5c5ad1f3ca82cf43d2b1dbc9cd9e7dcb3c6a7589
[gd/samba-autobuild/.git] / source4 / auth / ntlm_check.c
1 /* 
2    Unix SMB/CIFS implementation.
3    Password and authentication handling
4    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2004
5    Copyright (C) Gerald Carter                             2003
6    Copyright (C) Luke Kenneth Casson Leighton         1996-2000
7    
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "lib/crypto/crypto.h"
24 #include "librpc/gen_ndr/netlogon.h"
25 #include "libcli/auth/libcli_auth.h"
26
27 /****************************************************************************
28  Core of smb password checking routine.
29 ****************************************************************************/
30
31 static BOOL smb_pwd_check_ntlmv1(TALLOC_CTX *mem_ctx,
32                                  const DATA_BLOB *nt_response,
33                                  const uint8_t *part_passwd,
34                                  const DATA_BLOB *sec_blob,
35                                  DATA_BLOB *user_sess_key)
36 {
37         /* Finish the encryption of part_passwd. */
38         uint8_t p24[24];
39         
40         if (part_passwd == NULL) {
41                 DEBUG(10,("No password set - DISALLOWING access\n"));
42                 /* No password set - always false ! */
43                 return False;
44         }
45         
46         if (sec_blob->length != 8) {
47                 DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect challenge size (%lu)\n", 
48                           (unsigned long)sec_blob->length));
49                 return False;
50         }
51         
52         if (nt_response->length != 24) {
53                 DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect password length (%lu)\n", 
54                           (unsigned long)nt_response->length));
55                 return False;
56         }
57
58         SMBOWFencrypt(part_passwd, sec_blob->data, p24);
59         
60 #if DEBUG_PASSWORD
61         DEBUG(100,("Part password (P16) was |\n"));
62         dump_data(100, part_passwd, 16);
63         DEBUGADD(100,("Password from client was |\n"));
64         dump_data(100, nt_response->data, nt_response->length);
65         DEBUGADD(100,("Given challenge was |\n"));
66         dump_data(100, sec_blob->data, sec_blob->length);
67         DEBUGADD(100,("Value from encryption was |\n"));
68         dump_data(100, p24, 24);
69 #endif
70         if (memcmp(p24, nt_response->data, 24) == 0) {
71                 if (user_sess_key != NULL) {
72                         *user_sess_key = data_blob_talloc(mem_ctx, NULL, 16);
73                         SMBsesskeygen_ntv1(part_passwd, user_sess_key->data);
74                 }
75                 return True;
76         } 
77         return False;
78 }
79
80 /****************************************************************************
81  Core of smb password checking routine. (NTLMv2, LMv2)
82  Note:  The same code works with both NTLMv2 and LMv2.
83 ****************************************************************************/
84
85 static BOOL smb_pwd_check_ntlmv2(TALLOC_CTX *mem_ctx,
86                                  const DATA_BLOB *ntv2_response,
87                                  const uint8_t *part_passwd,
88                                  const DATA_BLOB *sec_blob,
89                                  const char *user, const char *domain,
90                                  BOOL upper_case_domain, /* should the domain be transformed into upper case? */
91                                  DATA_BLOB *user_sess_key)
92 {
93         /* Finish the encryption of part_passwd. */
94         uint8_t kr[16];
95         uint8_t value_from_encryption[16];
96         DATA_BLOB client_key_data;
97
98         if (part_passwd == NULL) {
99                 DEBUG(10,("No password set - DISALLOWING access\n"));
100                 /* No password set - always False */
101                 return False;
102         }
103
104         if (sec_blob->length != 8) {
105                 DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect challenge size (%lu)\n", 
106                           (unsigned long)sec_blob->length));
107                 return False;
108         }
109         
110         if (ntv2_response->length < 24) {
111                 /* We MUST have more than 16 bytes, or the stuff below will go
112                    crazy.  No known implementation sends less than the 24 bytes
113                    for LMv2, let alone NTLMv2. */
114                 DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect password length (%lu)\n", 
115                           (unsigned long)ntv2_response->length));
116                 return False;
117         }
118
119         client_key_data = data_blob_talloc(mem_ctx, ntv2_response->data+16, ntv2_response->length-16);
120         /* 
121            todo:  should we be checking this for anything?  We can't for LMv2, 
122            but for NTLMv2 it is meant to contain the current time etc.
