Stefan Metzmacher [Fri, 26 Feb 2016 15:41:10 +0000 (16:41 +0100)]
s4:rpc_server/samr: hide a possible NO_USER_SESSION_KEY error
Windows servers doesn't return the raw NT_STATUS_NO_USER_SESSION_KEY
error, but return WRONG_PASSWORD or even hide the error by using a random
session key, that results in an invalid, unknown, random NTHASH.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 10 Nov 2015 09:25:10 +0000 (10:25 +0100)]
s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 15 Dec 2015 21:44:24 +0000 (22:44 +0100)]
s4:torture:samba3rpc: use an authenticated SMB connection and an anonymous DCERPC connection on top
This is the only way to get a reliable transport session key.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 18 Dec 2015 19:18:42 +0000 (20:18 +0100)]
s4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp
It requires a transport session key, which is only reliable available
over SMB.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 29 Feb 2016 06:47:39 +0000 (07:47 +0100)]
s4:torture: the backupkey tests need to use ncacn_np: for LSA calls
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 17 Dec 2015 07:55:03 +0000 (08:55 +0100)]
s4:torture/rpc: do testjoin only via ncalrpc or ncacn_np
ncacn_ip_tcp doesn't have the required session key.
It used to be the wellknown "SystemLibraryDTC" constant,
but that's not available in modern systems anymore.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 2 Mar 2016 06:27:41 +0000 (07:27 +0100)]
s3:libsmb: remove unused functions in clispnego.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 2 Mar 2016 06:27:16 +0000 (07:27 +0100)]
s3:libsmb: remove unused cli_session_setup_kerberos*() functions
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 2 Mar 2016 13:58:30 +0000 (14:58 +0100)]
s3:libsmb: make use of cli_session_setup_gensec*() for Kerberos
This pares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 2 Mar 2016 13:35:21 +0000 (14:35 +0100)]
s3:libsmb: call cli_state_remote_realm() within cli_session_setup_spnego_send()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 1 Mar 2016 14:47:11 +0000 (15:47 +0100)]
s3:libsmb: provide generic cli_session_setup_gensec_send/recv() pair
It will be possible to use this for more than just NTLMSSP in future.
This prepares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 1 Mar 2016 17:31:50 +0000 (18:31 +0100)]
s3:libsmb: let cli_session_setup_ntlmssp*() use gensec_update_send/recv()
This pares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 9 Dec 2015 10:49:37 +0000 (11:49 +0100)]
s3:libsmb: unused ntlmssp.c
Everything uses the top level ntlmssp code via gensec now.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 26 Nov 2015 13:34:46 +0000 (14:34 +0100)]
s3:libsmb: make use gensec based SPNEGO/NTLMSSP
This pares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 2 Mar 2016 10:42:51 +0000 (11:42 +0100)]
s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 2 Mar 2016 10:33:04 +0000 (11:33 +0100)]
s3:libads: keep service and hostname separately in ads_service_principal
Caller will use them instead of the full principal in future.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 2 Mar 2016 10:31:01 +0000 (11:31 +0100)]
s3:libads: don't pass given_principal to ads_generate_service_principal() anymore.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 9 Dec 2015 12:14:05 +0000 (13:14 +0100)]
s3:libads: provide a generic ads_sasl_spnego_gensec_bind() function
It will be possible to use this for more than just NTLMSSP in future.
