static DATA_BLOB opt_lm_response;
static DATA_BLOB opt_nt_response;
static int request_lm_key;
-static int request_nt_key;
+static int request_user_session_key;
static const char *require_membership_of;
static const char *require_membership_sid;
if (winbindd_request(WINBINDD_INFO, NULL, &response) !=
NSS_STATUS_SUCCESS) {
d_printf("could not obtain winbind separator!\n");
- return '\\';
+ return *lp_winbind_separator();
}
sep = response.data.info.winbind_separator;
if (!sep) {
d_printf("winbind separator was NULL!\n");
- return '\\';
+ return *lp_winbind_separator();
}
return sep;
if (winbindd_request(WINBINDD_DOMAIN_NAME, NULL, &response) !=
NSS_STATUS_SUCCESS) {
DEBUG(0, ("could not obtain winbind domain name!\n"));
- exit(1);
+ return lp_workgroup();
}
fstrcpy(winbind_domain, response.data.domain_name);
if (winbindd_request(WINBINDD_NETBIOS_NAME, NULL, &response) !=
NSS_STATUS_SUCCESS) {
DEBUG(0, ("could not obtain winbind netbios name!\n"));
- return NULL;
+ return global_myname();
}
fstrcpy(winbind_netbios_name, response.data.netbios_name);
const DATA_BLOB *nt_response,
uint32 flags,
uint8 lm_key[8],
- uint8 nt_key[16],
+ uint8 user_session_key[16],
char **error_string,
char **unix_name)
{
struct winbindd_request request;
struct winbindd_response response;
- static uint8 zeros[16];
-
if (!get_require_membership_sid()) {
return NT_STATUS_INVALID_PARAMETER;
}
return nt_status;
}
- if ((flags & WBFLAG_PAM_LMKEY) && lm_key
- && (memcmp(zeros, response.data.auth.first_8_lm_hash,
- sizeof(response.data.auth.first_8_lm_hash)) != 0)) {
+ if ((flags & WBFLAG_PAM_LMKEY) && lm_key) {
memcpy(lm_key, response.data.auth.first_8_lm_hash,
- sizeof(response.data.auth.first_8_lm_hash));
+ sizeof(response.data.auth.first_8_lm_hash));
}
- if ((flags & WBFLAG_PAM_USER_SESSION_KEY) && nt_key
- && (memcmp(zeros, response.data.auth.user_session_key,
- sizeof(response.data.auth.user_session_key)) != 0)) {
- memcpy(nt_key, response.data.auth.user_session_key,
+ if ((flags & WBFLAG_PAM_USER_SESSION_KEY) && user_session_key) {
+ memcpy(user_session_key, response.data.auth.user_session_key,
sizeof(response.data.auth.user_session_key));
}
NTSTATUS nt_status;
char *error_string;
uint8 lm_key[8];
- uint8 nt_key[16];
+ uint8 user_sess_key[16];
char *unix_name;
nt_status = contact_winbind_auth_crap(ntlmssp_state->user, ntlmssp_state->domain,
&ntlmssp_state->lm_resp,
&ntlmssp_state->nt_resp,
WBFLAG_PAM_LMKEY | WBFLAG_PAM_USER_SESSION_KEY | WBFLAG_PAM_UNIX_NAME,
- lm_key, nt_key,
+ lm_key, user_sess_key,
&error_string, &unix_name);
if (NT_STATUS_IS_OK(nt_status)) {
memset(lm_session_key->data+8, '\0', 8);
}
- if (memcmp(nt_key, zeros, 16) != 0) {
- *user_session_key = data_blob(nt_key, 16);
+ if (memcmp(user_sess_key, zeros, 16) != 0) {
+ *user_session_key = data_blob(user_sess_key, 16);
}
ntlmssp_state->auth_context = talloc_strdup(ntlmssp_state->mem_ctx, unix_name);
SAFE_FREE(unix_name);
static NTSTATUS local_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
{
- static const char zeros[16];
NTSTATUS nt_status;
- uint8 lm_key[8];
- uint8 nt_key[16];