123         */
124
125         if (!ntv2_owf_gen(part_passwd, user, domain, upper_case_domain, kr)) {
126                 return False;
127         }
128
129         SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption);
130
131 #if DEBUG_PASSWORD
132         DEBUG(100,("Part password (P16) was |\n"));
133         dump_data(100, part_passwd, 16);
134         DEBUGADD(100,("Password from client was |\n"));
135         dump_data(100, ntv2_response->data, ntv2_response->length);
136         DEBUGADD(100,("Variable data from client was |\n"));
137         dump_data(100, client_key_data.data, client_key_data.length);
138         DEBUGADD(100,("Given challenge was |\n"));
139         dump_data(100, sec_blob->data, sec_blob->length);
140         DEBUGADD(100,("Value from encryption was |\n"));
141         dump_data(100, value_from_encryption, 16);
142 #endif
143         data_blob_clear_free(&client_key_data);
144         if (memcmp(value_from_encryption, ntv2_response->data, 16) == 0) { 
145                 if (user_sess_key != NULL) {
146                         *user_sess_key = data_blob_talloc(mem_ctx, NULL, 16);
147                         SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key->data);
148                 }
149                 return True;
150         }
151         return False;
152 }
153
154 /****************************************************************************
155  Core of smb password checking routine. (NTLMv2, LMv2)
156  Note:  The same code works with both NTLMv2 and LMv2.
157 ****************************************************************************/
158
159 static BOOL smb_sess_key_ntlmv2(TALLOC_CTX *mem_ctx,
160                                 const DATA_BLOB *ntv2_response,
161                                 const uint8_t *part_passwd,
162                                 const DATA_BLOB *sec_blob,
163                                 const char *user, const char *domain,
164                                 BOOL upper_case_domain, /* should the domain be transformed into upper case? */
165                                 DATA_BLOB *user_sess_key)
166 {
167         /* Finish the encryption of part_passwd. */
168         uint8_t kr[16];
169         uint8_t value_from_encryption[16];
170         DATA_BLOB client_key_data;
171
172         if (part_passwd == NULL) {
173                 DEBUG(10,("No password set - DISALLOWING access\n"));
174                 /* No password set - always False */
175                 return False;
176         }
177
178         if (sec_blob->length != 8) {
179                 DEBUG(0, ("smb_sess_key_ntlmv2: incorrect challenge size (%lu)\n", 
180                           (unsigned long)sec_blob->length));
181                 return False;
182         }
183         
184         if (ntv2_response->length < 24) {
185                 /* We MUST have more than 16 bytes, or the stuff below will go
186                    crazy.  No known implementation sends less than the 24 bytes
187                    for LMv2, let alone NTLMv2. */
188                 DEBUG(0, ("smb_sess_key_ntlmv2: incorrect password length (%lu)\n", 
189                           (unsigned long)ntv2_response->length));
190                 return False;
191         }
192
193         client_key_data = data_blob_talloc(mem_ctx, ntv2_response->data+16, ntv2_response->length-16);
194
195         if (!ntv2_owf_gen(part_passwd, user, domain, upper_case_domain, kr)) {
196                 return False;
197         }
198
199         SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption);
200         *user_sess_key = data_blob_talloc(mem_ctx, NULL, 16);
201         SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key->data);
202         return True;
203 }
204
205 /**
206  * Compare password hashes against those from the SAM
207  *
208  * @param mem_ctx talloc context
209  * @param client_lanman LANMAN password hash, as supplied by the client
210  * @param client_nt NT (MD4) password hash, as supplied by the client
211  * @param username internal Samba username, for log messages
212  * @param client_username username the client used
213  * @param client_domain domain name the client used (may be mapped)
214  * @param stored_lanman LANMAN password hash, as stored on the SAM
215  * @param stored_nt NT (MD4) password hash, as stored on the SAM
216  * @param user_sess_key User session key
217  * @param lm_sess_key LM session key (first 8 bytes of the LM hash)
218  */
219
220 NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