Similar to https://bugzilla.samba.org/show_bug.cgi?id=10288
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 9 Dec 2015 14:02:29 +0000 (15:02 +0100)]
s3:libads: make use of GENSEC_OID_SPNEGO in ads_sasl_spnego_ntlmssp_bind()
This avoids using the hand made spnego code, that
doesn't support the GENSEC_FEATURE_NEW_SPNEGO protection.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Wed, 9 Dec 2015 14:04:02 +0000 (15:04 +0100)]
s3:libads: make use of GENSEC_FEATURE_LDAP_STYLE
This is more generic and will handle the
ntlmssp_[un]wrap() behaviour at the right level.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Sat, 5 Mar 2016 01:53:45 +0000 (02:53 +0100)]
s3:libads: add missing TALLOC_FREE(frame) in error path
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 9 Dec 2015 13:51:57 +0000 (14:51 +0100)]
s4:ldap_server: make use of GENSEC_FEATURE_LDAP_STYLE
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 18 Dec 2015 10:46:22 +0000 (11:46 +0100)]
s4:selftest: simplify the loops over samba4.ldb.ldap
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 18 Dec 2015 08:54:08 +0000 (09:54 +0100)]
s4:selftest: we don't need to run ldap test with --option=socket:testnonblock=true
The LDAP client library uses tstream and that handles non blocking
sockets natively.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 18 Dec 2015 12:10:58 +0000 (13:10 +0100)]
s4:libcli/ldap: fix retry authentication after a bad password
We need to start with an empty input buffer.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Wed, 9 Dec 2015 13:51:57 +0000 (14:51 +0100)]
s4:libcli/ldap: make use of GENSEC_FEATURE_LDAP_STYLE
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 8 Mar 2016 11:58:51 +0000 (12:58 +0100)]
auth/ntlmssp: remove ntlmssp_unwrap() fallback for LDAP
This is now handled by GENSEC_FEATURE_LDAP_STYLE.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 9 Dec 2015 13:48:14 +0000 (14:48 +0100)]
auth/ntlmssp: add more compat for GENSEC_FEATURE_LDAP_STYLE
We want also work against old Samba servers which didn't had
GENSEC_FEATURE_LDAP_STYLE we negotiate SEAL too. We may remove this in a few
years. As all servers should support GENSEC_FEATURE_LDAP_STYLE by then.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Wed, 9 Dec 2015 13:48:14 +0000 (14:48 +0100)]
auth/ntlmssp: implement GENSEC_FEATURE_LDAP_STYLE
We need to handle NTLMSSP_NEGOTIATE_SIGN as
NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
is requested.
This works arround a bug in Windows, which allow signed only
messages using NTLMSSP and LDAP.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Wed, 9 Dec 2015 13:48:14 +0000 (14:48 +0100)]
auth/gensec: add GENSEC_FEATURE_LDAP_STYLE define
This will be used for LDAP connections and may trigger
backend specific behaviour.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Günther Deschner [Tue, 18 Aug 2009 22:40:12 +0000 (00:40 +0200)]
auth/ntlmssp: use ndr_push_AV_PAIR_LIST in gensec_ntlmssp_server_negotiate().
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 24 Nov 2015 14:40:29 +0000 (15:40 +0100)]
librpc/ndr: add ndr_ntlmssp_find_av() helper function
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Thu, 19 Nov 2015 14:38:02 +0000 (15:38 +0100)]
ntlmssp.idl: make AV_PAIR_LIST public
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 21 Dec 2015 08:07:57 +0000 (09:07 +0100)]
ntlmssp.idl: MsAvRestrictions is MsvAvSingleHost now
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 21 Dec 2015 08:06:56 +0000 (09:06 +0100)]
security.idl: add LSAP_TOKEN_INFO_INTEGRITY
This is used in [MS-KILE] and implicit in [MS-NLMP].
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 24 Nov 2015 13:07:23 +0000 (14:07 +0100)]
auth/ntlmssp: use ntlmssp_version_blob() in the server
We already set NTLMSSP_NEGOTIATE_VERSION in
gensec_ntlmssp_server_start(), so it's always
set in chal_flags.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 20 Nov 2015 09:52:29 +0000 (10:52 +0100)]
auth/ntlmssp: let the client always include NTLMSSP_NEGOTIATE_VERSION
This matches a modern Windows client.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 24 Nov 2015 13:05:17 +0000 (14:05 +0100)]
auth/ntlmssp: add ntlmssp_version_blob()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 20 Nov 2015 09:52:29 +0000 (10:52 +0100)]
auth/ntlmssp: don't send domain and workstation in the NEGOTIATE_MESSAGE
We don't set NTLMSSP_NEGOTIATE_OEM_{DOMAIN,WORKSTATION}_SUPPLIED anyway.