uint8 lm_pw[16], nt_pw[16];
nt_lm_owf_gen (opt_password, nt_pw, lm_pw);
lm_pw, nt_pw, user_session_key, lm_session_key);
if (NT_STATUS_IS_OK(nt_status)) {
- if (memcmp(lm_key, zeros, 8) != 0) {
- *lm_session_key = data_blob(NULL, 16);
- memcpy(lm_session_key->data, lm_key, 8);
- memset(lm_session_key->data+8, '\0', 8);
- }
-
- if (memcmp(nt_key, zeros, 16) != 0) {
- *user_session_key = data_blob(nt_key, 16);
- }
ntlmssp_state->auth_context = talloc_asprintf(ntlmssp_state->mem_ctx,
"%s%c%s", ntlmssp_state->domain,
*lp_winbind_separator(),
NTSTATUS nt_status;
uint32 flags = 0;
char lm_key[8];
- char nt_key[16];
+ char user_session_key[16];
char *hex_lm_key;
- char *hex_nt_key;
+ char *hex_user_session_key;
char *error_string;
static uint8 zeros[16];
if (request_lm_key)
flags |= WBFLAG_PAM_LMKEY;
- if (request_nt_key)
+ if (request_user_session_key)
flags |= WBFLAG_PAM_USER_SESSION_KEY;
flags |= WBFLAG_PAM_NT_STATUS_SQUASH;
&opt_nt_response,
flags,
(unsigned char *)lm_key,
- (unsigned char *)nt_key,
+ (unsigned char *)user_session_key,
&error_string, NULL);
if (!NT_STATUS_IS_OK(nt_status)) {
x_fprintf(x_stdout, "LM_KEY: %s\n", hex_lm_key);
SAFE_FREE(hex_lm_key);
}
- if (request_nt_key
- && (memcmp(zeros, nt_key,
- sizeof(nt_key)) != 0)) {
- hex_encode((const unsigned char *)nt_key,
- sizeof(nt_key),
- &hex_nt_key);
- x_fprintf(x_stdout, "NT_KEY: %s\n", hex_nt_key);
- SAFE_FREE(hex_nt_key);
+ if (request_user_session_key
+ && (memcmp(zeros, user_session_key,
+ sizeof(user_session_key)) != 0)) {
+ hex_encode((const unsigned char *)user_session_key,
+ sizeof(user_session_key),
+ &hex_user_session_key);
+ x_fprintf(x_stdout, "NT_KEY: %s\n", hex_user_session_key);
+ SAFE_FREE(hex_user_session_key);
}
return True;
DATA_BLOB session_key = data_blob(NULL, 16);
uchar lm_key[8];
- uchar nt_key[16];
+ uchar user_session_key[16];
uchar lm_hash[16];
uchar nt_hash[16];
DATA_BLOB chall = get_challenge();
char *error_string;
ZERO_STRUCT(lm_key);
- ZERO_STRUCT(nt_key);
+ ZERO_STRUCT(user_session_key);
flags |= WBFLAG_PAM_LMKEY;
flags |= WBFLAG_PAM_USER_SESSION_KEY;
&nt_response,
flags,
lm_key,
- nt_key,
+ user_session_key,
&error_string, NULL);
data_blob_free(&lm_response);
}
if (break_which == NO_NT) {
- if (memcmp(lm_hash, nt_key,
+ if (memcmp(lm_hash, user_session_key,
8) != 0) {
DEBUG(1, ("NT Session Key does not match expectations (should be LM hash)!\n"));
- DEBUG(1, ("nt_key:\n"));
- dump_data(1, (const char *)nt_key, sizeof(nt_key));
+ DEBUG(1, ("user_session_key:\n"));
+ dump_data(1, (const char *)user_session_key, sizeof(user_session_key));
DEBUG(1, ("expected:\n"));
dump_data(1, (const char *)lm_hash, sizeof(lm_hash));
pass = False;
}
} else {
- if (memcmp(session_key.data, nt_key,
- sizeof(nt_key)) != 0) {
+ if (memcmp(session_key.data, user_session_key,
+ sizeof(user_session_key)) != 0) {
DEBUG(1, ("NT Session Key does not match expectations!\n"));
- DEBUG(1, ("nt_key:\n"));
- dump_data(1, (const char *)nt_key, 16);
+ DEBUG(1, ("user_session_key:\n"));
+ dump_data(1, (const char *)user_session_key, 16);
DEBUG(1, ("expected:\n"));
