[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Tue Nov 29 01:19:04 UTC 2016
The branch, master has been updated
via 4ca7d50 ntlm_auth4: Remove it
from f241484 ctdb-daemon: Mark RecoverPDBBySeqNum tunable deprecated
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 4ca7d50c872e36df7c05730f6ea0b413740d6ccc
Author: Volker Lendecke <vl at samba.org>
Date: Tue Nov 22 01:54:08 2016 +0100
ntlm_auth4: Remove it
This had install=False for rather exactly 4 years now. If someone wants to
start working on it again, we can always dig it up from the git history.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue Nov 29 02:18:37 CET 2016 on sn-devel-144
-----------------------------------------------------------------------
Summary of changes:
source4/utils/man/ntlm_auth4.1.xml | 269 --------
source4/utils/ntlm_auth.c | 1179 ------------------------------------
source4/utils/wscript_build | 11 -
3 files changed, 1459 deletions(-)
delete mode 100644 source4/utils/man/ntlm_auth4.1.xml
delete mode 100644 source4/utils/ntlm_auth.c
Changeset truncated at 500 lines:
diff --git a/source4/utils/man/ntlm_auth4.1.xml b/source4/utils/man/ntlm_auth4.1.xml
deleted file mode 100644
index fe6ce6d..0000000
--- a/source4/utils/man/ntlm_auth4.1.xml
+++ /dev/null
@@ -1,269 +0,0 @@
-<?xml version="1.0" encoding="iso-8859-1"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
-<refentry id="ntlm-auth.1">
-
-<refmeta>
- <refentrytitle>ntlm_auth4</refentrytitle>
- <manvolnum>1</manvolnum>
- <refmiscinfo class="source">Samba</refmiscinfo>
- <refmiscinfo class="manual">User Commands</refmiscinfo>
- <refmiscinfo class="version">4.0</refmiscinfo>
-</refmeta>
-
-
-<refnamediv>
- <refname>ntlm_auth4</refname>
- <refpurpose>tool to allow external access to Winbind's NTLM authentication function</refpurpose>
-</refnamediv>
-
-<refsynopsisdiv>
- <cmdsynopsis>
- <command>ntlm_auth4</command>
- <arg choice="opt">-d debuglevel</arg>
- <arg choice="opt">-l logdir</arg>
- <arg choice="opt">-s <smb config file></arg>
- </cmdsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
- <title>DESCRIPTION</title>
-
- <para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
- <manvolnum>7</manvolnum></citerefentry> suite.</para>
-
- <para><command>ntlm_auth4</command> is a helper utility that authenticates
- users using NT/LM authentication. It returns 0 if the users is authenticated
- successfully and 1 if access was denied. ntlm_auth4 uses winbind to access
- the user and authentication data for a domain. This utility
- is only indended to be used by other programs (currently squid).
- </para>
-</refsect1>
-
-<refsect1>
- <title>OPERATIONAL REQUIREMENTS</title>
-
- <para>
- The <citerefentry><refentrytitle>winbindd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> daemon must be operational
- for many of these commands to function.</para>
-
- <para>Some of these commands also require access to the directory
- <filename>winbindd_privileged</filename> in
- <filename>$LOCKDIR</filename>. This should be done either by running
- this command as root or providing group access
- to the <filename>winbindd_privileged</filename> directory. For
- security reasons, this directory should not be world-accessable. </para>
-
-</refsect1>
-
-
-<refsect1>
- <title>OPTIONS</title>
-
- <variablelist>
- <varlistentry>
- <term>--helper-protocol=PROTO</term>
- <listitem><para>
- Operate as a stdio-based helper. Valid helper protocols are:
- </para>
- <variablelist>
- <varlistentry>
- <term>squid-2.4-basic</term>
- <listitem><para>
- Server-side helper for use with Squid 2.4's basic (plaintext)
- authentication. </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>squid-2.5-basic</term>
- <listitem><para>
- Server-side helper for use with Squid 2.5's basic (plaintext)
- authentication. </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>squid-2.5-ntlmssp</term>
- <listitem><para>
- Server-side helper for use with Squid 2.5's NTLMSSP
- authentication. </para>
- <para>Requires access to the directory
- <filename>winbindd_privileged</filename> in
- <filename>$LOCKDIR</filename>. The protocol used is
- described here: <ulink
- url="http://devel.squid-cache.org/ntlm/squid_helper_protocol.html">http://devel.squid-cache.org/ntlm/squid_helper_protocol.html</ulink>
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>ntlmssp-client-1</term>
- <listitem><para>
- Cleint-side helper for use with arbitary external
- programs that may wish to use Samba's NTLMSSP
- authentication knowlege. </para>
- <para>This helper is a client, and as such may be run by any
- user. The protocol used is
- effectivly the reverse of the previous protocol.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>gss-spnego</term>
- <listitem><para>
- Server-side helper that implements GSS-SPNEGO. This
- uses a protocol that is almost the same as
- <command>squid-2.5-ntlmssp</command>, but has some
- subtle differences that are undocumented outside the
- source at this stage.
