Back out the crazy notion that the NTLMSSP flags actually mean anything...

Replace this with some flags that *we* define.  We can do a mapping later
if we actually get some more reliable info about what passwords are actually
valid.

Andrew Bartlett
(This used to be commit 7f7a42c3e4d5798ac87ea16a42e4976c3778a76b)

diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index f1bcae461e006621ae72fabf39312e509eadc110..107e33c60002e16dccfcf5ec7084ddeaf6a9b1ee 100644 (file)
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -140,7 +140,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
 {
        uint16 acct_ctrl;
        const uint8 *nt_pw, *lm_pw;
-       uint32 ntlmssp_flags;
+       uint32 auth_flags;
 
        acct_ctrl = pdb_get_acct_ctrl(sampass);
        if (acct_ctrl & ACB_PWNOTREQ) 
@@ -160,16 +160,16 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
        nt_pw = pdb_get_nt_passwd(sampass);
        lm_pw = pdb_get_lanman_passwd(sampass);
        
-       ntlmssp_flags = user_info->ntlmssp_flags;
+       auth_flags = user_info->auth_flags;
 
        if (nt_pw == NULL) {
                DEBUG(3,("sam_password_ok: NO NT password stored for user %s.\n", 
                         pdb_get_username(sampass)));
                /* No return, we want to check the LM hash below in this case */
-               ntlmssp_flags &= (~(NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_NTLM2));
+               auth_flags &= (~(AUTH_FLAG_NTLMv2_RESP |  AUTH_FLAG_NTLM_RESP));
        }
        
-       if (ntlmssp_flags & NTLMSSP_NEGOTIATE_NTLM2) {
+       if (auth_flags & AUTH_FLAG_NTLMv2_RESP) {
                /* We have the NT MD4 hash challenge available - see if we can
                   use it (ie. does it exist in the smbpasswd file).
                */
@@ -185,7 +185,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
                        DEBUG(3,("sam_password_ok: NTLMv2 password check failed\n"));
                        return NT_STATUS_WRONG_PASSWORD;
                }
-       } else if (ntlmssp_flags & NTLMSSP_NEGOTIATE_NTLM) {
+       } else if (auth_flags & AUTH_FLAG_NTLM_RESP) {
                if (lp_ntlm_auth()) {                           
                        /* We have the NT MD4 hash challenge available - see if we can
                           use it (ie. does it exist in the smbpasswd file).
@@ -208,10 +208,10 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
        
        if (lm_pw == NULL) {
                DEBUG(3,("sam_password_ok: NO LanMan password set for user %s (and no NT password supplied)\n",pdb_get_username(sampass)));
-               ntlmssp_flags &= (~NTLMSSP_NEGOTIATE_OEM);              
+               auth_flags &= (~AUTH_FLAG_LM_RESP);             
        }
        
-       if (ntlmssp_flags & NTLMSSP_NEGOTIATE_OEM) {
+       if (auth_flags & AUTH_FLAG_LM_RESP) {
                
                if (user_info->lm_resp.length != 24) {
                        DEBUG(2,("sam_password_ok: invalid LanMan password length (%d) for user %s\n", 

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index a479f52ab2340068abe972f2ac992a76bbc1f984..a747cf8a35183b672552d3821b85f7fb1e9cfa25 100644 (file)
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -111,7 +111,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info,
                           const char *wksta_name, 
                           DATA_BLOB lm_pwd, DATA_BLOB nt_pwd,
                           DATA_BLOB plaintext, 
-                          uint32 ntlmssp_flags, BOOL encrypted)
+                          uint32 auth_flags, BOOL encrypted)
 {
 
        DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name));
@@ -173,7 +173,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info,
        (*user_info)->plaintext_password = data_blob(plaintext.data, plaintext.length);
 
        (*user_info)->encrypted = encrypted;
-       (*user_info)->ntlmssp_flags = ntlmssp_flags;
+       (*user_info)->auth_flags = auth_flags;
 
        DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name));
 
@@ -248,14 +248,14 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info,
        DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len);
        DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
        DATA_BLOB plaintext_blob = data_blob(NULL, 0);
-       uint32 ntlmssp_flags = 0;
+       uint32 auth_flags = AUTH_FLAG_NONE;
 
        if (lm_pwd_len)
-               ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM;
+               auth_flags |= AUTH_FLAG_LM_RESP;
        if (nt_pwd_len == 24) {
-               ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM; 
+               auth_flags |= AUTH_FLAG_NTLM_RESP; 
        } else if (nt_pwd_len != 0) {
-               ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM2; 
+               auth_flags |= AUTH_FLAG_NTLMv2_RESP; 
        }
 
        ret = make_user_info_map(user_info, 
@@ -263,7 +263,7 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info,
                                 wksta_name, 
                                 lm_blob, nt_blob,
                                 plaintext_blob, 
-                                ntlmssp_flags, True);
+                                auth_flags, True);
                
        data_blob_free(&lm_blob);
        data_blob_free(&nt_blob);
@@ -289,7 +289,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
        unsigned char local_lm_response[24];
        unsigned char local_nt_response[24];
        unsigned char key[16];
-       uint32 ntlmssp_flags = 0;
+       uint32 auth_flags = AUTH_FLAG_NONE;
        
