Plugin API questions

2003-03-29 Thread Luke Howard
TATUS auth_init(struct auth_context *auth_context, const char *param, auth_methods **auth_method); int auth_paula_init(void) { return smb_register_auth("paula", auth_init, AUTH_INTERFACE_VERSION); } cheers, -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: Machine account password interoperability for Samba 3.0 secrets.tdb and keytabs

2003-03-25 Thread Luke Howard
should stay basically where >it is. In that case, perhaps it *is* better just to provide a get/set command line tool for the secret store rather than trying to hook the keytab into SAMBA per se. -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: Machine account password interoperability for Samba 3.0 secrets.tdb and keytabs

2003-03-25 Thread Luke Howard
't think it's that complicated. It is not difficult to enumerate the supported encryption types. Moreover, there's no requirement that SAMBA use the same keytab as other applications, or that keytab support completely replace the secret store. -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: Machine account password interoperability for Samba 3.0 secrets.tdb and keytabs

2003-03-21 Thread Luke Howard
a few occasions, albeit as compile-time options. Adding support for writing to the keytab and/or runtime support for the keytab remains to be done... -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: Machine account password interoperability for Samba 3.0 secrets.tdb and keytabs

2003-03-21 Thread Luke Howard
assword under >us' stuff. Hmm, why would this be a problem? (I mean, I can understand it would be a problem if it happened while SAMBA was running, but keytabs tend to be fairly static...) -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: HEAD pdb_ldap

2003-03-20 Thread Luke Howard
>Ah, and another point: This is certainly not race-free. But >that is difficult to do with LDAP. This is true. In our code we ended up implementing "lazy" set accessors that took both a snapshot of the entry and a set of changes as inputs. -- Luke -- Luke Howard | PADL

Re: The new modules system

2003-03-20 Thread Luke Howard
Will the migration to the new format be difficult and/or documented? -- Luke >From: Jelmer Vernooij <[EMAIL PROTECTED]> >Subject: Re: The new modules system >To: Luke Howard <[EMAIL PROTECTED]> >Cc: [EMAIL PROTECTED] >Date: Thu, 20 Mar 2003 13:12:39 +0100 > >O

Re: The new modules system

2003-03-20 Thread Luke Howard
Will this break compatibility with auth plugins? -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: winbind vs. pam/nss alternatives

2003-03-17 Thread Luke Howard
oduct by renaming some attributes and object classes (moreso in subsequent versions). We have had to address similar issues in our domain controller implementation, albeit less aggressively. -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: winbind vs. pam/nss alternatives

2003-03-17 Thread Luke Howard
e UNIX platform, and is thus unlikely to disappear overnight. Many large organisations have deployed this schema (they are our customers). -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: New approach for winbind to match Windows to UNIX users and back

2003-03-13 Thread Luke Howard
>I hadn't realized that an SID is actually 256 bits and we at >best only have 32 bits to work with I I was only thinking >about the RIDs). A SID is variable length, really. -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: HEAD: PDC or BDC?

2003-03-10 Thread Luke Howard
could remain enabled in HEAD but cause an error in release branches. -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: samba + w2k + kerberos + trusted realm

2003-03-01 Thread Luke Howard
>What is it that limit samba to root ? When I use samba with afs being root >will certainly not help samba access files, what else do samba need. SAMBA does need to bind to privileged ports. -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

[PATCH] Check for ENCTYPE_ARCFOUR_HMAC_MD5 (Heimdal) in libads

2003-02-24 Thread Luke Howard
ARCFOUR_HMAC, +#elif defined(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5) + ENCTYPE_ARCFOUR_HMAC_MD5, #endif ENCTYPE_DES_CBC_MD5, ENCTYPE_NULL}; -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: [PATCH] Mutual authentication, keytabs, and SMB session keys

2003-02-24 Thread Luke Howard
-- let me send you the revised patch. :-) -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: [PATCH] Mutual authentication, keytabs, and SMB session keys

2003-02-23 Thread Luke Howard
= RCS file: /cvsroot/samba/source/libads/kerberos_verify.c,v retrieving revision 1.6 diff -u -r1.6 kerberos_verify.c --- libads/kerberos_verify.c19 Feb 2003 01:16:40 - 1.6 +++ libads/kerberos_verify.c24 Feb 2003 06:04:26 - @@ -3,7 +3,7 @@ kerbero

Re: [PATCH] Mutual authentication, keytabs, and SMB session keys

2003-02-23 Thread Luke Howard
e in asn_1.h or >similar? Again, see RFC 1964. Actually, they probably shouldn't be little-endian shorts; my bad (but they certainly weren't ASN.1 booleans! :-)) Better to do: #define TOK_ID_KRB_AP_REQ "\x01\x00" #define TOK_ID_KRB_AP_REP "\x02\x00" I'll knock up another patch later today... cheers, -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

[PATCH] Mutual authentication, keytabs, and SMB session keys

2003-02-22 Thread Luke Howard
:51:12 - @@ -3,7 +3,7 @@ kerberos utility library Copyright (C) Andrew Tridgell 2001 Copyright (C) Remus Koos 2001 - + Copyright (C) Luke Howard 2003 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Publi

Re: Samba 3.0alpha21, Windows XP SP1 and Kerberos authentication

2003-02-14 Thread Luke Howard
,w3svc,iisadmin -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

RE: Samba 3.0alpha21, Windows XP SP1 and Kerberos authentication

2003-02-04 Thread Luke Howard
>On Tue, 4 Feb 2003, Luke Howard wrote: > >> >I created it with OpenLDAP's ldapmodify after I joined the machine to the >> >domain. An LDIF like this should work: >> >> Interesting. According to Microsoft documentation, the servicePrincipalName >>

RE: Samba 3.0alpha21, Windows XP SP1 and Kerberos authentication

2003-02-04 Thread Luke Howard
pmodify after I joined the machine to the >domain. An LDIF like this should work: Interesting. According to Microsoft documentation, the servicePrincipalName can never be modified over LDAP, only over RPC. -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: heimdal didn't have AP_OPTS_USE_SUBKEY

2003-02-03 Thread Luke Howard
Also, if you are going to support specific enctypes, note that Heimdal defines ENCTYPE_ARCFOUR_HMAC_MD5 rather than ENCTYPE_ARCFOUR_HMAC. -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: heimdal didn't have AP_OPTS_USE_SUBKEY

2003-02-02 Thread Luke Howard
"key" should probably be freed. -- Luke >From: Luke Howard <[EMAIL PROTECTED]> >Subject: Re: heimdal didn't have AP_OPTS_USE_SUBKEY >To: [EMAIL PROTECTED] >Cc: [EMAIL PROTECTED] >Date: Sun, 2 Feb 2003 23:17:42 +1100 >Organization: PADL Software Pty Ltd >Versions: d

Re: heimdal didn't have AP_OPTS_USE_SUBKEY

2003-02-02 Thread Luke Howard
2 Feb 2003 12:12:48 - @@ -3,7 +3,7 @@ kerberos utility library Copyright (C) Andrew Tridgell 2001 Copyright (C) Remus Koos 2001 - + Copyright (C) Luke Howard 2003 This program is free software; you can redistribute it and/or modify it under the terms of th

Re: heimdal didn't have AP_OPTS_USE_SUBKEY

2003-02-01 Thread Luke Howard
l 2001 Copyright (C) Remus Koos 2001 - + Copyright (C) Luke Howard 2003 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -29,15 +29,14 @@ authorization_data if available

Re: More Kerberos-related questions

2003-01-08 Thread Luke Howard
arding and delegation. -- Luke >From: Steve Langasek <[EMAIL PROTECTED]> >Subject: Re: More Kerberos-related questions >To: Andrew Bartlett <[EMAIL PROTECTED]> >Cc: [EMAIL PROTECTED], Luke Howard <[EMAIL PROTECTED]>, >[EMAIL PROTECTED] >Date: Wed, 8 Jan 2003 16:08:

Re: More Kerberos-related questions

2003-01-08 Thread Luke Howard
>smbfs share and with the Linux server set up to understand Kerberos >credentials. The question here would be if the smbfs client side would >understand the kerberos credentials of the user? I think you could do this using delegation. -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

RE: Kerberized SMB client? User level SMB client?

2002-12-16 Thread Luke Howard
You might want to look at the University of Michigan's NFSv4 client. Although that has nothing to do with CIFS, you might be able to leverage their user-space credential management daemon (I think they have one). -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: CIFS and Kerberos question

2002-12-13 Thread Luke Howard
>> By default, Kerberos is used for SMB authentication only. > >I thought I had seen some of the new Windows 2000 DCERPC pipes (FRS >for example) use Kerberos encryption. Yes (and LDAP too). I meant to refer only to SMB, though. -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: CIFS and Kerberos question

2002-12-13 Thread Luke Howard
ault, Kerberos is used for SMB authentication only. -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: Finding Domains in the GC (fwd)

2002-12-12 Thread Luke Howard
chema is correct, you should use the trustPartner attribute to determine the trusted domain name, as cn is _just_ a naming attribute. -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: dynamically loadable named pipe providers

2002-12-12 Thread Luke Howard
>The RPC server listens on ncacn_ip_tcp, ncacn_ip_udp, ncalrpc and Should be ncadg_ip_udp. Whoops. -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: dynamically loadable named pipe providers

2002-12-12 Thread Luke Howard
ns a delegated security context. While we have implemented "named pipes" on top of UNIX domain sockets, it is important to note that they are logically distinct from raw DCE RPC over domain sockets (ncalrpc). Non-named pipe clients must make a DCE RPC BIND or ALTER_CONTEXT in order

Re: dynamically loadable named pipe providers

2002-12-12 Thread Luke Howard
ty issues"; SAMBA, LDAP, the KDC, our RPC server all form part of the TCB. -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: dynamically loadable named pipe providers

2002-12-11 Thread Luke Howard
CE authentication subsystem. So, from a RPC server perspective, a named pipe client looks exactly the same as a client that has authenticated using NTLMSSP, SPNEGO or Kerberos. Code is at http://www.padl.com/~lukeh/XAD/dce_funnel.tar.gz. cheers, -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

dynamically loadable named pipe providers

2002-12-11 Thread Luke Howard
I would like to add support for dynamic loading of named pipe providers in rpc_server/srv_pipe_hnd.c. - Is anyone else working on this? - Would such a patch be accepted? -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

PATCH: auth module dynamic loading fix

2002-12-11 Thread Luke Howard
function 'pdb_init' using sys_dlsym in sam plugin %s (%s)\n", plugin_name, sys_dlerror())); + DEBUG(0, ("Failed to find function 'auth_init' using sys_dlsym in sam +plugin %s (%s)\n", plugin_name, sys_dlerror())); retur
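
Review bot: The added DEBUG line reports a missing 'auth_init' symbol but still ends "in sam plugin %s (%s)", wording carried over from the 'pdb_init' message it replaces. Since this path is looking up the auth module entry point, change it to "in auth plugin %s (%s)" so the log message names the subsystem that actually failed to load.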

Private AUthentication LAyer authentication support

2002-12-03 Thread Luke Howard
Copyright (C) Luke Howard 2002 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This

uuid_to_string() conflict

2002-11-15 Thread Luke Howard
#defines but it would be nice not to. regards, -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: acctFlags/groupFlags ldap schema

2002-10-18 Thread Luke Howard
?) it should work. -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: Atomic RID allocation in LDAP

2002-10-12 Thread Luke Howard
Active Directory is patented by Microsoft. This is only useful in a multi-master directory, though. -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: MS's implementation of SPNEGO ...

2002-10-09 Thread Luke Howard
is just a starting point... -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

[PATCH] OSF DCE RPC funnel

2002-10-09 Thread Luke Howard
forwarding NTLM credentials via a temporary file. Thanks to the SAMBA team for making the named pipe API easy to extend! Luke Howard <[EMAIL PROTECTED]> PADL Software Pty Ltd August 26, 2002 dce_funnel.tar.gz Description: Binary data -- Luke Howard | PADL Software Pty Ltd | www.padl.com

[PATCH] Heimdal build fix

2002-10-09 Thread Luke Howard
dle, &hinfo) == 0)) { + if (hinfo->ai->ai_family == AF_INET) { + struct in_addr in; + memcpy(&in, hinfo->ai->ai_addr, MIN(sizeof(in), +hinfo->ai->ai_addrlen)); + d_printf("%s:%hd\n", inet_ntoa(in), hinfo->port); + } + } +#else rc = krb5_locate_kdc(ctx, &realm, &addrs, &num_kdcs, 0); if (rc) { DEBUG(1, ("krb5_locate_kdc failed (%s)\n", error_message(rc))); @@ -209,6 +227,7 @@ if (addrs[i].sin_family == AF_INET) d_printf("%s:%hd\n", inet_ntoa(addrs[i].sin_addr), ntohs(addrs[i].sin_port)); +#endif /* HEIMDAL */ return 0; #endif -- Luke Howard | PADL Software Pty Ltd | www.padl.com
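
Review bot: In the added Heimdal branch, memcpy(&in, hinfo->ai->ai_addr, MIN(sizeof(in), hinfo->ai->ai_addrlen)) copies from the start of the socket address rather than from its address field. If hinfo->ai is a struct addrinfo, as the ai_family/ai_addr/ai_addrlen names indicate, the first bytes of ai_addr for AF_INET are the family and port, so inet_ntoa(in) will not print the KDC's IPv4 address. Take the address from the sockaddr_in instead, for example ((struct sockaddr_in *)hinfo->ai->ai_addr)->sin_addr, matching how the non-Heimdal branch uses addrs[i].sin_addr.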

Re: MS's implementation of SPNEGO ...

2002-10-08 Thread Luke Howard
seen Microsoft's implementation include this field, though, except on the NegTokenTarg in which case it includes a copy of the responseToken. -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: locating NETBIOS name of domain in a win2k domain

2002-10-04 Thread Luke Howard
--- > Hewlett-Packard http://www.hp.com > SAMBA Team http://www.samba.org > --http://www.plainjoe.org > "SAMS Teach Yourself Samba in 24 Hours" 2ed.

Re: [PATCH] sam backend parameter

2002-10-02 Thread Luke Howard
ate 'domain' this >way. (I favor putting special cases into modules, rather than in >interfaces). FWIW, this is what Active Directory does (cf. builtinDomain in the schema). -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: Heimdal and 3.0

2002-10-01 Thread Luke Howard
et, but I'm getting around to it. > >Thanks for the info. Did you solve it by patching the code, or was it just >tweaking compile-time options? > > -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: nmbd cldap patch

2002-09-30 Thread Luke Howard
the domain GUID. It does need to be retrieved somewhere else, >IMO, and I don't really want to do that to Makefile.in. Otherwise it's not >too bad to do it... > > >Jim McDonough >IBM Linux Technology Center >Samba Team >6 Minuteman Drive >

Re: nmbd cldap patch

2002-09-27 Thread Luke Howard
04074 >USA > >[EMAIL PROTECTED] >[EMAIL PROTECTED] > >Phone: (207) 885-5565 >IBM tie-line: 776-9984 > > -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: Using winbind with Wine

2002-09-26 Thread Luke Howard
implemented, RPCs. If there isn't much overlap then yes, choosing DCE RPC doesn't buy you much in terms of reduced amounts of code on the server. -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: Using winbind with Wine

2002-09-26 Thread Luke Howard
e using the OSF DCE runtime (actually, FreeDCE), which is BSD-licensed. We are doing a similar thing, except in reverse, so that SAMBA can act as a named pipe front-end to our proprietary DCE RPC services. More information is at http://www.padl.com/Research/XAD.html. -- Luke -- Luke Howard | PA

Re: Heimdal and 3.0

2002-09-25 Thread Luke Howard
BA's "LSA" secret repository. Haven't tested it yet, but I'm getting around to it. -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: Using winbind with Wine

2002-09-25 Thread Luke Howard
from the app >reaches the server ungarbled. You could use UTF-8 if you are forced through C string API. -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

RE: unknown RPC opcodes during join+logon

2002-09-19 Thread Luke Howard
do with Active Directory presuming that downlevel clients (which negotiate 0x1ff) do not support Kerberos, and thus do not have a servicePrincipalName. You might try using the altSecurityIdentities attribute instead, eg: altSecurityIdentities: Kerberos:cifs/foobar.windows2000.spinnakernet.com -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

RE: unknown RPC opcodes during join+logon

2002-09-19 Thread Luke Howard
and it). Not all NETLOGON RPCs take a credential. -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

RE: unknown RPC opcodes during join+logon

2002-09-19 Thread Luke Howard
n Sign&Seal is in use. I haven't seen this, probably because I don't have WinXP. :-) But I have seen 0x0007bfff from Win2K. regards, -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

RE: unknown RPC opcodes during join+logon

2002-09-19 Thread Luke Howard
il so far. How did the SAMBA team figure out the original secure channel, I wonder? -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

RE: unknown RPC opcodes during join+logon

2002-09-19 Thread Luke Howard
ould verify it and at >>least disprove it. Isn't that just analogous to presenting different negotiation flags, assuming the IDL code on NT ignores the trailing data? -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

RE: unknown RPC opcodes during join+logon

2002-09-19 Thread Luke Howard
test as we are using the OSF IDL compiler and runtime, but I'll give it a go. What made you try 0x6B? :-) cheers, -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: unknown RPC opcodes during join+logon

2002-09-18 Thread Luke Howard
hat the flags are ostensibly irrelevant, because the client sends the authenticator before it receives the flags from the server. -- Luke -- Luke Howard | PADL Software Pty Ltd | www.padl.com

Re: Problems with WinXP joining a Samba-head domain (and suggested solutions)

2002-09-11 Thread Luke Howard
>> What is returned in the bind response? > >An array of 8 nonce bytes if memory serves well. Hmm, maybe that is used to generate a subkey so the credential chain session key is not over-used. -- Luke -- Luke Howard | lukehoward.com PADL Software | www.padl.com

Re: unknown RPC opcodes during join+logon

2002-09-11 Thread Luke Howard
o >where I can find >the algo ? The return code always follows the last top-level [out] value, but there is an additional [out] ULONG in NetrServerAuthenticate3. The algorithm for calculating credentials is the same. -- Luke -- Luke Howard | lukehoward.com PADL Software | www.padl.com

Re: Problems with WinXP joining a Samba-head domain (and suggested solutions)

2002-09-11 Thread Luke Howard
've heard, is similar to the rc4-hmac GSS_Wrap() except with a token header of 0x77 0x00 0x7a 0x00 0xff 0xff 0x00 0x00 -- Luke -- Luke Howard | lukehoward.com PADL Software | www.padl.com

Re: Problems with WinXP joining a Samba-head domain (and suggested solutions)

2002-09-11 Thread Luke Howard
're saying that the secure channel is negotiated over SPNEGO? I haven't seen that before, I'd like to know what OID they use. -- Luke -- Luke Howard | lukehoward.com PADL Software | www.padl.com

Re: Problems with WinXP joining a Samba-head domain (and suggested solutions)

2002-09-11 Thread Luke Howard
other things, verifying the PAC signatures (as completely unnecessary as this is from an architectural standpoint). OTOH, from a resourcing point of view, there are other interoperability hurdles that we need to resolve before we look at finishing our implementation of this (which doe

Re: Problems with WinXP joining a Samba-head domain (and suggested solutions)

2002-09-11 Thread Luke Howard
th NTLMSSP). Of course, I could just turn SignOrSeal back on and get some traces myself :-) cheers, -- Luke -- Luke Howard | lukehoward.com PADL Software | www.padl.com

Re: Any traces with sign and seal and secure channel?

2002-09-10 Thread Luke Howard
similarities. -- Luke -- Luke Howard | lukehoward.com PADL Software | www.padl.com

Re: GSSAPI Kerberos mechanism

2002-09-05 Thread Luke Howard
contain a Kerberos message (KRB_AP_REQ, KRB_AP_REP or KRB_ERROR), preceded by a 2-byte TOK_ID field containing 01 00 for KRB_AP_REQ messages, 02 00 for KRB_AP_REP messages and 03 00 for KRB_ERROR messages. -- Luke Howard | lukehoward.com PADL Software | www.padl.com

Re: with-pam and encrypted passwords

2002-09-05 Thread Luke Howard
>1. User send encrypted password to samba >2. Samba converts password to text, and check it against pam It cannot be done; to do so would defeat the purposes of storing passwords encrypted with a one-way function. -- Luke -- Luke Howard | lukehoward.com PADL Software | www.padl.com

Re: [jcifs] Re: Win2K: Primary Domain Fld of Ssn Setup Not Properly Zero Term'd

2002-08-27 Thread Luke Howard
Oh, and the aforementioned funnel still relies on SAMBA's internal mapping of pipe names to UUIDs. It's a start, though... -- Luke -- Luke Howard | lukehoward.com PADL Software | www.padl.com

Re: [jcifs] Re: Win2K: Primary Domain Fld of Ssn Setup Not Properly Zero Term'd

2002-08-27 Thread Luke Howard
s and debugging the interoperability of the OSF DCE runtime, it's real nice to be able to have all the marshalling and unmarshalling taken care of by an IDL compiler, be able to support RPC directly over IP (as required by Windows 2000) and yet still have SAMBA funnel over named pipe RPCs. :

Re: [jcifs] Re: Win2K: Primary Domain Fld of Ssn Setup Not Properly Zero Term'd

2002-08-27 Thread Luke Howard
tory domain controller. cheers, -- Luke -- Luke Howard | lukehoward.com PADL Software | www.padl.com

Re: SPNEGO and multiple authentication types ...

2002-08-26 Thread Luke Howard
which appears to be used in the SPNEGO negotiation only. The next is the real Kerberos OID. Not sure about the one after that. The final one is NTLMSSP. -- Luke -- Luke Howard | lukehoward.com PADL Software | www.padl.com

DCE ncacn_ip_tcp funnel

2002-08-26 Thread Luke Howard
Hopefully this will put an end to the "SAMBA is monopolizing port 443" complaints from certain parties :-) cheers, -- Luke -- Luke Howard | lukehoward.com PADL Software | www.padl.com

Re: unknown RPC opcodes during join+logon

2002-08-25 Thread Luke Howard
>Not sure about 0x1D; could it be the PAC verification RPC? Fairly >sure we saw it at domain logon. Opcode 0x1D on the NETLOGON pipe is NetrLogonGetDomainInfo(). This is actually documented somewhere within the bowels of Microsoft's web site... -- Luke -- Luke Howard | lukehowa

Re: Samba Head seems to send two identical copies of the NTLMSSP blob

2002-08-25 Thread Luke Howard
chard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], >[EMAIL PROTECTED] > -- Luke Howard | lukehoward.com PADL Software | www.padl.com

Re: unknown RPC opcodes during join+logon

2002-08-15 Thread Luke Howard
r which is definitely a PAC verifier according to Ethereal). But I'm not sure whether anyone has actually seen this RPC. OTOH while we know the layout of the structures passed to and from 0x1D, the contents are not yet clear. >Time to get a new trace with sign&seal disabled. Yes, plea

Re: New approach to win2k joins...

2002-08-13 Thread Luke Howard
ich my MIT KDC doesn't like. Any ideas here? Why don't you patch the KDC to accept different name types and canonicalize them appropriately. -- Luke -- Luke Howard | lukehoward.com PADL Software | www.padl.com

Re: [FYI] samba_2_2 openLdap 2.1.3 and the auxiliary/structural objects

2002-08-13 Thread Luke Howard
bably use the "account" structural object class which only requires the "uid" attribute. See section 5.3 of RFC 2307. -- Luke -- Luke Howard | lukehoward.com PADL Software | www.padl.com

Re: unknown RPC opcodes during join+logon

2002-08-11 Thread Luke Howard
ate3(). Not sure about 0x1D; could it be the PAC verification RPC? Fairly sure we saw it at domain logon. -- Luke -- Luke Howard | lukehoward.com PADL Software | www.padl.com

Re: New approach to win2k joins...

2002-08-10 Thread Luke Howard
<->win2k, and you'll see the >realm thing I'm talking about... > > > >Jim McDonough >IBM Linux Technology Center >Samba Team >6 Minuteman Drive >Scarborough, ME 04074 >USA > >[EMAIL PROTECTED] >[EMAIL PROTECTED] > >Phone: (207) 885-5565 >IBM tie-line: 776-9984 > > > -- Luke Howard | lukehoward.com PADL Software | www.padl.com