source3/smbd/auth_smbpasswd.c

   1 /*
   2    Unix SMB/Netbios implementation.
   3    Version 1.9.
   4    Password and authentication handling
   5    Copyright (C) Andrew Tridgell              1992-2000
   6    Copyright (C) Luke Kenneth Casson Leighton 1996-2000
   7    Copyright (C) Andrew Bartlett              2001
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 2 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program; if not, write to the Free Software
  21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22 */
  23
  24 #include "includes.h"
  25
  26 extern int DEBUGLEVEL;
  27
  28 /****************************************************************************
  29 core of smb password checking routine.
  30 ****************************************************************************/
  31 static BOOL smb_pwd_check_ntlmv1(const uchar *password,
  32                                 const uchar *part_passwd,
  33                                 const uchar *c8,
  34                                 uchar user_sess_key[16])
  35 {
  36   /* Finish the encryption of part_passwd. */
  37   uchar p24[24];
  38
  39   if (part_passwd == NULL) {
  40           DEBUG(10,("No password set - DISALLOWING access\n"));
  41           /* No password set - always false ! */
  42           return False;
  43   }
  44
  45   SMBOWFencrypt(part_passwd, c8, p24);
  46         if (user_sess_key != NULL)
  47         {
  48                 SMBsesskeygen_ntv1(part_passwd, NULL, (char *)user_sess_key);
  49         }
  50
  51
  52
  53 #if DEBUG_PASSWORD
  54         DEBUG(100,("Part password (P16) was |"));
  55         dump_data(100, part_passwd, 16);
  56         DEBUG(100,("Password from client was |"));
  57         dump_data(100, password, 24);
  58         DEBUG(100,("Given challenge was |"));
  59         dump_data(100, c8, 8);
  60         DEBUG(100,("Value from encryption was |"));
  61         dump_data(100, p24, 24);
  62 #endif
  63   return (memcmp(p24, password, 24) == 0);
  64 }
  65
  66 /****************************************************************************
  67 core of smb password checking routine.
  68 ****************************************************************************/
  69 static BOOL smb_pwd_check_ntlmv2(const uchar *password, size_t pwd_len,
  70                                 uchar *part_passwd,
  71                                 uchar const *c8,
  72                                 const char *user, const char *domain,
  73                                 char *user_sess_key)
  74 {
  75         /* Finish the encryption of part_passwd. */
  76         uchar kr[16];
  77         uchar resp[16];
  78
  79         if (part_passwd == NULL)
  80         {
  81                 DEBUG(10,("No password set - DISALLOWING access\n"));
  82                 /* No password set - always False */
  83                 return False;
  84         }
  85
  86         ntv2_owf_gen(part_passwd, user, domain, kr);
  87         SMBOWFencrypt_ntv2(kr, c8, 8, password+16, pwd_len-16, (char *)resp);
  88         if (user_sess_key != NULL)
  89         {
  90                 SMBsesskeygen_ntv2(kr, resp, user_sess_key);
  91         }
  92
  93 #if DEBUG_PASSWORD
  94         DEBUG(100,("Part password (P16) was |"));
  95         dump_data(100, part_passwd, 16);
  96         DEBUG(100,("Password from client was |"));
  97         dump_data(100, password, pwd_len);
  98         DEBUG(100,("Given challenge was |"));
  99         dump_data(100, c8, 8);
 100         DEBUG(100,("Value from encryption was |"));
 101         dump_data(100, resp, 16);
 102 #endif
 103
 104         return (memcmp(resp, password, 16) == 0);
 105 }
 106
 107
 108 /****************************************************************************
 109  Do a specific test for an smb password being correct, given a smb_password and
 110  the lanman and NT responses.
