path: root/libcli/auth/netlogon_creds_cli.c
Commit log columns: Age, Commit message, Author, Files, Lines

2025-01-13  libcli/auth: add support for ServerAuthenticateKerberos()
            Author: Stefan Metzmacher  Files: 1  Lines: -3/+198
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

2025-01-13  libcli/auth: add netlogon_creds_cli_use_kerberos() helper
            Author: Stefan Metzmacher  Files: 1  Lines: -0/+18
            This allows the calling code to decide if a krb5 or anonymous netlogon connection should be tried. Currently we don't try ServerAuthenticateKerberos, but that will change in a few commits. But before we need to prepare the callers...
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

2024-12-05  libcli/auth: return RESOURCE_REQUIREMENTS_CHANGED if the proposed flags changed
            Author: Stefan Metzmacher  Files: 1  Lines: -0/+6
            This will be important when we add support for netr_ServerAuthenticateKerberos().
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Andreas Schneider <asn@samba.org>

2024-12-05  schannel.idl: change netlogon_creds_CredentialState layout for 4.22
            Author: Stefan Metzmacher  Files: 1  Lines: -6/+2
            This breaks compat with 4.21 and moves stuff out of netlogon_creds_CredentialState_extra_info. It also prepares support for netr_ServerAuthenticateKerberos()
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Andreas Schneider <asn@samba.org>

2024-12-05  Revert "libcli/auth: let netlogon_creds_cli_store_internal check netlogon_creds_CredentialState_legacy"
            Author: Stefan Metzmacher  Files: 1  Lines: -13/+0
            This reverts commit c3fa132fbe179bd4e1451240ce572ec791356a16. We break the compat of the netlogon_creds_cli.tdb records compared to 4.21 with the next commits.
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Andreas Schneider <asn@samba.org>

2024-12-05  libcli/auth: don't lose server_dns_domain in netlogon_creds_cli_context_global()
            Author: Stefan Metzmacher  Files: 1  Lines: -1/+5
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Andreas Schneider <asn@samba.org>

2024-12-05  netlogon.idl: add NetlogonTicketLogonInformation/NetlogonValidationTicketLogon
            Author: Stefan Metzmacher  Files: 1  Lines: -0/+1
            I have basic tests, which have shown that the payload is not encrypted at application level.
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Andreas Schneider <asn@samba.org>

2024-11-07  libcli/auth: make use of netlogon_creds_cli_check_transport() in more places
            Author: Stefan Metzmacher  Files: 1  Lines: -78/+18
            This was somehow missing in commit 7a5ad9f64a905f5744430c6e0796c646baf9432e
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Ralph Boehme <slow@samba.org>
            Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
            Autobuild-Date(master): Thu Nov 7 09:14:33 UTC 2024 on atb-devel-224

2024-10-30  libcli/auth: split out netlogon_creds_cli_check_transport()
            Author: Stefan Metzmacher  Files: 1  Lines: -73/+65
            This will make it easier to implement netr_ServerAuthenticateKerberos() later...
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

2024-10-30  libcli/auth: make use of netlogon_creds_client_verify()
            Author: Stefan Metzmacher  Files: 1  Lines: -62/+62
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

2024-10-30  libcli/auth: make use of netlogon_creds_{de,en}crypt_samr_Password
            Author: Stefan Metzmacher  Files: 1  Lines: -22/+18
            This will make it easier to implement netr_ServerAuthenticateKerberos() later...
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

2024-10-30  libcli/auth: make use of netlogon_creds_encrypt_SendToSam
            Author: Stefan Metzmacher  Files: 1  Lines: -16/+8
            This will help when implementing netr_ServerAuthenticateKerberos()...
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

2024-10-30  libcli/auth: make use of netlogon_creds_encrypt_samr_CryptPassword
            Author: Stefan Metzmacher  Files: 1  Lines: -16/+7
            This will help when implementing netr_ServerAuthenticateKerberos()...
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

