summaryrefslogtreecommitdiff
path: root/libcli
Commit message (Collapse)AuthorAgeFilesLines
* param: Add new "disabled" value to "ntlm auth" to disable NTLM totallyAndrew Bartlett2017-07-042-1/+7
| | | | | | Signed-off-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923 Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and re-factor 'ntlm ↵Andrew Bartlett2017-07-042-3/+14
| | | | | | | | | | | | | | | | | | | | | | | | | auth =' The ntlm auth parameter is expanded to more clearly describe the role of each option, and to allow the new mode that permits MSCHAPv2 (as declared by the client over the NETLOGON protocol) while still banning NTLMv1. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Based on a patch by Mantas Mikulėnas <mantas@utenos-kolegija.lt>: Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth") added the --allow-mschapv2 option, but didn't implement checking for it server-side. This implements such checking. Additionally, Samba now disables NTLMv1 authentication by default for security reasons. To avoid having to re-enable it globally, 'ntlm auth' becomes an enum and a new setting is added to allow only MSCHAPv2. Signed-off-by: Mantas Mikulėnas <mantas@utenos-kolegija.lt> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* libcli/auth: pass the cleartext blob to netlogon_creds_cli_ServerPasswordSet*()Stefan Metzmacher2017-06-272-11/+13
| | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* libcli/auth: add const to set_pw_in_buffer()Stefan Metzmacher2017-06-272-2/+2
| | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* libcli/auth: pass an array of nt_hashes to netlogon_creds_cli_auth*()Stefan Metzmacher2017-06-272-26/+44
| | | | | | | | | | | | This way the caller can pass more than 2 hashes and can only know which hash was used for a successful connection. We allow up to 4 hashes (next, current, old, older). BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* libcli/smb: add smb_protocol_types_string()Stefan Metzmacher2017-06-223-0/+40
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli: smb: Add smb2cli_tcon_set_id().Jeremy Allison2017-06-172-0/+6
| | | | | | | | | Will be used in test and client code. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12831 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
* libcli: smb: Add smbXcli_tcon_copy().Jeremy Allison2017-06-172-0/+34
| | | | | | | | | | Makes a deep copy of a struct smbXcli_tcon *, will be used later. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12831 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
* libcli:smb2: Gracefully handle not supported for FSCTL_VALIDATE_NEGOTIATE_INFOAndreas Schneider2017-06-151-0/+15
| | | | | | | | | | | | | | | If FSCTL_VALIDATE_NEGOTIATE_INFO is not implemented, e.g. in a SMB2 only server then gracefully handle NT_STATUS_NOT_SUPPORTED too. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12808 Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Guenther Deschner <gd@samba.org> Pair-Programmed-With: Guenther Deschner <gd@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Thu Jun 15 17:32:45 CEST 2017 on sn-devel-144
* libcli:smb: Add unit test for smb_bytes_pull_str()Andreas Schneider2017-06-092-0/+219
| | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=12824 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
* libcli/smb: Fix alignment problems of smb_bytes_pull_str()Stefan Metzmacher2017-06-093-31/+47
| | | | | | | | | | | This function needs to get the whole smb buffer in order to get the alignment for unicode correct. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12824 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* Revert "libcli:smb: Fix pulling strings from the wire"Andreas Schneider2017-06-091-1/+1
| | | | | | | | | | | This reverts commit a4efe647c51700cee93b7574e5955e264aa96893. A different fix will follow. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12824 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* libcli:smb: Fix pulling strings from the wireAndreas Schneider2017-06-071-1/+1
| | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=12824 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli:util: Update werror tableAndreas Schneider2017-06-072-4/+7
| | | | | | | This adds ERROR_PRINTER_DRIVER_DOWNLOAD_NEEDED for MS-PAR. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* netlogon: Implement SendToSam along with its winbind forwardingGarming Sam2017-05-302-0/+271
| | | | | | | | | | | This allows you to forward bad password count resets to 0. Currently, there is a missing access check for the RODC to ensure it only applies to cached users (msDS-Allowed-Password-Replication-Group). (further patches still need to address forcing a RWDC contact) Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* netlogon_creds_cli: Do not corrupt authenticator state on application level ↵Garming Sam2017-05-301-15/+17
| | | | | | | | | | | errors If the NETLOGON response was an error e.g. NT_STATUS_NOT_IMPLEMENTED, any subsequent calls failed with NT_STATUS_ACCESS_DENIED. This is likely to be the cause of RODC DNS updates falling off and never continuing. Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4: nmblookup: Allocate event context off NULL instead of ↵Jeremy Allison2017-05-131-1/+1
