Move ntlm_check.h into the common libcli/auth
[kai/samba.git] / libcli / auth / ntlm_check.c
1 /* 
2    Unix SMB/CIFS implementation.
3    Password and authentication handling
4    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2004
5    Copyright (C) Gerald Carter                             2003
6    Copyright (C) Luke Kenneth Casson Leighton         1996-2000
7    
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "../lib/crypto/crypto.h"
24 #include "librpc/gen_ndr/netlogon.h"
25 #include "libcli/auth/libcli_auth.h"
26
27 /****************************************************************************
28  Core of smb password checking routine.
29 ****************************************************************************/
30
31 static bool smb_pwd_check_ntlmv1(TALLOC_CTX *mem_ctx,
32                                  const DATA_BLOB *nt_response,
33                                  const uint8_t *part_passwd,
34                                  const DATA_BLOB *sec_blob,
35                                  DATA_BLOB *user_sess_key)
36 {
37         /* Finish the encryption of part_passwd. */
38         uint8_t p24[24];
39         
40         if (part_passwd == NULL) {
41                 DEBUG(10,("No password set - DISALLOWING access\n"));
42                 /* No password set - always false ! */
43                 return false;
44         }
45         
46         if (sec_blob->length != 8) {
47                 DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect challenge size (%lu)\n", 
48                           (unsigned long)sec_blob->length));
49                 return false;
50         }
51         
52         if (nt_response->length != 24) {
53                 DEBUG(0, ("smb_pwd_check_ntlmv1: incorrect password length (%lu)\n", 
54                           (unsigned long)nt_response->length));
55                 return false;
56         }
57
58         SMBOWFencrypt(part_passwd, sec_blob->data, p24);
59         
60 #if DEBUG_PASSWORD
61         DEBUG(100,("Part password (P16) was |\n"));
62         dump_data(100, part_passwd, 16);
63         DEBUGADD(100,("Password from client was |\n"));
64         dump_data(100, nt_response->data, nt_response->length);
65         DEBUGADD(100,("Given challenge was |\n"));
66         dump_data(100, sec_blob->data, sec_blob->length);
67         DEBUGADD(100,("Value from encryption was |\n"));
68         dump_data(100, p24, 24);
69 #endif
70         if (memcmp(p24, nt_response->data, 24) == 0) {
71                 if (user_sess_key != NULL) {
72                         *user_sess_key = data_blob_talloc(mem_ctx, NULL, 16);
73                         SMBsesskeygen_ntv1(part_passwd, user_sess_key->data);
74                 }
75                 return true;
76         } 
77         return false;
78 }
79
80 /****************************************************************************
81  Core of smb password checking routine. (NTLMv2, LMv2)
82  Note:  The same code works with both NTLMv2 and LMv2.
83 ****************************************************************************/
84
85 static bool smb_pwd_check_ntlmv2(TALLOC_CTX *mem_ctx,
86                                  const DATA_BLOB *ntv2_response,
87                                  const uint8_t *part_passwd,
88                                  const DATA_BLOB *sec_blob,
89                                  const char *user, const char *domain,
90                                  bool upper_case_domain, /* should the domain be transformed into upper case? */
91                                  DATA_BLOB *user_sess_key)
92 {
93         /* Finish the encryption of part_passwd. */
94         uint8_t kr[16];
95         uint8_t value_from_encryption[16];
96         DATA_BLOB client_key_data;
97
98         if (part_passwd == NULL) {
99                 DEBUG(10,("No password set - DISALLOWING access\n"));
100                 /* No password set - always false */
101                 return false;
102         }
103
104         if (sec_blob->length != 8) {
105                 DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect challenge size (%lu)\n", 
106                           (unsigned long)sec_blob->length));
107                 return false;
108         }
109         
110         if (ntv2_response->length < 24) {
111                 /* We MUST have more than 16 bytes, or the stuff below will go
112                    crazy.  No known implementation sends less than the 24 bytes
113                    for LMv2, let alone NTLMv2. */
114                 DEBUG(0, ("smb_pwd_check_ntlmv2: incorrect password length (%lu)\n", 
115                           (unsigned long)ntv2_response->length));
116                 return false;
117         }
118
119         client_key_data = data_blob_talloc(mem_ctx, ntv2_response->data+16, ntv2_response->length-16);
120         /* 
121            todo:  should we be checking this for anything?  We can't for LMv2, 
122            but for NTLMv2 it is meant to contain the current time etc.