2024-10-30  libcli/auth: pass auth_{type,level} to netlogon_creds_{de,en}crypt_samlogon_logon()
            Author: Stefan Metzmacher  Files: 1  Lines: -2/+6
            This will be needed when we implement netr_ServerAuthenticateKerberos...
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

2024-10-30  libcli/auth: pass auth_{type,level} to netlogon_creds_{de,en}crypt_samlogon_validation()
            Author: Stefan Metzmacher  Files: 1  Lines: -2/+12
            This will be needed when we implement netr_ServerAuthenticateKerberos...
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

2024-10-30  libcli/auth: let netlogon_creds_cli_store_internal check netlogon_creds_CredentialState_legacy
            Author: Stefan Metzmacher  Files: 1  Lines: -0/+13
            Before storing the structure into a ctdb managed volatile database we check against netlogon_creds_CredentialState_legacy (the structure used before recent changes). This makes sure unpatched cluster nodes would not get a parsing error. We'll remove this again in master when we try to implement netr_ServerAuthenticateKerberos() and the related changes to netlogon_creds_CredentialState, which will break the compat...
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

2024-10-30  libcli/auth: let netlogon_creds_cli_store_internal() use talloc_stackframe()
            Author: Stefan Metzmacher  Files: 1  Lines: -2/+5
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

2024-10-30  libcli/auth: also use netlogon_creds_CredentialState_extra_info for the client
            Author: Stefan Metzmacher  Files: 1  Lines: -3/+10
            In order to allow backports and cluster updates we simulate a dom_sid, so that the old code is able to parse the blob.
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

2024-10-30  libcli/auth: use netr_LogonGetCapabilities query_level=2 to verify the proposed capabilities
            Author: Stefan Metzmacher  Files: 1  Lines: -7/+152
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

2024-10-30  libcli/auth: use a LogonControl after a LogonGetCapabilities downgrade
            Author: Stefan Metzmacher  Files: 1  Lines: -2/+74
            If LogonGetCapabilities was downgraded by a DCERPC Fault, we rely on the schannel message ordering to detect failures. Instead of letting any real winbindd request trigger this, we do it directly in netlogon_creds_cli_check() with a LogonControl that is also used for 'wbinfo --ping-dc'.
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

2024-10-30  libcli/auth: if we require aes we don't need to require arcfour nor strong key
            Author: Stefan Metzmacher  Files: 1  Lines: -3/+5
            But we can send arcfour and strong key on the wire and don't need to remove them from the proposed flags.
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

2024-10-30  libcli/auth: don't allow any unexpected upgrades of negotiate_flags
            Author: Stefan Metzmacher  Files: 1  Lines: -5/+7
            Only remove the unsupported flags from state->current_flags for the next try...
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

2024-10-30  libcli/auth: make use of netlogon_creds_cli_store_internal() in netlogon_creds_cli_auth_srvauth_done()
            Author: Stefan Metzmacher  Files: 1  Lines: -17/+2
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

2022-12-13  CVE-2022-37966 libcli/auth: let netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy"
            Author: Stefan Metzmacher  Files: 1  Lines: -0/+15
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Andrew Bartlett <abartlet@samba.org>
            Reviewed-by: Ralph Boehme <slow@samba.org>

2022-12-13  CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes
            Author: Stefan Metzmacher  Files: 1  Lines: -2/+2
            AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no reason to allow md5 servers by default. Note the change in netlogon_creds_cli_context_global() is only cosmetic, but avoids confusion while reading the code.
            Check with: git show -U35 libcli/auth/netlogon_creds_cli.c
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Andrew Bartlett <abartlet@samba.org>
            Reviewed-by: Ralph Boehme <slow@samba.org>

2022-12-13  CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options()
            Author: Stefan Metzmacher  Files: 1  Lines: -0/+66
            This warns the admin about insecure options
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Andrew Bartlett <abartlet@samba.org>
            Reviewed-by: Ralph Boehme <slow@samba.org>

