path: root/libcli
Commit message | Author | Age | Files | Lines
...
* netlogon_creds_cli: Fix talloc_stackframe leaks | Volker Lendecke | 2017-09-25 | 1 | -0/+2
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* CVE-2017-12150: libcli/smb: add smbXcli_conn_signing_mandatory() | Stefan Metzmacher | 2017-09-20 | 2 | -0/+6
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* libcli: Apply some const | Volker Lendecke | 2017-09-16 | 2 | -4/+6
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* netlogon_creds_cli: Use data_blob_cmp in netlogon_creds_cli_validate | Volker Lendecke | 2017-09-16 | 1 | -11/+3
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* netlogon_creds_cli: Simplify netlogon_creds_cli_context_global | Volker Lendecke | 2017-09-16 | 1 | -3/+3
  (require_sign_or_seal == false) looks odd :-)

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* netlogon_creds_cli: Simplify netlogon_creds_cli_context_common | Volker Lendecke | 2017-09-16 | 1 | -11/+2
  IMHO a full talloc_stackframe is overkill for the one allocation that is left here.

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* netlogon_creds_cli: Simplify netlogon_creds_cli_context_common | Volker Lendecke | 2017-09-16 | 1 | -11/+8
  printf knows to only print part of a string. No need to talloc_strdup.

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* netlogon_creds_cli: A netlogon_creds_cli_context needs a msg_ctx | Volker Lendecke | 2017-09-16 | 1 | -7/+9
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* netlogon_creds_cli: Remove an obsolete comment | Volker Lendecke | 2017-09-16 | 1 | -4/+1
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* netlogon_creds_cli: Avoid a static const struct | Volker Lendecke | 2017-09-16 | 1 | -4/+3
  Same number of .text bytes, but simpler code.

  Yes, this is {{0}} instead of {0}, which I always promote. I've just read a comment on stackoverflow (which I've unfortunately just closed the tab for :-() that {{0}} might actually be the correct way to init a struct to zero if the first struct element is again a struct. I'm lost. 25 years of C coding and I have no clue of the language :-(

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* netlogon_creds_cli: Pass "server_dns_domain" through netlogon_creds_cli_context_global | Volker Lendecke | 2017-09-16 | 2 | -0/+2
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* netlogon_creds_cli: Add "dns_domain" to netlogon_creds_cli_context | Volker Lendecke | 2017-09-16 | 1 | -0/+11
  Used later for creating schannel cli_credentials

  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli: SMB2: NetApps negotiate SMB3_11 but also set the SMB2_CAP_ENCRYPTION flag. | Jeremy Allison | 2017-09-14 | 1 | -3/+12
  This is a SHOULD not, not a MUST not.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13009
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Steve French <sfrench@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Thu Sep 14 14:48:20 CEST 2017 on sn-devel-144
* libcli/security: Move debug message to DBG_DEBUG() | Andrew Bartlett | 2017-09-07 | 1 | -1/+1
  This message shows up a lot at level 6 for no particularly good reason

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* python: Port samba.security to Python 3 compatible form. | Lumir Balhar | 2017-09-06 | 2 | -12/+22
  Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* python: Make generated modules samba.ntstatus and samba.werror Python 3 compatible. | Lumir Balhar | 2017-08-22 | 1 | -10/+11
  Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlet <abartlet@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Tue Aug 22 17:38:17 CEST 2017 on sn-devel-144
* werror: Add WERR_DS_DRA_RECYCLED_TARGET | Tim Beale | 2017-08-18 | 1 | -0/+1
  When the DRS client encounters a linked attribute with an unknown target object, it should return a RECYCLED_TARGET error, which should result in the client resending the GETNCChanges request with the GET_TGT flag set.

  This error code is currently documented by Microsoft under System Error Codes (8200-8999). I contacted them and they will also add it to the MS-ERREF doc in future.

  Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
  Reviewed-by: Garming Sam <garming@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12972
* libcli/smb: debug an error if smb1cli_req_writev_submit() is called for SMB2/3 | Stefan Metzmacher | 2017-08-18 | 1 | -0/+3
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12968
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Fri Aug 18 04:45:03 CEST 2017 on sn-devel-144
* lib: Fix an error path memleak | Volker Lendecke | 2017-07-31 | 1 | -1/+3
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Mon Jul 31 13:49:02 CEST 2017 on sn-devel-144
* lib: Fix a typo | Volker Lendecke | 2017-07-31 | 1 | -1/+1
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* lib: auth: Store the netlogon_creds_cli_global_db pointer on the NULL context. | Jeremy Allison | 2017-07-27 | 1 | -2/+2
  Now we shutdown correctly it doesn't need the talloc_autofree_context().

  Last use of talloc_autofree_context() outside the talloc test code ! Please don't add it ever again :-).

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12932
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Thu Jul 27 01:34:12 CEST 2017 on sn-devel-144
* lib: auth: Add a shutdown function for netlogon_creds_cli_global_db. | Jeremy Allison | 2017-07-26 | 2 | -0/+6
  Will allow us to move off the talloc_autofree_context().

