Thanks to jaltman for pointing out some files I missed
(basically those in two-level deep directories).
(cherry picked from commit b0f773c41c68fd7833a669693d30b27a12f3ba8e)
Over the last several years significant efforts have been made to work around
the inability to protect user tokens from use by inappropriate entities.
The tokens are associated with a given userid and session by a combination
of an SMB based ioctl and an authenticated/encrypted RPC. This has opened
the door for tokens to be borrowed by other users if they could connect
to the same SMB server with the identical userid. This was trivially
possible because the SMB connections were unauthenticated.
This patch adds two forms of authenticated SMB connections: NTLM and
Extended Security (aka GSS SPNEGO). By default Extended Security mode
is used. This patch has been tested on 2000 workstation, 2000 server,
XP SP1, and 2003 Server, and XP SP2 RC2. The Extended Security works on
all platforms except for XP SP2 RC2 regardless of whether or not the machine
is part of a domain or not; and whether or not a local or domain account
is used.
On XP SP2 RC2, attempts to negotiate Extended Security result in a
Logon Denied error from AcceptSecurityContext() and a substatus code of
0x7C90486A is logged to the Security Event log via the NTLM SSP.
The SMB AUTH NTLM mode succeeds on XP SP2 RC2.
Disabling SMB Authentication or specifying the use of NTLM mode may be done
via the registry.
Value : smbAuthType
Type : DWORD {0..2}
Default : 2
If this value is specified, it defines the type of SMB authentication
which must be present in order for the Windows SMB client to connect
to the AFS Client Service's SMB server. The values are:
0 = No authentication required
1 = NTLM authentication required
2 = Extended (GSS SPNEGO) authentication required
The default is Extended authentication.
Integration of Heimdal MD4/MD5 code
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
Integration of Heimdal's MD4/MD5 code
====================
Integrate Heimdal's MD4/MD5 code
====================
Integrate Heimdal's MD4/MD5 code
====================
Integrate Heimdal's md4/md5 code
====================
Integration of Heimdal's MD4/MD5 code
krb5_des_decrypt() does not initialize the return value to 1, failure,
therefore it returns random success (0) values when ticket types of
DES-CBC-MD5 or DES-CBC-MD4 are used because we do not have checksum
functions for those types.
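The failure mode described in the krb5_des_decrypt() message above, as an added illustration that is not OpenAFS code: the function names, the toy integrity check and the sample buffers are hypothetical, and the `stale` parameter stands in for whatever value the uninitialized variable happened to hold.

```c
#include <stddef.h>
#include <stdio.h>

/* Kerberos DES encryption type numbers (RFC 3961). */
enum { ETYPE_DES_CBC_CRC = 1, ETYPE_DES_CBC_MD4 = 2, ETYPE_DES_CBC_MD5 = 3 };

/* Constructed samples: last byte is the XOR of the others (good) or not (bad). */
const unsigned char sample_good[] = { 0x01, 0x02, 0x03 };
const unsigned char sample_bad[]  = { 0x01, 0x02, 0x04 };

/* Hypothetical toy integrity check standing in for a real checksum function. */
static int toy_check(const unsigned char *p, size_t n)
{
    unsigned char x = 0;
    size_t i;
    if (n < 2) return 0;
    for (i = 0; i + 1 < n; i++) x ^= p[i];
    return x == p[n - 1];
}

/* "Before": the result is assigned only on the supported path. `stale`
 * models the indeterminate value of the uninitialized variable. */
int decrypt_before(int etype, const unsigned char *p, size_t n, int stale)
{
    int ret = stale;
    if (etype == ETYPE_DES_CBC_CRC)
        ret = toy_check(p, n) ? 0 : 1;
    return ret;   /* MD4/MD5 types return whatever was there; 0 means success */
}

/* "After": start from failure (1); only a verified path may set success (0). */
int decrypt_fail_closed(int etype, const unsigned char *p, size_t n)
{
    int ret = 1;
    switch (etype) {
    case ETYPE_DES_CBC_CRC:
        if (toy_check(p, n)) ret = 0;
        break;
    default:      /* DES-CBC-MD4, DES-CBC-MD5, unknown: no checksum function */
        break;
    }
    return ret;
}

int main(void)
{
    printf("before, MD5, stale 0: %d\n", decrypt_before(ETYPE_DES_CBC_MD5, sample_bad, 3, 0));
    printf("after,  MD5:          %d\n", decrypt_fail_closed(ETYPE_DES_CBC_MD5, sample_bad, 3));
    return 0;
}
```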
In order to support the large ticket sizes produced by Microsoft
Active Directory and allow the use of raw Kerberos 5 tickets as tokens
increase the size of MAXKTCTICKETLEN and MAXKRB5TICKETLEN to 4096
from 344 and 1024 respectively.
TICKET 2618
flexelint patches for prototype handling from Joe Buehler
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
This patch adds a bunch of missing prototypes, makes various
corrections to global prototypes, and removes global declarations that
are not needed.
One set of added prototypes is commented out because it applies to
some printf-like functions that are implemented the way it used to be
done before varargs existed, and they need to be unprototyped or the
code will fail to compile. (There are a number of functions in the
OpenAFS code that need to be converted to use varargs...)
There is one place of note in src/WINNT/afsd/fs.c where typedefs for
afs_int32 and afs_uint32 conflict with afs/stds.h. I just added a
note to that effect.
Prototypes in src/WINNT/afsd/fs.c are incorrect for Windows NT. I
don't know whether the return type involved changes from platform to
platform -- they come from .xg files.
Some prototypes are now commented out or #ifdef'd to match the code
that uses them.
Some global variables conflict between modules and have been made static.
The bufferBlock variable was of two completely different types...
In src/config/stds.h, I changed the declaration of afs_intmax_t to
reflect the fact that the Windows platform supports 64 bit integers.
This may be incorrect semantically, but I believe it is needed for the
%llx format to match afs_intmax_t arguments (for printing of inodes
mainly, I believe).
There were two different declarations for the rxkad_stats structure --
I synced them up.
- Joe
Removed the conflicting typedefs from src/WINNT/afsd/fs.c
Removed the changes to src/config/stds.h. Added declaration of
AFS_64BIT_CLIENT to src/config/NTMakefile.i386_nt40 instead.
Do not remove unused variables which are definitions of data type
values. Instead comment them out to avoid space utilization and
warnings.
This patch mainly makes explicit some initializations that were implicit.
There are several places where it looks like the missing initialization
may be a bug, and I have inserted comments to that effect in the
relevant patches. Someone needs to look at them and supply
whatever is missing (if anything is).
In make_keyperm.c, an array was sized too large.
--
Joe Buehler
This massive patch contains changes in several significant areas for Windows:
- the ability to specify the mount point to be something other than /afs
- functionality to assist debugging of the NT Services
- support for languages other than English (NTLang.bat)
- revisions to the Build system to support separate trees for src, obj,
dest and free or checked; allow any MS compiler to be used
- updates to NSIS installer build
- mutex locking added to critical locations
- updates to IS5 directory tree creation
- update to afswsNetscape_config.sh
FIXES 1774
thanks to nneul@umr.edu for providing a script to do this.
gnu indent 2.2.9 options:
-npro -nbad -bap -nbc -bbo -br -ce -cdw -brs -ncdb -cp1 -ncs -di2 -ndj -nfc1
-nfca -i4 -lp -npcs -nprs -psl -sc -nsob -ts8
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
FIXES 1774
fix subst mistake
tkt_DecodeTicket didn't seem to check that ticketLen < MAXKTCTICKETLEN
didn't matter since no callers failed to check, but we should enforce this where the limit is
support for V6.0 and .Net compiler, compile from either NT4.0 or XP
Source and object are separated into different directories. The directory
tree would look as follows:
Base from %AFSROOT% environment variable
%AFSROOT%\src\... - all source and generated source
%AFSROOT%\obj\checked\... objects from a checked build
%AFSROOT%\obj\free\... objects from a free build
%AFSROOT%\obj\dest\checked\... DEST folder from a checked build
%AFSROOT%\obj\dest\free\.... DEST folder from a free build
Before you start the build, you must build an object tree by issuing the
following:
nmake -f NTMAKEFILE mkdir
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
support for V6.0 and .Net compiler, compile from either NT4.0 or XP
Source and object are separated into different directories. The directory
tree would look as follows:
make the libafsrpc libraries work with new fcrypt
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
readd missing statistics
make cm and ukernel compile with new stuff
====================
readd missing statistics
make cm and ukernel compile with new stuff
====================
make it work with ukernel macros
Added support to rxkad for servers accepting Kerberos V5 tickets and
truncated "proposal 2b" tickets. When used with an appropriate aklog
or krb524d (such as shipped with Heimdal and MIT Kerberos), this allows
the use of Kerberos V5 tickets (with DES session keys) to authenticate
connections to OpenAFS servers.
Fix includes for mbuf.h, if.h
auth/cellconfig.p.h:
Use (void *) for 2d arg to afsconf_ClientAuth(), since we have no def for
struct rx_securityClass at this point
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
More OpenBSD merge
prototypes
cleanup
fix the following problems
- including osi_vfs.h on almost all platforms, even though afsincludes.h
already deals with it
- universally declaring afs_globalVFS as a struct vfs *
- declaring afs_stats_XferSumBytes in a header without a storage class
- using afsincludes.h without sysincludes.h
- make clean removes a source file in rxkad
====================
This delta was composed from multiple commits as part of the CVS->Git migration.
The checkin message with each commit was inconsistent.
The following are the additional commit messages.
====================
irix needs this, put it back
====================
cast parm argument to CreateProcess
====================
more lwp createprocess fun
====================
more lwp