authorAndrew Bartlett <abartlet@samba.org>2003-01-05 07:32:08 +0000
committerAndrew Bartlett <abartlet@samba.org>2003-01-05 07:32:08 +0000
commit9bc442abeb62c0a9985b43cf8475027ced7ec777 (patch)
tree8531e056c8f55b703af0ae17a91d0830e5583e23
parentef553ab81460f9c424e13ff3b8c158c3b950b7f1 (diff)
Clear up the auth_sam password checking code (the core of our password checking
routines). In particular, we now better support the NT# in LM field, and the LMv2 password scheme. (LMv2 is basically NTLMv2 capped at 24 bytes, slightly more secure, and in the LM field for compatibility). Thanks to the Samba-TNG team and Luke Leighton for various descriptions of this algorithm, and to MS for a solution that seems to actually make sense for once :-). Andrew Bartlett (This used to be commit 5c2e34b5b6a2241b8d2fd68458eb73bb65ade6fd)
-rw-r--r--source3/auth/auth_sam.c91
1 files changed, 58 insertions, 33 deletions
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index 02f8511d6a..79fded870e 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -73,8 +73,11 @@ static BOOL smb_pwd_check_ntlmv1(DATA_BLOB nt_response,
return (memcmp(p24, nt_response.data, 24) == 0);
}
+
/****************************************************************************
-core of smb password checking routine.
+core of smb password checking routine. (NTLMv2, LMv2)
+
+Note: The same code works with both NTLMv2 and LMv2.
****************************************************************************/
static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB ntv2_response,
const uchar *part_passwd,
@@ -104,6 +107,11 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB ntv2_response,
}
client_key_data = data_blob(ntv2_response.data+16, ntv2_response.length-16);
+ /*
+ todo: should we be checking this for anything? We can't for LMv2,
+ but for NTLMv2 it is meant to contain the current time etc.
+ */
+
memcpy(client_response, ntv2_response.data, sizeof(client_response));
if (!ntv2_owf_gen(part_passwd, user, domain, kr)) {
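Review bot: The added TODO does not say what "this" is; sitting right after the `data_blob()` call it presumably means `client_key_data`, the part of the response after the first 16 bytes. I would name the variable and state the current behaviour, for example `/* TODO: client_key_data is used without validation. We can't check it for LMv2, but for NTLMv2 it is meant to contain the current time etc. */`. That way a later reader can see that the NTLMv2 blob contents are accepted as-is today rather than having to infer it. smb_pwd_check_ntlmv2 starts and ends outside the hunk.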
@@ -206,54 +214,71 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
}
} else {
DEBUG(2,("sam_password_ok: NTLMv1 passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass)));
- /* No return, we want to check the LM hash below in this case */
+ /* no return, becouse we might pick up LMv2 in the LM feild */
}
}
- if (IS_SAM_DEFAULT(sampass, PDB_LMPASSWD)) {
- DEBUG(3,("sam_password_ok: NO LanMan password set for user %s (and no NT password supplied)\n",pdb_get_username(sampass)));
- auth_flags &= (~AUTH_FLAG_LM_RESP);
- }
-
if (auth_flags & AUTH_FLAG_LM_RESP) {
- lm_pw = pdb_get_lanman_passwd(sampass);
-
if (user_info->lm_resp.length != 24) {
DEBUG(2,("sam_password_ok: invalid LanMan password length (%d) for user %s\n",
user_info->nt_resp.length, pdb_get_username(sampass)));
}
if (!lp_lanman_auth()) {
- DEBUG(3,("sam_password_ok: Lanman passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass)));
- return NT_STATUS_LOGON_FAILURE;
+ DEBUG(3,("sam_password_ok: Lanman passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass)));
+ } else if (IS_SAM_DEFAULT(sampass, PDB_LMPASSWD)) {
+ DEBUG(3,("sam_password_ok: NO LanMan password set for user %s (and no NT password supplied)\n",pdb_get_username(sampass)));
+ } else {
+ lm_pw = pdb_get_lanman_passwd(sampass);
+
+ DEBUG(4,("sam_password_ok: Checking LM password\n"));
+ if (smb_pwd_check_ntlmv1(user_info->lm_resp,
+ lm_pw, auth_context->challenge,
+ user_sess_key))
+ {
+ return NT_STATUS_OK;
+ }
}
+
+ if (IS_SAM_DEFAULT(sampass, PDB_NTPASSWD)) {
+ DEBUG(4,("sam_password_ok: LM password check failed for user, no NT password %s\n",pdb_get_username(sampass)));
+ return NT_STATUS_WRONG_PASSWORD;
+ }
- DEBUG(4,("sam_password_ok: Checking LM password\n"));
- if (smb_pwd_check_ntlmv1(user_info->lm_resp,
- lm_pw, auth_context->challenge,
- user_sess_key))
+ nt_pw = pdb_get_nt_passwd(sampass);
+
+ /* This is for 'LMv2' authentication. almost NTLMv2 but limited to 24 bytes.
+ - related to Win9X, legacy NAS pass-though authentication
+ */
+ DEBUG(4,("sam_password_ok: Checking LMv2 password\n"));
+ if (smb_pwd_check_ntlmv2( user_info->lm_resp,
+ nt_pw, auth_context->challenge,
+ user_info->smb_name.str,
+ user_info->client_domain.str,
+ user_sess_key))
{
return NT_STATUS_OK;
- } else {
- if (lp_ntlm_auth() && (!IS_SAM_DEFAULT(sampass, PDB_NTPASSWD))) {
- nt_pw = pdb_get_nt_passwd(sampass);
- /* Apparently NT accepts NT responses in the LM field
- - I think this is related to Win9X pass-though authentication
- */
- DEBUG(4,("sam_password_ok: Checking NT MD4 password in LM field\n"));
- if (smb_pwd_check_ntlmv1(user_info->lm_resp,
- nt_pw, auth_context->challenge,
- user_sess_key))
- {
- return NT_STATUS_OK;
- } else {
- DEBUG(3,("sam_password_ok: NT MD4 password in LM field failed for user %s\n",pdb_get_username(sampass)));
- return NT_STATUS_WRONG_PASSWORD;
- }
+ }
+
+ /* Apparently NT accepts NT responses in the LM field
+ - I think this is related to Win9X pass-though authentication
+ */
+ DEBUG(4,("sam_password_ok: Checking NT MD4 password in LM field\n"));
+ if (lp_ntlm_auth())
+ {
+ if (smb_pwd_check_ntlmv1(user_info->lm_resp,
+ nt_pw, auth_context->challenge,
+ user_sess_key))
+ {
+ return NT_STATUS_OK;
}
- DEBUG(4,("sam_password_ok: LM password check failed for user %s\n",pdb_get_username(sampass)));
+ DEBUG(3,("sam_password_ok: LM password, NT MD4 password in LM field and LMv2 failed for user %s\n",pdb_get_username(sampass)));
return NT_STATUS_WRONG_PASSWORD;
- }
+ } else {
+ DEBUG(3,("sam_password_ok: LM password and LMv2 failed for user %s, and NT MD4 password in LM field not permitted\n",pdb_get_username(sampass)));
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+
}
/* Should not be reached, but if they send nothing... */
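Review bot: The length test at the top of the LM branch only logs and falls through, so an `lm_resp` of any length is handed to `smb_pwd_check_ntlmv1` (twice) and to the new `smb_pwd_check_ntlmv2` call; whether that is safe rests on length guards inside those helpers, which are not visible in these hunks. Since the commit message describes LMv2 as capped at 24 bytes, like the LM and NT-in-LM responses, I would add `return NT_STATUS_WRONG_PASSWORD;` inside that `if`, provided no other response format is expected in this field. The same DEBUG prints `user_info->nt_resp.length` where `user_info->lm_resp.length` is meant, so the log shows the wrong number when someone investigates a failed logon. The `DEBUG(4,("sam_password_ok: Checking NT MD4 password in LM field\n"))` line also sits before the `lp_ntlm_auth()` test and is therefore logged even when that check is skipped; moving it inside the `if` keeps the trace accurate. sam_password_ok starts and ends outside the hunk.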