Move our basic password checking code from inside the authentication
authorAndrew Bartlett <abartlet@samba.org>
Tue, 30 Dec 2003 07:33:58 +0000 (07:33 +0000)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 30 Dec 2003 07:33:58 +0000 (07:33 +0000)
subsystem into a seperate file - ntlm_check.c.

This allows us to call these routines from ntlm_auth.  The purpose of this
exercise is to allow ntlm_auth (when operating as an NTLMSSP server) to
avoid talking to winbind.  This should allow for easier debugging.

ntlm_auth itself has been reorgainised, so as to share more code between
the SPNEGO-wrapped and 'raw' NTLMSSP modes.  A new 'client' NTLMSSP mode
has been added, for use with a Cyrus-SASL module I am writing (based on vl's
work)

Andrew Bartlett
(This used to be commit 48315e8fd227978e0161be293ad4411b45e3ea5b)

source3/Makefile.in
source3/auth/auth_sam.c
source3/libsmb/ntlm_check.c [new file with mode: 0644]
source3/utils/ntlm_auth.c

index e1087b9eb589343afd5f660744d5424392e005d8..3fa53c577dd3170a3616ae193e50c03b5084360b 100644 (file)
@@ -213,7 +213,8 @@ SECRETS_OBJ = passdb/secrets.o
 LIBNMB_OBJ = libsmb/unexpected.o libsmb/namecache.o libsmb/nmblib.o \
             libsmb/namequery.o libsmb/conncache.o 
 
-LIBSAMBA_OBJ = libsmb/nterr.o libsmb/smbdes.o libsmb/smbencrypt.o libsmb/ntlmssp.o libsmb/ntlmssp_parse.o libsmb/ntlmssp_sign.o
+LIBSAMBA_OBJ = libsmb/nterr.o libsmb/smbdes.o libsmb/smbencrypt.o libsmb/ntlm_check.o \
+       libsmb/ntlmssp.o libsmb/ntlmssp_parse.o libsmb/ntlmssp_sign.o
 
 LIBSMB_OBJ = libsmb/clientgen.o libsmb/cliconnect.o libsmb/clifile.o \
             libsmb/clikrb5.o libsmb/clispnego.o libsmb/asn1.o \
index 04b587343a39e9441f16c7d76d45c3aadf1fd852..ebb1e3d8614196a969ce1d6581d4f1f7636befb7 100644 (file)
@@ -3,7 +3,7 @@
    Password and authentication handling
    Copyright (C) Andrew Tridgell              1992-2000
    Copyright (C) Luke Kenneth Casson Leighton 1996-2000
-   Copyright (C) Andrew Bartlett              2001
+   Copyright (C) Andrew Bartlett              2001-2003
    Copyright (C) Gerald Carter                2003
    
    This program is free software; you can redistribute it and/or modify
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
 