2022-12-13  CVE-2022-38023 libcli/auth: pass lp_ctx to netlogon_creds_cli_set_global_db()
            Author: Stefan Metzmacher  Files: 1  Lines: -1/+2
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Andrew Bartlett <abartlet@samba.org>
            Reviewed-by: Ralph Boehme <slow@samba.org>

2022-09-20  s3:g_lock: add callback function to g_lock_lock_send()
            Author: Stefan Metzmacher  Files: 1  Lines: -2/+4
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=15125
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Jeremy Allison <jra@samba.org>

2022-06-09  lib/util: Change function to mem_equal_const_time()
            Author: Joseph Sutton  Files: 1  Lines: -7/+7
            Since memcmp_const_time() doesn't act as an exact replacement for memcmp(), and its return value is only ever compared with zero, simplify it and emphasize the intention of checking equality by returning a bool instead.
            Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
            Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2022-06-09  lib/util: Change function to data_blob_equal_const_time()
            Author: Joseph Sutton  Files: 1  Lines: -3/+3
            Since data_blob_cmp_const_time() doesn't act as an exact replacement for data_blob_cmp(), and its return value is only ever compared with zero, simplify it and emphasize the intention of checking equality by returning a bool instead.
            Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
            Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2022-06-09  auth: Use constant-time memcmp when comparing sensitive buffers
            Author: Joseph Sutton  Files: 1  Lines: -5/+5
            This helps to avoid timing attacks.
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=15010
            Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
            Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2021-12-02  libcli:auth: Allow to connect to netlogon server offering only AES
            Author: Andreas Schneider  Files: 1  Lines: -10/+38
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=14912
            Signed-off-by: Andreas Schneider <asn@samba.org>
            Reviewed-by: Stefan Metzmacher <metze@samba.org>
            Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
            Autobuild-Date(master): Thu Dec 2 14:49:35 UTC 2021 on sn-devel-184

2021-10-19  netlogon_creds_cli: add netlogon_creds_cli_SendToSam_recv() and don't ignore result
            Author: Stefan Metzmacher  Files: 1  Lines: -3/+16
            This is a low level function that should not ignore results. If the caller doesn't care it's his choice.
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Jeremy Allison <jra@samba.org>
            Autobuild-User(master): Jeremy Allison <jra@samba.org>
            Autobuild-Date(master): Tue Oct 19 20:20:00 UTC 2021 on sn-devel-184

2021-08-03  netlogon:schannel: If weak crypto is disabled, do not announce RC4 support.
            Author: Andreas Schneider  Files: 1  Lines: -0/+12
            Signed-off-by: Andreas Schneider <asn@samba.org>
            Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2020-09-18  CVE-2020-1472(ZeroLogon): libcli/auth: make use of netlogon_creds_random_challenge() in netlogon_creds_cli.c
            Author: Stefan Metzmacher  Files: 1  Lines: -2/+1
            This will avoid getting rejected by the server if we generate a weak challenge.
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

2019-12-10  smbdes: convert des_crypt112_16 to use gnutls
            Author: Isaac Boukris  Files: 1  Lines: -6/+18
            Signed-off-by: Isaac Boukris <iboukris@samba.org>
            Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2019-11-14  libcli:auth Check return code of netlogon_creds_aes_encrypt()
            Author: Andrew Bartlett  Files: 1  Lines: -6/+14
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195
            Signed-off-by: Andrew Bartlett <abartlet@samba.org>
            Reviewed-by: Andrew Bartlett <abartlet@samba.org>
            Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
            Autobuild-Date(master): Thu Nov 14 09:25:36 UTC 2019 on sn-devel-184

