authorAndreas Schneider <asn@samba.org>2013-04-24 15:27:21 +0200
committerAndreas Schneider <asn@cryptomilk.org>2013-04-24 17:14:48 +0200
commit4b97a19e584cb216194c5eca1270ef1926fc9006 (patch)
tree5d88fa9c31cdc3e87fdb5d7e9ceaf0fb27337b8f
parent19242b2916b55d2f1d97855e038395d5c87ca421 (diff)
BUG 9817: Fix 'map untrusted to domain' with NTLMv2.
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Wed Apr 24 17:14:48 CEST 2013 on sn-devel-104
-rw-r--r--source3/auth/auth_winbind.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c
index d4ace2c919..2b5c84d276 100644
--- a/source3/auth/auth_winbind.c
+++ b/source3/auth/auth_winbind.c
@@ -62,9 +62,15 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
}
/* Send off request */
-
params.account_name = user_info->client.account_name;
- params.domain_name = user_info->mapped.domain_name;
+ /*
+ * We need to send the domain name from the client to the DC. With
+ * NTLMv2 the domain name is part of the hashed second challenge,
+ * if we change the domain name, the DC will fail to verify the
+ * challenge cause we changed the domain name, this is like a
+ * man in the middle attack.
+ */
+ params.domain_name = user_info->client.domain_name;
params.workstation_name = user_info->workstation_name;
params.flags = 0;
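Review bot: The new comment above `params.domain_name = user_info->client.domain_name;` justifies the change only for NTLMv2, but the assignment is unconditional, so the client-supplied domain is now forwarded for every logon type. As a result `user_info->mapped.domain_name` no longer reaches the DC from this call. If that is intended, the comment should say so, for example with `* The mapped domain is deliberately not forwarded; the DC must see the name the client used in its response.`; I cannot confirm the intent from the hunk, because check_winbind_security starts and ends outside it. The wording could also be tightened: `cause we changed the domain name` would read better as `because the name no longer matches the one covered by the client's response`, and "like a man in the middle attack" as "which the DC cannot distinguish from tampering in transit". A regression test for 'map untrusted to domain' with an NTLMv2 logon would protect this line against being switched back.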