[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Thu Mar 10 09:16:04 UTC 2016


The branch, master has been updated
       via  645e777 s4:rpc_server: dcesrv_generic_session_key should only work on local transports
       via  58b3389 s4:rpc_server/samr: hide a possible NO_USER_SESSION_KEY error
       via  5a39721 s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports
       via  af8c4eb s4:torture:samba3rpc: use an authenticated SMB connection and an anonymous DCERPC connection on top
       via  f699eb3 s4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp
       via  c793b23 s4:torture: the backupkey tests need to use ncacn_np: for LSA calls
       via  0400f30 s4:torture/rpc: do testjoin only via ncalrpc or ncacn_np
       via  1433501 s3:libsmb: remove unused functions in clispnego.c
       via  95b9539 s3:libsmb: remove unused cli_session_setup_kerberos*() functions
       via  0e1b2eb s3:libsmb: make use of cli_session_setup_gensec*() for Kerberos
       via  907e2b1 s3:libsmb: call cli_state_remote_realm() within cli_session_setup_spnego_send()
       via  285c342 s3:libsmb: provide generic cli_session_setup_gensec_send/recv() pair
       via  576257f s3:libsmb: let cli_session_setup_ntlmssp*() use gensec_update_send/recv()
       via  afffe79 s3:libsmb: unused ntlmssp.c
       via  4f6fe27 s3:libsmb: make use gensec based SPNEGO/NTLMSSP
       via  2cb07ba s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos
       via  c5d7956 s3:libads: keep service and hostname separately in ads_service_principal
       via  0c204e1 s3:libads: don't pass given_principal to ads_generate_service_principal() anymore.
       via  139ce7d s3:libads: provide a generic ads_sasl_spnego_gensec_bind() function
       via  c6f79cf s3:libads: make use of GENSEC_OID_SPNEGO in ads_sasl_spnego_ntlmssp_bind()
       via  357d37f s3:libads: make use of GENSEC_FEATURE_LDAP_STYLE
       via  8f9a963 s3:libads: add missing TALLOC_FREE(frame) in error path
       via  0ebe929 s4:ldap_server: make use of GENSEC_FEATURE_LDAP_STYLE
       via  c431543 s4:selftest: simplify the loops over samba4.ldb.ldap
       via  5cf8546 s4:selftest: we don't need to run ldap test with --option=socket:testnonblock=true
       via  d9d0d2d s4:libcli/ldap: fix retry authentication after a bad password
       via  d04663b s4:libcli/ldap: make use of GENSEC_FEATURE_LDAP_STYLE
       via  5930183 auth/ntlmssp: remove ntlmssp_unwrap() fallback for LDAP
       via  122a5f6 auth/ntlmssp: add more compat for GENSEC_FEATURE_LDAP_STYLE
       via  f3dbe19 auth/ntlmssp: implement GENSEC_FEATURE_LDAP_STYLE
       via  069aee4 auth/gensec: add GENSEC_FEATURE_LDAP_STYLE define
       via  f6b9e1f auth/ntlmssp: use ndr_push_AV_PAIR_LIST in gensec_ntlmssp_server_negotiate().
       via  c1e2a1f librpc/ndr: add ndr_ntlmssp_find_av() helper function
       via  f4ff351 ntlmssp.idl: make AV_PAIR_LIST public
       via  ab54e0f ntlmssp.idl: MsAvRestrictions is MsvAvSingleHost now
       via  1f88812 security.idl: add LSAP_TOKEN_INFO_INTEGRITY
       via  8af6b8d auth/ntlmssp: use ntlmssp_version_blob() in the server
       via  4a1809c auth/ntlmssp: let the client always include NTLMSSP_NEGOTIATE_VERSION
       via  a61ab39 auth/ntlmssp: add ntlmssp_version_blob()
       via  4fca8ea auth/ntlmssp: don't send domain and workstation in the NEGOTIATE_MESSAGE
       via  efd4986 auth/ntlmssp: set NTLMSSP_ANONYMOUS for anonymous authentication
       via  afba38d auth/ntlmssp: define all client neg_flags in gensec_ntlmssp_client_start()
       via  30d6260 auth/ntlmssp: NTLMSSP_NEGOTIATE_VERSION is not a negotiated option
       via  e63442a auth/ntlmssp: split out a debug_ntlmssp_flags_raw() that's more complete
       via  279d58c s3:ntlm_auth: also use gensec for "ntlmssp-client-1" and "gss-spnego-client"
       via  716e78f winbindd: make use of ntlmssp_resume_ccache backend for WINBINDD_CCACHE_NTLMAUTH
       via  8bcde9e s3:auth_generic: add "ntlmssp_resume_ccache" backend in auth_generic_client_prepare()
       via  b133f66 auth/ntlmssp: implement GENSEC_FEATURE_NTLM_CCACHE
       via  0a93cad auth/gensec: add GENSEC_FEATURE_NTLM_CCACHE define
       via  b3d4523 auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend
       via  52c03c0 s3:ntlmssp: remove unused libsmb/ntlmssp_wrap.c
       via  0d66e2d s3:auth_generic: make use of the top level NTLMSSP client code
       via  871e8a9 winbindd: pass an memory context to do_ntlm_auth_with_stored_pw()
       via  9bd1ecf s3:tests/test_ntlm_auth_s3: test ntlmssp-client-1 with cached credentials
       via  1289130 s3:torture/test_ntlm_auth.py: add --client-use-cached-creds option
       via  cf2ea04 s3:torture/test_ntlm_auth.py: replace tabs with whitespaces
       via  69a7ec7 s3:ntlm_auth: fix --use-cached-creds with ntlmssp-client-1
       via  a85a02b auth/ntlmssp: add gensec_ntlmssp_server_domain()
       via  0a9e37a auth/ntlmssp: keep ntlmssp_state->server.netbios_domain on the correct talloc context
       via  79a6fc0 s3:auth_generic: add auth_generic_client_start_by_sasl()
       via  ccfd264 s3:auth_generic: add auth_generic_client_start_by_name()
       via  8efcb49 auth/gensec: make gensec_security_by_name() public
       via  64364e3 auth/gensec: handle gensec_security_by_sasl_name(NULL, ...)
       via  5e913af auth/gensec: keep a pointer to a possible child/sub gensec_security context
       via  0f67138 s4:pygensec: make sig_size() and sign/check_packet() available
       via  dec9d08 s3:librpc/gse: implement gensec_gse_max_{input,wrapped}_size()
       via  79bf883 s3:librpc/gse: don't log gss_acquire_creds failed at level 0
       via  e4aebd7 s3:librpc/gse: correctly support GENSEC_FEATURE_SESSION_KEY
       via  a8fa078 s3:librpc/gse: set GSS_KRB5_CRED_NO_CI_FLAGS_X in gse_init_client() if available
       via  84c66f1 s3:librpc/gse: fix debug message in gse_init_client()
       via  46b9252 s3:librpc/gse: make use of GSS_C_EMPTY_BUFFER in gse_init_client
       via  1fd5bda wscript_configure_system_mitkrb5: add configure checks for GSS_KRB5_CRED_NO_CI_FLAGS_X
       via  cd8af25 s3:libads: remove unused ads_connect_gc()
       via  960b0ad s4:librpc/rpc: map alter context SEC_PKG_ERROR to NT_STATUS_LOGON_FAILURE
       via  e9e9ba7 librpc/rpc: add error mappings for NO_CALL_ACTIVE, OUT_OF_RESOURCES and BAD_STUB_DATA
       via  5afc2d8 dcerpc.idl: make WERROR RPC faults available in ndr_print output
       via  2e71f5d epmapper.idl: make epm_twr_t available in python bindings
       via  2c9f955 s3:selftest: run samba3.blackbox.smbclient_auth.plain also with $SERVER_IPV6
       via  e906739 s3:test_smbclient_auth.sh: test using the ip address in the unc path (incl. ipv6-literal.net)
       via  6400bbb lib/util_net: add support for .ipv6-literal.net
       via  771042a lib/util_net: move ipv6 linklocal handling into interpret_string_addr_internal()
       via  f7116f0 s4-selftest: Make export keytab test heimdal specific
       via  5c5d586 s4-libnet: Implement export_keytab without HDB
       via  eb880cc s3-libnet: Allow the keytab function to use a relative path
       via  c2f5c30 krb5_wrap: Add smb_krb5_open_keytab_relative() function
       via  4e36728 krb5_wrap: Move smb_krb5_kt_add_entry() to krb5_wrap
       via  49efa93 s3-libads: Use the C99 boolean false
       via  a135b35 s3-libads: Call smb_krb5_create_key_from_string() directly
       via  1e1e12a s3-libads: Pass down the salt principal in smb_krb5_kt_add_entry()
       via  c37c4b1 CVE-2016-0771: tests/dns: Remove dependencies on env variables
       via  9f1ba00 CVE-2016-0771: tests/dns: change samba.tests.dns from being a unittest
       via  8cee2c8 CVE-2016-0771: tests: rename test getopt to get_opt
       via  286b7a5 CVE-2016-0771: tests/dns: RPC => DNS roundtrip test
       via  8e056ca CVE-2016-0771: dnsserver: don't force UTF-8 for TXT
       via  ffec494 CVE-2016-0771: tests/dns: modify tests to check via RPC
       via  2a796e5 CVE-2016-0771: tests/dns: Add some more test cases for TXT records
       via  bbda6b6 CVE-2016-0771: tests/dns: Correct error code for formerly unrun test
       via  5b10cc2 CVE-2016-0771: tests/dns: restore formerly segfaulting test
       via  866bf51 CVE-2016-0771: tests/dns: Add a comment regarding odd Windows behaviour
       via  a988dc7 CVE-2016-0771: tests/dns: FORMERR can simply timeout against Windows
       via  2ad53d1 CVE-2016-0771: tests/dns: prepare script for further testing
       via  e09544d CVE-2016-0771: tests/dns: Modify dns tests to match new IDL
       via  d22a9f4 CVE-2016-0771: dns.idl: make use of dnsp_hinfo
       via  ee8d777 CVE-2016-0771: s4:dns_server: fix idl for dns_txt_record
       via  1cc57a9 CVE-2016-0771: librpc: add ndr_dnsp_string_list_copy() helper function
       via  63b1fb0 CVE-2016-0771: librpc: add RPC_NDR_DNSSERVER to dcerpc-samba library
       via  42524c2 CVE-2016-0771: s4:librpc: python_dns and python_dcerpc_dnsp doesn't require client bindings
       via  841ae4a CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-EA test.
       via  19eb1c9 CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-ACL test.
       via  6b61b54 CVE-2015-7560: s3: libsmb: Add SMB1-only POSIX cli_posix_setacl() functions. Needed for tests.
       via  e7e23e9 CVE-2015-7560: s3: libsmb: Rename cli_posix_getfaclXX() functions to cli_posix_getacl() as they operate on pathnames.
       via  77b3d5b CVE-2015-7560: s3: smbd: Refuse to set EA's on a symlink.
       via  3f491d7 CVE-2015-7560: s3: smbd: Silently return no EA's available on a symlink.
       via  464d044 CVE-2015-7560: s3: smbd: Set return values early, allows removal of code duplication.
       via  0be0b75 CVE-2015-7560: s3: smbd: Refuse to get a POSIX ACL on a symlink.
       via  5941d75 CVE-2015-7560: s3: smbd: Refuse to set a POSIX ACL on a symlink.
       via  9ee4ddd CVE-2015-7560: s3: smbd: Refuse to set an ACL from a POSIX file handle on a symlink.
       via  306a7f3 CVE-2015-7560: s3: smbd: Refuse to get an ACL from a POSIX file handle on a symlink.
       via  b551cd8 CVE-2015-7560: s3: smbd: Add refuse_symlink() function that can be used to prevent operations on a symlink.
      from  fa8bd41 ctdb-tunables: Mark tunable DeferredRebalanceOnNodeAdd obsolete

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 645e777b0aca7d997867e0b3f0b48bfb138cc25c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 10 10:25:10 2015 +0100

    s4:rpc_server: dcesrv_generic_session_key should only work on local transports
    
    This matches modern Windows servers.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Thu Mar 10 10:15:21 CET 2016 on sn-devel-144

commit 58b33896b65c5b51486eaf01f5f935ace2369fd0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Feb 26 16:41:10 2016 +0100

    s4:rpc_server/samr: hide a possible NO_USER_SESSION_KEY error
    
    Windows servers don't return the raw NT_STATUS_NO_USER_SESSION_KEY
    error, but return WRONG_PASSWORD or even hide the error by using a random
    session key, which results in an invalid, unknown, random NTHASH.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5a397216d40ff18fd1c0980cd9b7b7c0a970bbbb
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 10 10:25:10 2015 +0100

    s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit af8c4ebf9be314ddd13ef9ca17a0237927dd2ede
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Dec 15 22:44:24 2015 +0100

    s4:torture:samba3rpc: use an authenticated SMB connection and an anonymous DCERPC connection on top
    
    This is the only way to get a reliable transport session key.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f699eb3b1a0660ace3ca99d3f3b5d79ed5537c80
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Dec 18 20:18:42 2015 +0100

    s4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp
    
    It requires a transport session key, which is only reliably available
    over SMB.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c793b23ddb7c048110bc4718574e5b99d5bbcfae
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Feb 29 07:47:39 2016 +0100

    s4:torture: the backupkey tests need to use ncacn_np: for LSA calls
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0400f301e3bcf495748cff009755426a040596fa
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Dec 17 08:55:03 2015 +0100

    s4:torture/rpc: do testjoin only via ncalrpc or ncacn_np
    
    ncacn_ip_tcp doesn't have the required session key.
    It used to be the wellknown "SystemLibraryDTC" constant,
    but that's not available in modern systems anymore.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 14335018229801dd6d2b18f8d19ab5b45b8394fc
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 2 07:27:41 2016 +0100

    s3:libsmb: remove unused functions in clispnego.c
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 95b953950d1fd454121ff23a43a8b13a34385ef1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 2 07:27:16 2016 +0100

    s3:libsmb: remove unused cli_session_setup_kerberos*() functions
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0e1b2ebf884c6f2033b3b9aa7b6f72af54a716b2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 2 14:58:30 2016 +0100

    s3:libsmb: make use of cli_session_setup_gensec*() for Kerberos
    
    This prepares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 907e2b1f665cdafc863f4702ede5dcf16e6cc269
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 2 14:35:21 2016 +0100

    s3:libsmb: call cli_state_remote_realm() within cli_session_setup_spnego_send()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 285c342f01a6e9a892f03360f8d2d0097e7a41cb
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 1 15:47:11 2016 +0100

    s3:libsmb: provide generic cli_session_setup_gensec_send/recv() pair
    
    It will be possible to use this for more than just NTLMSSP in future.
    
    This prepares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 576257f6e1488a623306dc368c806e218b1fcdf2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 1 18:31:50 2016 +0100

    s3:libsmb: let cli_session_setup_ntlmssp*() use gensec_update_send/recv()
    
    This prepares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit afffe797547a97ec839913e1ca89045989bbea49
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Dec 9 11:49:37 2015 +0100

    s3:libsmb: unused ntlmssp.c
    
    Everything uses the top level ntlmssp code via gensec now.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 4f6fe27c7020822dd1ce88b7dd63725d6082b190
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Nov 26 14:34:46 2015 +0100

    s3:libsmb: make use gensec based SPNEGO/NTLMSSP
    
    This prepares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2cb07ba50decdfd6d08271cd2b3d893ff95f5af9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 2 11:42:51 2016 +0100

    s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c5d7956364047925dee5d6f71a5b92a38c73e5a6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 2 11:33:04 2016 +0100

    s3:libads: keep service and hostname separately in ads_service_principal
    
    Caller will use them instead of the full principal in future.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0c204e11925982d8bd835830985479792b8cc820
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 2 11:31:01 2016 +0100

    s3:libads: don't pass given_principal to ads_generate_service_principal() anymore.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 139ce7d8b687cc54560ce353ea6f86a4d2d2ae04
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Dec 9 13:14:05 2015 +0100

    s3:libads: provide a generic ads_sasl_spnego_gensec_bind() function
    
    It will be possible to use this for more than just NTLMSSP in future.
    
    Similar to https://bugzilla.samba.org/show_bug.cgi?id=10288
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c6f79cfa86e23217a510c6fe205da0c18ef2a9b2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Dec 9 15:02:29 2015 +0100

    s3:libads: make use of GENSEC_OID_SPNEGO in ads_sasl_spnego_ntlmssp_bind()
    
    This avoids using the hand made spnego code, that
    doesn't support the GENSEC_FEATURE_NEW_SPNEGO protection.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 357d37fa11b7d944e9f5fe2e0cc6730d498bc2dc
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Dec 9 15:04:02 2015 +0100

    s3:libads: make use of GENSEC_FEATURE_LDAP_STYLE
    
    This is more generic and will handle the
    ntlmssp_[un]wrap() behaviour at the right level.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 8f9a9633e4f55f85a3f68bf2e8c78414f31511ea
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Mar 5 02:53:45 2016 +0100

    s3:libads: add missing TALLOC_FREE(frame) in error path
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0ebe929810e922e7cf7742a1f3e4ad222006377f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Dec 9 14:51:57 2015 +0100

    s4:ldap_server: make use of GENSEC_FEATURE_LDAP_STYLE
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit c431543fb989938898e33e1ffdb80cb97e4a3bb2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Dec 18 11:46:22 2015 +0100

    s4:selftest: simplify the loops over samba4.ldb.ldap
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 5cf8546674a4f49618bdade1567fac00d72db454
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Dec 18 09:54:08 2015 +0100

    s4:selftest: we don't need to run ldap test with --option=socket:testnonblock=true
    
    The LDAP client library uses tstream and that handles non blocking
    sockets natively.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit d9d0d2d5a2667ea8984772b678272650a8719c21
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Dec 18 13:10:58 2015 +0100

    s4:libcli/ldap: fix retry authentication after a bad password
    
    We need to start with an empty input buffer.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit d04663b8b075a69141fe2f45d0906b528d99ab85
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Dec 9 14:51:57 2015 +0100

    s4:libcli/ldap: make use of GENSEC_FEATURE_LDAP_STYLE
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 59301830e27bf537d04808d2ac37d6cf9ef56713
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 8 12:58:51 2016 +0100

    auth/ntlmssp: remove ntlmssp_unwrap() fallback for LDAP
    
    This is now handled by GENSEC_FEATURE_LDAP_STYLE.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 122a5f6b58e6cead061a7ee64033ccc1940742ed
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Dec 9 14:48:14 2015 +0100

    auth/ntlmssp: add more compat for GENSEC_FEATURE_LDAP_STYLE
    
    We also want to work against old Samba servers which didn't have
    GENSEC_FEATURE_LDAP_STYLE, so we negotiate SEAL too. We may remove this in a few
    years, as all servers should support GENSEC_FEATURE_LDAP_STYLE by then.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit f3dbe19e14eaf7a462f14485c6a9138a7348db2e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Dec 9 14:48:14 2015 +0100

    auth/ntlmssp: implement GENSEC_FEATURE_LDAP_STYLE
    
    We need to handle NTLMSSP_NEGOTIATE_SIGN as
    NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
    is requested.
    
    This works around a bug in Windows, which allows signed-only
    messages using NTLMSSP and LDAP.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 069aee42c2f12ed5feb23c19dc0a4771d913619a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Dec 9 14:48:14 2015 +0100

    auth/gensec: add GENSEC_FEATURE_LDAP_STYLE define
    
    This will be used for LDAP connections and may trigger
    backend specific behaviour.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit f6b9e1feab8d435b1e44fef81e867c01ed01db95
Author: Günther Deschner <gd at samba.org>
Date:   Wed Aug 19 00:40:12 2009 +0200

    auth/ntlmssp: use ndr_push_AV_PAIR_LIST in gensec_ntlmssp_server_negotiate().
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Günther Deschner <gd at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c1e2a1f0a75605a8792b615a41392fc018198a10
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 24 15:40:29 2015 +0100

    librpc/ndr: add ndr_ntlmssp_find_av() helper function
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit f4ff3510164748977de056bb8cdbbd22e5fedb3c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Nov 19 15:38:02 2015 +0100

    ntlmssp.idl: make AV_PAIR_LIST public
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit ab54e0fd7040e7717fe979b54fb4dfa16813524f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Dec 21 09:07:57 2015 +0100

    ntlmssp.idl: MsAvRestrictions is MsvAvSingleHost now
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 1f88812316144b06b11eb3dc90a6081cb57783da
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Dec 21 09:06:56 2015 +0100

    security.idl: add LSAP_TOKEN_INFO_INTEGRITY
    
    This is used in [MS-KILE] and implicit in [MS-NLMP].
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 8af6b8d2eb6b873620131b4b5b570ec24985d86a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 24 14:07:23 2015 +0100

    auth/ntlmssp: use ntlmssp_version_blob() in the server
    
    We already set NTLMSSP_NEGOTIATE_VERSION in
    gensec_ntlmssp_server_start(), so it's always
    set in chal_flags.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 4a1809cb14dcb03e9ba386af5b90650400377875
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 20 10:52:29 2015 +0100

    auth/ntlmssp: let the client always include NTLMSSP_NEGOTIATE_VERSION
    
    This matches a modern Windows client.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit a61ab398ccc1036edce677e00569fd7f58b70995
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 24 14:05:17 2015 +0100

    auth/ntlmssp: add ntlmssp_version_blob()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 4fca8eaaae23955e704dc9c45d373fe78bf88201
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 20 10:52:29 2015 +0100

    auth/ntlmssp: don't send domain and workstation in the NEGOTIATE_MESSAGE
    
    We don't set NTLMSSP_NEGOTIATE_OEM_{DOMAIN,WORKSTATION}_SUPPLIED anyway.
    
    This matches modern Windows clients.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit efd4986794889f1315dbd011b94b8673d785053a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Dec 8 13:59:42 2015 +0100

    auth/ntlmssp: set NTLMSSP_ANONYMOUS for anonymous authentication
    
    This matches a modern Windows client.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit afba38dbf5c954abbcfc485a81f510255b69a426
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Dec 1 11:01:24 2015 +0100

    auth/ntlmssp: define all client neg_flags in gensec_ntlmssp_client_start()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 30d626024c7e8f275d64f835632717b0130be4b2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 20 10:52:29 2015 +0100

    auth/ntlmssp: NTLMSSP_NEGOTIATE_VERSION is not a negotiated option
    
    NTLMSSP_NEGOTIATE_VERSION only indicates the existence of the version
    information in the packet.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit e63442a1c27c475e373048893d9cf04859dd1792
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Dec 1 11:16:02 2015 +0100

    auth/ntlmssp: split out a debug_ntlmssp_flags_raw() that's more complete
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 279d58c1e68c9466a76e4a67d2cfea22e8719d31
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Dec 9 10:54:56 2015 +0100

    s3:ntlm_auth: also use gensec for "ntlmssp-client-1" and "gss-spnego-client"
    
    This implicitly fixes bug #10708.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10708
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 716e78f3b294210130f3cf253f496391534819b0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Nov 26 11:46:52 2015 +0100

    winbindd: make use of ntlmssp_resume_ccache backend for WINBINDD_CCACHE_NTLMAUTH
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 8bcde9ec625547df42915e9138d696deeabdb62d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Dec 10 15:42:51 2015 +0100

    s3:auth_generic: add "ntlmssp_resume_ccache" backend in auth_generic_client_prepare()
    
    This will be used by winbindd in order to correctly implement WINBINDD_CCACHE_NTLMAUTH.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit b133f66e0da5ed05bbe81098e52c744bac4b48ac
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 27 15:35:40 2015 +0100

    auth/ntlmssp: implement GENSEC_FEATURE_NTLM_CCACHE
    
    This can be used in order to use the WINBINDD_CCACHE_NTLMAUTH
    code of winbindd to do NTLMSSP authentication with a cached
    password.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 0a93cad337578a7ba61f12726c9a15ecf869db7b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 27 13:42:30 2015 +0100

    auth/gensec: add GENSEC_FEATURE_NTLM_CCACHE define
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit b3d4523ff7810279dc4d3201a09a868545d4d253
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 25 21:41:23 2015 +0100

    auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend
    
    These can be used to implement the winbindd side of
    the WINBINDD_CCACHE_NTLMAUTH call.
    
    It can properly get the initial NEGOTIATE messages
    injected if available.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 52c03c07151a12e84fb4d34443864e59583c0db9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Dec 11 12:47:40 2015 +0100

    s3:ntlmssp: remove unused libsmb/ntlmssp_wrap.c
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 0d66e2d34f656028eb3adb35acb653a45c041890
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Nov 26 11:45:33 2015 +0100

    s3:auth_generic: make use of the top level NTLMSSP client code
    
    There's no reason to use gensec_ntlmssp3_client_ops, the
    WINBINDD_CCACHE_NTLMAUTH isn't available via gensec anyway.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 871e8a9fd029bbcbccb79bd17f9c6a2617b8be55
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Dec 15 09:07:33 2015 +0100

    winbindd: pass an memory context to do_ntlm_auth_with_stored_pw()
    
    We should avoid using NULL.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 9bd1ecffffd070333a22ef2449a179cee3effe5d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Dec 9 16:15:13 2015 +0100

    s3:tests/test_ntlm_auth_s3: test ntlmssp-client-1 with cached credentials
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11776
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 1289130ad2aeded63990bf1bde6f169505c62280
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Dec 9 16:15:13 2015 +0100

    s3:torture/test_ntlm_auth.py: add --client-use-cached-creds option
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11776
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit cf2ea04135774853d1cebca82c60bed890135163
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Dec 11 12:11:05 2015 +0100

    s3:torture/test_ntlm_auth.py: replace tabs with whitespaces
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 69a7ec794213e8adec5dcbd9ca45172df13292c1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Dec 9 21:23:33 2015 +0100

    s3:ntlm_auth: fix --use-cached-creds with ntlmssp-client-1
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11776
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit a85a02b631609cd9c16e1048c62dbe9661128279
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 2 12:06:50 2016 +0100

    auth/ntlmssp: add gensec_ntlmssp_server_domain()
    
    This is a hack in order to temporarily export the server domain
    from NTLMSSP through the gensec stack.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0a9e37a0db86815d2baf7ab791721b6a7e04a717
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 2 22:15:50 2016 +0100

    auth/ntlmssp: keep ntlmssp_state->server.netbios_domain on the correct talloc context
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 79a6fc0532936558421eb4321f795655b5280763
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 1 19:39:04 2016 +0100

    s3:auth_generic: add auth_generic_client_start_by_sasl()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ccfd2647c7e65c3e2ad92dbc27c21570da0706d4
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Nov 26 11:44:02 2015 +0100

    s3:auth_generic: add auth_generic_client_start_by_name()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 8efcb4943585f015c9956118d8f42be89d5c7677
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Nov 26 11:43:02 2015 +0100

    auth/gensec: make gensec_security_by_name() public
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 64364e365c56c93e86305a536c5c68450d154d2a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 1 19:29:40 2016 +0100

    auth/gensec: handle gensec_security_by_sasl_name(NULL, ...)
    
    We do that for all other gensec_security_by_*() functions already.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5e913af833721733c4f79f2636fc3ae19d5f42f0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 2 12:06:50 2016 +0100

    auth/gensec: keep a pointer to a possible child/sub gensec_security context
    
    This is a hack in order to temporarily implement something like:
    gensec_ntlmssp_server_domain(), which may be used within spnego.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0f6713826dfe73b7f338b8110c53ce52d42efbda
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Aug 19 10:53:34 2015 +0200

    s4:pygensec: make sig_size() and sign/check_packet() available
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit dec9d085f3eea8d49fa129c05c030bdd779cba54
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Mar 5 02:52:29 2016 +0100

    s3:librpc/gse: implement gensec_gse_max_{input,wrapped}_size()
    
    This is important in order to support gensec_[un]wrap() with GENSEC_SEAL.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 79bf88353488b5912435e0c7f8e77f2d075ce134
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 2 07:42:41 2016 +0100

    s3:librpc/gse: don't log gss_acquire_creds failed at level 0
    
    Some callers just retry after a kinit.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e4aebd7e28e7b00a13246b367eb2e7de5ae7b57b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 1 17:37:38 2016 +0100

    s3:librpc/gse: correctly support GENSEC_FEATURE_SESSION_KEY
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a8fa078f1acbd9fb1a1681033922731dce855aad
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jun 22 15:22:44 2015 +0200

    s3:librpc/gse: set GSS_KRB5_CRED_NO_CI_FLAGS_X in gse_init_client() if available
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 84c66f1a388c8b5105f3740a3cd5d4d5a27f6ee8
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jun 22 15:21:53 2015 +0200

    s3:librpc/gse: fix debug message in gse_init_client()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 46b92525181fa32c5797c914e8de92f3c226e3c7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jun 22 15:21:05 2015 +0200

    s3:librpc/gse: make use of GSS_C_EMPTY_BUFFER in gse_init_client
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1fd5bdafbddfd0ad2926ef50a0cb7d07956ddd44
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jun 22 15:18:22 2015 +0200

    wscript_configure_system_mitkrb5: add configure checks for GSS_KRB5_CRED_NO_CI_FLAGS_X
    
    Newer MIT versions (maybe krb5-1.14) will also support this.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit cd8af25d4bf87a9156cb2afb3dd206c68b1bedd7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 2 14:36:14 2016 +0100

    s3:libads: remove unused ads_connect_gc()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 960b0adfb398eeabd48213393bc560654baeed5b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Dec 23 11:06:47 2015 +0100

    s4:librpc/rpc: map alter context SEC_PKG_ERROR to NT_STATUS_LOGON_FAILURE
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e9e9ba7eaecf2b6d95e79fbe424e1479e9468d63
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jul 17 03:36:36 2015 +0200

    librpc/rpc: add error mappings for NO_CALL_ACTIVE, OUT_OF_RESOURCES and BAD_STUB_DATA
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 5afc2d85b3d17b32ca9bd2856958114af146f80e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jul 17 03:35:19 2015 +0200

    dcerpc.idl: make WERROR RPC faults available in ndr_print output
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>

commit 2e71f5d9351b9660a5ef94309674e09fdeb7ab48
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jul 16 17:15:24 2015 +0200

    epmapper.idl: make epm_twr_t available in python bindings
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2c9f9557e4d7e02b4f588aa0a6551a6881ac57af
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 8 15:53:21 2016 +0100

    s3:selftest: run samba3.blackbox.smbclient_auth.plain also with $SERVER_IPV6
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e906739553ee6112426af0cf29e33ef1920a316c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 8 15:47:59 2016 +0100

    s3:test_smbclient_auth.sh: test using the ip address in the unc path (incl. ipv6-literal.net)
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6400bbb5eee958babbdd578c2f80b0c65d6f6e7a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Mar 4 02:18:38 2016 +0100

    lib/util_net: add support for .ipv6-literal.net
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 771042a2387b596fff2ab59a1a68d75c6c27b2cc
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Mar 4 02:18:38 2016 +0100

    lib/util_net: move ipv6 linklocal handling into interpret_string_addr_internal()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f7116f0ad021dc3652f31f7d2a55612b6133eff8
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Mar 1 15:54:32 2016 +0100

    s4-selftest: Make export keytab test heimdal specific
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 5c5d586d3ebd402061a9143dc55543115bcd2476
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Feb 29 15:12:02 2016 +0100

    s4-libnet: Implement export_keytab without HDB
    
    This is used by 'samba-tool domain exportkeytab'. This loads the HDB
    Samba backend and thus needs access to samdb. To avoid using heimdal
    specific code here, we could talk to samdb directly and write a
    keytab file.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit eb880ccc7c39aea3896f68c66feca473ece56606
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Mar 8 17:08:22 2016 +0100

    s3-libnet: Allow the keytab function to use a relative path
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit c2f5c30bea372182578055a7bd50ee8076946ef3
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Mar 8 17:07:23 2016 +0100

    krb5_wrap: Add smb_krb5_open_keytab_relative() function
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 4e367288a593ecfbfaeb199b7fd5783fd9e15d68
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Feb 29 17:31:56 2016 +0100

    krb5_wrap: Move smb_krb5_kt_add_entry() to krb5_wrap
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 49efa9379c935a59cee73c282d887803c112eeec
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Feb 29 17:25:33 2016 +0100

    s3-libads: Use the C99 boolean false
    
    This is a preparation to move smb_krb5_kt_add_entry() to krb5_wrap.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit a135b353ae8a50dc9848319707a4277fd4c92b21
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Feb 29 17:22:50 2016 +0100

    s3-libads: Call smb_krb5_create_key_from_string() directly
    
    This is a preparation to move smb_krb5_kt_add_entry() to krb5_wrap.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 1e1e12a82523ce2f4518ad26724390e51c6b78bb
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Feb 29 16:21:56 2016 +0100

    s3-libads: Pass down the salt principal in smb_krb5_kt_add_entry()
    
    This is a preparation to move smb_krb5_kt_add_entry() to krb5_wrap.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit c37c4b18e022a786f230fa953f2d0c99e389b83c
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Fri Jan 29 17:28:54 2016 +1300

    CVE-2016-0771: tests/dns: Remove dependencies on env variables
    
    Now that it is invoked as a normal script, there should be less of them.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9f1ba00f1f52faa403d1cd648b2e5c7a33c6041a
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Fri Jan 29 17:03:56 2016 +1300

    CVE-2016-0771: tests/dns: change samba.tests.dns from being a unittest
    
    This makes it easier to invoke, particularly against Windows.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 8cee2c814680147f3a4fc29957af35d4abe15788
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Fri Jan 22 11:35:03 2016 +1300

    CVE-2016-0771: tests: rename test getopt to get_opt
    
    This avoids any conflicts in this directory with the original toplevel
    getopt.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 286b7a5e3f8ad7605300e53599eeaf3bc0eef0b7
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu Jan 28 12:54:58 2016 +1300

    CVE-2016-0771: tests/dns: RPC => DNS roundtrip test
    
    Make sure that TXT entries stored via RPC come out the same in DNS.
    
    This has one caveat in that adding over RPC in Windows eats slashes,
    and so fails there.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 8e056caa8b0145a5f74723f8a3d02ff834c14437
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu Jan 28 12:36:43 2016 +1300

    CVE-2016-0771: dnsserver: don't force UTF-8 for TXT
    
    While using a charset is not entirely logical, it allows testing of non
    UTF-8 data (like inserting 0xFF into the TXT string).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ffec494826cfa65b76631636f0ae57df6cdc50c4
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Jan 27 17:41:44 2016 +1300

    CVE-2016-0771: tests/dns: modify tests to check via RPC
    
    This checks that TXT records added over DNS look the same over RPC.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2a796e5de78715a61f7c2bc726e004d0c588464b
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Mon Jan 18 12:39:46 2016 +1300

    CVE-2016-0771: tests/dns: Add some more test cases for TXT records
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit bbda6b6eda5f9d911cc1180779573465ad380037
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu Jan 21 10:25:44 2016 +1300

    CVE-2016-0771: tests/dns: Correct error code for formerly unrun test
    
    Both Samba and Windows returned NXRRSET
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5b10cc25be87978ad076b2dbf6e3dc6fdd4af140
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Tue Dec 15 17:22:32 2015 +1300

    CVE-2016-0771: tests/dns: restore formerly segfaulting test
    
    This was on the client side, due to a strlen(NULL) on the previously
    DOS-encoded TXT field. With a new IDL structure, this segfault no longer exists.
    Note that both Samba and Windows return NXRRSET instead of FORMERR.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 866bf51758efd1a63023440d33e202a3ff0876ba
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu Jan 21 17:08:18 2016 +1300

    CVE-2016-0771: tests/dns: Add a comment regarding odd Windows behaviour
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a988dc7b2de0ec9beb64b4c0b00794fb56bb6155
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu Jan 21 15:43:55 2016 +1300

    CVE-2016-0771: tests/dns: FORMERR can simply timeout against Windows
    
    Two requests with identical parameters which are poorly formatted, can
    non-deterministically return FORMERR or simply fail to give a response.
    
    Setting the timeout to a number allows Windows to succeed.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2ad53d1c075b9ad0dae80deed4f6551f78e16c6d
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu Jan 21 16:58:40 2016 +1300

    CVE-2016-0771: tests/dns: prepare script for further testing
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e09544de6313ae646e0635f4f875242c52b213ea
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Jan 6 14:12:35 2016 +1300

    CVE-2016-0771: tests/dns: Modify dns tests to match new IDL
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d22a9f427c1fb0608e36eb16c90bc7d14649ef14
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Aug 7 11:36:47 2015 +0200

    CVE-2016-0771: dns.idl: make use of dnsp_hinfo
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ee8d777bbfa23e60e37e875a08335769de424b03
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Aug 7 11:36:47 2015 +0200

    CVE-2016-0771: s4:dns_server: fix idl for dns_txt_record
    
    From RFC 1035:
    
        3.3.14. TXT RDATA format
    
            +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
            /                   TXT-DATA                    /
            +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    
        where:
    
        TXT-DATA        One or more <character-string>s.
    
        TXT RRs are used to hold descriptive text.  The semantics of the text
        depends on the domain where it is found.
    
    Each record contains an array of strings instead of just one string.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1cc57a98d4ae2381e95bd7aa9c987e8b05dafb6e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Aug 7 11:36:47 2015 +0200

    CVE-2016-0771: librpc: add ndr_dnsp_string_list_copy() helper function
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 63b1fb06cf4d77e1a1902dfe917e4ad2ec7b9c71
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Aug 7 11:36:47 2015 +0200

    CVE-2016-0771: librpc: add RPC_NDR_DNSSERVER to dcerpc-samba library
    
    RPC_NDR_DNSSERVER is the client interface; NDR_DNSP contains just
    marshalling helpers.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 42524c20a89539984294da9129d5a5b6f80b5f96
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Aug 7 11:36:47 2015 +0200

    CVE-2016-0771: s4:librpc: python_dns and python_dcerpc_dnsp doesn't require client bindings
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 841ae4a2e297d9d2211d8fb79c8f180ae295aae9
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Jan 7 14:26:35 2016 -0800

    CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-EA test.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 19eb1c9311955b769afdc9ff593a21800424cf27
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Jan 7 12:58:34 2016 -0800

    CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-ACL test.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 6b61b5448a96c762ddae36e5055050c5ca869ea2
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Jan 6 17:02:52 2016 -0800

    CVE-2015-7560: s3: libsmb: Add SMB1-only POSIX cli_posix_setacl() functions. Needed for tests.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit e7e23e96478870a3bf37b8b2d984890feabcf808
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Jan 6 17:17:24 2016 -0800

    CVE-2015-7560: s3: libsmb: Rename cli_posix_getfaclXX() functions to cli_posix_getacl() as they operate on pathnames.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 77b3d5b2a8848303070ba2e44476534885469a00
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 11:33:48 2016 -0800

    CVE-2015-7560: s3: smbd: Refuse to set EA's on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 3f491d77567ddc1b51f6c77c94d26b4d4cc2e5d0
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 11:29:38 2016 -0800

    CVE-2015-7560: s3: smbd: Silently return no EA's available on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 464d044145faa6db166e9bf4c080a3dd15422834
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 11:05:48 2016 -0800

    CVE-2015-7560: s3: smbd: Set return values early, allows removal of code duplication.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 0be0b755cdd2a74cf364e69c3babeb714244a604
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 11:24:36 2016 -0800

    CVE-2015-7560: s3: smbd: Refuse to get a POSIX ACL on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 5941d75fd4380455d6e0552e8f92b5e7c0c356d6
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 11:22:12 2016 -0800

    CVE-2015-7560: s3: smbd: Refuse to set a POSIX ACL on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 9ee4ddd36656370e252405fae07ddd7b782f28bd
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 10:52:50 2016 -0800

    CVE-2015-7560: s3: smbd: Refuse to set an ACL from a POSIX file handle on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 306a7f39add1f0b58b2705499405b7d81bf36793
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 10:38:28 2016 -0800

    CVE-2015-7560: s3: smbd: Refuse to get an ACL from a POSIX file handle on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit b551cd83ef74340adaf88629a9ee9fa5c5215ec6
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 11:18:12 2016 -0800

    CVE-2015-7560: s3: smbd: Add refuse_symlink() function that can be used to prevent operations on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/gensec/gensec.h                               |   4 +
 auth/gensec/gensec_internal.h                      |   2 +
 auth/gensec/gensec_start.c                         |  10 +-
 auth/gensec/spnego.c                               |   3 +
 auth/ntlmssp/gensec_ntlmssp_server.c               |   9 +
 auth/ntlmssp/ntlmssp.c                             |  66 +-
 auth/ntlmssp/ntlmssp.h                             |   5 +
 auth/ntlmssp/ntlmssp_client.c                      | 274 ++++++-
 auth/ntlmssp/ntlmssp_private.h                     |   6 +
 auth/ntlmssp/ntlmssp_server.c                      |  70 +-
 auth/ntlmssp/ntlmssp_sign.c                        |  65 +-
 auth/ntlmssp/ntlmssp_util.c                        | 116 +--
 auth/ntlmssp/wscript_build                         |   2 +-
 lib/krb5_wrap/krb5_samba.c                         | 335 ++++++++-
 lib/krb5_wrap/krb5_samba.h                         |  27 +-
 lib/util/util_net.c                                | 247 +++++--
 lib/util/util_net.h                                |   1 +
 librpc/idl/dcerpc.idl                              |  13 +-
 librpc/idl/dns.idl                                 |  18 +-
 librpc/idl/dnsp.idl                                |   4 +-
 librpc/idl/dnsserver.idl                           |   2 +-
 librpc/idl/epmapper.idl                            |   2 +-
 librpc/idl/ntlmssp.idl                             |  21 +-
 librpc/idl/security.idl                            |   9 +
 librpc/ndr/ndr_dns.c                               |  27 +
 librpc/ndr/ndr_dnsp.c                              |  24 +
 librpc/ndr/ndr_dnsp.h                              |   4 +
 librpc/ndr/ndr_ntlmssp.c                           |  16 +
 librpc/ndr/ndr_ntlmssp.h                           |   2 +
 librpc/rpc/dcerpc_error.c                          |   6 +-
 librpc/wscript_build                               |  20 +-
 python/samba/tests/dns.py                          | 642 ++++++++++++-----
 python/samba/tests/{getopt.py => get_opt.py}       |   0
 selftest/knownfail                                 |   6 +
 selftest/tests.py                                  |   2 +-
 source3/client/client.c                            |   2 +-
 source3/include/auth_generic.h                     |   7 +-
 source3/include/proto.h                            |  44 --
 source3/libads/ads_proto.h                         |   1 -
 source3/libads/kerberos.c                          |  37 +-
 source3/libads/kerberos_keytab.c                   | 285 ++------
 source3/libads/kerberos_proto.h                    |   4 +
 source3/libads/ldap.c                              | 134 ----
 source3/libads/sasl.c                              | 636 +++++------------
 source3/libnet/libnet_keytab.c                     |  34 +-
 source3/librpc/crypto/gse.c                        |  81 ++-
 source3/librpc/crypto/gse_krb5.c                   |  36 +-
 source3/libsmb/auth_generic.c                      |  51 +-
 source3/libsmb/cliconnect.c                        | 639 +++++++++--------
 source3/libsmb/clifile.c                           | 130 +++-
 source3/libsmb/clispnego.c                         | 282 --------
 source3/libsmb/ntlmssp.c                           | 765 --------------------
 source3/libsmb/ntlmssp_wrap.c                      | 135 ----
 source3/libsmb/proto.h                             |  17 +-
 source3/script/tests/test_ntlm_auth_s3.sh          |   2 +
 source3/script/tests/test_smbclient_auth.sh        |  11 +
 source3/selftest/tests.py                          |   5 +-
 source3/smbd/nttrans.c                             |  13 +
 source3/smbd/trans2.c                              |  68 +-
 source3/torture/test_ntlm_auth.py                  | 553 ++++++++-------
 source3/torture/torture.c                          | 376 ++++++++++
 source3/utils/ntlm_auth.c                          | 789 +++------------------
 source3/winbindd/winbindd_ccache_access.c          |  36 +-
 source3/wscript_build                              |  10 +-
 source4/auth/gensec/pygensec.c                     |  83 +++
 source4/dns_server/dns_query.c                     |  23 +-
 source4/dns_server/dns_update.c                    |  31 +-
 source4/ldap_server/ldap_bind.c                    |   1 +
 source4/libcli/ldap/ldap_bind.c                    |  11 +-
 source4/libnet/libnet_export_keytab.c              | 192 ++++-
 source4/librpc/rpc/dcerpc.c                        |   3 +
 source4/librpc/rpc/dcerpc_util.c                   |  10 +
 source4/librpc/wscript_build                       |   4 +-
 source4/rpc_server/common/reply.c                  |   7 +
 source4/rpc_server/samr/samr_password.c            |  25 +-
 source4/selftest/tests.py                          |  16 +-
 source4/torture/ndr/ntlmssp.c                      |  13 +-
 source4/torture/rpc/backupkey.c                    |  19 +-
 source4/torture/rpc/backupkey_heimdal.c            |  19 +-
 source4/torture/rpc/samba3rpc.c                    |  55 +-
 source4/torture/rpc/testjoin.c                     |  35 +-
 ...ort_keytab.sh => test_export_keytab_heimdal.sh} |   0
 wscript_configure_system_mitkrb5                   |   4 +-
 83 files changed, 3798 insertions(+), 3996 deletions(-)
 rename python/samba/tests/{getopt.py => get_opt.py} (100%)
 delete mode 100644 source3/libsmb/ntlmssp.c
 delete mode 100644 source3/libsmb/ntlmssp_wrap.c
 rename testprogs/blackbox/{test_export_keytab.sh => test_export_keytab_heimdal.sh} (100%)


Changeset truncated at 500 lines:

diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
index d09813e..e8bd7b1 100644
--- a/auth/gensec/gensec.h
+++ b/auth/gensec/gensec.h
@@ -61,6 +61,8 @@ struct gensec_target {
 #define GENSEC_FEATURE_SIGN_PKT_HEADER	0x00000040
 #define GENSEC_FEATURE_NEW_SPNEGO	0x00000080
 #define GENSEC_FEATURE_UNIX_TOKEN	0x00000100
+#define GENSEC_FEATURE_NTLM_CCACHE	0x00000200
+#define GENSEC_FEATURE_LDAP_STYLE	0x00000400
 
 #define GENSEC_EXPIRE_TIME_INFINITY (NTTIME)0x8000000000000000LL
 
@@ -163,6 +165,8 @@ const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_sec
 const struct gensec_security_ops *gensec_security_by_auth_type(
 				struct gensec_security *gensec_security,
 				uint32_t auth_type);
+const struct gensec_security_ops *gensec_security_by_name(struct gensec_security *gensec_security,
+							  const char *name);
 const struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
 						   TALLOC_CTX *mem_ctx);
 const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h
index 45a66f8..2751196 100644
--- a/auth/gensec/gensec_internal.h
+++ b/auth/gensec/gensec_internal.h
@@ -110,6 +110,8 @@ struct gensec_security {
 	 * NTLM authentication backend, and user lookup (such as if no
 	 * PAC is found) */
 	struct auth4_context *auth_context;
+
+	struct gensec_security *child_security;
 };
 
 /* this structure is used by backends to determine the size of some critical types */
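Review bot: The new `child_security` member of struct gensec_security has no comment, and the declaration does not show that it is a borrowed pointer rather than an owned child. The spnego.c hunk in this push assigns it from `spnego_state->sub_sec_security` only when the update returns NT_STATUS_OK, and nothing visible resets it afterwards. I would document it, e.g. `/* non-owning link to the wrapped sub-mechanism; set by SPNEGO once the update succeeds */`, and confirm the sub-context cannot be freed while the parent still points at it. The struct begins outside this hunk.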
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index be31697..bb9cd18 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -211,8 +211,10 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_sasl_name(
 	}
 	backends = gensec_security_mechs(gensec_security, mem_ctx);
 	for (i=0; backends && backends[i]; i++) {
-		if (!gensec_security_ops_enabled(backends[i], gensec_security))
-		    continue;
+		if (gensec_security != NULL &&
+		    !gensec_security_ops_enabled(backends[i], gensec_security)) {
+			continue;
+		}
 		if (backends[i]->sasl_name
 		    && (strcmp(backends[i]->sasl_name, sasl_name) == 0)) {
 			backend = backends[i];
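Review bot: The added `gensec_security != NULL` guard protects only the gensec_security_ops_enabled() call, while `gensec_security_mechs(gensec_security, mem_ctx)` just above the loop still receives the same pointer. If callers may now pass NULL, as the guard implies, the lookup relies on gensec_security_mechs() accepting NULL, which this hunk does not show. It is worth confirming that and stating the contract in the function comment, e.g. `/* gensec_security may be NULL: the enabled check is skipped and every registered backend is considered */`. The function starts and ends outside the hunk.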
@@ -253,8 +255,8 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type(
 	return NULL;
 }
 
-static const struct gensec_security_ops *gensec_security_by_name(struct gensec_security *gensec_security,
-								 const char *name)
+const struct gensec_security_ops *gensec_security_by_name(struct gensec_security *gensec_security,
+							  const char *name)
 {
 	int i;
 	const struct gensec_security_ops **backends;
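Review bot: gensec_security_by_name() loses `static` here and gains a prototype in gensec.h, but it is not marked `_PUBLIC_` like gensec_security_by_sasl_name() and gensec_security_by_auth_type() in the same file. If the symbol is meant to be callable from outside this library, the definition probably wants `_PUBLIC_ const struct gensec_security_ops *gensec_security_by_name(` to match its siblings; the export rules are not visible from here. A one-line comment saying whether `gensec_security` may be NULL, as the sasl_name lookup now tolerates, would also help. The body continues outside the hunk.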
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 079a2bc..0079bb8 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1265,6 +1265,9 @@ static NTSTATUS gensec_spnego_update_wrapper(struct gensec_security *gensec_secu
 				      &spnego_state->out_frag);
 	data_blob_free(&spnego_state->in_frag);
 	spnego_state->in_needed = 0;
+	if (NT_STATUS_IS_OK(status)) {
+		gensec_security->child_security = spnego_state->sub_sec_security;
+	}
 	if (!NT_STATUS_IS_OK(status) &&
 	    !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 		return status;
diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
index 03d539b..5a57413 100644
--- a/auth/ntlmssp/gensec_ntlmssp_server.c
+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
@@ -153,6 +153,15 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
 	}
 	if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
 		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+
+		if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) {
+			/*
+			 * We need to handle NTLMSSP_NEGOTIATE_SIGN as
+			 * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
+			 * is requested.
+			 */
+			ntlmssp_state->force_wrap_seal = true;
+		}
 	}
 	if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
 		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
diff --git a/auth/ntlmssp/ntlmssp.c b/auth/ntlmssp/ntlmssp.c
index 916b376..091fdab 100644
--- a/auth/ntlmssp/ntlmssp.c
+++ b/auth/ntlmssp/ntlmssp.c
@@ -48,6 +48,10 @@ static const struct ntlmssp_callbacks {
 		.command	= NTLMSSP_INITIAL,
 		.sync_fn	= ntlmssp_client_initial,
 	},{
+		.role		= NTLMSSP_CLIENT,
+		.command	= NTLMSSP_NEGOTIATE,
+		.sync_fn	= gensec_ntlmssp_resume_ccache,
+	},{
 		.role		= NTLMSSP_SERVER,
 		.command	= NTLMSSP_NEGOTIATE,
 		.sync_fn	= gensec_ntlmssp_server_negotiate,
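Review bot: The new NTLMSSP_CLIENT / NTLMSSP_NEGOTIATE entry makes a Negotiate message a valid client-side command, and the table as shown keys only on `.role` and `.command`. The state check that normally guards dispatch is outside this hunk. Please confirm that an ordinary client (one without `resume_ccache`) can never have a Negotiate message routed to gensec_ntlmssp_resume_ccache(), since that function overwrites `ntlmssp_state->neg_flags` from its input. A comment on the entry such as `/* only reachable when resume_ccache is set; see gensec_ntlmssp_update_find() */` would record the invariant.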
@@ -82,6 +86,15 @@ static NTSTATUS gensec_ntlmssp_update_find(struct gensec_security *gensec_securi
 	if (!input.length) {
 		switch (gensec_ntlmssp->ntlmssp_state->role) {
 		case NTLMSSP_CLIENT:
+			if (gensec_ntlmssp->ntlmssp_state->resume_ccache) {
+				/*
+				 * make sure gensec_ntlmssp_resume_ccache()
+				 * will be called
+				 */
+				ntlmssp_command = NTLMSSP_NEGOTIATE;
+				break;
+			}
+
 			ntlmssp_command = NTLMSSP_INITIAL;
 			break;
 		case NTLMSSP_SERVER:
@@ -194,6 +207,15 @@ static const struct gensec_security_ops gensec_ntlmssp_security_ops = {
 	.priority       = GENSEC_NTLMSSP
 };
 
+static const struct gensec_security_ops gensec_ntlmssp_resume_ccache_ops = {
+	.name		= "ntlmssp_resume_ccache",
+	.client_start   = gensec_ntlmssp_resume_ccache_start,
+	.update 	= gensec_ntlmssp_update,
+	.session_key	= gensec_ntlmssp_session_key,
+	.have_feature   = gensec_ntlmssp_have_feature,
+	.enabled        = true,
+	.priority       = GENSEC_NTLMSSP
+};
 
 _PUBLIC_ NTSTATUS gensec_ntlmssp_init(void)
 {
@@ -206,16 +228,58 @@ _PUBLIC_ NTSTATUS gensec_ntlmssp_init(void)
 		return ret;
 	}
 
+	ret = gensec_register(&gensec_ntlmssp_resume_ccache_ops);
+	if (!NT_STATUS_IS_OK(ret)) {
+		DEBUG(0,("Failed to register '%s' gensec backend!\n",
+			gensec_ntlmssp_resume_ccache_ops.name));
+		return ret;
+	}
+
 	return ret;
 }
 
+static struct gensec_security *gensec_find_child_by_ops(struct gensec_security *gensec_security,
+							const struct gensec_security_ops *ops)
+{
+	struct gensec_security *current = gensec_security;
+
+	while (current != NULL) {
+		if (current->ops == ops) {
+			return current;
+		}
+
+		current = current->child_security;
+	}
+
+	return NULL;
+}
+
 uint32_t gensec_ntlmssp_neg_flags(struct gensec_security *gensec_security)
 {
 	struct gensec_ntlmssp_context *gensec_ntlmssp;
-	if (gensec_security->ops != &gensec_ntlmssp_security_ops) {
+
+	gensec_security = gensec_find_child_by_ops(gensec_security,
+					&gensec_ntlmssp_security_ops);
+	if (gensec_security == NULL) {
 		return 0;
 	}
+
 	gensec_ntlmssp = talloc_get_type_abort(gensec_security->private_data,
 					       struct gensec_ntlmssp_context);
 	return gensec_ntlmssp->ntlmssp_state->neg_flags;
 }
+
+const char *gensec_ntlmssp_server_domain(struct gensec_security *gensec_security)
+{
+	struct gensec_ntlmssp_context *gensec_ntlmssp;
+
+	gensec_security = gensec_find_child_by_ops(gensec_security,
+					&gensec_ntlmssp_security_ops);
+	if (gensec_security == NULL) {
+		return NULL;
+	}
+
+	gensec_ntlmssp = talloc_get_type_abort(gensec_security->private_data,
+					       struct gensec_ntlmssp_context);
+	return gensec_ntlmssp->ntlmssp_state->server.netbios_domain;
+}
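Review bot: gensec_ntlmssp_neg_flags() and the new gensec_ntlmssp_server_domain() both search for `&gensec_ntlmssp_security_ops` only, so a context started with the `gensec_ntlmssp_resume_ccache_ops` registered in this hunk falls through to `return 0;` and `return NULL;`. Both mechanisms use struct gensec_ntlmssp_context as private data (gensec_ntlmssp_resume_ccache() casts to it), so this looks like an omission rather than a type constraint, though it may be deliberate. Either retry the lookup with `&gensec_ntlmssp_resume_ccache_ops` before giving up, or add a comment to both accessors saying the resume-ccache mechanism is intentionally excluded. The string returned by gensec_ntlmssp_server_domain() belongs to ntlmssp_state, and its comment should say the caller must not free or keep it beyond the context.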
diff --git a/auth/ntlmssp/ntlmssp.h b/auth/ntlmssp/ntlmssp.h
index 6061cd0..c63c23d 100644
--- a/auth/ntlmssp/ntlmssp.h
+++ b/auth/ntlmssp/ntlmssp.h
@@ -62,6 +62,7 @@ struct ntlmssp_state
 	bool unicode;
 	bool use_ntlmv2;
 	bool use_ccache;
+	bool resume_ccache;
 	bool use_nt_response;  /* Set to 'False' to debug what happens when the NT response is omited */
 	bool allow_lm_key;     /* The LM_KEY code is not very secure... */
 
@@ -81,6 +82,7 @@ struct ntlmssp_state
 		const char *netbios_domain;
 		const char *dns_name;
 		const char *dns_domain;
+		struct AV_PAIR_LIST av_pair_list;
 	} server;
 
 	DATA_BLOB internal_chal; /* Random challenge as supplied to the client for NTLM authentication */
@@ -92,6 +94,8 @@ struct ntlmssp_state
 
 	uint32_t neg_flags; /* the current state of negotiation with the NTLMSSP partner */
 
+	bool force_wrap_seal;
+
 	union ntlmssp_crypt_state *crypt;
 };
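Review bot: `bool force_wrap_seal;` is added without a comment, as is `bool resume_ccache;` in the first hunk of this file, while neighbouring members such as use_nt_response and allow_lm_key explain themselves. Going by the gensec_ntlmssp_server.c change, the flag means NTLMSSP_NEGOTIATE_SIGN is handled as SEAL when GENSEC_FEATURE_LDAP_STYLE is requested, so I would write `bool force_wrap_seal; /* LDAP style: handle negotiated SIGN as SEAL */`. For resume_ccache, `/* client continues from a Negotiate message supplied by the caller */` appears to match how ntlmssp.c uses it, but please check the wording against the start function, which is not visible here. The struct begins outside the hunk.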
 
@@ -132,3 +136,4 @@ bool ntlmssp_blob_matches_magic(const DATA_BLOB *blob);
 NTSTATUS gensec_ntlmssp_init(void);
 
 uint32_t gensec_ntlmssp_neg_flags(struct gensec_security *gensec_security);
+const char *gensec_ntlmssp_server_domain(struct gensec_security *gensec_security);
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index b22619b..fe9e5d4 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -34,6 +34,7 @@ struct auth_session_info;
 #include "auth/ntlmssp/ntlmssp_private.h"
 #include "../librpc/gen_ndr/ndr_ntlmssp.h"
 #include "../auth/ntlmssp/ntlmssp_ndr.h"
+#include "../nsswitch/libwbclient/wbclient.h"
 
 /*********************************************************************
  Client side NTLMSSP
@@ -57,38 +58,18 @@ NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security,
 		talloc_get_type_abort(gensec_security->private_data,
 				      struct gensec_ntlmssp_context);
 	struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
-	const char *domain = ntlmssp_state->client.netbios_domain;
-	const char *workstation = ntlmssp_state->client.netbios_name;
 	NTSTATUS status;
-
-	/* These don't really matter in the initial packet, so don't panic if they are not set */
-	if (!domain) {
-		domain = "";
-	}
-
-	if (!workstation) {
-		workstation = "";
-	}
-
-	if (ntlmssp_state->unicode) {
-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
-	} else {
-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
-	}
-
-	if (ntlmssp_state->use_ntlmv2) {
-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
-	}
+	const DATA_BLOB version_blob = ntlmssp_version_blob();
 
 	/* generate the ntlmssp negotiate packet */
 	status = msrpc_gen(out_mem_ctx,
-		  out, "CddAA",
+		  out, "CddAAb",
 		  "NTLMSSP",
 		  NTLMSSP_NEGOTIATE,
 		  ntlmssp_state->neg_flags,
-		  domain,
-		  workstation);
-
+		  "", /* domain */
+		  "", /* workstation */
+		  version_blob.data, version_blob.length);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0, ("ntlmssp_client_initial: failed to generate "
 			  "ntlmssp negotiate packet\n"));
@@ -114,6 +95,98 @@ NTSTATUS ntlmssp_client_initial(struct gensec_security *gensec_security,
 	return NT_STATUS_MORE_PROCESSING_REQUIRED;
 }
 
+NTSTATUS gensec_ntlmssp_resume_ccache(struct gensec_security *gensec_security,
+				TALLOC_CTX *out_mem_ctx,
+				DATA_BLOB in, DATA_BLOB *out)
+{
+	struct gensec_ntlmssp_context *gensec_ntlmssp =
+		talloc_get_type_abort(gensec_security->private_data,
+				      struct gensec_ntlmssp_context);
+	struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
+	uint32_t neg_flags = 0;
+	uint32_t ntlmssp_command;
+	NTSTATUS status;
+	bool ok;
+
+	*out = data_blob_null;
+
+	if (in.length == 0) {
+		/*
+		 * This is compat code for older callers
+		 * which were missing the "initial_blob"
+		 */
+		ntlmssp_state->expected_state = NTLMSSP_CHALLENGE;
+		return NT_STATUS_MORE_PROCESSING_REQUIRED;
+	}
+
+	/* parse the NTLMSSP packet */
+
+	if (in.length > UINT16_MAX) {
+		DEBUG(1, ("%s: reject large request of length %u\n",
+			__func__, (unsigned int)in.length));
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	ok = msrpc_parse(ntlmssp_state, &in, "Cdd",
+			 "NTLMSSP",
+			 &ntlmssp_command,
+			 &neg_flags);
+	if (!ok) {
+		DEBUG(1, ("%s: failed to parse NTLMSSP Negotiate of length %u\n",
+			__func__, (unsigned int)in.length));
+		dump_data(2, in.data, in.length);
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	if (ntlmssp_command != NTLMSSP_NEGOTIATE) {
+		DEBUG(1, ("%s: no NTLMSSP Negotiate message (length %u)\n",
+			__func__, (unsigned int)in.length));
+		dump_data(2, in.data, in.length);
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	ntlmssp_state->neg_flags = neg_flags;
+	DEBUG(3, ("Imported Negotiate flags:\n"));
+	debug_ntlmssp_flags(neg_flags);
+
+	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_UNICODE) {
+		ntlmssp_state->unicode = true;
+	} else {
+		ntlmssp_state->unicode = false;
+	}
+
+	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
+		gensec_security->want_features |= GENSEC_FEATURE_SIGN;
+
+		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+	}
+
+	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
+		gensec_security->want_features |= GENSEC_FEATURE_SEAL;
+
+		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
+	}
+
+	if (DEBUGLEVEL >= 10) {
+		struct NEGOTIATE_MESSAGE *negotiate = talloc(
+			ntlmssp_state, struct NEGOTIATE_MESSAGE);
+		if (negotiate != NULL) {
+			status = ntlmssp_pull_NEGOTIATE_MESSAGE(
+				&in, negotiate, negotiate);
+			if (NT_STATUS_IS_OK(status)) {
+				NDR_PRINT_DEBUG(NEGOTIATE_MESSAGE,
+						negotiate);
+			}
+			TALLOC_FREE(negotiate);
+		}
+	}
+
+	ntlmssp_state->expected_state = NTLMSSP_CHALLENGE;
+
+	return NT_STATUS_MORE_PROCESSING_REQUIRED;
+}
+
 /**
  * Next state function for the Challenge Packet.  Generate an auth packet.
  *
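Review bot: In gensec_ntlmssp_resume_ccache() the flags parsed from the imported blob replace local state wholesale at `ntlmssp_state->neg_flags = neg_flags;`, with no check against what this client is configured to allow (ntlmssp_state carries settings such as use_ntlmv2 and allow_lm_key). If the blob is always the Negotiate message this process's own caller already sent, a comment should say so; otherwise the imported value should be masked against the locally permitted flags before it is stored. Separately, `ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;` in the SIGN branch and `|= NTLMSSP_NEGOTIATE_SEAL` in the SEAL branch re-set the bit the `if` just tested and can be dropped. The unicode branch reduces to `ntlmssp_state->unicode = (neg_flags & NTLMSSP_NEGOTIATE_UNICODE) != 0;`.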
@@ -148,6 +221,8 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 	NTSTATUS nt_status;
 	int flags = 0;
 	const char *user = NULL, *domain = NULL, *workstation = NULL;
+	bool is_anonymous = false;
+	const DATA_BLOB version_blob = ntlmssp_version_blob();
 
 	TALLOC_CTX *mem_ctx = talloc_new(out_mem_ctx);
 	if (!mem_ctx) {
@@ -181,7 +256,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 			chal_parse_string = "CdUdbdd";
 			chal_parse_string_short = "CdUdb";
 		}
-		auth_gen_string = "CdBBUUUBd";
+		auth_gen_string = "CdBBUUUBdb";
 	} else {
 		if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
 			chal_parse_string = "CdAdbddB";
@@ -190,7 +265,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 			chal_parse_string_short = "CdAdb";
 		}
 
-		auth_gen_string = "CdBBAAABd";
+		auth_gen_string = "CdBBAAABdb";
 	}
 
 	if (!msrpc_parse(mem_ctx,
@@ -244,7 +319,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 	}
 	/* TODO: parse struct_blob and fill in the rest */
 	ntlmssp_state->server.netbios_name = "";
-	ntlmssp_state->server.netbios_domain = server_domain;
+	ntlmssp_state->server.netbios_domain = talloc_move(ntlmssp_state, &server_domain);
 	ntlmssp_state->server.dns_name = "";
 	ntlmssp_state->server.dns_domain = "";
 
@@ -253,6 +328,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
+	is_anonymous = cli_credentials_is_anonymous(gensec_security->credentials);
 	cli_credentials_get_ntlm_username_domain(gensec_security->credentials, mem_ctx,
 						 &user, &domain);
 
@@ -273,6 +349,88 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
+	if (is_anonymous) {
+		ntlmssp_state->neg_flags |= NTLMSSP_ANONYMOUS;
+		/*
+		 * don't use the ccache for anonymous auth
+		 */
+		ntlmssp_state->use_ccache = false;
+	}
+	if (ntlmssp_state->use_ccache) {
+		struct samr_Password *nt_hash = NULL;
+
+		/*
+		 * If we have a password given we don't
+		 * use the ccache
+		 */
+		nt_hash = cli_credentials_get_nt_hash(gensec_security->credentials,
+						      mem_ctx);
+		if (nt_hash != NULL) {
+			ZERO_STRUCTP(nt_hash);
+			TALLOC_FREE(nt_hash);
+			ntlmssp_state->use_ccache = false;
+		}
+	}
+
+	if (ntlmssp_state->use_ccache) {
+		struct wbcCredentialCacheParams params;
+		struct wbcCredentialCacheInfo *info = NULL;
+		struct wbcAuthErrorInfo *error = NULL;
+		struct wbcNamedBlob auth_blobs[1];
+		const struct wbcBlob *wbc_auth_blob = NULL;
+		const struct wbcBlob *wbc_session_key = NULL;
+		wbcErr wbc_status;
+		int i;
+
+		params.account_name = user;
+		params.domain_name = domain;
+		params.level = WBC_CREDENTIAL_CACHE_LEVEL_NTLMSSP;
+
+		auth_blobs[0].name = "challenge_blob";
+		auth_blobs[0].flags = 0;
+		auth_blobs[0].blob.data = in.data;
+		auth_blobs[0].blob.length = in.length;
+		params.num_blobs = ARRAY_SIZE(auth_blobs);
+		params.blobs = auth_blobs;
+
+		wbc_status = wbcCredentialCache(&params, &info, &error);
+		wbcFreeMemory(error);
+		if (!WBC_ERROR_IS_OK(wbc_status)) {
+			return NT_STATUS_WRONG_CREDENTIAL_HANDLE;
+		}
+
+		for (i=0; i<info->num_blobs; i++) {
+			if (strequal(info->blobs[i].name, "auth_blob")) {
+				wbc_auth_blob = &info->blobs[i].blob;
+			}
+			if (strequal(info->blobs[i].name, "session_key")) {
+				wbc_session_key = &info->blobs[i].blob;
+			}
+		}
+		if ((wbc_auth_blob == NULL) || (wbc_session_key == NULL)) {


-- 
Samba Shared Repository