| | | | | | | | | | | | talloc_autofree_context(). It's already correctly freed on exit. Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Autobuild-User(master): Ralph Böhme <slow@samba.org> Autobuild-Date(master): Sat May 13 21:01:25 CEST 2017 on sn-devel-144
* s4: torture: Change torture_register_suite() to add a TALLOC_CTX *.Jeremy Allison2017-05-051-2/+2
| | | | | | | | Change callers to use the passed in TALLOC_CTX * instead of talloc_autofree_context(). Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>
* lib: modules: Change XXX_init interface from XXX_init(void) to ↵Jeremy Allison2017-04-221-2/+2
| | | | | | | | | | | | | | | | | | | | XXX_init(TALLOC_CTX *) Not currently used - no logic changes inside. This will make it possible to pass down a long-lived talloc context from the loading function for modules to use instead of having them internally all use talloc_autofree_context() which is a hidden global. Updated all known module interface numbers, and added a WHATSNEW. Signed-off-by: Jeremy Allison <jra@samba.org> Signed-off-by: Ralph Böhme <slow@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Sat Apr 22 01:17:00 CEST 2017 on sn-devel-144
* lib/util: add and use iov_concatRalph Boehme2017-04-181-24/+2
| | | | | Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* libcli/security: fix dom_sid_in_domain()Ralph Boehme2017-04-121-1/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Ensure the SID has exactly one component more then the domain SID, eg Domain SID: S-1-5-21-1-2-3 SID: S-1-5-21-1-2-3-4 This will return true. If the SID has more components, eg SID: S-1-5-21-1-2-3-4-5, or SID: S-1-5-21-1-2-3-4-5-6-7-8 dom_sid_in_domain() must return false. This was verified against Windows: lsa_LookupSids: struct lsa_LookupSids out: struct lsa_LookupSids domains : * domains : * domains: struct lsa_RefDomainList count : 0x00000002 (2) domains : * domains: ARRAY(2) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x000e (14) size : 0x0010 (16) string : * string : 'BUILTIN' sid : * sid : S-1-5-32 domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x0012 (18) size : 0x0014 (20) string : * string : 'W4EDOM-L4' sid : * sid : S-1-5-21-278041429-3399921908-1452754838 max_size : 0x00000020 (32) names : * names: struct lsa_TransNameArray count : 0x00000004 (4) names : * names: ARRAY(4) names: struct lsa_TranslatedName sid_type : SID_NAME_USER (1) name: struct lsa_String length : 0x001a (26) size : 0x001a (26) string : * string : 'Administrator' sid_index : 0x00000001 (1) names: struct lsa_TranslatedName sid_type : SID_NAME_UNKNOWN (8) name: struct lsa_String length : 0x005c (92) size : 0x005e (94) string : * string : 'S-1-5-21-278041429-3399921908-1452754838-500-1' sid_index : 0xffffffff (4294967295) names: struct lsa_TranslatedName sid_type : SID_NAME_ALIAS (4) name: struct lsa_String length : 0x001c (28) size : 0x001c (28) string : * string : 'Administrators' sid_index : 0x00000000 (0) names: struct lsa_TranslatedName sid_type : SID_NAME_UNKNOWN (8) name: struct lsa_String length : 0x001c (28) size : 0x001e (30) string : * string : 'S-1-5-32-544-9' sid_index : 0xffffffff (4294967295) count : * count : 0x00000002 (2) result : STATUS_SOME_UNMAPPED Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Ralph Boehme <slow@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* named_pipe_auth: Rename client -> remote_client and server -> local_serverGary Lockyer2017-03-292-58/+66
| | | | | | | | | While these names may have been clear, much of Samba uses remote_address and local_address, and this difference has hidden bugs. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz> Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* libcli: introduce smbXcli_conn_support_passthrough()Uri Simchoni2017-03-282-0/+18
| | | | | | | | | | This routine queries the client connenction whether it supports query/set InfoLevels beyond 1000 (which, in Windows OS, is a pass-through mechanism to the file system). Signed-off-by: Uri Simchoni <uri@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli/security: add SID_NAME_LABEL to sid_type_lookup()Stefan Metzmacher2017-03-231-1/+2
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* getncchanges: Return correct denied REPL_SECRET error codeGarming Sam2017-03-131-0/+2
| | | | | Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/smb: add smb2cli_conn_get_mid and smb2cli_conn_set_midRalph Boehme2017-03-032-0/+12
| | | | | | | This will be needed for a torture test in the next commit. Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli/smb: add smb2cli_conn_get_cur_creditsRalph Boehme2017-03-032-0/+6
| | | | | Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli/smb: add max_credits arg to smbXcli_negprot_send()Ralph Boehme2017-03-032-13/+10
| | | | | | | | | | | | | | | This allows source4/torture code to set the option for tests by preparing a struct smbcli_options with max_credits set to some value and pass that to a torture_smb2_connection_ext(). This will be used in subsequent smbtorture test for SMB2 creditting. Behaviour of existing upper layers is unchanged, they simply pass the wanted max credits value to smbXcli_negprot_send() instead of retrofitting it with a call to smb2cli_conn_set_max_credits(). Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* Correct "intialise" typos.Chris Lamb2017-02-221-1/+1
| | | | | | Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* libcli/auth: add netlogon_creds_cli_debug_string()Stefan Metzmacher2017-02-212-0/+12
| | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
* libcli/auth: check E_md4hash() result in ↵Stefan Metzmacher2017-02-211-1/+5
| | | | | | | | | | | netlogon_creds_cli_ServerPasswordSet_send() We need to make sure we can convert the given string to an nthash. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
* libcli/auth: use the correct creds value against servers without LogonSamLogonExStefan Metzmacher2017-02-211-2/+17
| | | | | | | | | | | | If we use the credential chain we need to use the value from netlogon_creds_client_authenticator() to make sure we have the current value to encrypt in logon info. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12586 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
* errors: add WERROR generation to build systemBob Campbell2017-02-143-7850/+143
| | | | | | | | | | | | Parts of doserr.c and werror.h are now generated into werror_gen.c and werror_gen.h, respectively. Also, py_werror.c is now generated. Some errors were not included in the list which we now generate WERRORs from. These errors have been manually included. Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* errors: add table to generate WERRORs fromBob Campbell2017-02-141-0/+18929
| | | | | | Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* errors: pull out code into common fileBob Campbell2017-02-141-1/+1
| | | | | | | | This is a precursor to generating other types of errors. Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* python: Add python module with NTSTATUS constantsBob Campbell2017-02-141-0/+5
| | | | | | | | This has been generated by gen_ntstatus.py Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* errors: add gen_ntstatus.py to build systemBob Campbell2017-02-143-5456/+102
| | | | | | | | | | | | | | nterr_gen.c, ntstatus_gen.h and py_ntstatus.c are now generated files. Errors which are now generated have been removed from nterr.c and ntstatus.h. Errors which existed previously but are not in the table we generated from have been manually added. Some errors are incorrectly named; e.g. STATUS_MORE_ENTRIES should be NT_STATUS_MORE_ENTRIES. These are simply remapped to the correct names. Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* errors/gen_ntstatus: add error table for generation scriptBob Campbell2017-02-141-0/+12629
| | | | | | Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* libcli/smb: outbuf length is a IVAL ie a uint32_tRalph Boehme2017-01-311-1/+1
| | | | | | | | Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Tue Jan 31 04:34:29 CET 2017 on sn-devel-144
* libcli: Add an overflow checkVolker Lendecke2017-01-231-0/+4
| | | | | Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli: Do not overwrite pointer on realloc failureVolker Lendecke2017-01-231-3/+5
| | | | | Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* wscript: remove executable bits for all wscript* filesStefan Metzmacher2017-01-114-0/+0
| | | | | | | | | | These files should not be executable. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Wed Jan 11 20:21:01 CET 2017 on sn-devel-144
* libcli: Use "all_zero" where appropriateVolker Lendecke2017-01-031-9/+6
| | | | | | | ... Saves a few bytes of footprint Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
* libcli: Use "all_zero" where appropriateVolker Lendecke2017-01-031-7/+3
| | | | | | | ... Saves a few bytes of footprint Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
* libcli: Use "all_zero" where appropriateVolker Lendecke2017-01-031-3/+2
| | | | | | | ... Saves a few bytes of footprint Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
* libcli: Use "all_zero" where appropriateVolker Lendecke2017-01-031-19/+14
| | | | | | | ... Saves a few bytes of footprint Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
* lib: Add required prerequisites for librpc/gen_ndr/security.hVolker Lendecke2016-12-281-0/+3
| | | | | Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Uri Simchoni <uri@samba.org>
* lib: Fix whitespace in lmhosts.cVolker Lendecke2016-12-271-4/+4
| | | | | Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org>
* rpc_server:netlogon Move from memcache to a tdb cacheDouglas Bagnall2016-12-142-0/+273
| | | | | | | | | | | | | | | | This allows the netlogon server to be moved into a multi-process model while still supporting clients that use a challenge from a different network connection. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Wed Dec 14 20:12:14 CET 2016 on sn-devel-144
* pam: map more NT password errors to PAM errorsBjörn Jacke2016-12-131-1/+5
| | | | | | | | | | | | | | | | NT_STATUS_ACCOUNT_DISABLED, NT_STATUS_PASSWORD_RESTRICTION, NT_STATUS_PWD_HISTORY_CONFLICT, NT_STATUS_PWD_TOO_RECENT, NT_STATUS_PWD_TOO_SHORT now map to PAM_AUTHTOK_ERR (Authentication token manipulation error), which is the closest match. BUG: https://bugzilla.samba.org/show_bug.cgi?id=2210 Signed-off-by: Bjoern Jacke <bj@sernet.de> Reviewed by: Jeremy Allison <jra@samba.org>
View Lorry Controller Status