-/****************************************************************************
- Core of smb password checking routine.
-****************************************************************************/
-
-static BOOL smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response,
-                                const uchar *part_passwd,
-                                const DATA_BLOB *sec_blob,
-                                DATA_BLOB *user_sess_key)
-{
-       /* Finish the encryption of part_passwd. */
-       uchar p24[24];
-       
-       if (part_passwd == NULL) {
-               DEBUG(10,("No password set - DISALLOWING access\n"));
-               /* No password set - always false ! */
-               return False;
-       }
-       
-       if (sec_blob->length != 8) {
-               DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect challenge size (%lu)\n", (unsigned long)sec_blob->length));
-               return False;
-       }
-       
-       if (nt_response->length != 24) {
-               DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect password length (%lu)\n", (unsigned long)nt_response->length));
-               return False;
-       }
-
-       SMBOWFencrypt(part_passwd, sec_blob->data, p24);
-       if (user_sess_key != NULL) {
-               *user_sess_key = data_blob(NULL, 16);
-               SMBsesskeygen_ntv1(part_passwd, NULL, user_sess_key->data);
-       }
-       
-       
-       
-#if DEBUG_PASSWORD
-       DEBUG(100,("Part password (P16) was |\n"));
-       dump_data(100, part_passwd, 16);
-       DEBUGADD(100,("Password from client was |\n"));
-       dump_data(100, nt_response->data, nt_response->length);
-       DEBUGADD(100,("Given challenge was |\n"));
-       dump_data(100, sec_blob->data, sec_blob->length);
-       DEBUGADD(100,("Value from encryption was |\n"));
-       dump_data(100, p24, 24);
-#endif
-  return (memcmp(p24, nt_response->data, 24) == 0);
-}
-
-/****************************************************************************
- Core of smb password checking routine. (NTLMv2, LMv2)
- Note:  The same code works with both NTLMv2 and LMv2.
-****************************************************************************/
-
-static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response,
-                                const uchar *part_passwd,
-                                const DATA_BLOB *sec_blob,
-                                const char *user, const char *domain,
-                                DATA_BLOB *user_sess_key)
-{
-       /* Finish the encryption of part_passwd. */
-       uchar kr[16];
-       uchar value_from_encryption[16];
-       uchar client_response[16];
-       DATA_BLOB client_key_data;
-
-       if (part_passwd == NULL) {
-               DEBUG(10,("No password set - DISALLOWING access\n"));
-               /* No password set - always False */
-               return False;
-       }
-
-       if (ntv2_response->length < 24) {
-               /* We MUST have more than 16 bytes, or the stuff below will go
-                  crazy.  No known implementation sends less than the 24 bytes
-                  for LMv2, let alone NTLMv2. */
-               DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect password length (%lu)\n", 
-                         (unsigned long)ntv2_response->length));
-               return False;
-       }
-
-       client_key_data = data_blob(ntv2_response->data+16, ntv2_response->length-16);
-       /* 
-          todo:  should we be checking this for anything?  We can't for LMv2, 
-          but for NTLMv2 it is meant to contain the current time etc.
-       */
-
-       memcpy(client_response, ntv2_response->data, sizeof(client_response));
-
-       if (!ntv2_owf_gen(part_passwd, user, domain, kr)) {
-               return False;
-       }
-
-       SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption);
-       if (user_sess_key != NULL) {
-               *user_sess_key = data_blob(NULL, 16);
-               SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key->data);
-       }
-
-#if DEBUG_PASSWORD
-       DEBUG(100,("Part password (P16) was |\n"));
-       dump_data(100, part_passwd, 16);
-       DEBUGADD(100,("Password from client was |\n"));
-       dump_data(100, ntv2_response->data, ntv2_response->length);
-       DEBUGADD(100,("Variable data from client was |\n"));
-       dump_data(100, client_key_data.data, client_key_data.length);
-       DEBUGADD(100,("Given challenge was |\n"));
-       dump_data(100, sec_blob->data, sec_blob->length);
-       DEBUGADD(100,("Value from encryption was |\n"));
-       dump_data(100, value_from_encryption, 16);
-#endif
-       data_blob_clear_free(&client_key_data);
-       return (memcmp(value_from_encryption, client_response, 16) == 0);
-}
-
-/**
- * Check a challenge-response password against the value of the NT or
- * LM password hash.
- *
- * @param mem_ctx talloc context
- * @param challenge 8-byte challenge.  If all zero, forces plaintext comparison
- * @param nt_response 'unicode' NT response to the challenge, or unicode password
- * @param lm_response ASCII or LANMAN response to the challenge, or password in DOS code page
- * @param username internal Samba username, for log messages
- * @param client_username username the client used
- * @param client_domain domain name the client used (may be mapped)
- * @param nt_pw MD4 unicode password from our passdb or similar
- * @param lm_pw LANMAN ASCII password from our passdb or similar
- * @param user_sess_key User session key
- * @param lm_sess_key LM session key (first 8 bytes of the LM hash)
- */
-
-static NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
-                                   const DATA_BLOB *challenge,
-                                   const DATA_BLOB *lm_response,
-                                   const DATA_BLOB *nt_response,
-                                   const char *username, 
-                                   const char *client_username, 
-                                   const char *client_domain,
-                                   const uint8 *lm_pw, const uint8 *nt_pw, 
-                                   DATA_BLOB *user_sess_key, 
-                                   DATA_BLOB *lm_sess_key)
-{
-       static const unsigned char zeros[8];
-       if (nt_pw == NULL) {
-               DEBUG(3,("sam_password_ok: NO NT password stored for user %s.\n", 
-                        username));
-       }
-
-       /* Check for cleartext netlogon. Used by Exchange 5.5. */
-       if (challenge->length == sizeof(zeros) && 
-           (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
-
-               DEBUG(4,("sam_password_ok: checking plaintext passwords for user %s\n",
-                        username));
-               if (nt_pw && nt_response->length) {
-                       unsigned char pwhash[16];
-                       mdfour(pwhash, nt_response->data, nt_response->length);
-                       if (memcmp(pwhash, nt_pw, sizeof(pwhash)) == 0) {
-                               return NT_STATUS_OK;
-                       } else {
-                               DEBUG(3,("sam_password_ok: NT (Unicode) plaintext password check failed for user %s\n",
-                                        username));
-                               return NT_STATUS_WRONG_PASSWORD;
-                       }
-
-               } else if (!lp_lanman_auth()) {
-                       DEBUG(3,("sam_password_ok: (plaintext password check) LANMAN passwords NOT PERMITTED for user %s\n",
-                                username));
-
-               } else if (lm_pw && lm_response->length) {
-                       uchar dospwd[14]; 
-                       uchar p16[16]; 
-                       ZERO_STRUCT(dospwd);
-                       
-                       DEBUG(100, ("DOS password: %s\n"));
-                       memcpy(dospwd, lm_response->data, MIN(lm_response->length, sizeof(dospwd)));
-                       /* Only the fisrt 14 chars are considered, password need not be null terminated. */
-                       E_P16((const unsigned char *)dospwd, p16);
-
-                       dump_data_pw("DOS password (first buffer)\n", dospwd, 14);
-                       dump_data_pw("DOS password (wire DES hash)\n", p16, 16);
-                       dump_data_pw("DOS password (passdb DES hash)\n", lm_pw, 16);
-                       if (memcmp(p16, lm_pw, sizeof(p16)) == 0) {
-                               return NT_STATUS_OK;
-                       } else {