- </para>
- <para>Requires access to the directory
- <filename>winbindd_privileged</filename> in
- <filename>$LOCKDIR</filename>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>gss-spnego-client</term>
- <listitem><para>
- Client-side helper that implements GSS-SPNEGO. This
- also uses a protocol similar to the above helpers, but
- is currently undocumented.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>--username=USERNAME</term>
- <listitem><para>
- Specify username of user to authenticate
- </para></listitem>
-
- </varlistentry>
-
- <varlistentry>
- <term>--domain=DOMAIN</term>
- <listitem><para>
- Specify domain of user to authenticate
- </para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term>--workstation=WORKSTATION</term>
- <listitem><para>
- Specify the workstation the user authenticated from
- </para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term>--challenge=STRING</term>
- <listitem><para>NTLM challenge (in HEXADECIMAL)</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>--lm-response=RESPONSE</term>
- <listitem><para>LM Response to the challenge (in HEXADECIMAL)</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term>--nt-response=RESPONSE</term>
- <listitem><para>NT or NTLMv2 Response to the challenge (in HEXADECIMAL)</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term>--password=PASSWORD</term>
- <listitem><para>User's plaintext password</para><para>If
- not specified on the command line, this is prompted for when
- required. </para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term>--request-lm-key</term>
- <listitem><para>Retrieve LM session key</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term>--request-nt-key</term>
- <listitem><para>Request NT key</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term>--diagnostics</term>
- <listitem><para>Perform Diagnostics on the authentication
- chain. Uses the password from <command>--password</command>
- or prompts for one.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>--require-membership-of={SID|Name}</term>
- <listitem><para>Require that a user be a member of specified
- group (either name or SID) for authentication to succeed.</para>
- </listitem>
- </varlistentry>
-
- </variablelist>
-</refsect1>
-
-<refsect1>
- <title>EXAMPLE SETUP</title>
-
- <para>To setup ntlm_auth4 for use by squid 2.5, with both basic and
- NTLMSSP authentication, the following
- should be placed in the <filename>squid.conf</filename> file.
-<programlisting>
-auth_param ntlm program ntlm_auth4 --helper-protocol=squid-2.5-ntlmssp
-auth_param basic program ntlm_auth4 --helper-protocol=squid-2.5-basic
-auth_param basic children 5
-auth_param basic realm Squid proxy-caching web server
-auth_param basic credentialsttl 2 hours
-</programlisting></para>
-
-<note><para>This example assumes that ntlm_auth4 has been installed into your
- path, and that the group permissions on
- <filename>winbindd_privileged</filename> are as described above.</para></note>
-
- <para>To setup ntlm_auth4 for use by squid 2.5 with group limitation in addition to the above
- example, the following should be added to the <filename>squid.conf</filename> file.
-<programlisting>
-auth_param ntlm program ntlm_auth4 --helper-protocol=squid-2.5-ntlmssp --require-membership-of='WORKGROUP\Domain Users'
-auth_param basic program ntlm_auth4 --helper-protocol=squid-2.5-basic --require-membership-of='WORKGROUP\Domain Users'
-</programlisting></para>
-
-</refsect1>
-
-<refsect1>
- <title>TROUBLESHOOTING</title>
-
- <para>If you're experiencing problems with authenticating Internet Explorer running
- under MS Windows 9X or Millenium Edition against ntlm_auth4's NTLMSSP authentication
- helper (--helper-protocol=squid-2.5-ntlmssp), then please read
- <ulink url="http://support.microsoft.com/support/kb/articles/Q239/8/69.ASP">
- the Microsoft Knowledge Base article #239869 and follow instructions described there</ulink>.
