
+ .offset = GLOBAL_VAR(bRejectMD5Clients),
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
{N_("TLS options"), P_SEP, P_SEPARATOR},
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
new file mode 100644
index 0000000..1724064
--- /dev/null
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -0,0 +1,2575 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ module to store/fetch session keys for the schannel client
+
+ Copyright (C) Stefan Metzmacher 2013
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "system/filesys.h"
+#include <tevent.h>
+#include "lib/util/tevent_ntstatus.h"
+#include "lib/dbwrap/dbwrap.h"
+#include "lib/dbwrap/dbwrap_rbt.h"
+#include "lib/util/util_tdb.h"
+#include "libcli/security/security.h"
+#include "../lib/param/param.h"
+#include "../libcli/auth/schannel.h"
+#include "../librpc/gen_ndr/ndr_schannel.h"
+#include "../librpc/gen_ndr/ndr_netlogon_c.h"
+#include "../librpc/gen_ndr/server_id.h"
+#include "netlogon_creds_cli.h"
+#include "source3/include/messages.h"
+#include "source3/include/g_lock.h"
+
+struct netlogon_creds_cli_locked_state;
+
+struct netlogon_creds_cli_context {
+ struct {
+ const char *computer;
+ const char *account;
+ uint32_t proposed_flags;
+ uint32_t required_flags;
+ enum netr_SchannelType type;
+ enum dcerpc_AuthLevel auth_level;
+ } client;
+
+ struct {
+ const char *computer;
+ const char *netbios_domain;
+ uint32_t cached_flags;
+ bool try_validation6;
+ bool try_logon_ex;
+ bool try_logon_with;
+ } server;
+
+ struct {
+ const char *key_name;
+ TDB_DATA key_data;
+ struct db_context *ctx;
+ struct g_lock_ctx *g_ctx;
+ struct netlogon_creds_cli_locked_state *locked_state;
+ } db;
+};
+
+struct netlogon_creds_cli_locked_state {
+ struct netlogon_creds_cli_context *context;
+ bool is_glocked;
+ struct netlogon_creds_CredentialState *creds;
+};
+
+static int netlogon_creds_cli_locked_state_destructor(
+ struct netlogon_creds_cli_locked_state *state)
+{
+ struct netlogon_creds_cli_context *context = state->context;
+
+ if (context == NULL) {
+ return 0;
+ }
+
+ if (context->db.locked_state == state) {
+ context->db.locked_state = NULL;
+ }
+
+ if (state->is_glocked) {
+ g_lock_unlock(context->db.g_ctx,
+ context->db.key_name);
+ }
+
+ return 0;
+}
+
+static NTSTATUS netlogon_creds_cli_context_common(
+ const char *client_computer,
+ const char *client_account,
+ enum netr_SchannelType type,
+ enum dcerpc_AuthLevel auth_level,
+ uint32_t proposed_flags,
+ uint32_t required_flags,
+ const char *server_computer,
+ const char *server_netbios_domain,
+ TALLOC_CTX *mem_ctx,
+ struct netlogon_creds_cli_context **_context)
+{
+ struct netlogon_creds_cli_context *context = NULL;
+ TALLOC_CTX *frame = talloc_stackframe();
+ char *_key_name = NULL;
+ char *server_netbios_name = NULL;
+ char *p = NULL;
+
+ *_context = NULL;
+
+ context = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
+ if (context == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ context->client.computer = talloc_strdup(context, client_computer);
+ if (context->client.computer == NULL) {
+ TALLOC_FREE(context);
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ context->client.account = talloc_strdup(context, client_account);
+ if (context->client.account == NULL) {
+ TALLOC_FREE(context);
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ context->client.proposed_flags = proposed_flags;
+ context->client.required_flags = required_flags;
+ context->client.type = type;
+ context->client.auth_level = auth_level;
+
+ context->server.computer = talloc_strdup(context, server_computer);
+ if (context->server.computer == NULL) {
+ TALLOC_FREE(context);
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ context->server.netbios_domain = talloc_strdup(context, server_netbios_domain);
+ if (context->server.netbios_domain == NULL) {
+ TALLOC_FREE(context);
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /*
+ * TODO:
+ * Force the callers to provide a unique
+ * value for server_computer and use this directly.
+ *
+ * For now we have to deal with
+ * "HOSTNAME" vs. "hostname.example.com".
+ */
+ server_netbios_name = talloc_strdup(frame, server_computer);
+ if (server_netbios_name == NULL) {
+ TALLOC_FREE(context);
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ p = strchr(server_netbios_name, '.');
+ if (p != NULL) {
+ p[0] = '\0';
+ }
+
+ _key_name = talloc_asprintf(frame, "CLI[%s/%s]/SRV[%s/%s]",
+ client_computer,
+ client_account,
+ server_netbios_name,
+ server_netbios_domain);
+ if (_key_name == NULL) {
+ TALLOC_FREE(context);
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ context->db.key_name = talloc_strdup_upper(context, _key_name);
+ if (context->db.key_name == NULL) {
+ TALLOC_FREE(context);
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ context->db.key_data = string_term_tdb_data(context->db.key_name);
+
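Review bot: netlogon_creds_cli_context_common() passes client_computer, client_account, server_computer and server_netbios_domain straight to talloc_strdup() without checking them, and talloc_strdup() returns NULL for a NULL input, so a caller that omits one of them gets NT_STATUS_NO_MEMORY instead of an invalid-parameter error. An explicit check at the top of the function would make such a failure diagnosable. Related to the TODO: the db key is derived by cutting server_computer at the first '.', so any two callers whose server names share the same first label within one netbios domain will share a stored credential record; a comment stating that this is intended would help until callers pass a unique name. The repeated TALLOC_FREE(context); TALLOC_FREE(frame); pairs could also be collapsed into a single failure path.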
--
Samba Shared Repository