978f0fe1be99f3c5c908ec177eaf85ba2ce0a576
[ira/wip.git] / libcli / auth / ntlm_check.c
1 /* 
2    Unix SMB/CIFS implementation.
3    Password and authentication handling
4    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2004
5    Copyright (C) Gerald Carter                             2003
6    Copyright (C) Luke Kenneth Casson Leighton         1996-2000
7    
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "../lib/crypto/crypto.h"
24 #include "librpc/gen_ndr/netlogon.h"
25 #include "libcli/auth/libcli_auth.h"
26
27 /****************************************************************************
28  Core of smb password checking routine.
29 ****************************************************************************/
30
31 static bool smb_pwd_check_ntlmv1(TALLOC_CTX *mem_ctx,
32                                  const DATA_BLOB *nt_response,
33                                  const uint8_t *part_passwd,
34                                  const DATA_BLOB *sec_blob,
35                                  DATA_BLOB *user_sess_key)
36 {
37         /* Finish the encryption of part_passwd. */
38         uint8_t p24[24];
39         
40         if (part_passwd == NULL) {
41                 DEBUG(10,("No password set - DISALLOWING access\n"));
42                 /* No password set - always false ! */
43                 return false;
44         }
45         
46         if (sec_blob->length != 8) {
47                 DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect challenge size (%lu)\n", 
48                           (unsigned long)sec_blob->length));
49                 return false;
50         }
51         
52         if (nt_response->length != 24) {
53                 DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect password length (%lu)\n", 
54                           (unsigned long)nt_response->length));
55                 return false;
56         }
57
58         SMBOWFencrypt(part_passwd, sec_blob->data, p24);
59         
60 #if DEBUG_PASSWORD
61         DEBUG(100,("Part password (P16) was |\n"));
62         dump_data(100, part_passwd, 16);
63         DEBUGADD(100,("Password from client was |\n"));
64         dump_data(100, nt_response->data, nt_response->length);
65         DEBUGADD(100,("Given challenge was |\n"));
66         dump_data(100, sec_blob->data, sec_blob->length);
67         DEBUGADD(100,("Value from encryption was |\n"));
68         dump_data(100, p24, 24);
69 #endif
70         if (memcmp(p24, nt_response->data, 24) == 0) {
71                 if (user_sess_key != NULL) {
72                         *user_sess_key = data_blob_talloc(mem_ctx, NULL, 16);
73                         SMBsesskeygen_ntv1(part_passwd, user_sess_key->data);
74                 }
75                 return true;
76         } 
77         return false;
78 }
79
80 /****************************************************************************
81  Core of smb password checking routine. (NTLMv2, LMv2)
82  Note:  The same code works with both NTLMv2 and LMv2.
83 ****************************************************************************/
84
85 static bool smb_pwd_check_ntlmv2(TALLOC_CTX *mem_ctx,
86                                  const DATA_BLOB *ntv2_response,
87                                  const uint8_t *part_passwd,
88                                  const DATA_BLOB *sec_blob,
89                                  const char *user, const char *domain,
90                                  bool upper_case_domain, /* should the domain be transformed into upper case? */
91                                  DATA_BLOB *user_sess_key)
92 {
93         /* Finish the encryption of part_passwd. */
94         uint8_t kr[16];
95         uint8_t value_from_encryption[16];
96         DATA_BLOB client_key_data;
97
98         if (part_passwd == NULL) {
99                 DEBUG(10,("No password set - DISALLOWING access\n"));
100                 /* No password set - always false */
101                 return false;
102         }
103
104         if (sec_blob->length != 8) {
105                 DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect challenge size (%lu)\n", 
106                           (unsigned long)sec_blob->length));
107                 return false;
108         }
109         
110         if (ntv2_response->length < 24) {
111                 /* We MUST have more than 16 bytes, or the stuff below will go
112                    crazy.  No known implementation sends less than the 24 bytes
113                    for LMv2, let alone NTLMv2. */
114                 DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect password length (%lu)\n", 
115                           (unsigned long)ntv2_response->length));
116                 return false;
117         }
118
119         client_key_data = data_blob_talloc(mem_ctx, ntv2_response->data+16, ntv2_response->length-16);
120         /* 
121            todo:  should we be checking this for anything?  We can't for LMv2, 
122            but for NTLMv2 it is meant to contain the current time etc.
