source3/auth/auth_sam.c

   1 /*
   2    Unix SMB/Netbios implementation.
   3    Version 1.9.
   4    Password and authentication handling
   5    Copyright (C) Andrew Tridgell              1992-2000
   6    Copyright (C) Luke Kenneth Casson Leighton 1996-2000
   7    Copyright (C) Andrew Bartlett              2001
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 2 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program; if not, write to the Free Software
  21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22 */
  23
  24 #include "includes.h"
  25
  26 extern int DEBUGLEVEL;
  27
  28 /****************************************************************************
  29 core of smb password checking routine.
  30 ****************************************************************************/
  31 static BOOL smb_pwd_check_ntlmv1(const uchar *password,
  32                                 const uchar *part_passwd,
  33                                 const uchar *c8,
  34                                 uchar user_sess_key[16])
  35 {
  36   /* Finish the encryption of part_passwd. */
  37   uchar p24[24];
  38
  39   if (part_passwd == NULL) {
  40           DEBUG(10,("No password set - DISALLOWING access\n"));
  41           /* No password set - always false ! */
  42           return False;
  43   }
  44
  45   SMBOWFencrypt(part_passwd, c8, p24);
  46         if (user_sess_key != NULL)
  47         {
  48                 SMBsesskeygen_ntv1(part_passwd, NULL, user_sess_key);
  49         }
  50
  51
  52
  53 #if DEBUG_PASSWORD
  54         DEBUG(100,("Part password (P16) was |"));
  55         dump_data(100, part_passwd, 16);
  56         DEBUG(100,("Password from client was |"));
  57         dump_data(100, password, 24);
  58         DEBUG(100,("Given challenge was |"));
  59         dump_data(100, c8, 8);
  60         DEBUG(100,("Value from encryption was |"));
  61         dump_data(100, p24, 24);
  62 #endif
  63   return (memcmp(p24, password, 24) == 0);
  64 }
  65
  66 /****************************************************************************
  67 core of smb password checking routine.
  68 ****************************************************************************/
  69 static BOOL smb_pwd_check_ntlmv2(const uchar *password, size_t pwd_len,
  70                                 uchar *part_passwd,
  71                                 uchar const *c8,
  72                                 const char *user, const char *domain,
  73                                 char *user_sess_key)
  74 {
  75         /* Finish the encryption of part_passwd. */
  76         uchar kr[16];
  77         uchar resp[16];
  78
  79         if (part_passwd == NULL)
  80         {
  81                 DEBUG(10,("No password set - DISALLOWING access\n"));
  82                 /* No password set - always False */
  83                 return False;
  84         }
  85
  86         ntv2_owf_gen(part_passwd, user, domain, kr);
  87         SMBOWFencrypt_ntv2(kr, c8, 8, password+16, pwd_len-16, resp);
  88         if (user_sess_key != NULL)
  89         {
  90                 SMBsesskeygen_ntv2(kr, resp, user_sess_key);
  91         }
  92
  93 #if DEBUG_PASSWORD
  94         DEBUG(100,("Part password (P16) was |"));
  95         dump_data(100, part_passwd, 16);
  96         DEBUG(100,("Password from client was |"));
  97         dump_data(100, password, pwd_len);
  98         DEBUG(100,("Given challenge was |"));
  99         dump_data(100, c8, 8);
 100         DEBUG(100,("Value from encryption was |"));
 101         dump_data(100, resp, 16);
 102 #endif
 103
 104         return (memcmp(resp, password, 16) == 0);
 105 }
 106
 107
 108 /****************************************************************************
 109  Do a specific test for an smb password being correct, given a smb_password and
 110  the lanman and NT responses.