- </para>
-</refsect1>
-
-<refsect1>
- <title>VERSION</title>
-
- <para>This man page is correct for version 3.0 of the Samba
- suite.</para>
-</refsect1>
-
-<refsect1>
- <title>AUTHOR</title>
-
- <para>The original Samba software and related utilities
- were created by Andrew Tridgell. Samba is now developed
- by the Samba Team as an Open Source project similar
- to the way the Linux kernel is developed.</para>
-
- <para>The ntlm_auth4 manpage was written by Jelmer Vernooij and
- Andrew Bartlett.</para>
-</refsect1>
-
-</refentry>
diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
deleted file mode 100644
index a4a1c8b..0000000
--- a/source4/utils/ntlm_auth.c
+++ /dev/null
@@ -1,1179 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
-
- Winbind status program.
-
- Copyright (C) Tim Potter 2000-2003
- Copyright (C) Andrew Bartlett <abartlet at samba.org> 2003-2004
- Copyright (C) Francesco Chemolli <kinkie at kame.usr.dsi.unimi.it> 2000
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "system/filesys.h"
-#include "lib/cmdline/popt_common.h"
-#include <ldb.h>
-#include "auth/credentials/credentials.h"
-#include "auth/gensec/gensec.h"
-#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
-#include "auth/auth.h"
-#include "librpc/gen_ndr/ndr_netlogon.h"
-#include "auth/auth_sam.h"
-#include "libcli/auth/libcli_auth.h"
-#include "libcli/security/security.h"
-#include "lib/events/events.h"
-#include "lib/messaging/messaging.h"
-#include "lib/messaging/irpc.h"
-#include "auth/ntlmssp/ntlmssp.h"
-#include "param/param.h"
-#include "lib/util/base64.h"
-#include "lib/util/xfile.h"
-
-#define INITIAL_BUFFER_SIZE 300
-#define MAX_BUFFER_SIZE 63000
-
-enum stdio_helper_mode {
- SQUID_2_4_BASIC,
- SQUID_2_5_BASIC,
- SQUID_2_5_NTLMSSP,
- NTLMSSP_CLIENT_1,
- GSS_SPNEGO_CLIENT,
- GSS_SPNEGO_SERVER,
- NTLM_SERVER_1,
- NUM_HELPER_MODES
-};
-
-#define NTLM_AUTH_FLAG_USER_SESSION_KEY 0x0004
-#define NTLM_AUTH_FLAG_LMKEY 0x0008
-
-
-typedef void (*stdio_helper_function)(enum stdio_helper_mode stdio_helper_mode,
- struct loadparm_context *lp_ctx,
- char *buf, int length, void **private1,
- unsigned int mux_id, void **private2);
-
-static void manage_squid_basic_request (enum stdio_helper_mode stdio_helper_mode,
- struct loadparm_context *lp_ctx,
- char *buf, int length, void **private1,
- unsigned int mux_id, void **private2);
-
-static void manage_gensec_request (enum stdio_helper_mode stdio_helper_mode,
- struct loadparm_context *lp_ctx,
- char *buf, int length, void **private1,
- unsigned int mux_id, void **private2);
-
-static void manage_ntlm_server_1_request (enum stdio_helper_mode stdio_helper_mode,
- struct loadparm_context *lp_ctx,
- char *buf, int length, void **private1,
- unsigned int mux_id, void **private2);
-
-static void manage_squid_request(struct loadparm_context *lp_ctx,
- enum stdio_helper_mode helper_mode,
- stdio_helper_function fn, void **private2);
-
-static const struct {
- enum stdio_helper_mode mode;
- const char *name;
- stdio_helper_function fn;
-} stdio_helper_protocols[] = {
- { SQUID_2_4_BASIC, "squid-2.4-basic", manage_squid_basic_request},
- { SQUID_2_5_BASIC, "squid-2.5-basic", manage_squid_basic_request},
- { SQUID_2_5_NTLMSSP, "squid-2.5-ntlmssp", manage_gensec_request},
- { GSS_SPNEGO_CLIENT, "gss-spnego-client", manage_gensec_request},
- { GSS_SPNEGO_SERVER, "gss-spnego", manage_gensec_request},
- { NTLMSSP_CLIENT_1, "ntlmssp-client-1", manage_gensec_request},
- { NTLM_SERVER_1, "ntlm-server-1", manage_ntlm_server_1_request},
- { NUM_HELPER_MODES, NULL, NULL}
-};
-
-extern int winbindd_fd;
-
-static const char *opt_username;
-static const char *opt_domain;
-static const char *opt_workstation;
-static const char *opt_password;
-static int opt_multiplex;
-static int use_cached_creds;
-static int opt_allow_mschapv2;
-
-
-static void mux_printf(unsigned int mux_id, const char *format, ...) PRINTF_ATTRIBUTE(2, 3);
-
-static void mux_printf(unsigned int mux_id, const char *format, ...)