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12932
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* lib: cli: fname is a local variable already freed in the function scope, doesn't need to be on talloc_autofree_context() | Jeremy Allison | 2017-07-26 | 1 | -1/+1
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12932
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libsmb: Add smb2cli_notify() | Volker Lendecke | 2017-07-25 | 3 | -0/+205
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* param: Add new "disabled" value to "ntlm auth" to disable NTLM totally | Andrew Bartlett | 2017-07-04 | 2 | -1/+7
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and re-factor 'ntlm auth =' | Andrew Bartlett | 2017-07-04 | 2 | -3/+14
  The ntlm auth parameter is expanded to more clearly describe the role of each option, and to allow the new mode that permits MSCHAPv2 (as declared by the client over the NETLOGON protocol) while still banning NTLMv1.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>

  Based on a patch by Mantas Mikulėnas <mantas@utenos-kolegija.lt>:

  Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth") added the --allow-mschapv2 option, but didn't implement checking for it server-side. This implements such checking.

  Additionally, Samba now disables NTLMv1 authentication by default for security reasons. To avoid having to re-enable it globally, 'ntlm auth' becomes an enum and a new setting is added to allow only MSCHAPv2.

  Signed-off-by: Mantas Mikulėnas <mantas@utenos-kolegija.lt>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* libcli/auth: pass the cleartext blob to netlogon_creds_cli_ServerPasswordSet*() | Stefan Metzmacher | 2017-06-27 | 2 | -11/+13
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* libcli/auth: add const to set_pw_in_buffer() | Stefan Metzmacher | 2017-06-27 | 2 | -2/+2
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* libcli/auth: pass an array of nt_hashes to netlogon_creds_cli_auth*() | Stefan Metzmacher | 2017-06-27 | 2 | -26/+44
  This way the caller can pass more than 2 hashes and can only know which hash was used for a successful connection.

  We allow up to 4 hashes (next, current, old, older).

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* libcli/smb: add smb_protocol_types_string() | Stefan Metzmacher | 2017-06-22 | 3 | -0/+40
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli: smb: Add smb2cli_tcon_set_id(). | Jeremy Allison | 2017-06-17 | 2 | -0/+6
  Will be used in test and client code.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12831
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
* libcli: smb: Add smbXcli_tcon_copy(). | Jeremy Allison | 2017-06-17 | 2 | -0/+34
  Makes a deep copy of a struct smbXcli_tcon *, will be used later.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12831
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
* libcli:smb2: Gracefully handle not supported for FSCTL_VALIDATE_NEGOTIATE_INFO | Andreas Schneider | 2017-06-15 | 1 | -0/+15
  If FSCTL_VALIDATE_NEGOTIATE_INFO is not implemented, e.g. in a SMB2 only server then gracefully handle NT_STATUS_NOT_SUPPORTED too.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12808
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Signed-off-by: Guenther Deschner <gd@samba.org>
  Pair-Programmed-With: Guenther Deschner <gd@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Volker Lendecke <vl@samba.org>
  Autobuild-Date(master): Thu Jun 15 17:32:45 CEST 2017 on sn-devel-144
* libcli:smb: Add unit test for smb_bytes_pull_str() | Andreas Schneider | 2017-06-09 | 2 | -0/+219
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12824
  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* libcli/smb: Fix alignment problems of smb_bytes_pull_str() | Stefan Metzmacher | 2017-06-09 | 3 | -31/+47
  This function needs to get the whole smb buffer in order to get the alignment for unicode correct.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12824
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* Revert "libcli:smb: Fix pulling strings from the wire" | Andreas Schneider | 2017-06-09 | 1 | -1/+1
  This reverts commit a4efe647c51700cee93b7574e5955e264aa96893.

  A different fix will follow.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12824
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* libcli:smb: Fix pulling strings from the wire | Andreas Schneider | 2017-06-07 | 1 | -1/+1
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12824
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli:util: Update werror table | Andreas Schneider | 2017-06-07 | 2 | -4/+7
  This adds ERROR_PRINTER_DRIVER_DOWNLOAD_NEEDED for MS-PAR.

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* netlogon: Implement SendToSam along with its winbind forwarding | Garming Sam | 2017-05-30 | 2 | -0/+271
  This allows you to forward bad password count resets to 0. Currently, there is a missing access check for the RODC to ensure it only applies to cached users (msDS-Allowed-Password-Replication-Group).

  (further patches still need to address forcing a RWDC contact)

  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* netlogon_creds_cli: Do not corrupt authenticator state on application level errors | Garming Sam | 2017-05-30 | 1 | -15/+17
  If the NETLOGON response was an error e.g. NT_STATUS_NOT_IMPLEMENTED, any subsequent calls failed with NT_STATUS_ACCESS_DENIED. This is likely to be the cause of RODC DNS updates falling off and never continuing.

  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4: nmblookup: Allocate event context off NULL instead of talloc_autofree_context(). | Jeremy Allison | 2017-05-13 | 1 | -1/+1
  It's already correctly freed on exit.

