Add the 'session key' output of the NTLMSSP exchange to the cli struct, so

it can be used for 'net rpc join'.

Also fix a bug in our server-side NTLMSSP code - a client without any domain
trust links to us may calculate the NTLMv2 response with "" as the domain.

Andrew Bartlett
(This used to be commit ddaa42423bc952e59b95362f5f5aa7cca10d1ad4)

5 files changed, 39 insertions, 10 deletions

diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index 43542b2474..d32d248296 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -131,7 +131,7 @@ NTSTATUS auth_ntlmssp_end(AUTH_NTLMSSP_STATE **auth_ntlmssp_state)
 }
 
 NTSTATUS auth_ntlmssp_update(AUTH_NTLMSSP_STATE *auth_ntlmssp_state, 
-			     DATA_BLOB request, DATA_BLOB *reply) 
+			     const DATA_BLOB request, DATA_BLOB *reply) 
 {
 	return ntlmssp_server_update(auth_ntlmssp_state->ntlmssp_state, request, reply);
 }
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index 06e27f1d48..48fabba0a2 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -184,7 +184,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
 		/* We have the NT MD4 hash challenge available - see if we can
 		   use it (ie. does it exist in the smbpasswd file).
 		*/
-		DEBUG(4,("sam_password_ok: Checking NTLMv2 password\n"));
+		DEBUG(4,("sam_password_ok: Checking NTLMv2 password with domain [%s]\n", user_info->client_domain.str));
 		if (smb_pwd_check_ntlmv2( user_info->nt_resp, 
 					  nt_pw, auth_context->challenge, 
 					  user_info->smb_name.str, 
@@ -192,6 +192,16 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
 					  user_sess_key))
 		{
 			return NT_STATUS_OK;
+		}
+
+		DEBUG(4,("sam_password_ok: Checking NTLMv2 password without a domain\n"));
+		if (smb_pwd_check_ntlmv2( user_info->nt_resp, 
+					  nt_pw, auth_context->challenge, 
+					  user_info->smb_name.str, 
+					  "",
+					  user_sess_key))
+		{
+			return NT_STATUS_OK;
 		} else {
 			DEBUG(3,("sam_password_ok: NTLMv2 password check failed\n"));
 			return NT_STATUS_WRONG_PASSWORD;
@@ -250,7 +260,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
 		/* This is for 'LMv2' authentication.  almost NTLMv2 but limited to 24 bytes.
 		   - related to Win9X, legacy NAS pass-though authentication
 		*/
-		DEBUG(4,("sam_password_ok: Checking LMv2 password\n"));
+		DEBUG(4,("sam_password_ok: Checking LMv2 password with domain %s\n", user_info->client_domain.str));
 		if (smb_pwd_check_ntlmv2( user_info->lm_resp, 
 					  nt_pw, auth_context->challenge, 
 					  user_info->smb_name.str, 
@@ -260,6 +270,16 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
 			return NT_STATUS_OK;
 		}
 
+		DEBUG(4,("sam_password_ok: Checking LMv2 password without a domain\n"));
+		if (smb_pwd_check_ntlmv2( user_info->lm_resp, 
+					  nt_pw, auth_context->challenge, 
+					  user_info->smb_name.str, 
+					  "",
+					  user_sess_key))
+		{
+			return NT_STATUS_OK;
+		}
+
 		/* Apparently NT accepts NT responses in the LM field
 		   - I think this is related to Win9X pass-though authentication
 		*/
diff --git a/source3/include/client.h b/source3/include/client.h
index ddb1772c26..73e29a1fff 100644
--- a/source3/include/client.h
+++ b/source3/include/client.h
@@ -122,6 +122,10 @@ struct cli_state {
 
 	smb_sign_info sign_info;
 
+	/* the session key for this CLI, outside 
+	   any per-pipe authenticaion */
+	unsigned char user_session_key[16];
+
 	/*
 	 * Only used in NT domain calls.
 	 */
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 2b0b9abc9d..487b184dd6 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -248,6 +248,12 @@ static void set_signing_on_cli (struct cli_state *cli, uint8 user_session_key[16
 	}
 }
 
+static void set_cli_session_key (struct cli_state *cli, DATA_BLOB session_key) 
+{
+	memcpy(cli->user_session_key, session_key.data, MIN(session_key.length, sizeof(cli->user_session_key)));
+}
+
+
 static void set_temp_signing_on_cli(struct cli_state *cli) 
 {
 	if (cli->sign_info.negotiated_smb_signing)
@@ -367,6 +373,7 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user,
 
 	if (session_key.data) {
 		/* Have plaintext orginal */
+		set_cli_session_key(cli, session_key);
 		set_signing_on_cli(cli, session_key.data, nt_response);
 	}
 
@@ -559,6 +566,10 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user,
 		turn++;
 	} while (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED));
 
+	if (NT_STATUS_IS_OK(nt_status)) {
+		set_cli_session_key(cli, ntlmssp_state->session_key);
+	}
+
 	if (!NT_STATUS_IS_OK(ntlmssp_client_end(&ntlmssp_state))) {
 		return False;
 	}
diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
index 1b711f7b43..b0eb335986 100644
--- a/source3/utils/net_rpc_join.c
+++ b/source3/utils/net_rpc_join.c
@@ -264,14 +264,8 @@ int net_rpc_join_newstyle(int argc, const char **argv)
 	ctr.switch_value = 24;
 	ctr.info.id24 = &p24;
 
-	/* I don't think this is quite the right place for this
-	   calculation.  It should be moved somewhere where the credentials
-	   are calculated. )-: */
-
-	mdfour(sess_key, cli->pwd.smb_nt_pwd, 16);
-
 	CHECK_RPC_ERR(cli_samr_set_userinfo(cli, mem_ctx, &user_pol, 24, 
-					    sess_key, &ctr),
+					    cli->user_session_key, &ctr),
 		      "error setting trust account password");
 
 	/* Why do we have to try to (re-)set the ACB to be the same as what