Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth
authorHerwin Weststrate <herwin@quarantainenet.nl>
Wed, 9 Dec 2015 17:47:47 +0000 (18:47 +0100)
committerAndrew Bartlett <abartlet@samba.org>
Fri, 11 Mar 2016 21:58:18 +0000 (22:58 +0100)
An implementation of https://lists.samba.org/archive/samba/2012-March/166497.html (which has been discussed in 2012, but was never implemented).

It has been tested on a Debian Jessie system with this patch added to the Debian package (which is currently 4.1.17). Even though this is Samba 4, the ntlm_auth installed is the one from Samba 3 (yes, it surprised me too). The backend was a machine with Windows 2012R2.

It was first tested with the local security policy 'Network Security: LAN Manager authentication level' setting changed to 'Send NTLMv2 Response Only' (allow ntlm v1). This way we are able to authenticate with and without the MSV1_0_ALLOW_MSVCHAPV2 flag (as expected).

After the basic step has been verified, the local security policy 'Network Security: LAN Manager authentication level' setting was changed to 'Send NTLMv2 Response Only. Refuse LM & NTLM' (only allow ntlm v2). The behaviour now changed according to the MSV1_0_ALLOW_MSVCHAPV2 flag (again: as expected).

  $ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain=
  Logon failure (0xc000006d)
  $ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain= --allow-mschapv2
  NT_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

The changes in `wbclient.h` are intended for programs that use libwinbind directly instead of authenticating via `ntlm_auth`. I intend to use that within FreeRADIUS (see https://bugzilla.samba.org/show_bug.cgi?id=11149).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11694
Signed-off-by: Herwin Weststrate <herwin@quarantainenet.nl>
Reviewed-by: Kai Blin <kai@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
docs-xml/manpages/ntlm_auth.1.xml
nsswitch/libwbclient/wbclient.h
source3/utils/ntlm_auth.c
source4/utils/ntlm_auth.c

index 042893acbac92cb8079ecf40a87a5252e641154f..616d537890d1bb4c5b1956b26d544e51ba359f59 100644 (file)
        <listitem><para>Whether to use credentials cached by winbindd.</para></listitem>
        </varlistentry>
 
+       <varlistentry>
+       <term>--allow-mschapv2</term>
+       <listitem><para>Explicitly allow MSCHAPv2.</para></listitem>
+       </varlistentry>
+
        <varlistentry>
        <term>--offline-logon</term>
        <listitem><para>Allow offline logons for plain text auth.
index 6ec83778fd3205147317a181731c2de797f061af..8c1803b7a051594749335c5813cc6e3101f7be99 100644 (file)
@@ -316,6 +316,7 @@ struct wbcChangePasswordParams {
 #define WBC_MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT          0x00000020
 #define WBC_MSV1_0_RETURN_PROFILE_PATH                 0x00000200
 #define WBC_MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT     0x00000800
+#define WBC_MSV1_0_ALLOW_MSVCHAPV2                     0x00010000
 
 /* wbcAuthUserParams->flags */
 
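Review bot: The new `WBC_MSV1_0_ALLOW_MSVCHAPV2` define is the only public-API surface of this feature, yet nothing in the header tells a libwbclient caller what it opts into by setting the bit. Per the commit description, the flag makes the DC accept the NTLMv1-style MSCHAPv2 response where its LM/NTLM policy would otherwise refuse it, which is a deliberate relaxation that belongs at the declaration: `/* Ask the DC to accept an MSCHAPv2 (NTLMv1-derived) response even when its LM/NTLM policy would refuse it */`. The value 0x00010000 matches the Windows MSV1_0_ALLOW_MSVCHAPV2 bit, so it can be passed through to logon_parameters unchanged; stating that equivalence in the same comment lets future reviewers check it without leaving the header.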
index f37cfa3a41e11ccb1385b4d91c805a0b908d3569..25c20d86834e70fa53fc961f38e68fe050d250d8 100644 (file)
@@ -169,6 +169,7 @@ static int request_lm_key;
 static int request_user_session_key;
 static int use_cached_creds;
 static int offline_logon;
+static int opt_allow_mschapv2;
 
 static const char *require_membership_of;
 static const char *require_membership_of_sid;
@@ -533,6 +534,10 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
        request.data.auth_crap.logon_parameters = extra_logon_parameters
                | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT | MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT;
 
+       if (opt_allow_mschapv2) {
+                       request.data.auth_crap.logon_parameters |= MSV1_0_ALLOW_MSVCHAPV2;
+       }
+
        if (require_membership_of_sid)
                fstrcpy(request.data.auth_crap.require_membership_of_sid, require_membership_of_sid);
 
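Review bot: `opt_allow_mschapv2` is a file-scope option read directly inside `contact_winbind_auth_crap`, even though the function already receives `extra_logon_parameters` from its caller; ORing the bit into `extra_logon_parameters` at the call site would keep the function's behaviour a function of its arguments and avoid a second hidden input. The new body line is also indented one level deeper than its enclosing `if` (16 spaces against the 8 used by the surrounding hunk lines). A why-comment on the branch would help, since per the commit description the effect is to have the DC accept the NTLMv1-style MSCHAPv2 response under an NTLMv2-only policy: `/* --allow-mschapv2: let the DC accept the NTLMv1-style MSCHAPv2 response under an NTLMv2-only policy */`. `contact_winbind_auth_crap` starts and ends outside the hunk.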
@@ -2185,6 +2190,7 @@ enum {
        OPT_DIAGNOSTICS,
        OPT_REQUIRE_MEMBERSHIP,
        OPT_USE_CACHED_CREDS,
+       OPT_ALLOW_MSCHAPV2,
        OPT_PAM_WINBIND_CONF,
        OPT_TARGET_SERVICE,
        OPT_TARGET_HOSTNAME,
@@ -2225,6 +2231,7 @@ enum {
                { "request-lm-key", 0, POPT_ARG_NONE, &request_lm_key, OPT_LM_KEY, "Retrieve LM session key"},
                { "request-nt-key", 0, POPT_ARG_NONE, &request_user_session_key, OPT_USER_SESSION_KEY, "Retrieve User (NT) session key"},
                { "use-cached-creds", 0, POPT_ARG_NONE, &use_cached_creds, OPT_USE_CACHED_CREDS, "Use cached credentials if no password is given"},
+               { "allow-mschapv2", 0, POPT_ARG_NONE, &opt_allow_mschapv2, OPT_ALLOW_MSCHAPV2, "Explicitly allow MSCHAPv2" },
                { "offline-logon", 0, POPT_ARG_NONE, &offline_logon,
                  OPT_OFFLINE_LOGON,
                  "Use cached passwords when DC is offline"},
index f7c95ebff7029d34523db45d8a7a6dbe85c24554..08160247745cb4d6417d46c4fa97d063b3f890eb 100644 (file)
@@ -104,6 +104,7 @@ static const char *opt_workstation;
 static const char *opt_password;
 static int opt_multiplex;
 static int use_cached_creds;
+static int opt_allow_mschapv2;
 
 
 static void mux_printf(unsigned int mux_id, const char *format, ...) PRINTF_ATTRIBUTE(2, 3);
@@ -174,6 +175,7 @@ static NTSTATUS local_pw_check_specified(struct loadparm_context *lp_ctx,
        if (!mem_ctx) {
                nt_status = NT_STATUS_NO_MEMORY;
        } else {
+               uint32_t logon_parameters = 0;
                
                E_md4hash(opt_password, nt_pw.hash);
                if (E_deshash(opt_password, lm_pw.hash)) {
@@ -183,10 +185,14 @@ static NTSTATUS local_pw_check_specified(struct loadparm_context *lp_ctx,
                }
                nt_pwd = &nt_pw;
                
+               if (opt_allow_mschapv2) {
+                       logon_parameters |= MSV1_0_ALLOW_MSVCHAPV2;
+               }
                
                nt_status = ntlm_password_check(mem_ctx, 
                                                lpcfg_lanman_auth(lp_ctx),
                                                lpcfg_ntlm_auth(lp_ctx),
+                                               logon_parameters |
                                                MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
                                                MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
                                                challenge,
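Review bot: On the source4 side the flag is applied only on the local-password path in `local_pw_check_specified`, by ORing `logon_parameters` into the `ntlm_password_check` call, and whether that local check honours `MSV1_0_ALLOW_MSVCHAPV2` is not visible in this hunk; the commit description says the testing was done with the Samba 3 ntlm_auth against a Windows DC, so this path appears unexercised by the described procedure. A short comment at the new `if` stating the intended effect would help a later reader verify it against `ntlm_password_check`, e.g. `/* --allow-mschapv2: accept the NTLMv1-style MSCHAPv2 response even where NTLMv2 is otherwise required */`, and a sentence in the commit description saying the source4 binary was not part of the test would set expectations. `local_pw_check_specified` starts and ends outside this hunk; the `logon_parameters` declaration added in the previous hunk is its only other use.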
@@ -1043,6 +1049,7 @@ enum {
        OPT_REQUIRE_MEMBERSHIP,
        OPT_MULTIPLEX,
        OPT_USE_CACHED_CREDS,
+       OPT_ALLOW_MSCHAPV2,
 };
 
 int main(int argc, const char **argv)
@@ -1069,6 +1076,7 @@ int main(int argc, const char **argv)
                { "password", 0, POPT_ARG_STRING, &opt_password, OPT_PASSWORD, "User's plaintext password"},            
                { "multiplex", 0, POPT_ARG_NONE, &opt_multiplex, OPT_MULTIPLEX, "Multiplex Mode"},
                { "use-cached-creds", 0, POPT_ARG_NONE, &use_cached_creds, OPT_USE_CACHED_CREDS, "silently ignored for compatibility reasons"},
+               { "allow-mschapv2", 0, POPT_ARG_NONE, &opt_allow_mschapv2, OPT_ALLOW_MSCHAPV2, "Explicitly allow MSCHAPv2" },
                POPT_COMMON_SAMBA
                POPT_COMMON_VERSION
                { NULL }