221                              const struct samr_Password *client_lanman,
222                              const struct samr_Password *client_nt,
223                              const char *username, 
224                              const struct samr_Password *stored_lanman, 
225                              const struct samr_Password *stored_nt)
226 {
227         if (stored_nt == NULL) {
228                 DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n", 
229                          username));
230         }
231
232         if (client_nt && stored_nt) {
233                 if (memcmp(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash)) == 0) {
234                         return NT_STATUS_OK;
235                 } else {
236                         DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n",
237                                  username));
238                         return NT_STATUS_WRONG_PASSWORD;
239                 }
240
241         } else if (client_lanman && stored_lanman) {
242                 if (!lp_lanman_auth()) {
243                         DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
244                                  username));
245                         return NT_STATUS_WRONG_PASSWORD;
246                 }
247                 if (strchr_m(username, '@')) {
248                         return NT_STATUS_NOT_FOUND;
249                 }
250
251                 if (memcmp(client_lanman->hash, stored_lanman->hash, sizeof(stored_lanman->hash)) == 0) {
252                         return NT_STATUS_OK;
253                 } else {
254                         DEBUG(3,("ntlm_password_check: Interactive logon: LANMAN password check failed for user %s\n",
255                                  username));
256                         return NT_STATUS_WRONG_PASSWORD;
257                 }
258         }
259         if (strchr_m(username, '@')) {
260                 return NT_STATUS_NOT_FOUND;
261         }
262         return NT_STATUS_WRONG_PASSWORD;
263 }
264
265 /**
266  * Check a challenge-response password against the value of the NT or
267  * LM password hash.
268  *
269  * @param mem_ctx talloc context
270  * @param challenge 8-byte challenge.  If all zero, forces plaintext comparison
271  * @param nt_response 'unicode' NT response to the challenge, or unicode password
272  * @param lm_response ASCII or LANMAN response to the challenge, or password in DOS code page
273  * @param username internal Samba username, for log messages
274  * @param client_username username the client used
275  * @param client_domain domain name the client used (may be mapped)
276  * @param stored_lanman LANMAN ASCII password from our passdb or similar
277  * @param stored_nt MD4 unicode password from our passdb or similar
278  * @param user_sess_key User session key
279  * @param lm_sess_key LM session key (first 8 bytes of the LM hash)
280  */
281
282 NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
283                              uint32_t logon_parameters,
284                              const DATA_BLOB *challenge,
285                              const DATA_BLOB *lm_response,
286                              const DATA_BLOB *nt_response,
287                              const char *username, 
288                              const char *client_username, 
289                              const char *client_domain,
290                              const struct samr_Password *stored_lanman, 
291                              const struct samr_Password *stored_nt, 
292                              DATA_BLOB *user_sess_key, 
293                              DATA_BLOB *lm_sess_key)
294 {
295         static const uint8_t zeros[8];
296         DATA_BLOB tmp_sess_key;
297
298         if (stored_nt == NULL) {
299                 DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n", 
300                          username));
301         }
302
303         *lm_sess_key = data_blob(NULL, 0);
304         *user_sess_key = data_blob(NULL, 0);
305
306         /* Check for cleartext netlogon. Used by Exchange 5.5. */
307         if ((logon_parameters & MSV1_0_CLEARTEXT_PASSWORD_ALLOWED)
308             && challenge->length == sizeof(zeros) 
309             && (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
310                 struct samr_Password client_nt;
311                 struct samr_Password client_lm;
312                 char *unix_pw = NULL;
313                 BOOL lm_ok;
314
315                 DEBUG(4,("ntlm_password_check: checking plaintext passwords for user %s\n",