2019-11-14  libcli:auth: Check return code of netlogon_creds_client_authenticator()
            Author: Andreas Schneider  Files: 1  Lines: -15/+41
            BUG: https://bugzilla.samba.org/show_bug.cgi?id=14195
            Signed-off-by: Andreas Schneider <asn@samba.org>
            Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2019-09-20  libcli/auth: add netlogon_creds_cli_LogonGetDomainInfo()
            Author: Stefan Metzmacher  Files: 1  Lines: -1/+280
            Signed-off-by: Stefan Metzmacher <metze@samba.org>
            Reviewed-by: Guenther Deschner <gd@samba.org>

2019-08-27  libcli/auth: clang: Fix 'Value stored to 'status' is never read'
            Author: Noel Power  Files: 1  Lines: -1/+1
            Fixes:
            libcli/auth/netlogon_creds_cli.c:2622:2: warning: Value stored to 'status' is never read <--[clang]
                    status = netlogon_creds_decrypt_samlogon_validation(&state->tmp_creds,
                    ^        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            1 warning generated.
            Signed-off-by: Noel Power <noel.power@suse.com>
            Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

2019-08-14  Revert "libcli:auth: Use generate_secret_buffer() for netlogon challenge"
            Author: Andreas Schneider  Files: 1  Lines: -2/+1
            This reverts commit c3ba556f52b15dd80efc26e4fb8f43ce2ee3a7f0.
            Reviewed-by: Alexander Bokovoy <ab@samba.org>

2019-08-12  libcli:auth: Use generate_secret_buffer() for netlogon challenge
            Author: Andreas Schneider  Files: 1  Lines: -1/+2
            Signed-off-by: Andreas Schneider <asn@samba.org>
            Reviewed-by: Andrew Bartlett <abartlet@samba.org>
            Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
            Autobuild-Date(master): Mon Aug 12 10:42:35 UTC 2019 on sn-devel-184

2019-06-27  libcli:auth: Return NTSTATUS for netlogon_creds_arcfour_crypt()
            Author: Andreas Schneider  Files: 1  Lines: -6/+14
            Signed-off-by: Andreas Schneider <asn@samba.org>
            Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2019-06-27  libcli:auth: Return NTSTATUS for netlogon_creds_encrypt_samlogon_logon()
            Author: Andreas Schneider  Files: 1  Lines: -6/+16
            Signed-off-by: Andreas Schneider <asn@samba.org>
            Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2019-06-27  libcli:auth: Return NTSTATUS for netlogon_creds_decrypt_samlogon_validation()
            Author: Andreas Schneider  Files: 1  Lines: -6/+14
            Signed-off-by: Andreas Schneider <asn@samba.org>
            Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2019-02-27  libcli:auth: Only use the required md4 header
            Author: Andreas Schneider  Files: 1  Lines: -1/+1
            Signed-off-by: Andreas Schneider <asn@samba.org>
            Reviewed-by: Volker Lendecke <vl@samba.org>

2018-04-24  dbwrap: Remove calls to loadparm
            Author: Volker Lendecke  Files: 1  Lines: -1/+0
            Signed-off-by: Volker Lendecke <vl@samba.org>
            Reviewed-by: Jeremy Allison <jra@samba.org>

2018-04-24  libcli: Call dbwrap_local_open with the correct tdb flags
            Author: Volker Lendecke  Files: 1  Lines: -2/+5
            Signed-off-by: Volker Lendecke <vl@samba.org>
            Reviewed-by: Jeremy Allison <jra@samba.org>

2018-04-24  libcli: Call dbwrap_local_open with the correct hash size
            Author: Volker Lendecke  Files: 1  Lines: -6/+13
            Signed-off-by: Volker Lendecke <vl@samba.org>
            Reviewed-by: Jeremy Allison <jra@samba.org>

2018-02-08  lib: Make g_lock_unlock use TDB_DATA
            Author: Volker Lendecke  Files: 1  Lines: -2/+3
            Signed-off-by: Volker Lendecke <vl@samba.org>
            Reviewed-by: Ralph Boehme <slow@samba.org>