Add the 'session key' output of the NTLMSSP exchange to the cli struct, so
authorAndrew Bartlett <abartlet@samba.org>
Sun, 16 Feb 2003 22:10:48 +0000 (22:10 +0000)
committerAndrew Bartlett <abartlet@samba.org>
Sun, 16 Feb 2003 22:10:48 +0000 (22:10 +0000)
it can be used for 'net rpc join'.

Also fix a bug in our server-side NTLMSSP code - a client without any domain
trust links to us may calculate the NTLMv2 response with "" as the domain.

Andrew Bartlett
(This used to be commit ddaa42423bc952e59b95362f5f5aa7cca10d1ad4)

source3/auth/auth_ntlmssp.c
source3/auth/auth_sam.c
source3/include/client.h
source3/libsmb/cliconnect.c
source3/utils/net_rpc_join.c

index 43542b24744660e117c28d5f0c3d8d54246a6dd4..d32d2482966992e293629276ad3450a53be15a88 100644 (file)
@@ -131,7 +131,7 @@ NTSTATUS auth_ntlmssp_end(AUTH_NTLMSSP_STATE **auth_ntlmssp_state)
 }
 
 NTSTATUS auth_ntlmssp_update(AUTH_NTLMSSP_STATE *auth_ntlmssp_state, 
-                            DATA_BLOB request, DATA_BLOB *reply) 
+                            const DATA_BLOB request, DATA_BLOB *reply) 
 {
        return ntlmssp_server_update(auth_ntlmssp_state->ntlmssp_state, request, reply);
 }
index 06e27f1d48df25e05fb92d2379e4d503ea79bcaa..48fabba0a22262d2159e61bf27fbfd22a532957b 100644 (file)
@@ -184,7 +184,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
                /* We have the NT MD4 hash challenge available - see if we can
                   use it (ie. does it exist in the smbpasswd file).
                */
-               DEBUG(4,("sam_password_ok: Checking NTLMv2 password\n"));
+               DEBUG(4,("sam_password_ok: Checking NTLMv2 password with domain [%s]\n", user_info->client_domain.str));
                if (smb_pwd_check_ntlmv2( user_info->nt_resp, 
                                          nt_pw, auth_context->challenge, 
                                          user_info->smb_name.str, 
@@ -192,6 +192,16 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
                                          user_sess_key))
                {
                        return NT_STATUS_OK;
+               }
+
+               DEBUG(4,("sam_password_ok: Checking NTLMv2 password without a domain\n"));
+               if (smb_pwd_check_ntlmv2( user_info->nt_resp, 
+                                         nt_pw, auth_context->challenge, 
+                                         user_info->smb_name.str, 
+                                         "",
+                                         user_sess_key))
+               {
+                       return NT_STATUS_OK;
                } else {
                        DEBUG(3,("sam_password_ok: NTLMv2 password check failed\n"));
                        return NT_STATUS_WRONG_PASSWORD;
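Review bot: The added retry with `""` as the domain has no comment saying why a second NTLMv2 check is made, so a later reader may take it for a duplicate and remove it or widen it. A comment above the second `smb_pwd_check_ntlmv2` call would record the reason given in the commit message, for example `/* A client with no domain trust link to us may compute the NTLMv2 response over "" as the domain; retry with an empty domain. */`. The same applies to the LMv2 retry added in the `@@ -260,6 +270,16 @@` hunk. The `DEBUG(3)` failure message could also say that both the supplied and the empty domain were tried. The enclosing `else` block closes outside the hunk.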
@@ -250,7 +260,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
                /* This is for 'LMv2' authentication.  almost NTLMv2 but limited to 24 bytes.
                   - related to Win9X, legacy NAS pass-though authentication
                */
-               DEBUG(4,("sam_password_ok: Checking LMv2 password\n"));
+               DEBUG(4,("sam_password_ok: Checking LMv2 password with domain %s\n", user_info->client_domain.str));
                if (smb_pwd_check_ntlmv2( user_info->lm_resp, 
                                          nt_pw, auth_context->challenge, 
                                          user_info->smb_name.str, 
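Review bot: The LMv2 debug line prints the domain as `domain %s`, while the NTLMv2 line changed earlier in this file uses `domain [%s]`. The brackets matter because the value is supplied by the client and may be empty, which is the case this commit handles; without delimiters an empty or space-padded domain cannot be seen in the log. Suggest `"sam_password_ok: Checking LMv2 password with domain [%s]\n"`. The call to `smb_pwd_check_ntlmv2` continues outside the hunk.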
@@ -260,6 +270,16 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
                        return NT_STATUS_OK;
                }
 
+               DEBUG(4,("sam_password_ok: Checking LMv2 password without a domain\n"));
+               if (smb_pwd_check_ntlmv2( user_info->lm_resp, 
+                                         nt_pw, auth_context->challenge, 
+                                         user_info->smb_name.str, 
+                                         "",
+                                         user_sess_key))
+               {
+                       return NT_STATUS_OK;
+               }
+
                /* Apparently NT accepts NT responses in the LM field
                   - I think this is related to Win9X pass-though authentication
                */
index ddb1772c2601e33466f792f9b33ee80474ec8adb..73e29a1fff8079931f550d3b3aeedebc73076ed2 100644 (file)
@@ -122,6 +122,10 @@ struct cli_state {
 
        smb_sign_info sign_info;
 
+       /* the session key for this CLI, outside 
+          any per-pipe authenticaion */
+       unsigned char user_session_key[16];
+
        /*
         * Only used in NT domain calls.
         */
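Review bot: The comment on `user_session_key` misspells "authentication" and does not say when the field holds a valid key. Suggest `/* the session key for this CLI, outside any per-pipe authentication; only meaningful after a successful session setup */`. This is key material that now lives as long as the `cli_state`, so it is worth confirming that the teardown path (not visible here) clears it.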
index 2b0b9abc9d1d85ac2d4e588bbc606ee6424752ef..487b184dd656c87599c692d322c0a893d57bd5d7 100644 (file)
@@ -248,6 +248,12 @@ static void set_signing_on_cli (struct cli_state *cli, uint8 user_session_key[16
        }
 }
 
+static void set_cli_session_key (struct cli_state *cli, DATA_BLOB session_key) 
+{
+       memcpy(cli->user_session_key, session_key.data, MIN(session_key.length, sizeof(cli->user_session_key)));
+}
+
+
 static void set_temp_signing_on_cli(struct cli_state *cli) 
 {
        if (cli->sign_info.negotiated_smb_signing)
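Review bot: `set_cli_session_key` copies at most `session_key.length` bytes, so a blob shorter than 16 bytes leaves the tail of `cli->user_session_key` holding whatever was there before. A blob with `data == NULL` is also passed straight to `memcpy`, and the NTLMSSP caller added in this commit does not test `session_key.data` before calling. Clearing first and guarding the copy fixes both: put `memset(cli->user_session_key, 0, sizeof(cli->user_session_key));` first, then wrap the existing `memcpy` in `if (session_key.data)`. `set_temp_signing_on_cli` below is context and continues outside the hunk.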
@@ -367,6 +373,7 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user,
 
        if (session_key.data) {
                /* Have plaintext orginal */
+               set_cli_session_key(cli, session_key);
                set_signing_on_cli(cli, session_key.data, nt_response);
        }
 
@@ -559,6 +566,10 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user,
                turn++;
        } while (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED));
 
+       if (NT_STATUS_IS_OK(nt_status)) {
+               set_cli_session_key(cli, ntlmssp_state->session_key);
+       }
+
        if (!NT_STATUS_IS_OK(ntlmssp_client_end(&ntlmssp_state))) {
                return False;
        }
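Review bot: When the exchange ends with a non-OK `nt_status`, `cli->user_session_key` is left untouched, so a key from an earlier session setup on the same `cli_state` would stay in place. If callers can reuse a `cli_state` after a failed setup (not visible from this hunk), an `else` branch with `memset(cli->user_session_key, 0, sizeof(cli->user_session_key));` would stop a stale key from being used later. The function body starts and ends outside the hunk.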
index 1b711f7b432a7b6907cf1f5055a86eb65e432e1d..b0eb335986942e6fe2b3f5712e60baf1acca3c49 100644 (file)
@@ -264,14 +264,8 @@ int net_rpc_join_newstyle(int argc, const char **argv)
        ctr.switch_value = 24;
        ctr.info.id24 = &p24;
 
-       /* I don't think this is quite the right place for this
-          calculation.  It should be moved somewhere where the credentials
-          are calculated. )-: */
-
-       mdfour(sess_key, cli->pwd.smb_nt_pwd, 16);
-
        CHECK_RPC_ERR(cli_samr_set_userinfo(cli, mem_ctx, &user_pol, 24, 
-                                           sess_key, &ctr),
+                                           cli->user_session_key, &ctr),
                      "error setting trust account password");
 
        /* Why do we have to try to (re-)set the ACB to be the same as what
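Review bot: `cli->user_session_key` is passed to `cli_samr_set_userinfo` with no check that a session setup actually filled it in. In this commit only `cli_session_setup_nt1` and `cli_session_setup_ntlmssp` set the field; if the connection was established by another path, the trust account password would presumably be encrypted under an all-zero or leftover key. A flag on `cli_state` set alongside the key and tested here before the call would turn that case into an explicit error. The local `sess_key` is no longer used in the visible lines, so its declaration, which is outside the hunk, can probably be removed.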