123         */
124
125         if (!ntv2_owf_gen(part_passwd, user, domain, upper_case_domain, kr)) {
126                 return false;
127         }
128
129         SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption);
130
131 #if DEBUG_PASSWORD
132         DEBUG(100,("Part password (P16) was |\n"));
133         dump_data(100, part_passwd, 16);
134         DEBUGADD(100,("Password from client was |\n"));
135         dump_data(100, ntv2_response->data, ntv2_response->length);
136         DEBUGADD(100,("Variable data from client was |\n"));
137         dump_data(100, client_key_data.data, client_key_data.length);
138         DEBUGADD(100,("Given challenge was |\n"));
139         dump_data(100, sec_blob->data, sec_blob->length);
140         DEBUGADD(100,("Value from encryption was |\n"));
141         dump_data(100, value_from_encryption, 16);
142 #endif
143         data_blob_clear_free(&client_key_data);
144         if (memcmp(value_from_encryption, ntv2_response->data, 16) == 0) { 
145                 if (user_sess_key != NULL) {
146                         *user_sess_key = data_blob_talloc(mem_ctx, NULL, 16);
147                         SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key->data);
148                 }
149                 return true;
150         }
151         return false;
152 }
153
154 /****************************************************************************
155  Core of smb password checking routine. (NTLMv2, LMv2)
156  Note:  The same code works with both NTLMv2 and LMv2.
157 ****************************************************************************/
158
159 static bool smb_sess_key_ntlmv2(TALLOC_CTX *mem_ctx,
160                                 const DATA_BLOB *ntv2_response,
161                                 const uint8_t *part_passwd,
162                                 const DATA_BLOB *sec_blob,
163                                 const char *user, const char *domain,
164                                 bool upper_case_domain, /* should the domain be transformed into upper case? */
165                                 DATA_BLOB *user_sess_key)
166 {
167         /* Finish the encryption of part_passwd. */
168         uint8_t kr[16];
169         uint8_t value_from_encryption[16];
170         DATA_BLOB client_key_data;
171
172         if (part_passwd == NULL) {
173                 DEBUG(10,("No password set - DISALLOWING access\n"));
174                 /* No password set - always false */
175                 return false;
176         }
177
178         if (sec_blob->length != 8) {
179                 DEBUG(0, ("smb_sess_key_ntlmv2: incorrect challenge size (%lu)\n", 
180                           (unsigned long)sec_blob->length));
181                 return false;
182         }
183         
184         if (ntv2_response->length < 24) {
185                 /* We MUST have more than 16 bytes, or the stuff below will go
186                    crazy.  No known implementation sends less than the 24 bytes
187                    for LMv2, let alone NTLMv2. */
188                 DEBUG(0, ("smb_sess_key_ntlmv2: incorrect password length (%lu)\n", 
189                           (unsigned long)ntv2_response->length));
190                 return false;
191         }
192
193         client_key_data = data_blob_talloc(mem_ctx, ntv2_response->data+16, ntv2_response->length-16);
194
195         if (!ntv2_owf_gen(part_passwd, user, domain, upper_case_domain, kr)) {
196                 return false;
197         }
198
199         SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption);
200         *user_sess_key = data_blob_talloc(mem_ctx, NULL, 16);
201         SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key->data);
202         return true;
203 }
204
205 /**
206  * Compare password hashes against those from the SAM
207  *
208  * @param mem_ctx talloc context
209  * @param client_lanman LANMAN password hash, as supplied by the client
210  * @param client_nt NT (MD4) password hash, as supplied by the client
211  * @param username internal Samba username, for log messages
212  * @param client_username username the client used
213  * @param client_domain domain name the client used (may be mapped)
214  * @param stored_lanman LANMAN password hash, as stored on the SAM
215  * @param stored_nt NT (MD4) password hash, as stored on the SAM
216  * @param user_sess_key User session key
217  * @param lm_sess_key LM session key (first 8 bytes of the LM hash)
218  */
219
220 NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
221                                  bool lanman_auth,
