This is my 'Authentication Rewrite' version 1.01, mostly as submitted to

samba-technical a few weeks ago. The idea here is to standardize the checking of user names and passwords, thereby ensuring that all authtentications pass the same standards. The interface currently implemented in as nt_status = check_password(user_info, server_info) where user_info contains (mostly) the authentication data, and server_info contains things like the user-id they got, and their resolved user name. The current ugliness with the way the structures are created will be killed the next revision, when they will be created and malloced by creator functions. This patch also includes the first implementation of NTLMv2 in HEAD, but which needs some more testing. We also add a hack to allow plaintext passwords to be compared with smbpasswd, not the system password database. Finally, this patch probably reintroduces the PAM accounts bug we had in 2.2.0, I'll fix that once this hits the tree. (I've just finished testing it on a wide variety of platforms, so I want to get this patch in). (This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
author: Andrew Bartlett <abartlet@samba.org> 2001-08-03 13:09:23 +0000
committer: Andrew Bartlett <abartlet@samba.org> 2001-08-03 13:09:23 +0000
commit: 986372901e85a79343ba32f590a4a3e7658d2565 (patch)
tree: 19c863631c1c0da0535adf090dbb4c566e7e9d3b /source3/smbd/auth_smbpasswd.c
parent: 8dad2a1310c6dc908934ac836377cbfed8f7a010 (diff)
download: samba-986372901e85a79343ba32f590a4a3e7658d2565.tar.gz
samba-986372901e85a79343ba32f590a4a3e7658d2565.tar.bz2
samba-986372901e85a79343ba32f590a4a3e7658d2565.zip
1 files changed, 229 insertions, 0 deletions
diff --git a/source3/smbd/auth_smbpasswd.c b/source3/smbd/auth_smbpasswd.c
new file mode 100644
index 0000000000..ce0b03d942
--- /dev/null
+++ b/source3/smbd/auth_smbpasswd.c
@@ -0,0 +1,229 @@
+/* 
+   Unix SMB/Netbios implementation.
+   Version 1.9.
+   Password and authentication handling
+   Copyright (C) Andrew Tridgell              1992-2000
+   Copyright (C) Luke Kenneth Casson Leighton 1996-2000
+   Copyright (C) Andrew Bartlett              2001
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+extern int DEBUGLEVEL;
+
+/****************************************************************************
+core of smb password checking routine.
+****************************************************************************/
+static BOOL smb_pwd_check_ntlmv1(const uchar *password,
+				const uchar *part_passwd,
+				const uchar *c8,
+				uchar user_sess_key[16])
+{
+  /* Finish the encryption of part_passwd. */
+  uchar p24[24];
+
+  if (part_passwd == NULL) {
+	  DEBUG(10,("No password set - DISALLOWING access\n"));
+	  /* No password set - always false ! */
+	  return False;
+  }
+
+  SMBOWFencrypt(part_passwd, c8, p24);
+	if (user_sess_key != NULL)
+	{
+		SMBsesskeygen_ntv1(part_passwd, NULL, user_sess_key);
+	}
+
+
+
+#if DEBUG_PASSWORD
+	DEBUG(100,("Part password (P16) was |"));
+	dump_data(100, part_passwd, 16);
+	DEBUG(100,("Password from client was |"));
+	dump_data(100, password, 24);
+	DEBUG(100,("Given challenge was |"));
+	dump_data(100, c8, 8);
+	DEBUG(100,("Value from encryption was |"));
+	dump_data(100, p24, 24);
+#endif
+  return (memcmp(p24, password, 24) == 0);
+}
+
+/****************************************************************************
+core of smb password checking routine.
+****************************************************************************/
+static BOOL smb_pwd_check_ntlmv2(const uchar *password, size_t pwd_len,
+				uchar *part_passwd,
+				uchar const *c8,
+				const char *user, const char *domain,
+				char *user_sess_key)
+{
+	/* Finish the encryption of part_passwd. */
+	uchar kr[16];
+	uchar resp[16];
+
+	if (part_passwd == NULL)
+	{
+		DEBUG(10,("No password set - DISALLOWING access\n"));
+		/* No password set - always False */
+		return False;
+	}
+
+	ntv2_owf_gen(part_passwd, user, domain, kr);
+	SMBOWFencrypt_ntv2(kr, c8, 8, password+16, pwd_len-16, resp);
+	if (user_sess_key != NULL)
+	{
+		SMBsesskeygen_ntv2(kr, resp, user_sess_key);
+	}
+
+#if DEBUG_PASSWORD
+	DEBUG(100,("Part password (P16) was |"));
+	dump_data(100, part_passwd, 16);
+	DEBUG(100,("Password from client was |"));
+	dump_data(100, password, pwd_len);
+	DEBUG(100,("Given challenge was |"));
+	dump_data(100, c8, 8);
+	DEBUG(100,("Value from encryption was |"));
+	dump_data(100, resp, 16);
+#endif
+
+	return (memcmp(resp, password, 16) == 0);
+}
+
+
+/****************************************************************************
+ Do a specific test for an smb password being correct, given a smb_password and
+ the lanman and NT responses.
