s3:libsmb: Add some useful debug output to cliconnect BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libsmb,s3/smbd: dump SMB3+ session keys if debug parm is set

Use of previously added smb.conf global param.

Sample usage:

    $ smbclient //localhost/scratch --option='debugencryption=yes' \
                -e -mSMB3 -U aaptel%aaptel -c quit
    debug encryption: dumping generated session keys
    Session Id    [0000] 26 48 BF FD 00 00 00 00   &H......
    Session Key   [0000] 63 D6 CA BC 08 C8 4A D2 45 F6 AE 35 AB 4A B3 3B   c.....J. E..5.J.;
    Signing Key   [0000] 4E FE 35 92 AC 13 14 FC C9 17 62 B1 82 20 A4 12   N.5..... ..b.. ..
    App Key       [0000] A5 0F F4 8B 2F FB 0D FF F2 BF EE 39 E6 6D F5 0A   ..../... ...9.m..
    ServerIn Key  [0000] 2A 02 7E E1 D3 58 D8 12 4C 63 76 AE 59 17 5A E4   *.~..X.. Lcv.Y.Z.
    ServerOut Key [0000] 59 F2 5B 7F 66 8F 31 A0 A5 E4 A8 D8 2F BA 00 38   Y.[.f.1. ..../..8

We can now simply pass -ouat:smb2_seskey_list:<sesid>,<seskey> to wireshark or tshark:

    $ tshark -ouat:smb2_seskey_list:2648BFFD00000000,63D6CABC08C84AD245F6AE35AB4AB33B \
             -Y smb2 -r capture.pcap -Tfields -e _ws.col.Info
    Negotiate Protocol Response
    Negotiate Protocol Request
    Negotiate Protocol Response
    Session Setup Request, NTLMSSP_NEGOTIATE
    Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
    Session Setup Request, NTLMSSP_AUTH, User: WORKGROUP\aaptel
    Session Setup Response
    Tree Connect Request Tree: \\localhost\IPC$
    Tree Connect Response
    Decrypted SMB3;Ioctl Request FSCTL_DFS_GET_REFERRALS, File: \localhost\scratch
    Decrypted SMB3;Ioctl Response, Error: STATUS_NOT_FOUND
    Decrypted SMB3;Tree Disconnect Request
    Decrypted SMB3;Tree Disconnect Response
    Decrypted SMB3;Tree Connect Request Tree: \\localhost\scratch
    Decrypted SMB3;Tree Connect Response
    Decrypted SMB3;Tree Disconnect Request
    Decrypted SMB3;Tree Disconnect Response

For more info on Wireshark decryption support see
https://wiki.samba.org/index.php/Wireshark_Decryption

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Noel Power <npower@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Sat Feb 9 21:43:25 CET 2019 on sn-devel-144
libads: Give krb5_errs.c its own header The protos were declared in lib/krb5_wrap but the functions are not available there. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
libsmb: Give namequery.c its own header Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
s3:cliconnect.c: remove useless ';' BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s3:libsmb: allow -U"\\administrator" to work cli_credentials_get_principal() returns NULL in that case. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source3: remove sock_exec Remove the sock_exec code which is no longer needed and additionally has been used by exploit code. This was originally test support code, the tests relying on the sock_exec code have been removed. Past exploits have used sock_exec as a proxy for system() matching a talloc destructor prototype. See for example: Exploit for Samba vulnerability (CVE-2015-0240) at https://gist.github.com/worawit/051e881fc94fe4a49295 and the Red Hat post at https://access.redhat.com/blogs/766093/posts/1976553 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Nov 20 07:20:13 CET 2017 on sn-devel-144
s3:libsmb: Print the kinit failed message with DBGLVL_NOTICE The default debug level of smbclient is set to 'log level = 1'. So we need to use at least NOTICE to not get the message when we do not force kerberos. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12704 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Thu Aug 24 17:22:18 CEST 2017 on sn-devel-144
s3:libsmb: let get_ipc_connect() use CLI_FULL_CONNECTION_FORCE_SMB1 get_ipc_connect() is only used in code paths that require cli_NetServerEnum() to work, so it must already require SMB1 only. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12876 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
s3:libsmb: add CLI_FULL_CONNECTION_DISABLE_SMB1 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
s3:libsmb: add CLI_FULL_CONNECTION_FORCE_SMB1 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
s3:libsmb: no longer pass remote_realm to cli_state_create() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
s3: libsmb: Correctly do lifecycle management on cli->smb1.tcon and cli->smb2.tcon. Treat them identically. Create them on demand after for a tcon call, and delete them on a tdis call. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12831 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
s3:libsmb: add cli_state_update_after_sesssetup() helper function This function updates cli->server_{os,type,domain} to valid values after a session setup. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12779 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Revert "s3:libsmb: Fix printing the session setup information" This reverts commit b6f87af427a1fa2bd397668d9f14cb0cf8ec5015. A different fix will follow. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12824 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
s3:libsmb: Fix printing the session setup information This fixes a regression and prints the session setup on connect again: Domain=[SAMBA-TEST] OS=[Windows 6.1] Server=[Samba 4.7.0pre1-DEVELOPERBUILD] smb: \> BUG: https://bugzilla.samba.org/show_bug.cgi?id=12824 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
s3:libsmb: don't rely on gensec_session_key() to work on an unfinished authentication If smbXcli_session_is_guest() returns true, we should handle the authentication as anonymous and don't touch the gensec context anymore. Note that smbXcli_session_is_guest() always returns false, if signing is required! Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s3:libsmb: Only print error message if kerberos use is forced BUG: https://bugzilla.samba.org/show_bug.cgi?id=12704 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Tue Mar 21 14:25:54 CET 2017 on sn-devel-144
libcli/smb: add max_credits arg to smbXcli_negprot_send() This allows source4/torture code to set the option for tests by preparing a struct smbcli_options with max_credits set to some value and pass that to a torture_smb2_connection_ext(). This will be used in a subsequent smbtorture test for SMB2 crediting. Behaviour of existing upper layers is unchanged, they simply pass the wanted max credits value to smbXcli_negprot_send() instead of retrofitting it with a call to smb2cli_conn_set_max_credits(). Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
s3:libsmb: use a local got_kerberos_mechanism variable in cli_session_creds_prepare_krb5() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>