This matches modern Windows clients.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 8 Dec 2015 12:59:42 +0000 (13:59 +0100)]
auth/ntlmssp: set NTLMSSP_ANONYMOUS for anonymous authentication
This matches a modern Windows client.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 1 Dec 2015 10:01:24 +0000 (11:01 +0100)]
auth/ntlmssp: define all client neg_flags in gensec_ntlmssp_client_start()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 20 Nov 2015 09:52:29 +0000 (10:52 +0100)]
auth/ntlmssp: NTLMSSP_NEGOTIATE_VERSION is not a negotiated option
NTLMSSP_NEGOTIATE_VERSION only indicates the existence of the version
information in the packet.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 1 Dec 2015 10:16:02 +0000 (11:16 +0100)]
auth/ntlmssp: split out a debug_ntlmssp_flags_raw() that's more complete
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Wed, 9 Dec 2015 09:54:56 +0000 (10:54 +0100)]
s3:ntlm_auth: also use gensec for "ntlmssp-client-1" and "gss-spnego-client"
This implicitly fixes bug #10708.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10708
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Thu, 26 Nov 2015 10:46:52 +0000 (11:46 +0100)]
winbindd: make use of ntlmssp_resume_ccache backend for WINBINDD_CCACHE_NTLMAUTH
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Thu, 10 Dec 2015 14:42:51 +0000 (15:42 +0100)]
s3:auth_generic: add "ntlmssp_resume_ccache" backend in auth_generic_client_prepare()
This will be used by winbindd in order to correctly implement WINBINDD_CCACHE_NTLMAUTH.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 27 Nov 2015 14:35:40 +0000 (15:35 +0100)]
auth/ntlmssp: implement GENSEC_FEATURE_NTLM_CCACHE
This can used in order to use the WINBINDD_CCACHE_NTLMAUTH
code of winbindd to do NTLMSSP authentication with a cached
password.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 27 Nov 2015 12:42:30 +0000 (13:42 +0100)]
auth/gensec: add GENSEC_FEATURE_NTLM_CCACHE define
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Wed, 25 Nov 2015 20:41:23 +0000 (21:41 +0100)]
auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend
These can be used to implement the winbindd side of
the WINBINDD_CCACHE_NTLMAUTH call.
It can properly get the initial NEGOTIATE messages
injected if available.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 11 Dec 2015 11:47:40 +0000 (12:47 +0100)]
s3:ntlmssp: remove unused libsmb/ntlmssp_wrap.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Thu, 26 Nov 2015 10:45:33 +0000 (11:45 +0100)]
s3:auth_generic: make use of the top level NTLMSSP client code
There's no reason to use gensec_ntlmssp3_client_ops, the
WINBINDD_CCACHE_NTLMAUTH isn't available via gensec anyway.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 15 Dec 2015 08:07:33 +0000 (09:07 +0100)]
winbindd: pass an memory context to do_ntlm_auth_with_stored_pw()
We should avoid using NULL.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Wed, 9 Dec 2015 15:15:13 +0000 (16:15 +0100)]
s3:tests/test_ntlm_auth_s3: test ntlmssp-client-1 with cached credentials
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11776
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Wed, 9 Dec 2015 15:15:13 +0000 (16:15 +0100)]
s3:torture/test_ntlm_auth.py: add --client-use-cached-creds option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11776
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 11 Dec 2015 11:11:05 +0000 (12:11 +0100)]
s3:torture/test_ntlm_auth.py: replace tabs with whitespaces
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Wed, 9 Dec 2015 20:23:33 +0000 (21:23 +0100)]
s3:ntlm_auth: fix --use-cached-creds with ntlmssp-client-1
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11776
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Wed, 2 Mar 2016 11:06:50 +0000 (12:06 +0100)]
auth/ntlmssp: add gensec_ntlmssp_server_domain()
This is a hack in order to temporary export the server domain
from NTLMSSP through the gensec stack.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 2 Mar 2016 21:15:50 +0000 (22:15 +0100)]
auth/ntlmssp: keep ntlmssp_state->server.netbios_domain on the correct talloc context
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 1 Mar 2016 18:39:04 +0000 (19:39 +0100)]
s3:auth_generic: add auth_generic_client_start_by_sasl()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 26 Nov 2015 10:44:02 +0000 (11:44 +0100)]
s3:auth_generic: add auth_generic_client_start_by_name()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Thu, 26 Nov 2015 10:43:02 +0000 (11:43 +0100)]
auth/gensec: make gensec_security_by_name() public
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 1 Mar 2016 18:29:40 +0000 (19:29 +0100)]
auth/gensec: handle gensec_security_by_sasl_name(NULL, ...)