-                               DEBUG(3,("sam_password_ok: LANMAN (ASCII) plaintext password check failed for user %s\n",
-                                        username));
-                               return NT_STATUS_WRONG_PASSWORD;
-                       }
-               } else {
-                       DEBUG(3, ("Plaintext authentication for user %s attempted, but neither NT nor LM passwords available\n", username));
-                       return NT_STATUS_WRONG_PASSWORD;
-               }
-       }
-
-       if (nt_response->length != 0 && nt_response->length < 24) {
-               DEBUG(2,("sam_password_ok: invalid NT password length (%lu) for user %s\n", 
-                        (unsigned long)nt_response->length, username));                
-       }
-       
-       if (nt_response->length >= 24 && nt_pw) {
-               if (nt_response->length > 24) {
-                       /* We have the NT MD4 hash challenge available - see if we can
-                          use it (ie. does it exist in the smbpasswd file).
-                       */
-                       DEBUG(4,("sam_password_ok: Checking NTLMv2 password with domain [%s]\n", client_domain));
-                       if (smb_pwd_check_ntlmv2( nt_response, 
-                                                 nt_pw, challenge, 
-                                         client_username, 
-                                                 client_domain,
-                                                 user_sess_key)) {
-                               return NT_STATUS_OK;
-                       }
-                       
-                       DEBUG(4,("sam_password_ok: Checking NTLMv2 password without a domain\n"));
-                       if (smb_pwd_check_ntlmv2( nt_response, 
-                                                 nt_pw, challenge, 
-                                                 client_username, 
-                                                 "",
-                                                 user_sess_key)) {
-                               return NT_STATUS_OK;
-                       } else {
-                               DEBUG(3,("sam_password_ok: NTLMv2 password check failed\n"));
-                               return NT_STATUS_WRONG_PASSWORD;
-                       }
-               }
-
-               if (lp_ntlm_auth()) {           
-                       /* We have the NT MD4 hash challenge available - see if we can
-                          use it (ie. does it exist in the smbpasswd file).
-                       */
-                       DEBUG(4,("sam_password_ok: Checking NT MD4 password\n"));
-                       if (smb_pwd_check_ntlmv1(nt_response, 
-                                                nt_pw, challenge,
-                                                user_sess_key)) {
-                               /* The LM session key for this response is not very secure, 
-                                  so use it only if we otherwise allow LM authentication */
-
-                               if (lp_lanman_auth() && lm_pw) {
-                                       uint8 first_8_lm_hash[16];
-                                       memcpy(first_8_lm_hash, lm_pw, 8);
-                                       memset(first_8_lm_hash + 8, '\0', 8);
-                                       *lm_sess_key = data_blob(first_8_lm_hash, 16);
-                               }
-                               return NT_STATUS_OK;
-                       } else {
-                               DEBUG(3,("sam_password_ok: NT MD4 password check failed for user %s\n",
-                                        username));
-                               return NT_STATUS_WRONG_PASSWORD;
-                       }
-               } else {
-                       DEBUG(2,("sam_password_ok: NTLMv1 passwords NOT PERMITTED for user %s\n",
-                                username));                    
-                       /* no return, becouse we might pick up LMv2 in the LM field */
-               }
-       }
-       
-       if (lm_response->length == 0) {
-               DEBUG(3,("sam_password_ok: NEITHER LanMan nor NT password supplied for user %s\n",
-                        username));
-               return NT_STATUS_WRONG_PASSWORD;
-       }
-       
-       if (lm_response->length < 24) {
-               DEBUG(2,("sam_password_ok: invalid LanMan password length (%lu) for user %s\n", 
-                        (unsigned long)nt_response->length, username));                
-               return NT_STATUS_WRONG_PASSWORD;
-       }
-               
-       if (!lp_lanman_auth()) {
-               DEBUG(3,("sam_password_ok: Lanman passwords NOT PERMITTED for user %s\n",
-                        username));
-       } else if (!lm_pw) {
-               DEBUG(3,("sam_password_ok: NO LanMan password set for user %s (and no NT password supplied)\n",
-                        username));
-       } else {
-               DEBUG(4,("sam_password_ok: Checking LM password\n"));
-               if (smb_pwd_check_ntlmv1(lm_response, 
-                                        lm_pw, challenge,
-                                        NULL)) {
-                       uint8 first_8_lm_hash[16];
-                       memcpy(first_8_lm_hash, lm_pw, 8);
-                       memset(first_8_lm_hash + 8, '\0', 8);
-                       *user_sess_key = data_blob(first_8_lm_hash, 16);
-                       *lm_sess_key = data_blob(first_8_lm_hash, 16);
-                       return NT_STATUS_OK;
-               }
-       }
-       
-       if (!nt_pw) {
-               DEBUG(4,("sam_password_ok: LM password check failed for user, no NT password %s\n",username));
-               return NT_STATUS_WRONG_PASSWORD;
-       }
-       
-       /* This is for 'LMv2' authentication.  almost NTLMv2 but limited to 24 bytes.
-          - related to Win9X, legacy NAS pass-though authentication
-       */
-       DEBUG(4,("sam_password_ok: Checking LMv2 password with domain %s\n", client_domain));
-       if (smb_pwd_check_ntlmv2( lm_response, 
-                                 nt_pw, challenge, 
-                                 client_username,
-                                 client_domain,
-                                 NULL)) {
-               return NT_STATUS_OK;
-       }
-       
-       DEBUG(4,("sam_password_ok: Checking LMv2 password without a domain\n"));
-       if (smb_pwd_check_ntlmv2( lm_response, 
-                                 nt_pw, challenge, 
-                                 client_username,
-                                 "",
-                                 NULL)) {
-               return NT_STATUS_OK;
-       }
-
-       /* Apparently NT accepts NT responses in the LM field
-          - I think this is related to Win9X pass-though authentication
-       */
-       DEBUG(4,("sam_password_ok: Checking NT MD4 password in LM field\n"));
-       if (lp_ntlm_auth()) {
-               if (smb_pwd_check_ntlmv1(lm_response, 
-                                        nt_pw, challenge,
-                                        NULL)) {
-                       /* The session key for this response is still very odd.  
-                          It not very secure, so use it only if we otherwise 
-                          allow LM authentication */
-
-                       if (lp_lanman_auth() && lm_pw) {
-                               uint8 first_8_lm_hash[16];
-                               memcpy(first_8_lm_hash, lm_pw, 8);
-                               memset(first_8_lm_hash + 8, '\0', 8);
-                               *user_sess_key = data_blob(first_8_lm_hash, 16);
-                               *lm_sess_key = data_blob(first_8_lm_hash, 16);
-                       }
-                       return NT_STATUS_OK;
-               }
-               DEBUG(3,("sam_password_ok: LM password, NT MD4 password in LM field and LMv2 failed for user %s\n",username));
-       } else {
-               DEBUG(3,("sam_password_ok: LM password and LMv2 failed for user %s, and NT MD4 password in LM field not permitted\n",username));
-       }
-       return NT_STATUS_WRONG_PASSWORD;
-}
-
 /****************************************************************************
  Do a specific test for an smb password being correct, given a smb_password and
  the lanman and NT responses.
diff --git a/source3/libsmb/ntlm_check.c b/source3/libsmb/ntlm_check.c
new file mode 100644 (file)
index 0000000..362b640
--- /dev/null
@@ -0,0 +1,377 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Password and authentication handling
