diff options
author | Andrew Bartlett <abartlet@samba.org> | 2002-01-11 05:29:09 +0000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2002-01-11 05:29:09 +0000 |
commit | 5047a66d39fdd56a5895037de8c519a828a03b19 (patch) | |
tree | 5e60c94008f3d1254447aad9e97fbef30906e49b /source3 | |
parent | 348f1784289ac1e15cc8cd6e543734f414b88f66 (diff) | |
download | samba-5047a66d39fdd56a5895037de8c519a828a03b19.tar.gz samba-5047a66d39fdd56a5895037de8c519a828a03b19.tar.bz2 samba-5047a66d39fdd56a5895037de8c519a828a03b19.zip |
Back out the crazy notion that the NTLMSSP flags actually mean anything...
Replace this with some flags that *we* define. We can do a mapping later
if we actually get some more reliable info about what passwords are actually
valid.
Andrew Bartlett
(This used to be commit 7f7a42c3e4d5798ac87ea16a42e4976c3778a76b)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/auth/auth_sam.c | 14 | ||||
-rw-r--r-- | source3/auth/auth_util.c | 42 | ||||
-rw-r--r-- | source3/include/auth.h | 8 | ||||
-rw-r--r-- | source3/smbd/sesssetup.c | 13 |
4 files changed, 47 insertions, 30 deletions
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index f1bcae461e..107e33c600 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -140,7 +140,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, { uint16 acct_ctrl; const uint8 *nt_pw, *lm_pw; - uint32 ntlmssp_flags; + uint32 auth_flags; acct_ctrl = pdb_get_acct_ctrl(sampass); if (acct_ctrl & ACB_PWNOTREQ) @@ -160,16 +160,16 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, nt_pw = pdb_get_nt_passwd(sampass); lm_pw = pdb_get_lanman_passwd(sampass); - ntlmssp_flags = user_info->ntlmssp_flags; + auth_flags = user_info->auth_flags; if (nt_pw == NULL) { DEBUG(3,("sam_password_ok: NO NT password stored for user %s.\n", pdb_get_username(sampass))); /* No return, we want to check the LM hash below in this case */ - ntlmssp_flags &= (~(NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_NTLM2)); + auth_flags &= (~(AUTH_FLAG_NTLMv2_RESP | AUTH_FLAG_NTLM_RESP)); } - if (ntlmssp_flags & NTLMSSP_NEGOTIATE_NTLM2) { + if (auth_flags & AUTH_FLAG_NTLMv2_RESP) { /* We have the NT MD4 hash challenge available - see if we can use it (ie. does it exist in the smbpasswd file). */ @@ -185,7 +185,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, DEBUG(3,("sam_password_ok: NTLMv2 password check failed\n")); return NT_STATUS_WRONG_PASSWORD; } - } else if (ntlmssp_flags & NTLMSSP_NEGOTIATE_NTLM) { + } else if (auth_flags & AUTH_FLAG_NTLM_RESP) { if (lp_ntlm_auth()) { /* We have the NT MD4 hash challenge available - see if we can use it (ie. does it exist in the smbpasswd file). @@ -208,10 +208,10 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, if (lm_pw == NULL) { DEBUG(3,("sam_password_ok: NO LanMan password set for user %s (and no NT password supplied)\n",pdb_get_username(sampass))); - ntlmssp_flags &= (~NTLMSSP_NEGOTIATE_OEM); + auth_flags &= (~AUTH_FLAG_LM_RESP); } - if (ntlmssp_flags & NTLMSSP_NEGOTIATE_OEM) { + if (auth_flags & AUTH_FLAG_LM_RESP) { if (user_info->lm_resp.length != 24) { DEBUG(2,("sam_password_ok: invalid LanMan password length (%d) for user %s\n", diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index a479f52ab2..a747cf8a35 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -111,7 +111,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, const char *wksta_name, DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, DATA_BLOB plaintext, - uint32 ntlmssp_flags, BOOL encrypted) + uint32 auth_flags, BOOL encrypted) { DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name)); @@ -173,7 +173,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, (*user_info)->plaintext_password = data_blob(plaintext.data, plaintext.length); (*user_info)->encrypted = encrypted; - (*user_info)->ntlmssp_flags = ntlmssp_flags; + (*user_info)->auth_flags = auth_flags; DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name)); @@ -248,14 +248,14 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len); DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); DATA_BLOB plaintext_blob = data_blob(NULL, 0); - uint32 ntlmssp_flags = 0; + uint32 auth_flags = AUTH_FLAG_NONE; if (lm_pwd_len) - ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM; + auth_flags |= AUTH_FLAG_LM_RESP; if (nt_pwd_len == 24) { - ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM; + auth_flags |= AUTH_FLAG_NTLM_RESP; } else if (nt_pwd_len != 0) { - ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM2; + auth_flags |= AUTH_FLAG_NTLMv2_RESP; } ret = make_user_info_map(user_info, @@ -263,7 +263,7 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, wksta_name, lm_blob, nt_blob, plaintext_blob, - ntlmssp_flags, True); + auth_flags, True); data_blob_free(&lm_blob); data_blob_free(&nt_blob); @@ -289,7 +289,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, unsigned char local_lm_response[24]; unsigned char local_nt_response[24]; unsigned char key[16]; - uint32 ntlmssp_flags = 0; + uint32 auth_flags = AUTH_FLAG_NONE; ZERO_STRUCT(key); memcpy(key, dc_sess_key, 8); @@ -334,9 +334,9 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, DATA_BLOB plaintext_blob = data_blob(NULL, 0); if (lm_interactive_pwd) - ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM; + auth_flags |= AUTH_FLAG_LM_RESP; if (nt_interactive_pwd) - ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM; + auth_flags |= AUTH_FLAG_NTLM_RESP; ret = make_user_info_map(user_info, smb_name, client_domain, @@ -344,7 +344,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, local_lm_blob, local_nt_blob, plaintext_blob, - ntlmssp_flags, True); + auth_flags, True); data_blob_free(&local_lm_blob); data_blob_free(&local_nt_blob); @@ -367,7 +367,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, DATA_BLOB local_lm_blob; DATA_BLOB local_nt_blob; BOOL ret = False; - uint32 ntlmssp_flags = 0; + uint32 auth_flags = AUTH_FLAG_NONE; /* * Not encrypted - do so. @@ -390,7 +390,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, case insensitive */ local_nt_blob = data_blob(NULL, 0); - ntlmssp_flags = NTLMSSP_NEGOTIATE_OEM; + auth_flags = (AUTH_FLAG_PLAINTEXT | AUTH_FLAG_LM_RESP); } else { local_lm_blob = data_blob(NULL, 0); local_nt_blob = data_blob(NULL, 0); @@ -402,7 +402,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, local_lm_blob, local_nt_blob, plaintext_password, - ntlmssp_flags, False); + auth_flags, False); data_blob_free(&local_lm_blob); return ret; @@ -417,18 +417,18 @@ BOOL make_user_info_for_reply_enc(auth_usersupplied_info **user_info, char *client_domain, DATA_BLOB lm_resp, DATA_BLOB nt_resp) { - uint32 ntlmssp_flags = 0; + uint32 auth_flags = AUTH_FLAG_NONE; DATA_BLOB no_plaintext_blob = data_blob(NULL, 0); if (lm_resp.length == 24) { - ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM; + auth_flags |= AUTH_FLAG_LM_RESP; } if (nt_resp.length == 0) { } else if (nt_resp.length == 24) { - ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM; + auth_flags |= AUTH_FLAG_NTLM_RESP; } else { - ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM2; + auth_flags |= AUTH_FLAG_NTLMv2_RESP; } return make_user_info_map(user_info, smb_name, @@ -437,7 +437,7 @@ BOOL make_user_info_for_reply_enc(auth_usersupplied_info **user_info, lm_resp, nt_resp, no_plaintext_blob, - ntlmssp_flags, True); + auth_flags, True); } /**************************************************************************** @@ -449,7 +449,7 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info) DATA_BLOB lm_blob = data_blob(NULL, 0); DATA_BLOB nt_blob = data_blob(NULL, 0); DATA_BLOB plaintext_blob = data_blob(NULL, 0); - uint32 ntlmssp_flags = 0; + uint32 auth_flags = AUTH_FLAG_NONE; return make_user_info(user_info, "","", @@ -457,7 +457,7 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info) "", nt_blob, lm_blob, plaintext_blob, - ntlmssp_flags, True); + auth_flags, True); } /*************************************************************************** diff --git a/source3/include/auth.h b/source3/include/auth.h index fb48616273..ed0a4e45f3 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -41,6 +41,12 @@ typedef struct interactive_password OWF_INFO nt_owf; /* NT OWF Password */ } auth_interactive_password; +#define AUTH_FLAG_NONE 0x000000 +#define AUTH_FLAG_PLAINTEXT 0x000001 +#define AUTH_FLAG_LM_RESP 0x000002 +#define AUTH_FLAG_NTLM_RESP 0x000004 +#define AUTH_FLAG_NTLMv2_RESP 0x000008 + typedef struct auth_usersupplied_info { @@ -51,7 +57,7 @@ typedef struct auth_usersupplied_info BOOL encrypted; - uint32 ntlmssp_flags; + uint32 auth_flags; AUTH_STR client_domain; /* domain name string */ AUTH_STR domain; /* domain name after mapping */ diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index f809f9ca0c..519817432d 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -346,6 +346,7 @@ static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf, NTSTATUS nt_status; int sess_vuid; BOOL as_guest; + uint32 auth_flags = AUTH_FLAG_NONE; auth_usersupplied_info *user_info = NULL; auth_serversupplied_info *server_info = NULL; @@ -382,12 +383,22 @@ static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf, file_save("lmhash1.dat", lmhash.data, lmhash.length); #endif + if (lmhash.length) { + auth_flags |= AUTH_FLAG_LM_RESP; + } + + if (nthash.length == 24) { + auth_flags |= AUTH_FLAG_NTLM_RESP; + } else if (nthash.length > 24) { + auth_flags |= AUTH_FLAG_NTLMv2_RESP; + } + if (!make_user_info_map(&user_info, user, workgroup, machine, lmhash, nthash, plaintext_password, - neg_flags, True)) { + auth_flags, True)) { return ERROR_NT(NT_STATUS_NO_MEMORY); } |