123         */
124
125         if (!ntv2_owf_gen(part_passwd, user, domain, upper_case_domain, kr)) {
126                 return false;
127         }
128
129         SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption);
130
131 #if DEBUG_PASSWORD
132         DEBUG(100,("Part password (P16) was |\n"));
133         dump_data(100, part_passwd, 16);
134         DEBUGADD(100,("Password from client was |\n"));
135         dump_data(100, ntv2_response->data, ntv2_response->length);
136         DEBUGADD(100,("Variable data from client was |\n"));
137         dump_data(100, client_key_data.data, client_key_data.length);
138         DEBUGADD(100,("Given challenge was |\n"));
139         dump_data(100, sec_blob->data, sec_blob->length);
140         DEBUGADD(100,("Value from encryption was |\n"));
141         dump_data(100, value_from_encryption, 16);
142 #endif
143         data_blob_clear_free(&client_key_data);
144         if (memcmp(value_from_encryption, ntv2_response->data, 16) == 0) { 
145                 if (user_sess_key != NULL) {
146                         *user_sess_key = data_blob_talloc(mem_ctx, NULL, 16);
147                         SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key->data);
148                 }
149                 return true;
150         }
151         return false;
152 }
153
154 /****************************************************************************
155  Core of smb password checking routine. (NTLMv2, LMv2)
156  Note:  The same code works with both NTLMv2 and LMv2.
157 ****************************************************************************/
158
159 static bool smb_sess_key_ntlmv2(TALLOC_CTX *mem_ctx,
160                                 const DATA_BLOB *ntv2_response,
161                                 const uint8_t *part_passwd,
162                                 const DATA_BLOB *sec_blob,
163                                 const char *user, const char *domain,
164                                 bool upper_case_domain, /* should the domain be transformed into upper case? */
165                                 DATA_BLOB *user_sess_key)
166 {
167         /* Finish the encryption of part_passwd. */
168         uint8_t kr[16];
169         uint8_t value_from_encryption[16];
170         DATA_BLOB client_key_data;
171
172         if (part_passwd == NULL) {
173                 DEBUG(10,("No password set - DISALLOWING access\n"));
174                 /* No password set - always false */
175                 return false;
176         }
177
178         if (sec_blob->length != 8) {
179                 DEBUG(0, ("smb_sess_key_ntlmv2: incorrect challenge size (%lu)\n", 
180                           (unsigned long)sec_blob->length));
181                 return false;
182         }
183         
184         if (ntv2_response->length < 24) {
185                 /* We MUST have more than 16 bytes, or the stuff below will go
186                    crazy.  No known implementation sends less than the 24 bytes
187                    for LMv2, let alone NTLMv2. */
188                 DEBUG(0, ("smb_sess_key_ntlmv2: incorrect password length (%lu)\n", 
189                           (unsigned long)ntv2_response->length));
190                 return false;
191         }
192
193         client_key_data = data_blob_talloc(mem_ctx, ntv2_response->data+16, ntv2_response->length-16);
194
195         if (!ntv2_owf_gen(part_passwd, user, domain, upper_case_domain, kr)) {
196                 return false;
197         }
198
199         SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption);
200         *user_sess_key = data_blob_talloc(mem_ctx, NULL, 16);
201         SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key->data);
202         return true;
203 }
204
205 /**
206  * Compare password hashes against those from the SAM
207  *
208  * @param mem_ctx talloc context
209  * @param client_lanman LANMAN password hash, as supplied by the client
210  * @param client_nt NT (MD4) password hash, as supplied by the client
211  * @param username internal Samba username, for log messages
212  * @param client_username username the client used
213  * @param client_domain domain name the client used (may be mapped)
214  * @param stored_lanman LANMAN password hash, as stored on the SAM
215  * @param stored_nt NT (MD4) password hash, as stored on the SAM
216  * @param user_sess_key User session key
217  * @param lm_sess_key LM session key (first 8 bytes of the LM hash)
218  */
219
220 NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
221                                  bool lanman_auth,
222                              const struct samr_Password *client_lanman,