 111 ****************************************************************************/
 112 uint32 smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info)
 113 {
 114         uint8 *nt_pw, *lm_pw;
 115
 116         /* Quit if the account was disabled. */
 117         if(pdb_get_acct_ctrl(sampass) & ACB_DISABLED) {
 118                 DEBUG(1,("Account for user '%s' was disabled.\n", user_info->smb_username.str));
 119                 return(NT_STATUS_ACCOUNT_DISABLED);
 120         }
 121
 122         if (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ)
 123         {
 124                 if (lp_null_passwords())
 125                 {
 126                         DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", user_info->smb_username.str));
 127                         return(NT_STATUS_NOPROBLEMO);
 128                 }
 129                 else
 130                 {
 131                         DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", user_info->smb_username.str));
 132                         return(NT_STATUS_LOGON_FAILURE);
 133                 }
 134         }
 135
 136         if (!user_info || !sampass)
 137                 return(NT_STATUS_LOGON_FAILURE);
 138
 139         DEBUG(4,("smb_password_ok: Checking SMB password for user %s\n",user_info->smb_username.str));
 140
 141         nt_pw = pdb_get_nt_passwd(sampass);
 142
 143         if (nt_pw != NULL) {
 144                 if ((user_info->nt_resp.len > 24 )) {
 145                         /* We have the NT MD4 hash challenge available - see if we can
 146                            use it (ie. does it exist in the smbpasswd file).
 147                         */
 148                         DEBUG(4,("smb_password_ok: Checking NTLMv2 password\n"));
 149                         if (smb_pwd_check_ntlmv2( user_info->nt_resp.buffer,
 150                                                   user_info->nt_resp.len,
 151                                                   nt_pw,
 152                                                   user_info->chal, user_info->requested_username.str,
 153                                                   user_info->requested_domain.str,
 154                                                   server_info->session_key))
 155                         {
 156                                 return NT_STATUS_NOPROBLEMO;
 157                         }
 158                         DEBUG(4,("smb_password_ok: NT MD4 password check failed\n"));
 159
 160                 } else if (lp_ntlm_auth() && (user_info->nt_resp.len == 24 )) {
 161                                 /* We have the NT MD4 hash challenge available - see if we can
 162                                    use it (ie. does it exist in the smbpasswd file).
 163                                 */
 164                         DEBUG(4,("smb_password_ok: Checking NT MD4 password\n"));
 165                         if (smb_pwd_check_ntlmv1(user_info->nt_resp.buffer,
 166                                                  nt_pw, user_info->chal,
 167                                                  server_info->session_key)) {
 168                                 DEBUG(4,("smb_password_ok: NT MD4 password check succeeded\n"));
 169                                 return NT_STATUS_NOPROBLEMO;
 170                         } else {
 171                                 DEBUG(4,("smb_password_ok: NT MD4 password check failed\n"));
 172                                 return NT_STATUS_WRONG_PASSWORD;
 173                         }
 174                 }
 175         }
 176
 177         lm_pw = pdb_get_lanman_passwd(sampass);
 178
 179         if(lp_lanman_auth() && (lm_pw != NULL) && (user_info->lm_resp.len == 24 )) {
 180                 DEBUG(4,("smb_password_ok: Checking LM password\n"));
 181                 if (smb_pwd_check_ntlmv1(user_info->lm_resp.buffer,
 182                                          lm_pw, user_info->chal,
 183                                          server_info->session_key)) {
 184                         DEBUG(4,("smb_password_ok: LM password check succeeded\n"));
 185                         return NT_STATUS_NOPROBLEMO;
 186                 } else {
 187                         DEBUG(4,("smb_password_ok: LM password check failed\n"));
 188                         return NT_STATUS_WRONG_PASSWORD;
 189                 }
 190         }
 191
 192         return NT_STATUS_LOGON_FAILURE;
 193 }
 194
 195
 196 /****************************************************************************
 197 check if a username/password is OK assuming the password is a 24 byte
 198 SMB hash
 199 return True if the password is correct, False otherwise
 200 ****************************************************************************/
 201
 202 uint32 check_smbpasswd_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info)
 203 {
 204         SAM_ACCOUNT *sampass=NULL;
 205         BOOL ret;
 206         uint32 nt_status;
 207
 208         pdb_init_sam(&sampass);
 209
 210         /* get the account information */
 211         ret = pdb_getsampwnam(sampass, user_info->smb_username.str);
 212         if (ret == False)
 213         {
 214                 DEBUG(1,("Couldn't find user '%s' in passdb file.\n", user_info->smb_username.str));
 215                 pdb_free_sam(sampass);
 216                 return(NT_STATUS_NO_SUCH_USER);
 217         }
 218
 219         if ((nt_status = smb_password_ok(sampass, user_info, server_info)) != NT_STATUS_NOPROBLEMO)
 220         {
 221                 pdb_free_sam(sampass);
 222                 return(nt_status);
 223         }
 224
 225         pdb_free_sam(sampass);
 226         return nt_status;
 227 }
 228
 229