+****************************************************************************/
+uint32 smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info)
+{
+	uint8 *nt_pw, *lm_pw;
+
+	/* Quit if the account was disabled. */
+	if(pdb_get_acct_ctrl(sampass) & ACB_DISABLED) {
+		DEBUG(1,("Account for user '%s' was disabled.\n", user_info->smb_username.str));
+		return(NT_STATUS_ACCOUNT_DISABLED);
+	}
+
+	if (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ) 
+	{
+		if (lp_null_passwords()) 
+		{
+			DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", user_info->smb_username.str));
+			return(NT_STATUS_NOPROBLEMO);
+		} 
+		else 
+		{
+			DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", user_info->smb_username.str));
+			return(NT_STATUS_LOGON_FAILURE);
+		}		
+	}
+
+	if (!user_info || !sampass) 
+		return(NT_STATUS_LOGON_FAILURE);
+
+	DEBUG(4,("smb_password_ok: Checking SMB password for user %s\n",user_info->smb_username.str));
+
+	nt_pw = pdb_get_nt_passwd(sampass);
+
+	if (nt_pw != NULL) {
+		if ((user_info->nt_resp.len > 24 )) {
+			/* We have the NT MD4 hash challenge available - see if we can
+			   use it (ie. does it exist in the smbpasswd file).
+			*/
+			DEBUG(4,("smb_password_ok: Checking NTLMv2 password\n"));
+			if (smb_pwd_check_ntlmv2( user_info->nt_resp.buffer, 
+						  user_info->nt_resp.len, 
+						  nt_pw, 
+						  user_info->chal, user_info->requested_username.str, 
+						  user_info->requested_domain.str,
+						  server_info->session_key))
+			{
+				return NT_STATUS_NOPROBLEMO;
+			}
+			DEBUG(4,("smb_password_ok: NT MD4 password check failed\n"));
+
+		} else if (lp_ntlm_auth() && (user_info->nt_resp.len == 24 )) {
+				/* We have the NT MD4 hash challenge available - see if we can
+				   use it (ie. does it exist in the smbpasswd file).
+				*/
+			DEBUG(4,("smb_password_ok: Checking NT MD4 password\n"));
+			if (smb_pwd_check_ntlmv1(user_info->nt_resp.buffer, 
+						 nt_pw, user_info->chal,
+						 server_info->session_key)) {
+				DEBUG(4,("smb_password_ok: NT MD4 password check succeeded\n"));
+				return NT_STATUS_NOPROBLEMO;
+			} else { 
+				DEBUG(4,("smb_password_ok: NT MD4 password check failed\n"));
+				return NT_STATUS_WRONG_PASSWORD;
+			}
+		}
+	}
+	
+	lm_pw = pdb_get_lanman_passwd(sampass);
+	
+	if(lp_lanman_auth() && (lm_pw != NULL) && (user_info->lm_resp.len == 24 )) {
+		DEBUG(4,("smb_password_ok: Checking LM password\n"));
+		if (smb_pwd_check_ntlmv1(user_info->lm_resp.buffer, 
+					 lm_pw, user_info->chal,
+					 server_info->session_key)) {
+			DEBUG(4,("smb_password_ok: LM password check succeeded\n"));
+			return NT_STATUS_NOPROBLEMO;
+		} else {
+			DEBUG(4,("smb_password_ok: LM password check failed\n"));
+			return NT_STATUS_WRONG_PASSWORD;
+		}
+	}
+	
+	return NT_STATUS_LOGON_FAILURE;
+}
+
+
+/****************************************************************************
+check if a username/password is OK assuming the password is a 24 byte
+SMB hash
+return True if the password is correct, False otherwise
+****************************************************************************/
+
+uint32 check_smbpasswd_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info)
+{
+	SAM_ACCOUNT *sampass=NULL;
+	BOOL ret;
+	uint32 nt_status;
+
+	pdb_init_sam(&sampass);
+
+	/* get the account information */
+	ret = pdb_getsampwnam(sampass, user_info->smb_username.str);
+	if (ret == False)
+	{
+		DEBUG(1,("Couldn't find user '%s' in passdb file.\n", user_info->smb_username.str));
+		pdb_free_sam(sampass);
+		return(NT_STATUS_NO_SUCH_USER);
+	}
+
+	if ((nt_status = smb_password_ok(sampass, user_info, server_info)) != NT_STATUS_NOPROBLEMO)
+	{
+		pdb_free_sam(sampass);
+		return(nt_status);
+	}
+	
+	pdb_free_sam(sampass);
+	return nt_status;
+}
+
+
author	Andrew Bartlett <abartlet@samba.org>	2001-08-03 13:09:23 +0000
committer	Andrew Bartlett <abartlet@samba.org>	2001-08-03 13:09:23 +0000
commit	986372901e85a79343ba32f590a4a3e7658d2565 (patch)
tree	19c863631c1c0da0535adf090dbb4c566e7e9d3b /source3/smbd/auth_smbpasswd.c
parent	8dad2a1310c6dc908934ac836377cbfed8f7a010 (diff)
download	samba-986372901e85a79343ba32f590a4a3e7658d2565.tar.gz samba-986372901e85a79343ba32f590a4a3e7658d2565.tar.bz2 samba-986372901e85a79343ba32f590a4a3e7658d2565.zip