316                          username));
317                 mdfour(client_nt.hash, nt_response->data, nt_response->length);
318                 
319                 if (lm_response->length && 
320                     (convert_string_talloc(mem_ctx, CH_DOS, CH_UNIX, 
321                                           lm_response->data, lm_response->length, 
322                                            (void **)&unix_pw) != -1)) {
323                         if (E_deshash(unix_pw, client_lm.hash)) {
324                                 lm_ok = True;
325                         } else {
326                                 lm_ok = False;
327                         }
328                 } else {
329                         lm_ok = False;
330                 }
331                 return hash_password_check(mem_ctx, 
332                                            lm_ok ? &client_lm : NULL, 
333                                            nt_response->length ? &client_nt : NULL, 
334                                            username,  
335                                            stored_lanman, stored_nt);
336         }
337
338         if (nt_response->length != 0 && nt_response->length < 24) {
339                 DEBUG(2,("ntlm_password_check: invalid NT password length (%lu) for user %s\n", 
340                          (unsigned long)nt_response->length, username));                
341         }
342         
343         if (nt_response->length > 24 && stored_nt) {
344                 /* We have the NT MD4 hash challenge available - see if we can
345                    use it 
346                 */
347                 DEBUG(4,("ntlm_password_check: Checking NTLMv2 password with domain [%s]\n", client_domain));
348                 if (smb_pwd_check_ntlmv2(mem_ctx,
349                                          nt_response, 
350                                          stored_nt->hash, challenge, 
351                                          client_username, 
352                                          client_domain,
353                                          False,
354                                          user_sess_key)) {
355                         *lm_sess_key = *user_sess_key;
356                         if (user_sess_key->length) {
357                                 lm_sess_key->length = 8;
358                         }
359                         return NT_STATUS_OK;
360                 }
361                 
362                 DEBUG(4,("ntlm_password_check: Checking NTLMv2 password with uppercased version of domain [%s]\n", client_domain));
363                 if (smb_pwd_check_ntlmv2(mem_ctx,
364                                          nt_response, 
365                                          stored_nt->hash, challenge, 
366                                          client_username, 
367                                          client_domain,
368                                          True,
369                                          user_sess_key)) {
370                         *lm_sess_key = *user_sess_key;
371                         if (user_sess_key->length) {
372                                 lm_sess_key->length = 8;
373                         }
374                         return NT_STATUS_OK;
375                 }
376                 
377                 DEBUG(4,("ntlm_password_check: Checking NTLMv2 password without a domain\n"));
378                 if (smb_pwd_check_ntlmv2(mem_ctx,
379                                          nt_response, 
380                                          stored_nt->hash, challenge, 
381                                          client_username, 
382                                          "",
383                                          False,
384                                          user_sess_key)) {
385                         *lm_sess_key = *user_sess_key;
386                         if (user_sess_key->length) {
387                                 lm_sess_key->length = 8;
388                         }
389                         return NT_STATUS_OK;
390                 } else {
391                         DEBUG(3,("ntlm_password_check: NTLMv2 password check failed\n"));
392                 }
393         } else if (nt_response->length == 24 && stored_nt) {
394                 if (lp_ntlm_auth()) {           
395                         /* We have the NT MD4 hash challenge available - see if we can
396                            use it (ie. does it exist in the smbpasswd file).