+   Copyright (C) Andrew Tridgell              1992-2000
+   Copyright (C) Luke Kenneth Casson Leighton 1996-2000
+   Copyright (C) Andrew Bartlett              2001-2003
+   Copyright (C) Gerald Carter                2003
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
+/****************************************************************************
+ Core of smb password checking routine.
+****************************************************************************/
+
+static BOOL smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response,
+                                const uchar *part_passwd,
+                                const DATA_BLOB *sec_blob,
+                                DATA_BLOB *user_sess_key)
+{
+       /* Finish the encryption of part_passwd. */
+       uchar p24[24];
+       
+       if (part_passwd == NULL) {
+               DEBUG(10,("No password set - DISALLOWING access\n"));
+               /* No password set - always false ! */
+               return False;
+       }
+       
+       if (sec_blob->length != 8) {
+               DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect challenge size (%lu)\n", 
+                         (unsigned long)sec_blob->length));
+               return False;
+       }
+       
+       if (nt_response->length != 24) {
+               DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect password length (%lu)\n", 
+                         (unsigned long)nt_response->length));
+               return False;
+       }
+
+       SMBOWFencrypt(part_passwd, sec_blob->data, p24);
+       if (user_sess_key != NULL) {
+               *user_sess_key = data_blob(NULL, 16);
+               SMBsesskeygen_ntv1(part_passwd, NULL, user_sess_key->data);
+       }
+       
+       
+#if DEBUG_PASSWORD
+       DEBUG(100,("Part password (P16) was |\n"));
+       dump_data(100, part_passwd, 16);
+       DEBUGADD(100,("Password from client was |\n"));
+       dump_data(100, nt_response->data, nt_response->length);
+       DEBUGADD(100,("Given challenge was |\n"));
+       dump_data(100, sec_blob->data, sec_blob->length);
+       DEBUGADD(100,("Value from encryption was |\n"));
+       dump_data(100, p24, 24);
+#endif
+       return (memcmp(p24, nt_response->data, 24) == 0);
+}
+
+/****************************************************************************
+ Core of smb password checking routine. (NTLMv2, LMv2)
+ Note:  The same code works with both NTLMv2 and LMv2.
+****************************************************************************/
+
+static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response,
+                                const uchar *part_passwd,
+                                const DATA_BLOB *sec_blob,
+                                const char *user, const char *domain,
+                                DATA_BLOB *user_sess_key)
+{
+       /* Finish the encryption of part_passwd. */
+       uchar kr[16];
+       uchar value_from_encryption[16];
+       uchar client_response[16];
+       DATA_BLOB client_key_data;
+
+       if (part_passwd == NULL) {
+               DEBUG(10,("No password set - DISALLOWING access\n"));
+               /* No password set - always False */
+               return False;
+       }
+
+       if (sec_blob->length != 8) {
+               DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect challenge size (%lu)\n", 
+                         (unsigned long)sec_blob->length));
+               return False;
+       }
+       
+       if (ntv2_response->length < 24) {
+               /* We MUST have more than 16 bytes, or the stuff below will go
+                  crazy.  No known implementation sends less than the 24 bytes
+                  for LMv2, let alone NTLMv2. */
+               DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect password length (%lu)\n", 
+                         (unsigned long)ntv2_response->length));
+               return False;
+       }
+
+       client_key_data = data_blob(ntv2_response->data+16, ntv2_response->length-16);
+       /* 
+          todo:  should we be checking this for anything?  We can't for LMv2, 
+          but for NTLMv2 it is meant to contain the current time etc.
+       */
+
+       memcpy(client_response, ntv2_response->data, sizeof(client_response));
+
+       if (!ntv2_owf_gen(part_passwd, user, domain, kr)) {
+               return False;
+       }
+
+       SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption);
+       if (user_sess_key != NULL) {
+               *user_sess_key = data_blob(NULL, 16);
+               SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key->data);
+       }
+
+#if DEBUG_PASSWORD
+       DEBUG(100,("Part password (P16) was |\n"));
+       dump_data(100, part_passwd, 16);
+       DEBUGADD(100,("Password from client was |\n"));
+       dump_data(100, ntv2_response->data, ntv2_response->length);
+       DEBUGADD(100,("Variable data from client was |\n"));
+       dump_data(100, client_key_data.data, client_key_data.length);
+       DEBUGADD(100,("Given challenge was |\n"));
+       dump_data(100, sec_blob->data, sec_blob->length);
+       DEBUGADD(100,("Value from encryption was |\n"));
+       dump_data(100, value_from_encryption, 16);
+#endif
+       data_blob_clear_free(&client_key_data);
+       return (memcmp(value_from_encryption, client_response, 16) == 0);
+}
+
+/**
+ * Check a challenge-response password against the value of the NT or
+ * LM password hash.
+ *
+ * @param mem_ctx talloc context
+ * @param challenge 8-byte challenge.  If all zero, forces plaintext comparison
+ * @param nt_response 'unicode' NT response to the challenge, or unicode password
+ * @param lm_response ASCII or LANMAN response to the challenge, or password in DOS code page
+ * @param username internal Samba username, for log messages
+ * @param client_username username the client used
+ * @param client_domain domain name the client used (may be mapped)
+ * @param nt_pw MD4 unicode password from our passdb or similar
+ * @param lm_pw LANMAN ASCII password from our passdb or similar
+ * @param user_sess_key User session key
+ * @param lm_sess_key LM session key (first 8 bytes of the LM hash)
+ */
+
+NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
+                            const DATA_BLOB *challenge,
+                            const DATA_BLOB *lm_response,
+                            const DATA_BLOB *nt_response,
+                            const char *username, 
+                            const char *client_username, 
+                            const char *client_domain,
+                            const uint8 *lm_pw, const uint8 *nt_pw, 
+                            DATA_BLOB *user_sess_key, 
+                            DATA_BLOB *lm_sess_key)
+{
+       static const unsigned char zeros[8];
+       if (nt_pw == NULL) {
+               DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n", 
+                        username));
+       }
+
+       /* Check for cleartext netlogon. Used by Exchange 5.5. */
+       if (challenge->length == sizeof(zeros) && 
+           (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
+
+               DEBUG(4,("ntlm_password_check: checking plaintext passwords for user %s\n",
+                        username));
+               if (nt_pw && nt_response->length) {
+                       unsigned char pwhash[16];
+                       mdfour(pwhash, nt_response->data, nt_response->length);
+                       if (memcmp(pwhash, nt_pw, sizeof(pwhash)) == 0) {
+                               return NT_STATUS_OK;
+                       } else {
+                               DEBUG(3,("ntlm_password_check: NT (Unicode) plaintext password check failed for user %s\n",
+                                        username));
+                               return NT_STATUS_WRONG_PASSWORD;
+                       }
+
+               } else if (!lp_lanman_auth()) {
+                       DEBUG(3,("ntlm_password_check: (plaintext password check) LANMAN passwords NOT PERMITTED for user %s\n",
+                                username));
+
+               } else if (lm_pw && lm_response->length) {
+                       uchar dospwd[14]; 
+                       uchar p16[16]; 
+                       ZERO_STRUCT(dospwd);
+                       
+                       memcpy(dospwd, lm_response->data, MIN(lm_response->length, sizeof(dospwd)));
+                       /* Only the fisrt 14 chars are considered, password need not be null terminated. */
+
+                       /* we *might* need to upper-case the string here */