We do that for all other gensec_security_by_*() functions already.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 2 Mar 2016 11:06:50 +0000 (12:06 +0100)]
auth/gensec: keep a pointer to a possible child/sub gensec_security context
This is a hack in order to temporary implement something like:
gensec_ntlmssp_server_domain(), which may be used within spnego.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 19 Aug 2015 08:53:34 +0000 (10:53 +0200)]
s4:pygensec: make sig_size() and sign/check_packet() available
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Sat, 5 Mar 2016 01:52:29 +0000 (02:52 +0100)]
s3:librpc/gse: implement gensec_gse_max_{input,wrapped}_size()
This is important in order to support gensec_[un]wrap() with GENSEC_SEAL.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 2 Mar 2016 06:42:41 +0000 (07:42 +0100)]
s3:librpc/gse: don't log gss_acquire_creds failed at level 0
Some callers just retry after a kinit.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 1 Mar 2016 16:37:38 +0000 (17:37 +0100)]
s3:librpc/gse: correctly support GENSEC_FEATURE_SESSION_KEY
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 22 Jun 2015 13:22:44 +0000 (15:22 +0200)]
s3:librpc/gse: set GSS_KRB5_CRED_NO_CI_FLAGS_X in gse_init_client() if available
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 22 Jun 2015 13:21:53 +0000 (15:21 +0200)]
s3:librpc/gse: fix debug message in gse_init_client()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 22 Jun 2015 13:21:05 +0000 (15:21 +0200)]
s3:librpc/gse: make use of GSS_C_EMPTY_BUFFER in gse_init_client
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 22 Jun 2015 13:18:22 +0000 (15:18 +0200)]
wscript_configure_system_mitkrb5: add configure checks for GSS_KRB5_CRED_NO_CI_FLAGS_X
Newer MIT versions (maybe krb5-1.14) will also support this.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 2 Mar 2016 13:36:14 +0000 (14:36 +0100)]
s3:libads: remove unused ads_connect_gc()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Dec 2015 10:06:47 +0000 (11:06 +0100)]
s4:librpc/rpc: map alter context SEC_PKG_ERROR to NT_STATUS_LOGON_FAILURE
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Jul 2015 01:36:36 +0000 (03:36 +0200)]
librpc/rpc: add error mappings for NO_CALL_ACTIVE, OUT_OF_RESOURCES and BAD_STUB_DATA
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 17 Jul 2015 01:35:19 +0000 (03:35 +0200)]
dcerpc.idl: make WERROR RPC faults available in ndr_print output
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Thu, 16 Jul 2015 15:15:24 +0000 (17:15 +0200)]
epmapper.idl: make epm_twr_t available in python bindings
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 8 Mar 2016 14:53:21 +0000 (15:53 +0100)]
s3:selftest: run samba3.blackbox.smbclient_auth.plain also with $SERVER_IPV6
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 8 Mar 2016 14:47:59 +0000 (15:47 +0100)]
s3:test_smbclient_auth.sh: test using the ip address in the unc path (incl. ipv6-literal.net)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 4 Mar 2016 01:18:38 +0000 (02:18 +0100)]
lib/util_net: add support for .ipv6-literal.net
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 4 Mar 2016 01:18:38 +0000 (02:18 +0100)]
lib/util_net: move ipv6 linklocal handling into interpret_string_addr_internal()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 1 Mar 2016 14:54:32 +0000 (15:54 +0100)]
s4-selftest: Make export keytab test heimdal specific
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Mon, 29 Feb 2016 14:12:02 +0000 (15:12 +0100)]
s4-libnet: Implement export_keytab without HDB
This is used by 'samba-tool domain exportkeytab'. This loads the HDB
Samba backend thus needs access to samdb. To avoid using heimdal
specific code here, we could talk to samdb directly and write a
keytab file.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Tue, 8 Mar 2016 16:08:22 +0000 (17:08 +0100)]
s3-libnet: Allow the keytab function to use a relative path