-{
- va_list ap;
-
- if (opt_multiplex) {
- x_fprintf(x_stdout, "%d ", mux_id);
- }
-
- va_start(ap, format);
- x_vfprintf(x_stdout, format, ap);
- va_end(ap);
-}
-
-
-
-/* Copy of parse_domain_user from winbindd_util.c. Parse a string of the
- form DOMAIN/user into a domain and a user */
-
-static bool parse_ntlm_auth_domain_user(const char *domuser, char **domain,
- char **user, char winbind_separator)
-{
-
- char *p = strchr(domuser, winbind_separator);
-
- if (!p) {
- return false;
- }
-
- *user = smb_xstrdup(p+1);
- *domain = smb_xstrdup(domuser);
- (*domain)[PTR_DIFF(p, domuser)] = 0;
-
- return true;
-}
-
-
-/* Authenticate a user with a plaintext password */
-
-static bool check_plaintext_auth(const char *user, const char *pass,
- bool stdout_diagnostics)
-{
- return (strcmp(pass, opt_password) == 0);
-}
-
-/* authenticate a user with an encrypted username/password */
-
-static NTSTATUS local_pw_check_specified(struct loadparm_context *lp_ctx,
- const char *username,
- const char *domain,
- const char *workstation,
- const DATA_BLOB *challenge,
- const DATA_BLOB *lm_response,
- const DATA_BLOB *nt_response,
- uint32_t flags,
- DATA_BLOB *lm_session_key,
- DATA_BLOB *user_session_key,
- char **error_string,
- char **unix_name)
-{
- NTSTATUS nt_status;
- struct samr_Password lm_pw, nt_pw;
- struct samr_Password *lm_pwd, *nt_pwd;
- TALLOC_CTX *mem_ctx = talloc_init("local_pw_check_specified");
- if (!mem_ctx) {
- nt_status = NT_STATUS_NO_MEMORY;
- } else {
- uint32_t logon_parameters = 0;
-
- E_md4hash(opt_password, nt_pw.hash);
- if (E_deshash(opt_password, lm_pw.hash)) {
- lm_pwd = &lm_pw;
- } else {
- lm_pwd = NULL;
- }
- nt_pwd = &nt_pw;
-
- if (opt_allow_mschapv2) {
- logon_parameters |= MSV1_0_ALLOW_MSVCHAPV2;
- }
-
- nt_status = ntlm_password_check(mem_ctx,
- lpcfg_lanman_auth(lp_ctx),
- lpcfg_ntlm_auth(lp_ctx),
- logon_parameters |
- MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
- MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
- challenge,
- lm_response,
- nt_response,
- username,
- username,
- domain,
- lm_pwd, nt_pwd, user_session_key, lm_session_key);
-
- if (NT_STATUS_IS_OK(nt_status)) {
- if (unix_name) {
- if (asprintf(unix_name, "%s%c%s", domain,
- *lpcfg_winbind_separator(lp_ctx),
- username) < 0) {
- nt_status = NT_STATUS_NO_MEMORY;
- }
- }
- } else {
- DEBUG(3, ("Login for user [%s]\\[%s]@[%s] failed due to [%s]\n",
- domain, username, workstation,
- nt_errstr(nt_status)));
--
Samba Shared Repository
More information about the samba-cvs
mailing list