+                       E_P16((const unsigned char *)dospwd, p16);
+
+                       if (memcmp(p16, lm_pw, sizeof(p16)) == 0) {
+                               return NT_STATUS_OK;
+                       } else {
+                               DEBUG(3,("ntlm_password_check: LANMAN (ASCII) plaintext password check failed for user %s\n",
+                                        username));
+                               return NT_STATUS_WRONG_PASSWORD;
+                       }
+               } else {
+                       DEBUG(3, ("Plaintext authentication for user %s attempted, but neither NT nor LM passwords available\n", username));
+                       return NT_STATUS_WRONG_PASSWORD;
+               }
+       }
+
+       if (nt_response->length != 0 && nt_response->length < 24) {
+               DEBUG(2,("ntlm_password_check: invalid NT password length (%lu) for user %s\n", 
+                        (unsigned long)nt_response->length, username));                
+       }
+       
+       if (nt_response->length >= 24 && nt_pw) {
+               if (nt_response->length > 24) {
+                       /* We have the NT MD4 hash challenge available - see if we can
+                          use it (ie. does it exist in the smbpasswd file).
+                       */
+                       DEBUG(4,("ntlm_password_check: Checking NTLMv2 password with domain [%s]\n", client_domain));
+                       if (smb_pwd_check_ntlmv2( nt_response, 
+                                                 nt_pw, challenge, 
+                                         client_username, 
+                                                 client_domain,
+                                                 user_sess_key)) {
+                               return NT_STATUS_OK;
+                       }
+                       
+                       DEBUG(4,("ntlm_password_check: Checking NTLMv2 password without a domain\n"));
+                       if (smb_pwd_check_ntlmv2( nt_response, 
+                                                 nt_pw, challenge, 
+                                                 client_username, 
+                                                 "",
+                                                 user_sess_key)) {
+                               return NT_STATUS_OK;
+                       } else {
+                               DEBUG(3,("ntlm_password_check: NTLMv2 password check failed\n"));
+                               return NT_STATUS_WRONG_PASSWORD;
+                       }
+               }
+
+               if (lp_ntlm_auth()) {           
+                       /* We have the NT MD4 hash challenge available - see if we can
+                          use it (ie. does it exist in the smbpasswd file).
+                       */
+                       DEBUG(4,("ntlm_password_check: Checking NT MD4 password\n"));
+                       if (smb_pwd_check_ntlmv1(nt_response, 
+                                                nt_pw, challenge,
+                                                user_sess_key)) {
+                               /* The LM session key for this response is not very secure, 
+                                  so use it only if we otherwise allow LM authentication */
+
+                               if (lp_lanman_auth() && lm_pw) {
+                                       uint8 first_8_lm_hash[16];
+                                       memcpy(first_8_lm_hash, lm_pw, 8);
+                                       memset(first_8_lm_hash + 8, '\0', 8);
+                                       *lm_sess_key = data_blob(first_8_lm_hash, 16);
+                               }
+                               return NT_STATUS_OK;
+                       } else {
+                               DEBUG(3,("ntlm_password_check: NT MD4 password check failed for user %s\n",
+                                        username));
+                               return NT_STATUS_WRONG_PASSWORD;
+                       }
+               } else {
+                       DEBUG(2,("ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user %s\n",
+                                username));                    
+                       /* no return, becouse we might pick up LMv2 in the LM field */
+               }
+       }
+       
+       if (lm_response->length == 0) {
+               DEBUG(3,("ntlm_password_check: NEITHER LanMan nor NT password supplied for user %s\n",
+                        username));
+               return NT_STATUS_WRONG_PASSWORD;
+       }
+       
+       if (lm_response->length < 24) {
+               DEBUG(2,("ntlm_password_check: invalid LanMan password length (%lu) for user %s\n", 
+                        (unsigned long)nt_response->length, username));                
+               return NT_STATUS_WRONG_PASSWORD;
+       }
+               
+       if (!lp_lanman_auth()) {
+               DEBUG(3,("ntlm_password_check: Lanman passwords NOT PERMITTED for user %s\n",
+                        username));
+       } else if (!lm_pw) {
+               DEBUG(3,("ntlm_password_check: NO LanMan password set for user %s (and no NT password supplied)\n",
+                        username));
+       } else {
+               DEBUG(4,("ntlm_password_check: Checking LM password\n"));
+               if (smb_pwd_check_ntlmv1(lm_response, 
+                                        lm_pw, challenge,
+                                        NULL)) {
+                       uint8 first_8_lm_hash[16];
+                       memcpy(first_8_lm_hash, lm_pw, 8);
+                       memset(first_8_lm_hash + 8, '\0', 8);
+                       *user_sess_key = data_blob(first_8_lm_hash, 16);
+                       *lm_sess_key = data_blob(first_8_lm_hash, 16);
+                       return NT_STATUS_OK;
+               }
+       }
+       
+       if (!nt_pw) {
+               DEBUG(4,("ntlm_password_check: LM password check failed for user, no NT password %s\n",username));
+               return NT_STATUS_WRONG_PASSWORD;
+       }
+       
+       /* This is for 'LMv2' authentication.  almost NTLMv2 but limited to 24 bytes.
+          - related to Win9X, legacy NAS pass-though authentication
+       */
+       DEBUG(4,("ntlm_password_check: Checking LMv2 password with domain %s\n", client_domain));
+       if (smb_pwd_check_ntlmv2( lm_response, 
+                                 nt_pw, challenge, 
+                                 client_username,
+                                 client_domain,
+                                 NULL)) {
+               return NT_STATUS_OK;
+       }
+       
+       DEBUG(4,("ntlm_password_check: Checking LMv2 password without a domain\n"));
+       if (smb_pwd_check_ntlmv2( lm_response, 
+                                 nt_pw, challenge, 
+                                 client_username,
+                                 "",
+                                 NULL)) {
+               return NT_STATUS_OK;
+       }
+
+       /* Apparently NT accepts NT responses in the LM field
+          - I think this is related to Win9X pass-though authentication
+       */
+       DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n"));
+       if (lp_ntlm_auth()) {
+               if (smb_pwd_check_ntlmv1(lm_response, 
+                                        nt_pw, challenge,
+                                        NULL)) {
+                       /* The session key for this response is still very odd.  
+                          It not very secure, so use it only if we otherwise 
+                          allow LM authentication */
+
+                       if (lp_lanman_auth() && lm_pw) {
+                               uint8 first_8_lm_hash[16];
+                               memcpy(first_8_lm_hash, lm_pw, 8);
+                               memset(first_8_lm_hash + 8, '\0', 8);
+                               *user_sess_key = data_blob(first_8_lm_hash, 16);
+                               *lm_sess_key = data_blob(first_8_lm_hash, 16);
+                       }
+                       return NT_STATUS_OK;
+               }
+               DEBUG(3,("ntlm_password_check: LM password, NT MD4 password in LM field and LMv2 failed for user %s\n",username));
+       } else {
+               DEBUG(3,("ntlm_password_check: LM password and LMv2 failed for user %s, and NT MD4 password in LM field not permitted\n",username));
+       }
+       return NT_STATUS_WRONG_PASSWORD;
+}
+
index e33f4c4dee30c593fe19d9438fb69f6a3df7b12f..8c02b2741ab0b0e3bc0e81b883891659d0680dcb 100644 (file)
@@ -24,6 +24,8 @@
 