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Tue, 8 Mar 2016 16:07:23 +0000 (17:07 +0100)]
krb5_wrap: Add smb_krb5_open_keytab_relative() function
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Mon, 29 Feb 2016 16:31:56 +0000 (17:31 +0100)]
krb5_wrap: Move smb_krb5_kt_add_entry() to krb5_wrap
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Mon, 29 Feb 2016 16:25:33 +0000 (17:25 +0100)]
s3-libads: Use the C99 boolean false
This is a preparation to move smb_krb5_kt_add_entry() to krb5_wrap.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Mon, 29 Feb 2016 16:22:50 +0000 (17:22 +0100)]
s3-libads: Call smb_krb5_create_key_from_string() directly
This is a preparation to move smb_krb5_kt_add_entry() to krb5_wrap.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Mon, 29 Feb 2016 15:21:56 +0000 (16:21 +0100)]
s3-libads: Pass down the salt principal in smb_krb5_kt_add_entry()
This is a preparation to move smb_krb5_kt_add_entry() to krb5_wrap.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Garming Sam [Fri, 29 Jan 2016 04:28:54 +0000 (17:28 +1300)]
CVE-2016-0771: tests/dns: Remove dependencies on env variables
Now that it is invoked as a normal script, there should be less of them.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Fri, 29 Jan 2016 04:03:56 +0000 (17:03 +1300)]
CVE-2016-0771: tests/dns: change samba.tests.dns from being a unittest
This makes it easier to invoke, particularly against Windows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Thu, 21 Jan 2016 22:35:03 +0000 (11:35 +1300)]
CVE-2016-0771: tests: rename test getopt to get_opt
This avoids any conflicts in this directory with the original toplevel
getopt.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 27 Jan 2016 23:54:58 +0000 (12:54 +1300)]
CVE-2016-0771: tests/dns: RPC => DNS roundtrip test
Make sure that TXT entries stored via RPC come out the same in DNS.
This has one caveat in that adding over RPC in Windows eats slashes,
and so fails there.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 27 Jan 2016 23:36:43 +0000 (12:36 +1300)]
CVE-2016-0771: dnsserver: don't force UTF-8 for TXT
While using a charset is not entirely logical, it allows testing of non
UTF-8 data (like inserting 0xFF into the TXT string).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 27 Jan 2016 04:41:44 +0000 (17:41 +1300)]
CVE-2016-0771: tests/dns: modify tests to check via RPC
This checks that TXT records added over DNS, look the same over RPC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Sun, 17 Jan 2016 23:39:46 +0000 (12:39 +1300)]
CVE-2016-0771: tests/dns: Add some more test cases for TXT records
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 20 Jan 2016 21:25:44 +0000 (10:25 +1300)]
CVE-2016-0771: tests/dns: Correct error code for formerly unrun test
Both Samba and Windows returned NXRRSET
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Tue, 15 Dec 2015 04:22:32 +0000 (17:22 +1300)]
CVE-2016-0771: tests/dns: restore formerly segfaulting test
This was on the client side, due the a strlen(NULL) on the previously
DOS-encoded TXT field. With a new IDL structure, this segfault no longer exists.
Note that both Samba and Windows return NXRRSET instead of FORMERR.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Thu, 21 Jan 2016 04:08:18 +0000 (17:08 +1300)]
CVE-2016-0771: tests/dns: Add a comment regarding odd Windows behaviour
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Thu, 21 Jan 2016 02:43:55 +0000 (15:43 +1300)]
CVE-2016-0771: tests/dns: FORMERR can simply timeout against Windows
Two requests with identical parameters which are poorly formatted, can
non-deterministically return FORMERR or simply fail to give a response.
Setting the timeout to a number allows Windows to succeed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Thu, 21 Jan 2016 03:58:40 +0000 (16:58 +1300)]
CVE-2016-0771: tests/dns: prepare script for further testing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>