223                              const struct samr_Password *client_nt,
224                              const char *username, 
225                              const struct samr_Password *stored_lanman, 
226                              const struct samr_Password *stored_nt)
227 {
228         if (stored_nt == NULL) {
229                 DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n", 
230                          username));
231         }
232
233         if (client_nt && stored_nt) {
234                 if (memcmp(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash)) == 0) {
235                         return NT_STATUS_OK;
236                 } else {
237                         DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n",
238                                  username));
239                         return NT_STATUS_WRONG_PASSWORD;
240                 }
241
242         } else if (client_lanman && stored_lanman) {
243                 if (!lanman_auth) {
244                         DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
245                                  username));
246                         return NT_STATUS_WRONG_PASSWORD;
247                 }
248                 if (strchr_m(username, '@')) {
249                         return NT_STATUS_NOT_FOUND;
250                 }
251
252                 if (memcmp(client_lanman->hash, stored_lanman->hash, sizeof(stored_lanman->hash)) == 0) {
253                         return NT_STATUS_OK;
254                 } else {
255                         DEBUG(3,("ntlm_password_check: Interactive logon: LANMAN password check failed for user %s\n",
256                                  username));
257                         return NT_STATUS_WRONG_PASSWORD;
258                 }
259         }
260         if (strchr_m(username, '@')) {
261                 return NT_STATUS_NOT_FOUND;
262         }
263         return NT_STATUS_WRONG_PASSWORD;
264 }
265
266 /**
267  * Check a challenge-response password against the value of the NT or
268  * LM password hash.
269  *
270  * @param mem_ctx talloc context
271  * @param challenge 8-byte challenge.  If all zero, forces plaintext comparison
272  * @param nt_response 'unicode' NT response to the challenge, or unicode password
273  * @param lm_response ASCII or LANMAN response to the challenge, or password in DOS code page
274  * @param username internal Samba username, for log messages
275  * @param client_username username the client used
276  * @param client_domain domain name the client used (may be mapped)
277  * @param stored_lanman LANMAN ASCII password from our passdb or similar
278  * @param stored_nt MD4 unicode password from our passdb or similar
279  * @param user_sess_key User session key
280  * @param lm_sess_key LM session key (first 8 bytes of the LM hash)
281  */
282
283 NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
284                                  bool lanman_auth,
285                                  bool ntlm_auth,
286                              uint32_t logon_parameters,
287                              const DATA_BLOB *challenge,
288                              const DATA_BLOB *lm_response,
289                              const DATA_BLOB *nt_response,
290                              const char *username, 
291                              const char *client_username, 
292                              const char *client_domain,
293                              const struct samr_Password *stored_lanman, 
294                              const struct samr_Password *stored_nt, 
295                              DATA_BLOB *user_sess_key, 
296                              DATA_BLOB *lm_sess_key)
297 {
298         const static uint8_t zeros[8];
299         DATA_BLOB tmp_sess_key;
300
301         if (stored_nt == NULL) {
302                 DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n", 
303                          username));
304         }
305
306         *lm_sess_key = data_blob(NULL, 0);
307         *user_sess_key = data_blob(NULL, 0);
308
309         /* Check for cleartext netlogon. Used by Exchange 5.5. */
310         if ((logon_parameters & MSV1_0_CLEARTEXT_PASSWORD_ALLOWED)
311             && challenge->length == sizeof(zeros) 
312             && (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
313                 struct samr_Password client_nt;
314                 struct samr_Password client_lm;
315                 char *unix_pw = NULL;
316                 bool lm_ok;
317
318                 DEBUG(4,("ntlm_password_check: checking plaintext passwords for user %s\n",