 #include "includes.h"
 
+#undef HAVE_KRB5
+
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
 
@@ -33,6 +35,7 @@ enum stdio_helper_mode {
        SQUID_2_4_BASIC,
        SQUID_2_5_BASIC,
        SQUID_2_5_NTLMSSP,
+       CLIENT_NTLMSSP_1,
        GSS_SPNEGO,
        GSS_SPNEGO_CLIENT,
        NUM_HELPER_MODES
@@ -55,6 +58,9 @@ static void manage_squid_basic_request (enum stdio_helper_mode stdio_helper_mode
 static void manage_squid_ntlmssp_request (enum stdio_helper_mode stdio_helper_mode, 
                                          char *buf, int length);
 
+static void manage_client_ntlmssp_request (enum stdio_helper_mode stdio_helper_mode, 
+                                          char *buf, int length);
+
 static void manage_gss_spnego_request (enum stdio_helper_mode stdio_helper_mode, 
                                       char *buf, int length);
 
@@ -69,6 +75,7 @@ static const struct {
        { SQUID_2_4_BASIC, "squid-2.4-basic", manage_squid_basic_request},
        { SQUID_2_5_BASIC, "squid-2.5-basic", manage_squid_basic_request},
        { SQUID_2_5_NTLMSSP, "squid-2.5-ntlmssp", manage_squid_ntlmssp_request},
+       { CLIENT_NTLMSSP_1, "client-ntlmssp-1", manage_client_ntlmssp_request},
        { GSS_SPNEGO, "gss-spnego", manage_gss_spnego_request},
        { GSS_SPNEGO_CLIENT, "gss-spnego-client", manage_gss_spnego_client_request},
        { NUM_HELPER_MODES, NULL, NULL}
@@ -335,6 +342,112 @@ static NTSTATUS winbind_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB
        return nt_status;
 }
 
