r21128: Fix Vista connecting to Samba in share level security.
authorJeremy Allison <jra@samba.org>
Fri, 2 Feb 2007 22:02:42 +0000 (22:02 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 17:17:41 +0000 (12:17 -0500)
Vista sends the NTLMv2 blob by default in the tconX
packet. Make sure we save off the workgroup the user
was logged into on the client in the sessionsetupX
and re-use it for the NTLMv2 calc.
Jeremy.
(This used to be commit 45dcf62960c2815c4d8e0c5f4a2d0af24df83290)

source3/auth/auth_compat.c
source3/smbd/password.c
source3/smbd/sesssetup.c

index bd5d7f02290cec6121f095ab67551f113152febf..7b9802f7d4e9d7462c9cf4db0bc06a9ce155c0ac 100644 (file)
@@ -92,18 +92,25 @@ static NTSTATUS pass_check_smb(const char *smb_name,
 check if a username/password pair is ok via the auth subsystem.
 return True if the password is correct, False otherwise
 ****************************************************************************/
+
 BOOL password_ok(char *smb_name, DATA_BLOB password_blob)
 {
 
        DATA_BLOB null_password = data_blob(NULL, 0);
-       BOOL encrypted = (global_encrypted_passwords_negotiated && password_blob.length == 24);
+       BOOL encrypted = (global_encrypted_passwords_negotiated && (password_blob.length == 24 || password_blob.length > 46));
        
        if (encrypted) {
                /* 
                 * The password could be either NTLM or plain LM.  Try NTLM first, 
                 * but fall-through as required.
-                * NTLMv2 makes no sense here.
+                * Vista sends NTLMv2 here - we need to try the client given workgroup.
                 */
+               if (get_session_workgroup()) {
+                       if (NT_STATUS_IS_OK(pass_check_smb(smb_name, get_session_workgroup(), null_password, password_blob, null_password, encrypted))) {
+                               return True;
+                       }
+               }
+
                if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), null_password, password_blob, null_password, encrypted))) {
                        return True;
                }
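Review bot: When the session-workgroup attempt fails, the code falls through and calls `pass_check_smb()` again with `lp_workgroup()`, so one bad tconX password now produces two failed authentication attempts. If the auth backend counts or logs each failure, this doubles the effect on lockout counters and audit logs, and the second call is redundant when both workgroups are the same string. Consider guarding the second call with `if (!get_session_workgroup() || !strequal(get_session_workgroup(), lp_workgroup()))`. The new test `password_blob.length > 46` also needs a comment or a named constant saying where 46 comes from, since it now decides whether a blob is treated as an encrypted response. `password_ok()` continues past the end of this hunk.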
@@ -119,5 +126,3 @@ BOOL password_ok(char *smb_name, DATA_BLOB password_blob)
 
        return False;
 }
-
-
index 38000e93f4b8ebaaff6395d9a8cf04fe90e9289f..10cb9202374281a0f1b88ab9fbd43d19b6a796dd 100644 (file)
@@ -23,6 +23,8 @@
 /* users from session setup */
 static char *session_userlist = NULL;
 static int len_session_userlist = 0;
+/* workgroup from session setup. */
+static char *session_workgroup = NULL;
 
 /* this holds info on user ids that are already validated for this VC */
 static user_struct *validated_users;
@@ -402,6 +404,29 @@ void add_session_user(const char *user)
        safe_strcat(session_userlist,suser,len_session_userlist-1);
 }
 
+/****************************************************************************
+ In security=share mode we need to store the client workgroup, as that's
+  what Vista uses for the NTLMv2 calculation.
+****************************************************************************/
+
+void add_session_workgroup(const char *workgroup)
+{
+       if (session_workgroup) {
+               SAFE_FREE(session_workgroup);
+       }
+       session_workgroup = smb_xstrdup(workgroup);
+}
+
+/****************************************************************************
+ In security=share mode we need to return the client workgroup, as that's
+  what Vista uses for the NTLMv2 calculation.
+****************************************************************************/
+
+const char *get_session_workgroup(void)
+{
+       return session_workgroup;
+}
+
 /****************************************************************************
  Check if a user is in a netgroup user list. If at first we don't succeed,
  try lower case.
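Review bot: `session_workgroup` is a single slot that every call to `add_session_workgroup()` overwrites, while `session_userlist` accumulates names. After several session setups on one connection, `get_session_workgroup()` therefore returns only the most recent client workgroup for whichever user `password_ok()` is checking. I would add a comment on `add_session_workgroup()` saying that last-writer-wins is intended and that the stored value is client-supplied and unvalidated. `smb_xstrdup(workgroup)` is also called with no NULL check on `workgroup`; the caller visible in this commit passes `domain`, which is presumably never NULL, but that should be confirmed. The `if (session_workgroup)` guard is redundant because `SAFE_FREE` already tests for NULL, so `SAFE_FREE(session_workgroup);` alone is enough.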
index 4d731f9c595bdf4447b063877a9c2b697cf12450..6c5e8f678f26e063ad10b6ac91971118088e33b6 100644 (file)
@@ -1050,6 +1050,7 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
 
                map_username(sub_user);
                add_session_user(sub_user);
+               add_session_workgroup(domain);
                /* Then force it to null for the benfit of the code below */
                *user = 0;
        }
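Review bot: `add_session_workgroup(domain)` stores the client's string unconditionally. If `domain` can be empty here (not visible in the hunk), `get_session_workgroup()` returns a non-NULL empty string and `password_ok()` spends its first authentication attempt on an empty workgroup. Unlike `sub_user`, which goes through `map_username()` first, the domain is saved exactly as the client sent it. Consider `if (*domain) add_session_workgroup(domain);`, assuming `domain` is a character buffer, which the hunk does not show. The enclosing block in `reply_sesssetup_and_X()` starts outside the hunk.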