username));
return NT_STATUS_WRONG_PASSWORD;
}
+ if (strchr_m(username, '@')) {
+ return NT_STATUS_NOT_FOUND;
+ }
if (memcmp(client_lanman->hash, stored_lanman->hash, sizeof(stored_lanman->hash)) == 0) {
return NT_STATUS_OK;
return NT_STATUS_WRONG_PASSWORD;
}
}
+ if (strchr_m(username, '@')) {
+ return NT_STATUS_NOT_FOUND;
+ }
return NT_STATUS_WRONG_PASSWORD;
}
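Review bot: The added `strchr_m(username, '@')` return here, and the identical one in the LANMAN branch just above, changes the failure status from NT_STATUS_WRONG_PASSWORD to NT_STATUS_NOT_FOUND with no comment and no log line. Only the later ntlm_password_check copy carries `/* Try and match error codes */`. In the LANMAN branch the check runs before the `memcmp`, so a matching LM hash for a username@realm name is refused silently; a `DEBUG(3, ...)` line like the one added in ntlm_password_check, plus a comment such as `/* no LM for username@realm logins; NOT_FOUND to match error codes */`, would make that visible. Any caller that keys bad-password counting or lockout on NT_STATUS_WRONG_PASSWORD (none is visible here) should be checked so that failed username@realm attempts are still counted. The function begins outside the hunk.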
&& (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
struct samr_Password client_nt;
struct samr_Password client_lm;
- uint8_t dospwd[14];
+ uint8_t dospwd[15];
+ char *unix_pw;
DEBUG(4,("ntlm_password_check: checking plaintext passwords for user %s\n",
username));
mdfour(client_nt.hash, nt_response->data, nt_response->length);
ZERO_STRUCT(dospwd);
- memcpy(dospwd, lm_response->data, MIN(lm_response->length, sizeof(dospwd)));
+ convert_string_talloc(mem_ctx, CH_DOS, CH_UNIX,
+ lm_response->data, lm_response->length,
+ (void **)&unix_pw);
+
/* Only the fisrt 14 chars are considered, password need not be null terminated. */
+ push_ascii(dospwd, unix_pw, sizeof(dospwd), STR_UPPER);
/* we *might* need to upper-case the string here */
E_P16((const uint8_t *)dospwd, client_lm.hash);
- return hash_password_check(mem_ctx, &client_lm, &client_nt,
+ return hash_password_check(mem_ctx,
+ lm_response->length ? &client_lm : NULL,
+ nt_response->length ? &client_nt : NULL,
username,
stored_lanman, stored_nt);
}
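Review bot: The result of `convert_string_talloc()` is ignored and `char *unix_pw;` has no initialiser, so if the CH_DOS to CH_UNIX conversion fails, `push_ascii()` is handed an indeterminate pointer. Declare it as `char *unix_pw = NULL;` and return a failure status before the `push_ascii` call when the conversion reports an error or leaves `unix_pw` NULL. The converted plaintext also stays allocated on `mem_ctx`, and in `dospwd`, after `E_P16` has produced the hash. Clearing both and freeing `unix_pw` at that point would limit how long the password sits in memory; how long the caller keeps `mem_ctx` alive is not visible here. The enclosing function starts and ends outside the hunk.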
} else if (!stored_lanman) {
DEBUG(3,("ntlm_password_check: NO LanMan password set for user %s (and no NT password supplied)\n",
username));
+ } else if (strchr_m(username, '@')) {
+ DEBUG(3,("ntlm_password_check: NO LanMan password allowed for username@realm logins (user: %s)\n",
+ username));
} else {
DEBUG(4,("ntlm_password_check: Checking LM password\n"));
if (smb_pwd_check_ntlmv1(mem_ctx,
} else {
DEBUG(3,("ntlm_password_check: LM password and LMv2 failed for user %s, and NT MD4 password in LM field not permitted\n",username));
}
+
+ /* Try and match error codes */
+ if (strchr_m(username, '@')) {
+ return NT_STATUS_NOT_FOUND;
+ }
return NT_STATUS_WRONG_PASSWORD;
}
return True;
}
return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH));
+ } else if (NT_STATUS_EQUAL(NT_STATUS_NOT_FOUND, nt_status) && strchr_m(samlogon_state->account_name, '@')) {
+ return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH) || (break_which == NO_NT));
} else if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
SAFE_FREE(*error_string);
asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status));
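Review bot: The new `NT_STATUS_NOT_FOUND` branch sits ahead of the `expected_error` comparison, so for an account name containing '@' a NOT_FOUND reply is judged only against `break_which` and never against `samlogon_state->expected_error`. The same branch is repeated in the next three hunks, and the third copy leaves out `break_which == NO_NT` while the other three accept it, with nothing saying whether that is deliberate. I would put a one-line comment on each copy stating which response is expected to be rejected, e.g. `/* username@realm: a rejected response comes back as NOT_FOUND, not WRONG_PASSWORD */`, and either align the third copy or note why NO_NT is excluded there. The enclosing functions start and end outside these hunks.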
return True;
}
return break_which == BREAK_BOTH;
+ } else if (NT_STATUS_EQUAL(NT_STATUS_NOT_FOUND, nt_status) && strchr_m(samlogon_state->account_name, '@')) {
+ return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH) || (break_which == NO_NT));
} else if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
SAFE_FREE(*error_string);
asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status));
return True;
}
return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH));
+ } else if (NT_STATUS_EQUAL(NT_STATUS_NOT_FOUND, nt_status) && strchr_m(samlogon_state->account_name, '@')) {
+ return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH));
} else if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
SAFE_FREE(*error_string);
asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status));
return True;
}
return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH));
+ } else if (NT_STATUS_EQUAL(NT_STATUS_NOT_FOUND, nt_status) && strchr_m(samlogon_state->account_name, '@')) {
+ return ((break_which == BREAK_NT) || (break_which == BREAK_BOTH) || (break_which == NO_NT));
} else if (!NT_STATUS_EQUAL(samlogon_state->expected_error, nt_status)) {
SAFE_FREE(*error_string);
asprintf(error_string, "Expected error: %s, got %s", nt_errstr(samlogon_state->expected_error), nt_errstr(nt_status));
const char *comment,
const char *workstation_name,
const char *account_domain, const char *account_name,
- const char *plain_pass, NTSTATUS expected_error)
+ const char *plain_pass, uint32_t parameter_control,
+ NTSTATUS expected_error)
{
NTSTATUS status;
TALLOC_CTX *fn_ctx = talloc_named(mem_ctx, 0, "test_InteractiveLogon function-level context");
r.in.flags = 0;
pinfo.identity_info.domain_name.string = account_domain;
- pinfo.identity_info.parameter_control = 0;
+ pinfo.identity_info.parameter_control = parameter_control;
pinfo.identity_info.logon_id_low = 0;
pinfo.identity_info.logon_id_high = 0;
pinfo.identity_info.account_name.string = account_name;
cli_credentials_get_domain(cmdline_credentials)
),
.password = cli_credentials_get_password(cmdline_credentials),
- .network_login = False,
+ .network_login = False, /* works for some things, but not NTLMv2. Odd */
.expected_interactive_error = NT_STATUS_OK,
.expected_network_error = NT_STATUS_OK
},
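Review bot: The comment `/* works for some things, but not NTLMv2. Odd */` added on `.network_login = False` here, and on the two following credential entries, records an unexplained failure. It does not say which setting "works", which check fails or what status is returned. As written it reads as if `False` is the value that fails, which is presumably not what is meant. Something like `/* FIXME: network logon with this account form fails the NTLMv2 checks; cause not yet understood */` would tell the next reader what to investigate. The wording should be adjusted to the failure actually observed.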
cli_credentials_get_domain(machine_credentials)
),
.password = cli_credentials_get_password(machine_credentials),
- .network_login = False,
+ .network_login = False, /* works for some things, but not NTLMv2. Odd */
.expected_interactive_error = NT_STATUS_NO_SUCH_USER,
.parameter_control = MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT
},
TEST_USER_NAME,
userdomain),
.password = user_password,
- .network_login = False,
+ .network_login = False, /* works for some things, but not NTLMv2. Odd */
.expected_interactive_error = NT_STATUS_OK,
.expected_network_error = NT_STATUS_OK
},
usercreds[ci].domain,
usercreds[ci].username,
usercreds[ci].password,
+ usercreds[ci].parameter_control,
usercreds[ci].expected_interactive_error)) {
ret = False;
}
usercreds[0].domain,
usercreds[0].username,
usercreds[0].password,
+ usercreds[0].parameter_control,
usercreds[0].expected_interactive_error)) {
ret = False;
}
usercreds[0].password,
usercreds[0].parameter_control,
usercreds[0].expected_network_error,
- usercreds[ci].old_password,
+ usercreds[0].old_password,
1)) {
ret = False;
}