#include "includes.h"
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
/****************************************************************************
core of smb password checking routine.
****************************************************************************/
return (memcmp(p24, nt_response.data, 24) == 0);
}
+
/****************************************************************************
-core of smb password checking routine.
+core of smb password checking routine. (NTLMv2, LMv2)
+
+Note: The same code works with both NTLMv2 and LMv2.
****************************************************************************/
static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB ntv2_response,
const uchar *part_passwd,
}
client_key_data = data_blob(ntv2_response.data+16, ntv2_response.length-16);
+ /*
+ todo: should we be checking this for anything? We can't for LMv2,
+ but for NTLMv2 it is meant to contain the current time etc.
+ */
+
memcpy(client_response, ntv2_response.data, sizeof(client_response));
- ntv2_owf_gen(part_passwd, user, domain, kr);
- SMBOWFencrypt_ntv2(kr, sec_blob, client_key_data, (char *)value_from_encryption);
+ if (!ntv2_owf_gen(part_passwd, user, domain, kr)) {
+ return False;
+ }
+
+ SMBOWFencrypt_ntv2(kr, sec_blob, client_key_data, value_from_encryption);
if (user_sess_key != NULL)
{
SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key);
}
}
- nt_pw = pdb_get_nt_passwd(sampass);
- lm_pw = pdb_get_lanman_passwd(sampass);
-
auth_flags = user_info->auth_flags;
- if (nt_pw == NULL) {
+ if (IS_SAM_DEFAULT(sampass, PDB_NTPASSWD)) {
DEBUG(3,("sam_password_ok: NO NT password stored for user %s.\n",
pdb_get_username(sampass)));
/* No return, we want to check the LM hash below in this case */
}
if (auth_flags & AUTH_FLAG_NTLMv2_RESP) {
+ nt_pw = pdb_get_nt_passwd(sampass);
/* We have the NT MD4 hash challenge available - see if we can
use it (ie. does it exist in the smbpasswd file).
*/
return NT_STATUS_WRONG_PASSWORD;
}
} else if (auth_flags & AUTH_FLAG_NTLM_RESP) {
- if (lp_ntlm_auth()) {
+ if (lp_ntlm_auth()) {
+ nt_pw = pdb_get_nt_passwd(sampass);
/* We have the NT MD4 hash challenge available - see if we can
use it (ie. does it exist in the smbpasswd file).
*/
}
} else {
DEBUG(2,("sam_password_ok: NTLMv1 passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass)));
- /* No return, we want to check the LM hash below in this case */
+ /* no return, becouse we might pick up LMv2 in the LM feild */
}
}
- if (lm_pw == NULL) {
- DEBUG(3,("sam_password_ok: NO LanMan password set for user %s (and no NT password supplied)\n",pdb_get_username(sampass)));
- auth_flags &= (~AUTH_FLAG_LM_RESP);
- }
-
if (auth_flags & AUTH_FLAG_LM_RESP) {
-
if (user_info->lm_resp.length != 24) {
DEBUG(2,("sam_password_ok: invalid LanMan password length (%d) for user %s\n",
user_info->nt_resp.length, pdb_get_username(sampass)));
}
if (!lp_lanman_auth()) {
- DEBUG(3,("sam_password_ok: Lanman passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass)));
- return NT_STATUS_LOGON_FAILURE;
+ DEBUG(3,("sam_password_ok: Lanman passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass)));
+ } else if (IS_SAM_DEFAULT(sampass, PDB_LMPASSWD)) {
+ DEBUG(3,("sam_password_ok: NO LanMan password set for user %s (and no NT password supplied)\n",pdb_get_username(sampass)));
+ } else {
+ lm_pw = pdb_get_lanman_passwd(sampass);
+
+ DEBUG(4,("sam_password_ok: Checking LM password\n"));
+ if (smb_pwd_check_ntlmv1(user_info->lm_resp,
+ lm_pw, auth_context->challenge,
+ user_sess_key))
+ {
+ return NT_STATUS_OK;
+ }
}
+
+ if (IS_SAM_DEFAULT(sampass, PDB_NTPASSWD)) {
+ DEBUG(4,("sam_password_ok: LM password check failed for user, no NT password %s\n",pdb_get_username(sampass)));
+ return NT_STATUS_WRONG_PASSWORD;
+ }
- DEBUG(4,("sam_password_ok: Checking LM password\n"));
- if (smb_pwd_check_ntlmv1(user_info->lm_resp,
- lm_pw, auth_context->challenge,
- user_sess_key))
+ nt_pw = pdb_get_nt_passwd(sampass);
+
+ /* This is for 'LMv2' authentication. almost NTLMv2 but limited to 24 bytes.