319                          username));
320                 mdfour(client_nt.hash, nt_response->data, nt_response->length);
321                 
322                 if (lm_response->length && 
323                     (convert_string_talloc(mem_ctx, CH_DOS, CH_UNIX, 
324                                           lm_response->data, lm_response->length, 
325                                            (void *)&unix_pw, NULL, false))) {
326                         if (E_deshash(unix_pw, client_lm.hash)) {
327                                 lm_ok = true;
328                         } else {
329                                 lm_ok = false;
330                         }
331                 } else {
332                         lm_ok = false;
333                 }
334                 return hash_password_check(mem_ctx, 
335                                            lanman_auth,
336                                            lm_ok ? &client_lm : NULL, 
337                                            nt_response->length ? &client_nt : NULL, 
338                                            username,  
339                                            stored_lanman, stored_nt);
340         }
341
342         if (nt_response->length != 0 && nt_response->length < 24) {
343                 DEBUG(2,("ntlm_password_check: invalid NT password length (%lu) for user %s\n", 
344                          (unsigned long)nt_response->length, username));                
345         }
346         
347         if (nt_response->length > 24 && stored_nt) {
348                 /* We have the NT MD4 hash challenge available - see if we can
349                    use it 
350                 */
351                 DEBUG(4,("ntlm_password_check: Checking NTLMv2 password with domain [%s]\n", client_domain));
352                 if (smb_pwd_check_ntlmv2(mem_ctx,
353                                          nt_response, 
354                                          stored_nt->hash, challenge, 
355                                          client_username, 
356                                          client_domain,
357                                          false,
358                                          user_sess_key)) {
359                         if (user_sess_key->length) {
360                                 *lm_sess_key = data_blob_talloc(mem_ctx, user_sess_key->data, MIN(8, user_sess_key->length));
361                         }
362                         return NT_STATUS_OK;
363                 }
364                 
365                 DEBUG(4,("ntlm_password_check: Checking NTLMv2 password with uppercased version of domain [%s]\n", client_domain));
366                 if (smb_pwd_check_ntlmv2(mem_ctx,
367                                          nt_response, 
368                                          stored_nt->hash, challenge, 
369                                          client_username, 
370                                          client_domain,
371                                          true,
372                                          user_sess_key)) {
373                         if (user_sess_key->length) {
374                                 *lm_sess_key = data_blob_talloc(mem_ctx, user_sess_key->data, MIN(8, user_sess_key->length));
375                         }
376                         return NT_STATUS_OK;
377                 }
378                 
379                 DEBUG(4,("ntlm_password_check: Checking NTLMv2 password without a domain\n"));
380                 if (smb_pwd_check_ntlmv2(mem_ctx,
381                                          nt_response, 
382                                          stored_nt->hash, challenge, 
383                                          client_username, 
384                                          "",
385                                          false,
386                                          user_sess_key)) {
387                         if (user_sess_key->length) {
388                                 *lm_sess_key = data_blob_talloc(mem_ctx, user_sess_key->data, MIN(8, user_sess_key->length));
389                         }
390                         return NT_STATUS_OK;
391                 } else {
392                         DEBUG(3,("ntlm_password_check: NTLMv2 password check failed\n"));
393                 }
394         } else if (nt_response->length == 24 && stored_nt) {
395                 if (ntlm_auth) {                
396                         /* We have the NT MD4 hash challenge available - see if we can
397                            use it (ie. does it exist in the smbpasswd file).