222                              const struct samr_Password *client_lanman,
223                              const struct samr_Password *client_nt,
224                              const char *username, 
225                              const struct samr_Password *stored_lanman, 
226                              const struct samr_Password *stored_nt)
227 {
228         if (stored_nt == NULL) {
229                 DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n", 
230                          username));
231         }
232
233         if (client_nt && stored_nt) {
234                 if (memcmp(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash)) == 0) {
235                         return NT_STATUS_OK;
236                 } else {
237                         DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n",
238                                  username));
239                         return NT_STATUS_WRONG_PASSWORD;
240                 }
241
242         } else if (client_lanman && stored_lanman) {
243                 if (!lanman_auth) {
244                         DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
245                                  username));
246                         return NT_STATUS_WRONG_PASSWORD;
247                 }
248                 if (strchr_m(username, '@')) {
249                         return NT_STATUS_NOT_FOUND;
250                 }
251
252                 if (memcmp(client_lanman->hash, stored_lanman->hash, sizeof(stored_lanman->hash)) == 0) {
253                         return NT_STATUS_OK;
254                 } else {
255                         DEBUG(3,("ntlm_password_check: Interactive logon: LANMAN password check failed for user %s\n",
256                                  username));
257                         return NT_STATUS_WRONG_PASSWORD;
258                 }
259         }
260         if (strchr_m(username, '@')) {
261                 return NT_STATUS_NOT_FOUND;
262         }
263         return NT_STATUS_WRONG_PASSWORD;
264 }
265
266 /**
267  * Check a challenge-response password against the value of the NT or
268  * LM password hash.
269  *
270  * @param mem_ctx talloc context
271  * @param challenge 8-byte challenge.  If all zero, forces plaintext comparison
272  * @param nt_response 'unicode' NT response to the challenge, or unicode password
273  * @param lm_response ASCII or LANMAN response to the challenge, or password in DOS code page
274  * @param username internal Samba username, for log messages
275  * @param client_username username the client used
276  * @param client_domain domain name the client used (may be mapped)
277  * @param stored_lanman LANMAN ASCII password from our passdb or similar
278  * @param stored_nt MD4 unicode password from our passdb or similar
279  * @param user_sess_key User session key
280  * @param lm_sess_key LM session key (first 8 bytes of the LM hash)
281  */
282
283 NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
284                                  bool lanman_auth,
285                                  bool ntlm_auth,
286                              uint32_t logon_parameters,
287                              const DATA_BLOB *challenge,
288                              const DATA_BLOB *lm_response,
289                              const DATA_BLOB *nt_response,
290                              const char *username, 
291                              const char *client_username, 
292                              const char *client_domain,
293                              const struct samr_Password *stored_lanman, 
294                              const struct samr_Password *stored_nt, 
295                              DATA_BLOB *user_sess_key, 
296                              DATA_BLOB *lm_sess_key)
297 {
298         const static uint8_t zeros[8];
299         DATA_BLOB tmp_sess_key;
300
301         if (stored_nt == NULL) {
302                 DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n", 
303                          username));
304         }
305
306         *lm_sess_key = data_blob(NULL, 0);
307         *user_sess_key = data_blob(NULL, 0);
308
309         /* Check for cleartext netlogon. Used by Exchange 5.5. */
310         if ((logon_parameters & MSV1_0_CLEARTEXT_PASSWORD_ALLOWED)
311             && challenge->length == sizeof(zeros) 
312             && (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
313                 struct samr_Password client_nt;
314                 struct samr_Password client_lm;
315                 char *unix_pw = NULL;
316                 bool lm_ok;
317
318                 DEBUG(4,("ntlm_password_check: checking plaintext passwords for user %s\n",
