authorAndrew Bartlett <abartlet@samba.org>2005-10-28 11:20:48 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:45:27 -0500
commit546f63df5b214a1419069887ecfd9118aae8030a (patch)
tree62e68bfa8708780546ccc28ac16f8f4ff1448c98 /source4/auth/ntlm_check.c
parent134b2488c82ae13392121f71e4960178a38f3e01 (diff)
r11370: Samba4 now passes it's own RPC-SAMLOGON test again.
This avoids the nasty user@DOMAIN test for now, as it has very odd semantics with NTLMv2. Allow only user accounts to do an interactive login. Andrew Bartlett (This used to be commit 690cad8083e176b2e58fc243a11a003a78ce4074)
Diffstat (limited to 'source4/auth/ntlm_check.c')
-rw-r--r--source4/auth/ntlm_check.c27
1 files changed, 24 insertions, 3 deletions
diff --git a/source4/auth/ntlm_check.c b/source4/auth/ntlm_check.c
index 0856b82856..fc2a45efad 100644
--- a/source4/auth/ntlm_check.c
+++ b/source4/auth/ntlm_check.c
@@ -245,6 +245,9 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
username));
return NT_STATUS_WRONG_PASSWORD;
}
+ if (strchr_m(username, '@')) {
+ return NT_STATUS_NOT_FOUND;
+ }
if (memcmp(client_lanman->hash, stored_lanman->hash, sizeof(stored_lanman->hash)) == 0) {
return NT_STATUS_OK;
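Review bot: The new `strchr_m(username, '@')` early returns change the failure status for user@DOMAIN names from NT_STATUS_WRONG_PASSWORD to NT_STATUS_NOT_FOUND without explaining why; this applies here, in the next hunk at the end of hash_password_check, and in the last hunk at the end of ntlm_password_check, where only the last site has a comment. In this hunk the check sits after an earlier return that still yields NT_STATUS_WRONG_PASSWORD, so the same name can fail with two different codes depending on which path is taken. If any caller drives bad-password counting or lockout from NT_STATUS_WRONG_PASSWORD (not visible on this page), these names would skip that accounting, which is worth confirming before merge. I would put the same comment at each site, for example `/* user@DOMAIN never matches on the LM hash; return NOT_FOUND so the error code matches what RPC-SAMLOGON expects */`, or fold the test into one small static helper so the rule is stated once. hash_password_check starts and ends outside this hunk.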
@@ -254,6 +257,9 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
return NT_STATUS_WRONG_PASSWORD;
}
}
+ if (strchr_m(username, '@')) {
+ return NT_STATUS_NOT_FOUND;
+ }
return NT_STATUS_WRONG_PASSWORD;
}
@@ -304,20 +310,27 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
&& (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
struct samr_Password client_nt;
struct samr_Password client_lm;
- uint8_t dospwd[14];
+ uint8_t dospwd[15];
+ char *unix_pw;
DEBUG(4,("ntlm_password_check: checking plaintext passwords for user %s\n",
username));
mdfour(client_nt.hash, nt_response->data, nt_response->length);
ZERO_STRUCT(dospwd);
- memcpy(dospwd, lm_response->data, MIN(lm_response->length, sizeof(dospwd)));
+ convert_string_talloc(mem_ctx, CH_DOS, CH_UNIX,
+ lm_response->data, lm_response->length,
+ (void **)&unix_pw);
+
/* Only the fisrt 14 chars are considered, password need not be null terminated. */
+ push_ascii(dospwd, unix_pw, sizeof(dospwd), STR_UPPER);
/* we *might* need to upper-case the string here */
E_P16((const uint8_t *)dospwd, client_lm.hash);
- return hash_password_check(mem_ctx, &client_lm, &client_nt,
+ return hash_password_check(mem_ctx,
+ lm_response->length ? &client_lm : NULL,
+ nt_response->length ? &client_nt : NULL,
username,
stored_lanman, stored_nt);
}
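Review bot: The result of `convert_string_talloc()` is not checked and `unix_pw` is declared without an initializer, so if converting the client-supplied `lm_response->data` fails, `push_ascii(dospwd, unix_pw, sizeof(dospwd), STR_UPPER)` is handed an indeterminate pointer. Declare it as `char *unix_pw = NULL;` and stop before push_ascii when the conversion did not produce a string, e.g. `if (unix_pw == NULL) { return NT_STATUS_WRONG_PASSWORD; }` (the status to return should be confirmed against the callers). The conversion also runs when `lm_response->length` is 0, although the LM hash is then dropped by the `lm_response->length ? &client_lm : NULL` argument, so it could be skipped in that case. Separately, `unix_pw` is a clear-text copy of the password left on `mem_ctx` and `dospwd` holds it on the stack; clearing both once `E_P16` has run would shorten the lifetime of the secret. The enclosing branch of ntlm_password_check begins outside the hunk.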
@@ -424,6 +437,9 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
} else if (!stored_lanman) {
DEBUG(3,("ntlm_password_check: NO LanMan password set for user %s (and no NT password supplied)\n",
username));
+ } else if (strchr_m(username, '@')) {
+ DEBUG(3,("ntlm_password_check: NO LanMan password allowed for username@realm logins (user: %s)\n",
+ username));
} else {
DEBUG(4,("ntlm_password_check: Checking LM password\n"));
if (smb_pwd_check_ntlmv1(mem_ctx,
@@ -572,6 +588,11 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
} else {
DEBUG(3,("ntlm_password_check: LM password and LMv2 failed for user %s, and NT MD4 password in LM field not permitted\n",username));
}
+
+ /* Try and match error codes */
+ if (strchr_m(username, '@')) {
+ return NT_STATUS_NOT_FOUND;
+ }
return NT_STATUS_WRONG_PASSWORD;
}