398                         */
399                         DEBUG(4,("ntlm_password_check: Checking NT MD4 password\n"));
400                         if (smb_pwd_check_ntlmv1(mem_ctx, 
401                                                  nt_response, 
402                                                  stored_nt->hash, challenge,
403                                                  user_sess_key)) {
404                                 /* The LM session key for this response is not very secure, 
405                                    so use it only if we otherwise allow LM authentication */
406                                 
407                                 if (lanman_auth && stored_lanman) {
408                                         *lm_sess_key = data_blob_talloc(mem_ctx, stored_lanman->hash, MIN(8, user_sess_key->length));
409                                 }
410                                 return NT_STATUS_OK;
411                         } else {
412                                 DEBUG(3,("ntlm_password_check: NT MD4 password check failed for user %s\n",
413                                          username));
414                                 return NT_STATUS_WRONG_PASSWORD;
415                         }
416                 } else {
417                         DEBUG(2,("ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user %s\n",
418                                  username));                    
419                         /* no return, becouse we might pick up LMv2 in the LM field */
420                 }
421         }
422         
423         if (lm_response->length == 0) {
424                 DEBUG(3,("ntlm_password_check: NEITHER LanMan nor NT password supplied for user %s\n",
425                          username));
426                 return NT_STATUS_WRONG_PASSWORD;
427         }
428         
429         if (lm_response->length < 24) {
430                 DEBUG(2,("ntlm_password_check: invalid LanMan password length (%lu) for user %s\n", 
431                          (unsigned long)nt_response->length, username));                
432                 return NT_STATUS_WRONG_PASSWORD;
433         }
434                 
435         if (!lanman_auth) {
436                 DEBUG(3,("ntlm_password_check: Lanman passwords NOT PERMITTED for user %s\n",
437                          username));
438         } else if (!stored_lanman) {
439                 DEBUG(3,("ntlm_password_check: NO LanMan password set for user %s (and no NT password supplied)\n",
440                          username));
441         } else if (strchr_m(username, '@')) {
442                 DEBUG(3,("ntlm_password_check: NO LanMan password allowed for username@realm logins (user: %s)\n",
443                          username));
444         } else {
445                 DEBUG(4,("ntlm_password_check: Checking LM password\n"));
446                 if (smb_pwd_check_ntlmv1(mem_ctx,
447                                          lm_response, 
448                                          stored_lanman->hash, challenge,
449                                          NULL)) {
450                         /* The session key for this response is still very odd.  
451                            It not very secure, so use it only if we otherwise 
452                            allow LM authentication */
453
454                         if (lanman_auth && stored_lanman) {
455                                 uint8_t first_8_lm_hash[16];
456                                 memcpy(first_8_lm_hash, stored_lanman->hash, 8);
457                                 memset(first_8_lm_hash + 8, '\0', 8);
458                                 *user_sess_key = data_blob_talloc(mem_ctx, first_8_lm_hash, 16);
459                                 *lm_sess_key = data_blob_talloc(mem_ctx, stored_lanman->hash, 8);
460                         }
461                         return NT_STATUS_OK;
462                 }
463         }
464         
465         if (!stored_nt) {
466                 DEBUG(4,("ntlm_password_check: LM password check failed for user, no NT password %s\n",username));
467                 return NT_STATUS_WRONG_PASSWORD;
468         }
469         
470         /* This is for 'LMv2' authentication.  almost NTLMv2 but limited to 24 bytes.
471            - related to Win9X, legacy NAS pass-though authentication
472         */
473         DEBUG(4,("ntlm_password_check: Checking LMv2 password with domain %s\n", client_domain));
474         if (smb_pwd_check_ntlmv2(mem_ctx,
475                                  lm_response, 
476                                  stored_nt->hash, challenge, 
477                                  client_username,
478                                  client_domain,
479                                  false,
480                                  &tmp_sess_key)) {
481                 if (nt_response->length > 24) {
482                         /* If NTLMv2 authentication has preceeded us
483                          * (even if it failed), then use the session
484                          * key from that.  See the RPC-SAMLOGON
485                          * torture test */
486                         smb_sess_key_ntlmv2(mem_ctx,
487                                             nt_response, 
488                                             stored_nt->hash, challenge, 
489                                             client_username,
490                                             client_domain,
491                                             false,
492                                             user_sess_key);
