cli_login.c :
authorLuke Leighton <lkcl@samba.org>
Wed, 1 Apr 1998 21:31:06 +0000 (21:31 +0000)
committerLuke Leighton <lkcl@samba.org>
Wed, 1 Apr 1998 21:31:06 +0000 (21:31 +0000)
start to create the calls needed for client-side of "network" logins,
which will be used for domain version of pass-through authentication.
unfortunately, none of this code is called in the main branch, because
smbclient BRANCH_NTDOM code isn't in use, yet!

srv_netlog.c :

fixed a problem with static net_login_network() which was being
stubborn: the if() statement looked horrendous, so i split it into
two if() statements, one to deal with the lm password; the other to
deal with the nt password.

the smb_password_check() functions should _not_ be called here, in
case we decide to disable lm hashes for security reasons, just like
nt does.

so, we now get a response to the SAM_LOGON "network" call, but the
connection is still dropped.  a trace is needed from an nt server,
which is why i started on the client-side code.  see above, which
is why i'm calling it a day :-)
(This used to be commit 2c29a7d9cf2d8b35e4b6e37e5d24caa91af3a9be)

source3/rpc_client/cli_login.c
source3/rpc_server/srv_netlog.c

index 2033ea437eae46ed7763d4077ce6dd45b136c932..049dcf19e65b3afc38b8454a67b7a7facfad7c91 100644 (file)
@@ -293,6 +293,24 @@ void make_nt_login_interactive(NET_ID_INFO_CTR *ctr,
                          sess_key, lm_owf_user_pwd, nt_owf_user_pwd);
 }
 
+/****************************************************************************
+ make network sam login info
+ ****************************************************************************/
+void make_nt_login_network(NET_ID_INFO_CTR *ctr,
+                               char *workgroup, char *myhostname,
+                               uint32 smb_userid, char *username,
+                               char lm_chal[8], char lm_chal_resp[24], char nt_chal_resp[24])
+{
+       /* indicate a "network" login */
+       ctr->switch_value = 2;
+
+       /* this is used in both the SAM Logon and the SAM Logoff */
+       make_id_info2(&ctr->auth.id2, workgroup, 0,
+                         smb_userid, 0,
+                         username, myhostname,
+                         lm_chal, lm_chal_resp, nt_chal_resp);
+}
+
 /****************************************************************************
 experimental nt login.
 ****************************************************************************/
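Review bot: The array sizes in `char lm_chal[8], char lm_chal_resp[24], char nt_chal_resp[24]` are not enforced by C, because these parameters decay to plain `char *`. A caller can therefore pass a shorter buffer without any diagnostic, and the header comment gives no contract. Extend the comment with something like `lm_chal must point to 8 bytes, lm_chal_resp and nt_chal_resp to 24 bytes each; all three are binary data, not NUL-terminated strings`. How many bytes make_id_info2() actually copies is not visible in this hunk, so confirm the sizes against it. The bare `ctr->switch_value = 2;` would also read better as a named constant shared with the server-side `case 2:` dispatch.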
index d7a1b9e4213157eef61b71a687d60fea529d2208..1b66b8061f38dbd3262b7a189d45aba2968b28c0 100644 (file)
@@ -488,11 +488,13 @@ static uint32 net_login_interactive(NET_ID_INFO_1 *id1,
        char nt_pwd[16];
        char lm_pwd[16];
        unsigned char key[16];
+
        memset(key, 0, 16);
        memcpy(key, vuser->dc.sess_key, 8);
 
-        memcpy(lm_pwd, id1->lm_owf.data, 16);
-        memcpy(nt_pwd, id1->nt_owf.data, 16);
+       memcpy(lm_pwd, id1->lm_owf.data, 16);
+       memcpy(nt_pwd, id1->nt_owf.data, 16);
+
        SamOEMhash(lm_pwd, key, False);
        SamOEMhash(nt_pwd, key, False);
 
@@ -520,17 +522,40 @@ static uint32 net_login_network(NET_ID_INFO_2 *id2,
                                struct smb_passwd *smb_pass,
                                user_struct *vuser)
 {
-       if ((id2->lm_chal_resp.str_str_len == 24 ||
-            id2->lm_chal_resp.str_str_len == 0) &&
-           id2->nt_chal_resp.str_str_len == 24 && 
-            (((smb_pass->smb_nt_passwd != NULL) &&
-               smb_password_check(id2->nt_chal_resp.buffer, smb_pass->smb_nt_passwd,
-                                 id2->lm_chal)) ||
-               smb_password_check(id2->lm_chal_resp.buffer, smb_pass->smb_passwd,
-                                 id2->lm_chal)))
+       DEBUG(5,("net_login_network: lm_len: %d nt_len: %d\n",
+               id2->lm_chal_resp.str_str_len, 
+               id2->nt_chal_resp.str_str_len));
+
+       /* check the lm password, first. */
+       /* lkclXXXX this is not a good place to put disabling of LM hashes in.
+          if that is to be done, first move this entire function into a
+          library routine that calls the two smb_password_check() functions.
+          if disabling LM hashes (which nt can do for security reasons) then
+          an attempt should be made to disable them everywhere (which nt does
+          not do, for various security-hole reasons).
+        */
+
+       if (id2->lm_chal_resp.str_str_len == 24 &&
+               smb_password_check(id2->lm_chal_resp.buffer,
+                                  smb_pass->smb_passwd,
+                                  id2->lm_chal))
+       {
+               return 0x0;
+       }
+
+       /* now check the nt password, if it exists */
+
+       if (id2->nt_chal_resp.str_str_len == 24 && 
+               smb_pass->smb_nt_passwd != NULL &&
+               smb_password_check(id2->nt_chal_resp.buffer,
+                                  smb_pass->smb_nt_passwd,
+                           id2->lm_chal)) 
        {
                return 0x0;
        }
+
+       /* oops! neither password check succeeded */
+
        return 0xC0000000 | NT_STATUS_WRONG_PASSWORD;
 }
 
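Review bot: The LM branch of net_login_network passes `smb_pass->smb_passwd` to smb_password_check() without the NULL test that the NT branch applies to `smb_pass->smb_nt_passwd`. If an account entry can lack an LM hash, which the comment in this hunk anticipates, the result depends on how smb_password_check() treats a NULL hash, and that helper is not visible here. Make the two branches symmetric with `if (id2->lm_chal_resp.str_str_len == 24 && smb_pass->smb_passwd != NULL &&`. The new DEBUG(5) line prints both length fields with `%d`; if `str_str_len` is an unsigned type, `%u` or an explicit cast would match the argument.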
@@ -577,21 +602,17 @@ static void api_net_sam_logon( int uid,
                        case 1:
                        {
                                uni_samlogon_user = &(q_l.sam_id.ctr->auth.id1.uni_user_name);
-                               pstrcpy(samlogon_user, unistrn2(uni_samlogon_user->buffer,
-                                               uni_samlogon_user->uni_str_len));
 
-                               DEBUG(3,("SAM Logon (Interactive). Domain:[%s].  User:[%s]\n",
-                                         lp_workgroup(), samlogon_user));
+                               DEBUG(3,("SAM Logon (Interactive). Domain:[%s].  ",
+                                         lp_workgroup()));
                                break;
                        }
                        case 2:
                        {
                                uni_samlogon_user = &(q_l.sam_id.ctr->auth.id2.uni_user_name);
-                               pstrcpy(samlogon_user, unistrn2(uni_samlogon_user->buffer,
-                                               uni_samlogon_user->uni_str_len));
 
-                               DEBUG(3,("SAM Logon (Network). Domain:[%s].  User:[%s]\n",
-                                         lp_workgroup(), samlogon_user));
+                               DEBUG(3,("SAM Logon (Network). Domain:[%s].  ",
+                                         lp_workgroup()));
                                break;
                        }
                        default:
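Review bot: The two `DEBUG(3,("SAM Logon (...). Domain:[%s].  ", ...))` calls no longer end in a newline and rely on a later DEBUG in api_net_sam_logon to finish the line. Any path between them that returns early or logs something else leaves a partial record that merges with the next message, which makes the authentication log harder to parse and audit. It would be more robust to keep each record self-contained, for example by storing the logon type in a local and emitting a single `DEBUG(3,("SAM Logon (%s). Domain:[%s].  User:[%s]\n", ...))` after the user name has been converted. The function starts and ends outside this hunk, so the intervening paths should be checked.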
@@ -610,6 +631,8 @@ static void api_net_sam_logon( int uid,
                pstrcpy(samlogon_user, unistrn2(uni_samlogon_user->buffer,
                                                uni_samlogon_user->uni_str_len));
 
+               DEBUG(3,("User:[%s]\n", samlogon_user));
+
                become_root(True);
                smb_pass = get_smbpwd_entry(samlogon_user, 0);
                unbecome_root(True);
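Review bot: The added `DEBUG(3,("User:[%s]\n", samlogon_user));` writes a client-supplied name into the log before the account has been looked up or authenticated. If the converted name can contain newlines or other control characters, a log reader cannot tell real records from text embedded in the name. Consider replacing non-printable characters in a copy of the name before logging it, and add a comment such as `/* samlogon_user is unauthenticated client input at this point */` above the lookup. Whether `uni_str_len` has been validated against the buffer size before the `unistrn2()` call is not visible in this hunk and is worth confirming.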