397                         */
398                         DEBUG(4,("ntlm_password_check: Checking NT MD4 password\n"));
399                         if (smb_pwd_check_ntlmv1(mem_ctx, 
400                                                  nt_response, 
401                                                  stored_nt->hash, challenge,
402                                                  user_sess_key)) {
403                                 /* The LM session key for this response is not very secure, 
404                                    so use it only if we otherwise allow LM authentication */
405                                 
406                                 if (lp_lanman_auth() && stored_lanman) {
407                                         *lm_sess_key = data_blob_talloc(mem_ctx, stored_lanman->hash, 8);
408                                 }
409                                 return NT_STATUS_OK;
410                         } else {
411                                 DEBUG(3,("ntlm_password_check: NT MD4 password check failed for user %s\n",
412                                          username));
413                                 return NT_STATUS_WRONG_PASSWORD;
414                         }
415                 } else {
416                         DEBUG(2,("ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user %s\n",
417                                  username));                    
418                         /* no return, becouse we might pick up LMv2 in the LM field */
419                 }
420         }
421         
422         if (lm_response->length == 0) {
423                 DEBUG(3,("ntlm_password_check: NEITHER LanMan nor NT password supplied for user %s\n",
424                          username));
425                 return NT_STATUS_WRONG_PASSWORD;
426         }
427         
428         if (lm_response->length < 24) {
429                 DEBUG(2,("ntlm_password_check: invalid LanMan password length (%lu) for user %s\n", 
430                          (unsigned long)nt_response->length, username));                
431                 return NT_STATUS_WRONG_PASSWORD;
432         }
433                 
434         if (!lp_lanman_auth()) {
435                 DEBUG(3,("ntlm_password_check: Lanman passwords NOT PERMITTED for user %s\n",
436                          username));
437         } else if (!stored_lanman) {
438                 DEBUG(3,("ntlm_password_check: NO LanMan password set for user %s (and no NT password supplied)\n",
439                          username));
440         } else if (strchr_m(username, '@')) {
441                 DEBUG(3,("ntlm_password_check: NO LanMan password allowed for username@realm logins (user: %s)\n",
442                          username));
443         } else {
444                 DEBUG(4,("ntlm_password_check: Checking LM password\n"));
445                 if (smb_pwd_check_ntlmv1(mem_ctx,
446                                          lm_response, 
447                                          stored_lanman->hash, challenge,
448                                          NULL)) {
449                         /* The session key for this response is still very odd.  
450                            It not very secure, so use it only if we otherwise 
451                            allow LM authentication */
452
453                         if (lp_lanman_auth() && stored_lanman) {
454                                 uint8_t first_8_lm_hash[16];
455                                 memcpy(first_8_lm_hash, stored_lanman->hash, 8);
456                                 memset(first_8_lm_hash + 8, '\0', 8);
457                                 *user_sess_key = data_blob_talloc(mem_ctx, first_8_lm_hash, 16);
458                                 *lm_sess_key = data_blob_talloc(mem_ctx, stored_lanman->hash, 8);
459                         }
460                         return NT_STATUS_OK;
461                 }
462         }
463         
464         if (!stored_nt) {
465                 DEBUG(4,("ntlm_password_check: LM password check failed for user, no NT password %s\n",username));
466                 return NT_STATUS_WRONG_PASSWORD;
467         }
468         
469         /* This is for 'LMv2' authentication.  almost NTLMv2 but limited to 24 bytes.