dump_data(1, (const char *)session_key.data, session_key.length);
pass = False;
uchar lm_key[8];
uchar lm_hash[16];
- uchar nt_key[16];
+ uchar user_session_key[16];
DATA_BLOB chall = get_challenge();
char *error_string;
- ZERO_STRUCT(nt_key);
+ ZERO_STRUCT(user_session_key);
flags |= WBFLAG_PAM_LMKEY;
flags |= WBFLAG_PAM_USER_SESSION_KEY;
NULL,
flags,
lm_key,
- nt_key,
+ user_session_key,
&error_string, NULL);
data_blob_free(&nt_response);
dump_data(1, (const char *)lm_hash, 8);
pass = False;
}
- if (memcmp(lm_hash, nt_key, 8) != 0) {
+ if (memcmp(lm_hash, user_session_key, 8) != 0) {
DEBUG(1, ("Session Key (first 8 lm hash) does not match expectations!\n"));
- DEBUG(1, ("nt_key:\n"));
- dump_data(1, (const char *)nt_key, 16);
+ DEBUG(1, ("user_session_key:\n"));
+ dump_data(1, (const char *)user_session_key, 16);
DEBUG(1, ("expected:\n"));
dump_data(1, (const char *)lm_hash, 8);
pass = False;
char lm_key[8];
char lm_hash[16];
- char nt_key[16];
+ char user_session_key[16];
char nt_hash[16];
DATA_BLOB chall = get_challenge();
char *error_string;
ZERO_STRUCT(lm_key);
- ZERO_STRUCT(nt_key);
+ ZERO_STRUCT(user_session_key);
flags |= WBFLAG_PAM_LMKEY;
flags |= WBFLAG_PAM_USER_SESSION_KEY;
&nt_response,
flags,
(unsigned char *)lm_key,
- (unsigned char *)nt_key,
+ (unsigned char *)user_session_key,
&error_string, NULL);
data_blob_free(&nt_response);
dump_data(1, lm_hash, 8);
pass = False;
}
- if (memcmp(session_key.data, nt_key,
- sizeof(nt_key)) != 0) {
+ if (memcmp(session_key.data, user_session_key,
+ sizeof(user_session_key)) != 0) {
DEBUG(1, ("NT Session Key does not match expectations!\n"));
- DEBUG(1, ("nt_key:\n"));
- dump_data(1, nt_key, 16);
+ DEBUG(1, ("user_session_key:\n"));
+ dump_data(1, user_session_key, 16);
DEBUG(1, ("expected:\n"));
dump_data(1, (const char *)session_key.data, session_key.length);
pass = False;
uint32 flags = 0;
DATA_BLOB ntlmv2_response = data_blob(NULL, 0);
DATA_BLOB lmv2_response = data_blob(NULL, 0);
- DATA_BLOB user_session_key = data_blob(NULL, 0);
+ DATA_BLOB ntlmv2_session_key = data_blob(NULL, 0);
DATA_BLOB names_blob = NTLMv2_generate_names_blob(get_winbind_netbios_name(), get_winbind_domain());
- uchar nt_key[16];
+ uchar user_session_key[16];
DATA_BLOB chall = get_challenge();
char *error_string;
- ZERO_STRUCT(nt_key);
+ ZERO_STRUCT(user_session_key);
flags |= WBFLAG_PAM_USER_SESSION_KEY;
if (!SMBNTLMv2encrypt(opt_username, opt_domain, opt_password, &chall,
&names_blob,
&lmv2_response, &ntlmv2_response,
- &user_session_key)) {
+ &ntlmv2_session_key)) {
data_blob_free(&names_blob);
return False;
}
&ntlmv2_response,
flags,
NULL,
- nt_key,
+ user_session_key,
&error_string, NULL);
data_blob_free(&lmv2_response);
return break_which == BREAK_NT;
}
- if (break_which != NO_NT && break_which != BREAK_NT && memcmp(user_session_key.data, nt_key,
- sizeof(nt_key)) != 0) {
- DEBUG(1, ("USER (NT) Session Key does not match expectations!\n"));
- DEBUG(1, ("nt_key:\n"));
- dump_data(1, (const char *)nt_key, 16);
+ if (break_which != NO_NT && break_which != BREAK_NT && memcmp(ntlmv2_session_key.data, user_session_key,