 111 ****************************************************************************/
 112 NTSTATUS smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info)
 113 {
 114         uint8 *nt_pw, *lm_pw;
 115         uint16  acct_ctrl = pdb_get_acct_ctrl(sampass);
 116         char *workstation_list;
 117         time_t kickoff_time;
 118
 119         /* Quit if the account was disabled. */
 120         if(acct_ctrl & ACB_DISABLED) {
 121                 DEBUG(1,("Account for user '%s' was disabled.\n", sampass->username));
 122                 return(NT_STATUS_ACCOUNT_DISABLED);
 123         }
 124
 125         /* Test account expire time */
 126
 127         kickoff_time = pdb_get_kickoff_time(sampass);
 128         if (kickoff_time != (time_t)-1) {
 129                 if (time(NULL) > kickoff_time) {
 130                         return NT_STATUS_ACCOUNT_EXPIRED;
 131                 }
 132         }
 133
 134         /* Test workstation. Workstation list is comma separated. */
 135
 136         workstation_list = strdup(pdb_get_workstations(sampass));
 137
 138         if (workstation_list) {
 139                 if (*workstation_list) {
 140                         BOOL invalid_ws = True;
 141                         char *s = workstation_list;
 142
 143                         fstring tok;
 144
 145                         while (next_token(&s, tok, ",", sizeof(tok))) {
 146                                 DEBUG(10,("checking for workstation match %s and %s (len=%d)\n",
 147                                           tok, user_info->wksta_name.str, user_info->wksta_name.len));
 148                                 if(strequal(tok, user_info->wksta_name.str)) {
 149                                         invalid_ws = False;
 150                                         break;
 151                                 }
 152                         }
 153
 154                         SAFE_FREE(workstation_list);
 155                         if (invalid_ws)
 156                                 return NT_STATUS_INVALID_WORKSTATION;
 157                 } else {
 158                         SAFE_FREE(workstation_list);
 159                 }
 160         } else {
 161                 return NT_STATUS_NO_MEMORY;
 162         }
 163
 164         if (acct_ctrl & ACB_PWNOTREQ)
 165         {
 166                 if (lp_null_passwords())
 167                 {
 168                         DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", sampass->username));
 169                         return(NT_STATUS_OK);
 170                 }
 171                 else
 172                 {
 173                         DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", sampass->username));
 174                         return(NT_STATUS_LOGON_FAILURE);
 175                 }
 176         }
 177
 178         if (!user_info || !sampass)
 179                 return(NT_STATUS_LOGON_FAILURE);
 180
 181         DEBUG(4,("smb_password_ok: Checking SMB password for user %s\n",sampass->username));
 182
 183         nt_pw = pdb_get_nt_passwd(sampass);
 184
 185         if (nt_pw != NULL) {
 186                 if ((user_info->nt_resp.len > 24 )) {
 187                         /* We have the NT MD4 hash challenge available - see if we can
 188                            use it (ie. does it exist in the smbpasswd file).
 189                         */
 190                         DEBUG(4,("smb_password_ok: Checking NTLMv2 password\n"));
 191                         if (smb_pwd_check_ntlmv2( user_info->nt_resp.buffer,
 192                                                   user_info->nt_resp.len,
 193                                                   nt_pw,
 194                                                   user_info->chal, sampass->username,
 195                                                   user_info->requested_domain.str,
 196                                                   (char *)server_info->session_key))
 197                         {
 198                                 return NT_STATUS_OK;
 199                         }
 200                         DEBUG(4,("smb_password_ok: NTLMv2 password check failed\n"));
 201
 202                 } else if (lp_ntlm_auth() && (user_info->nt_resp.len == 24 )) {
 203                                 /* We have the NT MD4 hash challenge available - see if we can
 204                                    use it (ie. does it exist in the smbpasswd file).
 205                                 */
 206                         DEBUG(4,("smb_password_ok: Checking NT MD4 password\n"));
 207                         if (smb_pwd_check_ntlmv1(user_info->nt_resp.buffer,
 208                                                  nt_pw, user_info->chal,
 209                                                  server_info->session_key)) {
 210                                 DEBUG(4,("smb_password_ok: NT MD4 password check succeeded\n"));
 211                                 return NT_STATUS_OK;
 212                         } else {
 213                                 DEBUG(4,("smb_password_ok: NT MD4 password check failed\n"));
 214                                 return NT_STATUS_WRONG_PASSWORD;
 215                         }
 216                 }
 217         }
 218
 219         lm_pw = pdb_get_lanman_passwd(sampass);
 220
 221         if(lp_lanman_auth() && (lm_pw != NULL) && (user_info->lm_resp.len == 24 )) {
 222                 DEBUG(4,("smb_password_ok: Checking LM password\n"));
 223                 if (smb_pwd_check_ntlmv1(user_info->lm_resp.buffer,
 224                                          lm_pw, user_info->chal,
 225                                          server_info->session_key)) {
 226                         DEBUG(4,("smb_password_ok: LM password check succeeded\n"));
 227                         return NT_STATUS_OK;
 228                 } else {
 229                         DEBUG(4,("smb_password_ok: LM password check failed\n"));
 230                         return NT_STATUS_WRONG_PASSWORD;
 231                 }
 232         }
 233
 234         return NT_STATUS_LOGON_FAILURE;
 235 }
 236
 237
 238 /****************************************************************************
 239 check if a username/password is OK assuming the password is a 24 byte
 240 SMB hash supplied in the user_info structure
 241 return an NT_STATUS constant.
 242 ****************************************************************************/
 243
 244 NTSTATUS check_smbpasswd_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info)
 245 {
 246         SAM_ACCOUNT *sampass=NULL;
 247         BOOL ret;
 248         NTSTATUS nt_status;
 249
 250         pdb_init_sam(&sampass);
 251
 252         /* get the account information */
 253
 254         become_root();
 255         ret = pdb_getsampwnam(sampass, user_info->unix_username.str);
 256         unbecome_root();
 257
 258         if (ret == False)
 259         {
 260                 DEBUG(1,("Couldn't find user '%s' in passdb file.\n", user_info->unix_username.str));
 261                 pdb_free_sam(sampass);
 262                 return NT_STATUS_NO_SUCH_USER;
 263         }
 264
 265         nt_status = smb_password_ok(sampass, user_info, server_info);
 266
 267         pdb_free_sam(sampass);
 268         return nt_status;
 269 }
 270
 271