        ZERO_STRUCT(key);
        memcpy(key, dc_sess_key, 8);
@@ -334,9 +334,9 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
                DATA_BLOB plaintext_blob = data_blob(NULL, 0);
 
                if (lm_interactive_pwd)
-                       ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM;
+                       auth_flags |= AUTH_FLAG_LM_RESP;
                if (nt_interactive_pwd)
-                       ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM; 
+                       auth_flags |= AUTH_FLAG_NTLM_RESP; 
 
                ret = make_user_info_map(user_info, 
                                         smb_name, client_domain, 
@@ -344,7 +344,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
                                         local_lm_blob,
                                         local_nt_blob,
                                         plaintext_blob, 
-                                        ntlmssp_flags, True);
+                                        auth_flags, True);
                
                data_blob_free(&local_lm_blob);
                data_blob_free(&local_nt_blob);
@@ -367,7 +367,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info,
        DATA_BLOB local_lm_blob;
        DATA_BLOB local_nt_blob;
        BOOL ret = False;
-       uint32 ntlmssp_flags = 0;
+       uint32 auth_flags = AUTH_FLAG_NONE;
                        
        /*
         * Not encrypted - do so.
@@ -390,7 +390,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info,
                   case insensitive */
                local_nt_blob = data_blob(NULL, 0); 
                
-               ntlmssp_flags = NTLMSSP_NEGOTIATE_OEM;
+               auth_flags = (AUTH_FLAG_PLAINTEXT | AUTH_FLAG_LM_RESP);
        } else {
                local_lm_blob = data_blob(NULL, 0); 
                local_nt_blob = data_blob(NULL, 0); 
@@ -402,7 +402,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info,
                                 local_lm_blob,
                                 local_nt_blob,
                                 plaintext_password, 
-                                ntlmssp_flags, False);
+                                auth_flags, False);
        
        data_blob_free(&local_lm_blob);
        return ret;
@@ -417,18 +417,18 @@ BOOL make_user_info_for_reply_enc(auth_usersupplied_info **user_info,
                              char *client_domain, 
                              DATA_BLOB lm_resp, DATA_BLOB nt_resp)
 {
-       uint32 ntlmssp_flags = 0;
+       uint32 auth_flags = AUTH_FLAG_NONE;
 
        DATA_BLOB no_plaintext_blob = data_blob(NULL, 0); 
        
        if (lm_resp.length == 24) {
-               ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM;
+               auth_flags |= AUTH_FLAG_LM_RESP;
        }
        if (nt_resp.length == 0) {
        } else if (nt_resp.length == 24) {
-               ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM;
+               auth_flags |= AUTH_FLAG_NTLM_RESP;
        } else {
-               ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM2;
+               auth_flags |= AUTH_FLAG_NTLMv2_RESP;
        }
 
        return make_user_info_map(user_info, smb_name, 
@@ -437,7 +437,7 @@ BOOL make_user_info_for_reply_enc(auth_usersupplied_info **user_info,
                                 lm_resp, 
                                 nt_resp, 
                                 no_plaintext_blob, 
-                                ntlmssp_flags, True);
+                                auth_flags, True);
 }
 
 /****************************************************************************
@@ -449,7 +449,7 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info)
        DATA_BLOB lm_blob = data_blob(NULL, 0);
        DATA_BLOB nt_blob = data_blob(NULL, 0);
        DATA_BLOB plaintext_blob = data_blob(NULL, 0);
-       uint32 ntlmssp_flags = 0;
+       uint32 auth_flags = AUTH_FLAG_NONE;
 
        return make_user_info(user_info, 
                              "","", 
@@ -457,7 +457,7 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info)
                              "", 
                              nt_blob, lm_blob,
                              plaintext_blob, 
-                             ntlmssp_flags, True);
+                             auth_flags, True);
 }
 
 /***************************************************************************

diff --git a/source3/include/auth.h b/source3/include/auth.h
index fb486162737fec9bbde332309cc8a8d62e04a624..ed0a4e45f30982f591cbba40b3f486ff7c93c4d1 100644 (file)
--- a/source3/include/auth.h
+++ b/source3/include/auth.h
@@ -41,6 +41,12 @@ typedef struct interactive_password
        OWF_INFO          nt_owf;              /* NT OWF Password */
 } auth_interactive_password;
 
+#define AUTH_FLAG_NONE        0x000000
+#define AUTH_FLAG_PLAINTEXT   0x000001
+#define AUTH_FLAG_LM_RESP     0x000002
+#define AUTH_FLAG_NTLM_RESP   0x000004
+#define AUTH_FLAG_NTLMv2_RESP 0x000008
+
 typedef struct auth_usersupplied_info
 {
        
@@ -51,7 +57,7 @@ typedef struct auth_usersupplied_info
        
        BOOL encrypted;
        
-       uint32 ntlmssp_flags;
+       uint32 auth_flags;
 
        AUTH_STR           client_domain;          /* domain name string */
        AUTH_STR           domain;               /* domain name after mapping */

diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index f809f9ca0c373484979eb664b90104c3bb105794..519817432dfc2b16ab6627eba6e9d850e54f492a 100644 (file)
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -346,6 +346,7 @@ static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf,
        NTSTATUS nt_status;
        int sess_vuid;
        BOOL as_guest;
+       uint32 auth_flags = AUTH_FLAG_NONE;
 
        auth_usersupplied_info *user_info = NULL;
        auth_serversupplied_info *server_info = NULL;
@@ -382,12 +383,22 @@ static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf,
        file_save("lmhash1.dat", lmhash.data, lmhash.length);
 #endif
 
+       if (lmhash.length) {
+               auth_flags |= AUTH_FLAG_LM_RESP;
+       }
+
+       if (nthash.length == 24) {
+               auth_flags |= AUTH_FLAG_NTLM_RESP;
+       } else if (nthash.length > 24) {
+               auth_flags |= AUTH_FLAG_NTLMv2_RESP;
+       }
+
        if (!make_user_info_map(&user_info, 
                                user, workgroup, 
                                machine, 
                                lmhash, nthash,
                                plaintext_password, 
-                               neg_flags, True)) {
+                               auth_flags, True)) {
                return ERROR_NT(NT_STATUS_NO_MEMORY);
        }