+static NTSTATUS local_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *nt_session_key, DATA_BLOB *lm_session_key) 
+{
+       static const char zeros[16];
+       NTSTATUS nt_status;
+       uint8 lm_key[8]; 
+       uint8 nt_key[16]; 
+       uint8 lm_pw[16], nt_pw[16];
+
+       nt_lm_owf_gen (opt_password, nt_pw, lm_pw);
+       
+       nt_status = ntlm_password_check(ntlmssp_state->mem_ctx, 
+                                       &ntlmssp_state->chal,
+                                       &ntlmssp_state->lm_resp,
+                                       &ntlmssp_state->nt_resp, 
+                                       ntlmssp_state->user, 
+                                       ntlmssp_state->user, 
+                                       ntlmssp_state->domain,
+                                       lm_pw, nt_pw, nt_session_key, lm_session_key);
+       
+       if (NT_STATUS_IS_OK(nt_status)) {
+               if (memcmp(lm_key, zeros, 8) != 0) {
+                       *lm_session_key = data_blob(NULL, 16);
+                       memcpy(lm_session_key->data, lm_key, 8);
+                       memset(lm_session_key->data+8, '\0', 8);
+               }
+               
+               if (memcmp(nt_key, zeros, 16) != 0) {
+                       *nt_session_key = data_blob(nt_key, 16);
+               }
+       } else {
+               DEBUG(3, ("Login for user [%s]\\[%s]@[%s] failed due to [%s]\n", 
+                         ntlmssp_state->domain, ntlmssp_state->user, ntlmssp_state->workstation, 
+                         nt_errstr(nt_status)));
+       }
+       return nt_status;
+}
+
+static NTSTATUS ntlm_auth_start_ntlmssp_client(NTLMSSP_STATE **client_ntlmssp_state) 
+{
+       NTSTATUS status;
+       if ( (opt_username == NULL) || (opt_domain == NULL) ) {
+               DEBUG(1, ("Need username and domain for NTLMSSP\n"));
+               return status;
+       }
+
+       status = ntlmssp_client_start(client_ntlmssp_state);
+
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(1, ("Could not start NTLMSSP client: %s\n",
+                         nt_errstr(status)));
+               ntlmssp_end(client_ntlmssp_state);
+               return status;
+       }
+
+       status = ntlmssp_set_username(*client_ntlmssp_state, opt_username);
+
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(1, ("Could not set username: %s\n",
+                         nt_errstr(status)));
+               ntlmssp_end(client_ntlmssp_state);
+               return status;
+       }
+
+       status = ntlmssp_set_domain(*client_ntlmssp_state, opt_domain);
+
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(1, ("Could not set domain: %s\n",
+                         nt_errstr(status)));
+               ntlmssp_end(client_ntlmssp_state);
+               return status;
+       }
+
+       status = ntlmssp_set_password(*client_ntlmssp_state, opt_password);
+       
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(1, ("Could not set password: %s\n",
+                         nt_errstr(status)));
+               ntlmssp_end(client_ntlmssp_state);
+               return status;
+       }
+       return NT_STATUS_OK;
+}
+
+static NTSTATUS ntlm_auth_start_ntlmssp_server(NTLMSSP_STATE **ntlmssp_state) 
+{
+       NTSTATUS status = ntlmssp_server_start(ntlmssp_state);
+       
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(1, ("Could not start NTLMSSP client: %s\n",
+                         nt_errstr(status)));
+               return status;
+       }
+
+       /* Have we been given a local password, or should we ask winbind? */
+       if (opt_password) {
+               (*ntlmssp_state)->check_password = local_pw_check;
+               (*ntlmssp_state)->get_domain = lp_workgroup;
+               (*ntlmssp_state)->get_global_myname = global_myname;
+       } else {
+               (*ntlmssp_state)->check_password = winbind_pw_check;
+               (*ntlmssp_state)->get_domain = get_winbind_domain;
+               (*ntlmssp_state)->get_global_myname = get_winbind_netbios_name;
+       }
+       return NT_STATUS_OK;
+}
+
 static void manage_squid_ntlmssp_request(enum stdio_helper_mode stdio_helper_mode, 
                                         char *buf, int length) 
 {
@@ -348,6 +461,29 @@ static void manage_squid_ntlmssp_request(enum stdio_helper_mode stdio_helper_mod
                return;
        }
 
+       if (strlen(buf) > 3) {
+               request = base64_decode_data_blob(buf + 3);
+       } else {
+               request = data_blob(NULL, 0);
+       }
+
+       if ((strncmp(buf, "PW ", 3) == 0)) {
+               /* The calling application wants us to use a local password (rather than winbindd) */
+
+               opt_password = strndup((const char *)request.data, request.length);
+
+               if (opt_password == NULL) {
+                       DEBUG(1, ("Out of memory\n"));
+                       x_fprintf(x_stdout, "BH\n");
+                       data_blob_free(&request);
+                       return;
+               }
+
+               x_fprintf(x_stdout, "OK\n");
+               data_blob_free(&request);
+               return;
+       }
+
        if (strncmp(buf, "YR", 2) == 0) {
                if (ntlmssp_state)
                        ntlmssp_end(&ntlmssp_state);
@@ -359,17 +495,11 @@ static void manage_squid_ntlmssp_request(enum stdio_helper_mode stdio_helper_mod
                return;
        }
 
-       if (strlen(buf) > 3) {
-               request = base64_decode_data_blob(buf + 3);
-       } else {
-               request = data_blob(NULL, 0);
-       }
-
        if (!ntlmssp_state) {
-               ntlmssp_server_start(&ntlmssp_state);
-               ntlmssp_state->check_password = winbind_pw_check;
-               ntlmssp_state->get_domain = get_winbind_domain;
-               ntlmssp_state->get_global_myname = get_winbind_netbios_name;
+               if (!NT_STATUS_IS_OK(nt_status = ntlm_auth_start_ntlmssp_server(&ntlmssp_state))) {
+                       x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status));
+                       return;
+               }
        }
 
        DEBUG(10, ("got NTLMSSP packet:\n"));
@@ -386,6 +516,8 @@ static void manage_squid_ntlmssp_request(enum stdio_helper_mode stdio_helper_mod
        } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED)) {
                x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status));
                DEBUG(0, ("NTLMSSP BH: %s\n", nt_errstr(nt_status)));
+
+               ntlmssp_end(&ntlmssp_state);
        } else if (!NT_STATUS_IS_OK(nt_status)) {
                x_fprintf(x_stdout, "NA %s\n", nt_errstr(nt_status));
                DEBUG(10, ("NTLMSSP %s\n", nt_errstr(nt_status)));
@@ -397,6 +529,102 @@ static void manage_squid_ntlmssp_request(enum stdio_helper_mode stdio_helper_mod
        data_blob_free(&request);
 }
 