470            - related to Win9X, legacy NAS pass-though authentication
471         */
472         DEBUG(4,("ntlm_password_check: Checking LMv2 password with domain %s\n", client_domain));
473         if (smb_pwd_check_ntlmv2(mem_ctx,
474                                  lm_response, 
475                                  stored_nt->hash, challenge, 
476                                  client_username,
477                                  client_domain,
478                                  False,
479                                  &tmp_sess_key)) {
480                 if (nt_response->length > 24) {
481                         /* If NTLMv2 authentication has preceeded us
482                          * (even if it failed), then use the session
483                          * key from that.  See the RPC-SAMLOGON
484                          * torture test */
485                         smb_sess_key_ntlmv2(mem_ctx,
486                                             nt_response, 
487                                             stored_nt->hash, challenge, 
488                                             client_username,
489                                             client_domain,
490                                             False,
491                                             user_sess_key);
492                 } else {
493                         /* Otherwise, use the LMv2 session key */
494                         *user_sess_key = tmp_sess_key;
495                 }
496                 *lm_sess_key = *user_sess_key;
497                 if (user_sess_key->length) {
498                         lm_sess_key->length = 8;
499                 }
500                 return NT_STATUS_OK;
501         }
502         
503         DEBUG(4,("ntlm_password_check: Checking LMv2 password with upper-cased version of domain %s\n", client_domain));
504         if (smb_pwd_check_ntlmv2(mem_ctx,
505                                  lm_response, 
506                                  stored_nt->hash, challenge, 
507                                  client_username,
508                                  client_domain,
509                                  True,
510                                  &tmp_sess_key)) {
511                 if (nt_response->length > 24) {
512                         /* If NTLMv2 authentication has preceeded us
513                          * (even if it failed), then use the session
514                          * key from that.  See the RPC-SAMLOGON
515                          * torture test */
516                         smb_sess_key_ntlmv2(mem_ctx,
517                                             nt_response, 
518                                             stored_nt->hash, challenge, 
519                                             client_username,
520                                             client_domain,
521                                             True,
522                                             user_sess_key);
523                 } else {
524                         /* Otherwise, use the LMv2 session key */
525                         *user_sess_key = tmp_sess_key;
526                 }
527                 *lm_sess_key = *user_sess_key;
528                 if (user_sess_key->length) {
529                         lm_sess_key->length = 8;
530                 }
531                 return NT_STATUS_OK;
532         }
533         
534         DEBUG(4,("ntlm_password_check: Checking LMv2 password without a domain\n"));
535         if (smb_pwd_check_ntlmv2(mem_ctx,
536                                  lm_response, 
537                                  stored_nt->hash, challenge, 
538                                  client_username,
539                                  "",
540                                  False,
541                                  &tmp_sess_key)) {
542                 if (nt_response->length > 24) {
543                         /* If NTLMv2 authentication has preceeded us
544                          * (even if it failed), then use the session
545                          * key from that.  See the RPC-SAMLOGON
546                          * torture test */
547                         smb_sess_key_ntlmv2(mem_ctx,
548                                             nt_response, 
549                                             stored_nt->hash, challenge, 
550                                             client_username,
551                                             "",
552                                             False,
553                                             user_sess_key);
554                 } else {
555                         /* Otherwise, use the LMv2 session key */
556                         *user_sess_key = tmp_sess_key;
557                 }
558                 *lm_sess_key = *user_sess_key;
559                 if (user_sess_key->length) {
560                         lm_sess_key->length = 8;
561                 }
562                 return NT_STATUS_OK;
563         }
564
565         /* Apparently NT accepts NT responses in the LM field
566            - I think this is related to Win9X pass-though authentication
567         */
568         DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n"));
569         if (lp_ntlm_auth()) {
570                 if (smb_pwd_check_ntlmv1(mem_ctx, 
571                                          lm_response, 
572                                          stored_nt->hash, challenge,
573                                          NULL)) {
574                         /* The session key for this response is still very odd.  
575                            It not very secure, so use it only if we otherwise 
576                            allow LM authentication */
577
578                         if (lp_lanman_auth() && stored_lanman) {
579                                 uint8_t first_8_lm_hash[16];
580                                 memcpy(first_8_lm_hash, stored_lanman->hash, 8);
581                                 memset(first_8_lm_hash + 8, '\0', 8);
582                                 *user_sess_key = data_blob_talloc(mem_ctx, first_8_lm_hash, 16);
583                                 *lm_sess_key = data_blob_talloc(mem_ctx, stored_lanman->hash, 8);
584                         }
585                         return NT_STATUS_OK;
586                 }
587                 DEBUG(3,("ntlm_password_check: LM password, NT MD4 password in LM field and LMv2 failed for user %s\n",username));
588         } else {
589                 DEBUG(3,("ntlm_password_check: LM password and LMv2 failed for user %s, and NT MD4 password in LM field not permitted\n",username));
590         }
591
592         /* Try and match error codes */
593         if (strchr_m(username, '@')) {
594                 return NT_STATUS_NOT_FOUND;
595         }
596         return NT_STATUS_WRONG_PASSWORD;
597 }
598