+ - related to Win9X, legacy NAS pass-though authentication
+ */
+ DEBUG(4,("sam_password_ok: Checking LMv2 password\n"));
+ if (smb_pwd_check_ntlmv2( user_info->lm_resp,
+ nt_pw, auth_context->challenge,
+ user_info->smb_name.str,
+ user_info->client_domain.str,
+ user_sess_key))
{
return NT_STATUS_OK;
+ }
+
+ /* Apparently NT accepts NT responses in the LM field
+ - I think this is related to Win9X pass-though authentication
+ */
+ DEBUG(4,("sam_password_ok: Checking NT MD4 password in LM field\n"));
+ if (lp_ntlm_auth())
+ {
+ if (smb_pwd_check_ntlmv1(user_info->lm_resp,
+ nt_pw, auth_context->challenge,
+ user_sess_key))
+ {
+ return NT_STATUS_OK;
+ }
+ DEBUG(3,("sam_password_ok: LM password, NT MD4 password in LM field and LMv2 failed for user %s\n",pdb_get_username(sampass)));
+ return NT_STATUS_WRONG_PASSWORD;
} else {
- DEBUG(4,("sam_password_ok: LM password check failed for user %s\n",pdb_get_username(sampass)));
+ DEBUG(3,("sam_password_ok: LM password and LMv2 failed for user %s, and NT MD4 password in LM field not permitted\n",pdb_get_username(sampass)));
return NT_STATUS_WRONG_PASSWORD;
- }
+ }
+
}
-
+
/* Should not be reached, but if they send nothing... */
DEBUG(3,("sam_password_ok: NEITHER LanMan nor NT password supplied for user %s\n",pdb_get_username(sampass)));
return NT_STATUS_WRONG_PASSWORD;
if (*workstation_list) {
BOOL invalid_ws = True;
- char *s = workstation_list;
+ const char *s = workstation_list;
fstring tok;
return NT_STATUS_NO_SUCH_USER;
}
- nt_status = sam_password_ok(auth_context, mem_ctx, sampass, user_info, user_sess_key);
-
+ nt_status = sam_account_ok(mem_ctx, sampass, user_info);
+
if (!NT_STATUS_IS_OK(nt_status)) {
pdb_free_sam(&sampass);
return nt_status;
}
- nt_status = sam_account_ok(mem_ctx, sampass, user_info);
-
+ nt_status = sam_password_ok(auth_context, mem_ctx, sampass, user_info, user_sess_key);
+
if (!NT_STATUS_IS_OK(nt_status)) {
pdb_free_sam(&sampass);
return nt_status;
}
- if (!make_server_info_sam(server_info, sampass)) {
- DEBUG(0,("failed to malloc memory for server_info\n"));
- return NT_STATUS_NO_MEMORY;
+ if (!NT_STATUS_IS_OK(nt_status = make_server_info_sam(server_info, sampass))) {
+ DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status)));
+ return nt_status;
}
lm_hash = pdb_get_lanman_passwd((*server_info)->sam_account);
}
/* module initialisation */
-BOOL auth_init_sam(struct auth_context *auth_context, auth_methods **auth_method)
+NTSTATUS auth_init_sam(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
{
if (!make_auth_methods(auth_context, auth_method)) {
- return False;
+ return NT_STATUS_NO_MEMORY;
}
- (*auth_method)->auth = check_sam_security;
- return True;
+ (*auth_method)->auth = check_sam_security;
+ (*auth_method)->name = "sam";
+ return NT_STATUS_OK;
}
attempt to check the password locally,
unless it is one of our aliases. */
- if (!is_netbios_alias_or_name(user_info->domain.str)) {
+ if (!is_myname(user_info->domain.str)) {
return NT_STATUS_NO_SUCH_USER;
}
}
/* module initialisation */
-BOOL auth_init_samstrict(struct auth_context *auth_context, auth_methods **auth_method)
+NTSTATUS auth_init_samstrict(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
{
if (!make_auth_methods(auth_context, auth_method)) {
- return False;
+ return NT_STATUS_NO_MEMORY;
}
(*auth_method)->auth = check_samstrict_security;
- return True;
+ (*auth_method)->name = "samstrict";
+ return NT_STATUS_OK;
}
git.samba.org / kai / samba.git / blobdiff