/* We have the NT MD4 hash challenge available - see if we can
use it (ie. does it exist in the smbpasswd file).
*/
- DEBUG(4,("sam_password_ok: Checking NTLMv2 password\n"));
+ DEBUG(4,("sam_password_ok: Checking NTLMv2 password with domain [%s]\n", user_info->client_domain.str));
if (smb_pwd_check_ntlmv2( user_info->nt_resp,
nt_pw, auth_context->challenge,
user_info->smb_name.str,
user_sess_key))
{
return NT_STATUS_OK;
+ }
+
+ DEBUG(4,("sam_password_ok: Checking NTLMv2 password without a domain\n"));
+ if (smb_pwd_check_ntlmv2( user_info->nt_resp,
+ nt_pw, auth_context->challenge,
+ user_info->smb_name.str,
+ "",
+ user_sess_key))
+ {
+ return NT_STATUS_OK;
} else {
DEBUG(3,("sam_password_ok: NTLMv2 password check failed\n"));
return NT_STATUS_WRONG_PASSWORD;
/* This is for 'LMv2' authentication. almost NTLMv2 but limited to 24 bytes.
- related to Win9X, legacy NAS pass-though authentication
*/
- DEBUG(4,("sam_password_ok: Checking LMv2 password\n"));
+ DEBUG(4,("sam_password_ok: Checking LMv2 password with domain %s\n", user_info->client_domain.str));
if (smb_pwd_check_ntlmv2( user_info->lm_resp,
nt_pw, auth_context->challenge,
user_info->smb_name.str,
return NT_STATUS_OK;
}
+ DEBUG(4,("sam_password_ok: Checking LMv2 password without a domain\n"));
+ if (smb_pwd_check_ntlmv2( user_info->lm_resp,
+ nt_pw, auth_context->challenge,
+ user_info->smb_name.str,
+ "",
+ user_sess_key))
+ {
+ return NT_STATUS_OK;
+ }
+
/* Apparently NT accepts NT responses in the LM field
- I think this is related to Win9X pass-though authentication
*/
}
}
+static void set_cli_session_key (struct cli_state *cli, DATA_BLOB session_key)
+{
+ memcpy(cli->user_session_key, session_key.data, MIN(session_key.length, sizeof(cli->user_session_key)));
+}
+
+
static void set_temp_signing_on_cli(struct cli_state *cli)
{
if (cli->sign_info.negotiated_smb_signing)
if (session_key.data) {
/* Have plaintext orginal */
+ set_cli_session_key(cli, session_key);
set_signing_on_cli(cli, session_key.data, nt_response);
}
turn++;
} while (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED));
+ if (NT_STATUS_IS_OK(nt_status)) {
+ set_cli_session_key(cli, ntlmssp_state->session_key);
+ }
+
if (!NT_STATUS_IS_OK(ntlmssp_client_end(&ntlmssp_state))) {
return False;
}
ctr.switch_value = 24;
ctr.info.id24 = &p24;
- /* I don't think this is quite the right place for this
- calculation. It should be moved somewhere where the credentials
- are calculated. )-: */
-
- mdfour(sess_key, cli->pwd.smb_nt_pwd, 16);
-
CHECK_RPC_ERR(cli_samr_set_userinfo(cli, mem_ctx, &user_pol, 24,
- sess_key, &ctr),
+ cli->user_session_key, &ctr),
"error setting trust account password");
/* Why do we have to try to (re-)set the ACB to be the same as what