+static void manage_client_ntlmssp_request(enum stdio_helper_mode stdio_helper_mode, 
+                                        char *buf, int length) 
+{
+       static NTLMSSP_STATE *ntlmssp_state = NULL;
+       DATA_BLOB request, reply;
+       NTSTATUS nt_status;
+       BOOL first = False;
+       
+       if (strlen(buf) < 2) {
+               DEBUG(1, ("NTLMSSP query [%s] invalid", buf));
+               x_fprintf(x_stdout, "BH\n");
+               return;
+       }
+
+       if (strlen(buf) > 3) {
+               request = base64_decode_data_blob(buf + 3);
+       } else {
+               request = data_blob(NULL, 0);
+       }
+
+       if (strncmp(buf, "PW ", 3) == 0) {
+               /* We asked for a password and obviously got it :-) */
+
+               opt_password = strndup((const char *)request.data, request.length);
+
+               if (opt_password == NULL) {
+                       DEBUG(1, ("Out of memory\n"));
+                       x_fprintf(x_stdout, "BH\n");
+                       data_blob_free(&request);
+                       return;
+               }
+
+               x_fprintf(x_stdout, "OK\n");
+               data_blob_free(&request);
+               return;
+       }
+
+       if (opt_password == NULL) {
+               
+               /* Request a password from the calling process.  After
+                  sending it, the calling process should retry asking for the negotiate. */
+               
+               DEBUG(10, ("Requesting password\n"));
+               x_fprintf(x_stdout, "PW\n");
+               return;
+       }
+
+       if (strncmp(buf, "YR", 2) == 0) {
+               if (ntlmssp_state)
+                       ntlmssp_end(&ntlmssp_state);
+       } else if (strncmp(buf, "TT", 2) == 0) {
+               
+       } else {
+               DEBUG(1, ("NTLMSSP query [%s] invalid", buf));
+               x_fprintf(x_stdout, "BH\n");
+               return;
+       }
+
+       if (!ntlmssp_state) {
+               if (!NT_STATUS_IS_OK(nt_status = ntlm_auth_start_ntlmssp_client(&ntlmssp_state))) {
+                       x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status));
+                       return;
+               }
+               first = True;
+       }
+
+       DEBUG(10, ("got NTLMSSP packet:\n"));
+       dump_data(10, (const char *)request.data, request.length);
+
+       nt_status = ntlmssp_update(ntlmssp_state, request, &reply);
+       
+       if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+               char *reply_base64 = base64_encode_data_blob(reply);
+               if (first) {
+                       x_fprintf(x_stdout, "YR %s\n", reply_base64);
+               } else { 
+                       x_fprintf(x_stdout, "KK %s\n", reply_base64);
+               }
+               SAFE_FREE(reply_base64);
+               data_blob_free(&reply);
+               DEBUG(10, ("NTLMSSP challenge\n"));
+       } else if (NT_STATUS_IS_OK(nt_status)) {
+               x_fprintf(x_stdout, "AF\n");
+               DEBUG(10, ("NTLMSSP OK!\n"));
+               if (ntlmssp_state)
+                       ntlmssp_end(&ntlmssp_state);
+       } else {
+               x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status));
+               DEBUG(0, ("NTLMSSP BH: %s\n", nt_errstr(nt_status)));
+               if (ntlmssp_state)
+                       ntlmssp_end(&ntlmssp_state);
+       }
+
+       data_blob_free(&request);
+}
+
 static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode, 
                                       char *buf, int length) 
 {
@@ -561,10 +789,10 @@ static void manage_gss_spnego_request(enum stdio_helper_mode stdio_helper_mode,
                                return;
                        }
 
-                       ntlmssp_server_start(&ntlmssp_state);
-                       ntlmssp_state->check_password = winbind_pw_check;
-                       ntlmssp_state->get_domain = get_winbind_domain;
-                       ntlmssp_state->get_global_myname = get_winbind_netbios_name;
+                       if (!NT_STATUS_IS_OK(status = ntlm_auth_start_ntlmssp_server(&ntlmssp_state))) {
+                               x_fprintf(x_stdout, "BH %s\n", nt_errstr(status));
+                               return;
+                       }
 
                        DEBUG(10, ("got NTLMSSP packet:\n"));
                        dump_data(10, (const char *)request.negTokenInit.mechToken.data,
@@ -720,11 +948,14 @@ static BOOL manage_client_ntlmssp_init(SPNEGO_DATA spnego)
                return False;
        }
 
-       if ( (opt_username == NULL) || (opt_domain == NULL) ) {
-               DEBUG(1, ("Need username and domain for NTLMSSP\n"));
-               return False;
+       if (!client_ntlmssp_state) {
+               if (!NT_STATUS_IS_OK(status = ntlm_auth_start_ntlmssp_client(&client_ntlmssp_state))) {
+                       x_fprintf(x_stdout, "BH %s\n", nt_errstr(status));
+                       return False;
+               }
        }
 
+
        if (opt_password == NULL) {
 
                /* Request a password from the calling process.  After
@@ -736,42 +967,6 @@ static BOOL manage_client_ntlmssp_init(SPNEGO_DATA spnego)
                return True;
        }
 
-       status = ntlmssp_client_start(&client_ntlmssp_state);
-
-       if (!NT_STATUS_IS_OK(status)) {
-               DEBUG(1, ("Could not start NTLMSSP client: %s\n",
-                         nt_errstr(status)));
-               ntlmssp_end(&client_ntlmssp_state);
-               return False;
-       }
-
-       status = ntlmssp_set_username(client_ntlmssp_state, opt_username);
-
-       if (!NT_STATUS_IS_OK(status)) {
-               DEBUG(1, ("Could not set username: %s\n",
-                         nt_errstr(status)));
-               ntlmssp_end(&client_ntlmssp_state);
-               return False;
-       }
-
-       status = ntlmssp_set_domain(client_ntlmssp_state, opt_domain);
-
-       if (!NT_STATUS_IS_OK(status)) {
-               DEBUG(1, ("Could not set domain: %s\n",
-                         nt_errstr(status)));
-               ntlmssp_end(&client_ntlmssp_state);
-               return False;
-       }
-
-       status = ntlmssp_set_password(client_ntlmssp_state, opt_password);
-       
-       if (!NT_STATUS_IS_OK(status)) {
-               DEBUG(1, ("Could not set password: %s\n",
-                         nt_errstr(status)));
-               ntlmssp_end(&client_ntlmssp_state);
-               return False;
-       }
-
        spnego.type = SPNEGO_NEG_TOKEN_INIT;
        spnego.negTokenInit.mechTypes = my_mechs;
        spnego.negTokenInit.reqFlags = 0;
@@ -1915,7 +2110,12 @@ enum {
                                exit(0);
                        }
                }
-               x_fprintf(x_stderr, "unknown helper protocol [%s]\n", helper_protocol);
+               x_fprintf(x_stderr, "unknown helper protocol [%s]\n\nValid helper protools:\n\n", helper_protocol);
+
+               for (i=0; i<NUM_HELPER_MODES; i++) {
+                       x_fprintf(x_stderr, "%s\n", stdio_helper_protocols[i].name);
+               }
+
                exit(1);
        }