319                          username));
320                 mdfour(client_nt.hash, nt_response->data, nt_response->length);
321                 
322                 if (lm_response->length && 
323                     (convert_string_talloc(mem_ctx, CH_DOS, CH_UNIX, 
324                                           lm_response->data, lm_response->length, 
325                                            (void **)&unix_pw, NULL, false))) {
326                         if (E_deshash(unix_pw, client_lm.hash)) {
327                                 lm_ok = true;
328                         } else {
329                                 lm_ok = false;
330                         }
331                 } else {
332                         lm_ok = false;
333                 }
334                 return hash_password_check(mem_ctx, 
335                                            lanman_auth,
336                                            lm_ok ? &client_lm : NULL, 
337                                            nt_response->length ? &client_nt : NULL, 
338                                            username,  
339                                            stored_lanman, stored_nt);
340         }
341
342         if (nt_response->length != 0 && nt_response->length < 24) {
343                 DEBUG(2,("ntlm_password_check: invalid NT password length (%lu) for user %s\n", 
344                          (unsigned long)nt_response->length, username));                
345         }
346         
347         if (nt_response->length > 24 && stored_nt) {
348                 /* We have the NT MD4 hash challenge available - see if we can
349                    use it 
350                 */
351                 DEBUG(4,("ntlm_password_check: Checking NTLMv2 password with domain [%s]\n", client_domain));
352                 if (smb_pwd_check_ntlmv2(mem_ctx,
353                                          nt_response, 
354                                          stored_nt->hash, challenge, 
355                                          client_username, 
356                                          client_domain,
357                                          false,
358                                          user_sess_key)) {
359                         *lm_sess_key = *user_sess_key;
360                         if (user_sess_key->length) {
361                                 lm_sess_key->length = 8;
362                         }
363                         return NT_STATUS_OK;
364                 }
365                 
366                 DEBUG(4,("ntlm_password_check: Checking NTLMv2 password with uppercased version of domain [%s]\n", client_domain));
367                 if (smb_pwd_check_ntlmv2(mem_ctx,
368                                          nt_response, 
369                                          stored_nt->hash, challenge, 
370                                          client_username, 
371                                          client_domain,
372                                          true,
373                                          user_sess_key)) {
374                         *lm_sess_key = *user_sess_key;
375                         if (user_sess_key->length) {
376                                 lm_sess_key->length = 8;
377                         }
378                         return NT_STATUS_OK;
379                 }
380                 
381                 DEBUG(4,("ntlm_password_check: Checking NTLMv2 password without a domain\n"));
382                 if (smb_pwd_check_ntlmv2(mem_ctx,
383                                          nt_response, 
384                                          stored_nt->hash, challenge, 
385                                          client_username, 
386                                          "",
387                                          false,
388                                          user_sess_key)) {
389                         *lm_sess_key = *user_sess_key;
390                         if (user_sess_key->length) {
391                                 lm_sess_key->length = 8;
392                         }
393                         return NT_STATUS_OK;
394                 } else {
395                         DEBUG(3,("ntlm_password_check: NTLMv2 password check failed\n"));
396                 }
397         } else if (nt_response->length == 24 && stored_nt) {
398                 if (ntlm_auth) {                
399                         /* We have the NT MD4 hash challenge available - see if we can
400                            use it (ie. does it exist in the smbpasswd file).