  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Autobuild-User(master): Ralph Böhme <slow@samba.org>
  Autobuild-Date(master): Sat May 13 21:01:25 CEST 2017 on sn-devel-144
* s4: torture: Change torture_register_suite() to add a TALLOC_CTX *. | Jeremy Allison | 2017-05-05 | 1 | -2/+2
  Change callers to use the passed in TALLOC_CTX * instead of talloc_autofree_context().

  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Ralph Böhme <slow@samba.org>
* lib: modules: Change XXX_init interface from XXX_init(void) to XXX_init(TALLOC_CTX *) | Jeremy Allison | 2017-04-22 | 1 | -2/+2
  Not currently used - no logic changes inside.

  This will make it possible to pass down a long-lived talloc context from the loading function for modules to use instead of having them internally all use talloc_autofree_context() which is a hidden global.

  Updated all known module interface numbers, and added a WHATSNEW.

  Signed-off-by: Jeremy Allison <jra@samba.org>
  Signed-off-by: Ralph Böhme <slow@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Sat Apr 22 01:17:00 CEST 2017 on sn-devel-144
* lib/util: add and use iov_concat | Ralph Boehme | 2017-04-18 | 1 | -24/+2
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* libcli/security: fix dom_sid_in_domain() | Ralph Boehme | 2017-04-12 | 1 | -1/+5
  Ensure the SID has exactly one component more than the domain SID, eg

  Domain SID: S-1-5-21-1-2-3
  SID: S-1-5-21-1-2-3-4

  This will return true.

  If the SID has more components, eg

  SID: S-1-5-21-1-2-3-4-5, or
  SID: S-1-5-21-1-2-3-4-5-6-7-8

  dom_sid_in_domain() must return false.

  This was verified against Windows:

  lsa_LookupSids: struct lsa_LookupSids
      out: struct lsa_LookupSids
          domains : *
              domains : *
                  domains: struct lsa_RefDomainList
                      count : 0x00000002 (2)
                      domains : *
                          domains: ARRAY(2)
                              domains: struct lsa_DomainInfo
                                  name: struct lsa_StringLarge
                                      length : 0x000e (14)
                                      size : 0x0010 (16)
                                      string : *
                                          string : 'BUILTIN'
                                  sid : *
                                      sid : S-1-5-32
                              domains: struct lsa_DomainInfo
                                  name: struct lsa_StringLarge
                                      length : 0x0012 (18)
                                      size : 0x0014 (20)
                                      string : *
                                          string : 'W4EDOM-L4'
                                  sid : *
                                      sid : S-1-5-21-278041429-3399921908-1452754838
                      max_size : 0x00000020 (32)
          names : *
              names: struct lsa_TransNameArray
                  count : 0x00000004 (4)
                  names : *
                      names: ARRAY(4)
                          names: struct lsa_TranslatedName
                              sid_type : SID_NAME_USER (1)
                              name: struct lsa_String
                                  length : 0x001a (26)
                                  size : 0x001a (26)
                                  string : *
                                      string : 'Administrator'
                              sid_index : 0x00000001 (1)
                          names: struct lsa_TranslatedName
                              sid_type : SID_NAME_UNKNOWN (8)
                              name: struct lsa_String
                                  length : 0x005c (92)
                                  size : 0x005e (94)
                                  string : *
                                      string : 'S-1-5-21-278041429-3399921908-1452754838-500-1'
                              sid_index : 0xffffffff (4294967295)
                          names: struct lsa_TranslatedName
                              sid_type : SID_NAME_ALIAS (4)
                              name: struct lsa_String
                                  length : 0x001c (28)
                                  size : 0x001c (28)
                                  string : *
                                      string : 'Administrators'
                              sid_index : 0x00000000 (0)
                          names: struct lsa_TranslatedName
                              sid_type : SID_NAME_UNKNOWN (8)
                              name: struct lsa_String
                                  length : 0x001c (28)
                                  size : 0x001e (30)
                                  string : *
                                      string : 'S-1-5-32-544-9'
                              sid_index : 0xffffffff (4294967295)
          count : *
              count : 0x00000002 (2)
          result : STATUS_SOME_UNMAPPED

  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Ralph Boehme <slow@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* named_pipe_auth: Rename client -> remote_client and server -> local_server | Gary Lockyer | 2017-03-29 | 2 | -58/+66
  While these names may have been clear, much of Samba uses remote_address and local_address, and this difference has hidden bugs.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* libcli: introduce smbXcli_conn_support_passthrough() | Uri Simchoni | 2017-03-28 | 2 | -0/+18
  This routine queries the client connection whether it supports query/set InfoLevels beyond 1000 (which, in Windows OS, is a pass-through mechanism to the file system).

  Signed-off-by: Uri Simchoni <uri@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* libcli/security: add SID_NAME_LABEL to sid_type_lookup() | Stefan Metzmacher | 2017-03-23 | 1 | -1/+2
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* getncchanges: Return correct denied REPL_SECRET error code | Garming Sam | 2017-03-13 | 1 | -0/+2
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* libcli/smb: add smb2cli_conn_get_mid and smb2cli_conn_set_mid | Ralph Boehme | 2017-03-03 | 2 | -0/+12
  This will be needed for a torture test in the next commit.

  Signed-off-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>