493                 } else {
494                         /* Otherwise, use the LMv2 session key */
495                         *user_sess_key = tmp_sess_key;
496                 }
497                 if (user_sess_key->length) {
498                         *lm_sess_key = data_blob_talloc(mem_ctx, user_sess_key->data, MIN(8, user_sess_key->length));
499                 }
500                 return NT_STATUS_OK;
501         }
502         
503         DEBUG(4,("ntlm_password_check: Checking LMv2 password with upper-cased version of domain %s\n", client_domain));
504         if (smb_pwd_check_ntlmv2(mem_ctx,
505                                  lm_response, 
506                                  stored_nt->hash, challenge, 
507                                  client_username,
508                                  client_domain,
509                                  true,
510                                  &tmp_sess_key)) {
511                 if (nt_response->length > 24) {
512                         /* If NTLMv2 authentication has preceeded us
513                          * (even if it failed), then use the session
514                          * key from that.  See the RPC-SAMLOGON
515                          * torture test */
516                         smb_sess_key_ntlmv2(mem_ctx,
517                                             nt_response, 
518                                             stored_nt->hash, challenge, 
519                                             client_username,
520                                             client_domain,
521                                             true,
522                                             user_sess_key);
523                 } else {
524                         /* Otherwise, use the LMv2 session key */
525                         *user_sess_key = tmp_sess_key;
526                 }
527                 if (user_sess_key->length) {
528                         *lm_sess_key = data_blob_talloc(mem_ctx, user_sess_key->data, MIN(8, user_sess_key->length));
529                 }
530                 return NT_STATUS_OK;
531         }
532         
533         DEBUG(4,("ntlm_password_check: Checking LMv2 password without a domain\n"));
534         if (smb_pwd_check_ntlmv2(mem_ctx,
535                                  lm_response, 
536                                  stored_nt->hash, challenge, 
537                                  client_username,
538                                  "",
539                                  false,
540                                  &tmp_sess_key)) {
541                 if (nt_response->length > 24) {
542                         /* If NTLMv2 authentication has preceeded us
543                          * (even if it failed), then use the session
544                          * key from that.  See the RPC-SAMLOGON
545                          * torture test */
546                         smb_sess_key_ntlmv2(mem_ctx,
547                                             nt_response, 
548                                             stored_nt->hash, challenge, 
549                                             client_username,
550                                             "",
551                                             false,
552                                             user_sess_key);
553                 } else {
554                         /* Otherwise, use the LMv2 session key */
555                         *user_sess_key = tmp_sess_key;
556                 }
557                 if (user_sess_key->length) {
558                         *lm_sess_key = data_blob_talloc(mem_ctx, user_sess_key->data, MIN(8, user_sess_key->length));
559                 }
560                 return NT_STATUS_OK;
561         }
562
563         /* Apparently NT accepts NT responses in the LM field
564            - I think this is related to Win9X pass-though authentication
565         */
566         DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n"));
567         if (ntlm_auth) {
568                 if (smb_pwd_check_ntlmv1(mem_ctx, 
569                                          lm_response, 
570                                          stored_nt->hash, challenge,
571                                          NULL)) {
572                         /* The session key for this response is still very odd.  
573                            It not very secure, so use it only if we otherwise 
574                            allow LM authentication */
575
576                         if (lanman_auth && stored_lanman) {
577                                 uint8_t first_8_lm_hash[16];
578                                 memcpy(first_8_lm_hash, stored_lanman->hash, 8);
579                                 memset(first_8_lm_hash + 8, '\0', 8);
580                                 *user_sess_key = data_blob_talloc(mem_ctx, first_8_lm_hash, 16);
581                                 *lm_sess_key = data_blob_talloc(mem_ctx, stored_lanman->hash, 8);
582                         }
583                         return NT_STATUS_OK;
584                 }
585                 DEBUG(3,("ntlm_password_check: LM password, NT MD4 password in LM field and LMv2 failed for user %s\n",username));
586         } else {
587                 DEBUG(3,("ntlm_password_check: LM password and LMv2 failed for user %s, and NT MD4 password in LM field not permitted\n",username));
588         }
589
590         /* Try and match error codes */
591         if (strchr_m(username, '@')) {
592                 return NT_STATUS_NOT_FOUND;
593         }
594         return NT_STATUS_WRONG_PASSWORD;
595 }
596