401                         */
402                         DEBUG(4,("ntlm_password_check: Checking NT MD4 password\n"));
403                         if (smb_pwd_check_ntlmv1(mem_ctx, 
404                                                  nt_response, 
405                                                  stored_nt->hash, challenge,
406                                                  user_sess_key)) {
407                                 /* The LM session key for this response is not very secure, 
408                                    so use it only if we otherwise allow LM authentication */
409                                 
410                                 if (lanman_auth && stored_lanman) {
411                                         *lm_sess_key = data_blob_talloc(mem_ctx, stored_lanman->hash, 8);
412                                 }
413                                 return NT_STATUS_OK;
414                         } else {
415                                 DEBUG(3,("ntlm_password_check: NT MD4 password check failed for user %s\n",
416                                          username));
417                                 return NT_STATUS_WRONG_PASSWORD;
418                         }
419                 } else {
420                         DEBUG(2,("ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user %s\n",
421                                  username));                    
422                         /* no return, becouse we might pick up LMv2 in the LM field */
423                 }
424         }
425         
426         if (lm_response->length == 0) {
427                 DEBUG(3,("ntlm_password_check: NEITHER LanMan nor NT password supplied for user %s\n",
428                          username));
429                 return NT_STATUS_WRONG_PASSWORD;
430         }
431         
432         if (lm_response->length < 24) {
433                 DEBUG(2,("ntlm_password_check: invalid LanMan password length (%lu) for user %s\n", 
434                          (unsigned long)nt_response->length, username));                
435                 return NT_STATUS_WRONG_PASSWORD;
436         }
437                 
438         if (!lanman_auth) {
439                 DEBUG(3,("ntlm_password_check: Lanman passwords NOT PERMITTED for user %s\n",
440                          username));
441         } else if (!stored_lanman) {
442                 DEBUG(3,("ntlm_password_check: NO LanMan password set for user %s (and no NT password supplied)\n",
443                          username));
444         } else if (strchr_m(username, '@')) {
445                 DEBUG(3,("ntlm_password_check: NO LanMan password allowed for username@realm logins (user: %s)\n",
446                          username));
447         } else {
448                 DEBUG(4,("ntlm_password_check: Checking LM password\n"));
449                 if (smb_pwd_check_ntlmv1(mem_ctx,
450                                          lm_response, 
451                                          stored_lanman->hash, challenge,
452                                          NULL)) {
453                         /* The session key for this response is still very odd.  
454                            It not very secure, so use it only if we otherwise 
455                            allow LM authentication */
456
457                         if (lanman_auth && stored_lanman) {
458                                 uint8_t first_8_lm_hash[16];
459                                 memcpy(first_8_lm_hash, stored_lanman->hash, 8);
460                                 memset(first_8_lm_hash + 8, '\0', 8);
461                                 *user_sess_key = data_blob_talloc(mem_ctx, first_8_lm_hash, 16);
462                                 *lm_sess_key = data_blob_talloc(mem_ctx, stored_lanman->hash, 8);
463                         }
464                         return NT_STATUS_OK;
465                 }
466         }
467         
468         if (!stored_nt) {
469                 DEBUG(4,("ntlm_password_check: LM password check failed for user, no NT password %s\n",username));
470                 return NT_STATUS_WRONG_PASSWORD;
471         }
472         
473         /* This is for 'LMv2' authentication.  almost NTLMv2 but limited to 24 bytes.