+ sizeof(user_session_key)) != 0) {
+ DEBUG(1, ("USER (NTLMv2) Session Key does not match expectations!\n"));
+ DEBUG(1, ("user_session_key:\n"));
+ dump_data(1, (const char *)user_session_key, 16);
DEBUG(1, ("expected:\n"));
- dump_data(1, (const char *)user_session_key.data, user_session_key.length);
+ dump_data(1, (const char *)ntlmv2_session_key.data, ntlmv2_session_key.length);
pass = False;
}
return pass;
DATA_BLOB lm_response = data_blob(NULL, 0);
char *password;
- uchar nt_key[16];
+ uchar user_session_key[16];
uchar lm_key[16];
static const uchar zeros[8];
DATA_BLOB chall = data_blob(zeros, sizeof(zeros));
char *error_string;
- ZERO_STRUCT(nt_key);
+ ZERO_STRUCT(user_session_key);
flags |= WBFLAG_PAM_LMKEY;
flags |= WBFLAG_PAM_USER_SESSION_KEY;
&nt_response,
flags,
lm_key,
- nt_key,
+ user_session_key,
&error_string, NULL);
SAFE_FREE(nt_response.data);
OPT_NT,
OPT_PASSWORD,
OPT_LM_KEY,
- OPT_NT_KEY,
+ OPT_USER_SESSION_KEY,
OPT_DIAGNOSTICS,
OPT_REQUIRE_MEMBERSHIP
};
{ "nt-response", 0, POPT_ARG_STRING, &hex_nt_response, OPT_NT, "NT or NTLMv2 Response to the challenge (HEX encoded)"},
{ "password", 0, POPT_ARG_STRING, &opt_password, OPT_PASSWORD, "User's plaintext password"},
{ "request-lm-key", 0, POPT_ARG_NONE, &request_lm_key, OPT_LM_KEY, "Retreive LM session key"},
- { "request-nt-key", 0, POPT_ARG_NONE, &request_nt_key, OPT_NT_KEY, "Retreive NT session key"},
+ { "request-nt-key", 0, POPT_ARG_NONE, &request_user_session_key, OPT_USER_SESSION_KEY, "Retreive User (NT) session key"},
{ "diagnostics", 0, POPT_ARG_NONE, &diagnostics, OPT_DIAGNOSTICS, "Perform diagnostics on the authentictaion chain"},
{ "require-membership-of", 0, POPT_ARG_STRING, &require_membership_of, OPT_REQUIRE_MEMBERSHIP, "Require that a user be a member of this group (either name or SID) for authentication to succeed" },
POPT_COMMON_SAMBA
case OPT_CHALLENGE:
opt_challenge = strhex_to_data_blob(hex_challenge);
if (opt_challenge.length != 8) {
- x_fprintf(x_stderr, "hex decode of %s failed!\n", hex_challenge);
+ x_fprintf(x_stderr, "hex decode of %s failed! (only got %d bytes)\n",
+ hex_challenge,
+ (int)opt_challenge.length);
exit(1);
}
break;
case OPT_LM:
opt_lm_response = strhex_to_data_blob(hex_lm_response);
if (opt_lm_response.length != 24) {
- x_fprintf(x_stderr, "hex decode of %s failed!\n", hex_lm_response);
+ x_fprintf(x_stderr, "hex decode of %s failed! (only got %d bytes)\n",
+ hex_lm_response,
+ (int)opt_lm_response.length);
exit(1);
}
break;
case OPT_NT:
opt_nt_response = strhex_to_data_blob(hex_nt_response);
if (opt_nt_response.length < 24) {
- x_fprintf(x_stderr, "hex decode of %s failed!\n", hex_nt_response);
+ x_fprintf(x_stderr, "hex decode of %s failed! (only got %d bytes)\n",
+ hex_nt_response,
+ (int)opt_nt_response.length);
exit(1);
}
break;
if (diagnostics) {
if (!diagnose_ntlm_auth()) {
- exit(1);
+ return 1;
}
} else {
fstring user;
fstr_sprintf(user, "%s%c%s", opt_domain, winbind_separator(), opt_username);
if (!check_plaintext_auth(user, opt_password, True)) {
- exit(1);
+ return 1;
}
}