474            - related to Win9X, legacy NAS pass-though authentication
475         */
476         DEBUG(4,("ntlm_password_check: Checking LMv2 password with domain %s\n", client_domain));
477         if (smb_pwd_check_ntlmv2(mem_ctx,
478                                  lm_response, 
479                                  stored_nt->hash, challenge, 
480                                  client_username,
481                                  client_domain,
482                                  false,
483                                  &tmp_sess_key)) {
484                 if (nt_response->length > 24) {
485                         /* If NTLMv2 authentication has preceeded us
486                          * (even if it failed), then use the session
487                          * key from that.  See the RPC-SAMLOGON
488                          * torture test */
489                         smb_sess_key_ntlmv2(mem_ctx,
490                                             nt_response, 
491                                             stored_nt->hash, challenge, 
492                                             client_username,
493                                             client_domain,
494                                             false,
495                                             user_sess_key);
496                 } else {
497                         /* Otherwise, use the LMv2 session key */
498                         *user_sess_key = tmp_sess_key;
499                 }
500                 *lm_sess_key = *user_sess_key;
501                 if (user_sess_key->length) {
502                         lm_sess_key->length = 8;
503                 }
504                 return NT_STATUS_OK;
505         }
506         
507         DEBUG(4,("ntlm_password_check: Checking LMv2 password with upper-cased version of domain %s\n", client_domain));
508         if (smb_pwd_check_ntlmv2(mem_ctx,
509                                  lm_response, 
510                                  stored_nt->hash, challenge, 
511                                  client_username,
512                                  client_domain,
513                                  true,
514                                  &tmp_sess_key)) {
515                 if (nt_response->length > 24) {
516                         /* If NTLMv2 authentication has preceeded us
517                          * (even if it failed), then use the session
518                          * key from that.  See the RPC-SAMLOGON
519                          * torture test */
520                         smb_sess_key_ntlmv2(mem_ctx,
521                                             nt_response, 
522                                             stored_nt->hash, challenge, 
523                                             client_username,
524                                             client_domain,
525                                             true,
526                                             user_sess_key);
527                 } else {
528                         /* Otherwise, use the LMv2 session key */
529                         *user_sess_key = tmp_sess_key;
530                 }
531                 *lm_sess_key = *user_sess_key;
532                 if (user_sess_key->length) {
533                         lm_sess_key->length = 8;
534                 }
535                 return NT_STATUS_OK;
536         }
537         
538         DEBUG(4,("ntlm_password_check: Checking LMv2 password without a domain\n"));
539         if (smb_pwd_check_ntlmv2(mem_ctx,
540                                  lm_response, 
541                                  stored_nt->hash, challenge, 
542                                  client_username,
543                                  "",
544                                  false,
545                                  &tmp_sess_key)) {
546                 if (nt_response->length > 24) {
547                         /* If NTLMv2 authentication has preceeded us
548                          * (even if it failed), then use the session
549                          * key from that.  See the RPC-SAMLOGON
550                          * torture test */
551                         smb_sess_key_ntlmv2(mem_ctx,
552                                             nt_response, 
553                                             stored_nt->hash, challenge, 
554                                             client_username,
555                                             "",
556                                             false,
557                                             user_sess_key);
558                 } else {
559                         /* Otherwise, use the LMv2 session key */
560                         *user_sess_key = tmp_sess_key;
561                 }
562                 *lm_sess_key = *user_sess_key;
563                 if (user_sess_key->length) {
564                         lm_sess_key->length = 8;
565                 }
566                 return NT_STATUS_OK;
567         }
568
569         /* Apparently NT accepts NT responses in the LM field
570            - I think this is related to Win9X pass-though authentication
571         */
572         DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n"));
573         if (ntlm_auth) {
574                 if (smb_pwd_check_ntlmv1(mem_ctx, 
575                                          lm_response, 
576                                          stored_nt->hash, challenge,
577                                          NULL)) {
578                         /* The session key for this response is still very odd.  
579                            It not very secure, so use it only if we otherwise 
580                            allow LM authentication */
581
582                         if (lanman_auth && stored_lanman) {
583                                 uint8_t first_8_lm_hash[16];
584                                 memcpy(first_8_lm_hash, stored_lanman->hash, 8);
585                                 memset(first_8_lm_hash + 8, '\0', 8);
586                                 *user_sess_key = data_blob_talloc(mem_ctx, first_8_lm_hash, 16);
587                                 *lm_sess_key = data_blob_talloc(mem_ctx, stored_lanman->hash, 8);
588                         }
589                         return NT_STATUS_OK;
590                 }
591                 DEBUG(3,("ntlm_password_check: LM password, NT MD4 password in LM field and LMv2 failed for user %s\n",username));
592         } else {
593                 DEBUG(3,("ntlm_password_check: LM password and LMv2 failed for user %s, and NT MD4 password in LM field not permitted\n",username));
594         }
595
596         /* Try and match error codes */
597         if (strchr_m(username, '@')) {
598                 return NT_STATUS_NOT_FOUND;
599         }
600         return NT_STATUS_WRONG_PASSWORD;
601 }
602