r11366: Pass around the flags which indicate if we should support plaintext

logins and NTLM machine account logins.

Andrew Bartlett
(This used to be commit 421e64c2b4192bb13d2857d6c8648ff687ed653e)

4 files changed, 26 insertions, 13 deletions

diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 392703729f..55168a5beb 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -51,6 +51,8 @@ struct auth_usersupplied_info
 	const char *workstation_name;
 	const char *remote_host;
 
+	uint32_t logon_parameters;
+
 	BOOL mapped_state;
 	/* the values the client gives us */
 	struct {
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c
index 7449e6cd25..e17eea8087 100644
--- a/source4/auth/auth_sam.c
+++ b/source4/auth/auth_sam.c
@@ -105,7 +105,8 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context,
 		break;
 		
 	case AUTH_PASSWORD_RESPONSE:
-		status = ntlm_password_check(mem_ctx, &auth_context->challenge.data, 
+		status = ntlm_password_check(mem_ctx, user_info->logon_parameters, 
+					     &auth_context->challenge.data, 
 					     &user_info->password.response.lanman, 
 					     &user_info->password.response.nt,
 					     user_info->mapped.account_name,
@@ -133,6 +134,7 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context,
  (ie not disabled, expired and the like).
 ****************************************************************************/
 static NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
+				   uint32_t logon_parameters,
 				   uint16_t acct_flags,
 				   NTTIME acct_expiry,
 				   NTTIME must_change_time,
@@ -204,20 +206,23 @@ static NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 			return NT_STATUS_INVALID_WORKSTATION;
 		}
 	}
-
+	
 	if (acct_flags & ACB_DOMTRUST) {
 		DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", user_info->mapped.account_name));
 		return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
 	}
-
-	if (acct_flags & ACB_SVRTRUST) {
-		DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", user_info->mapped.account_name));
-		return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
+	
+	if (!(logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) {
+		if (acct_flags & ACB_SVRTRUST) {
+			DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", user_info->mapped.account_name));
+			return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
+		}
 	}
-
-	if (acct_flags & ACB_WSTRUST) {
-		DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", user_info->mapped.account_name));
-		return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
+	if (!(logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)) {
+		if (acct_flags & ACB_WSTRUST) {
+			DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", user_info->mapped.account_name));
+			return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
+		}
 	}
 
 	return NT_STATUS_OK;
@@ -381,7 +386,9 @@ static NTSTATUS authsam_authenticate(struct auth_context *auth_context,
 
 	workstation_list = samdb_result_string(msgs[0], "userWorkstations", NULL);
 
-	nt_status = authsam_account_ok(mem_ctx, acct_flags, 
+	nt_status = authsam_account_ok(mem_ctx, 
+				       user_info->logon_parameters,
+				       acct_flags, 
 				       acct_expiry, 
 				       must_change_time, 
 				       last_set_time, 
diff --git a/source4/auth/ntlm_check.c b/source4/auth/ntlm_check.c
index d033dfeb79..0856b82856 100644
--- a/source4/auth/ntlm_check.c
+++ b/source4/auth/ntlm_check.c
@@ -23,6 +23,7 @@
 #include "includes.h"
 #include "lib/crypto/crypto.h"
 #include "librpc/gen_ndr/ndr_samr.h"
+#include "librpc/gen_ndr/ndr_netlogon.h"
 
 /****************************************************************************
  Core of smb password checking routine.
@@ -274,6 +275,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
  */
 
 NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
+			     uint32_t logon_parameters,
 			     const DATA_BLOB *challenge,
 			     const DATA_BLOB *lm_response,
 			     const DATA_BLOB *nt_response,
@@ -297,8 +299,9 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 	*user_sess_key = data_blob(NULL, 0);
 
 	/* Check for cleartext netlogon. Used by Exchange 5.5. */
-	if (challenge->length == sizeof(zeros) && 
-	    (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
+	if ((logon_parameters & MSV1_0_CLEARTEXT_PASSWORD_ALLOWED)
+	    && challenge->length == sizeof(zeros) 
+	    && (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
 		struct samr_Password client_nt;
 		struct samr_Password client_lm;
 		uint8_t dospwd[14]; 
diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c
index 53c53d3cb9..ec3c9ba188 100644
--- a/source4/auth/ntlmssp/ntlmssp_server.c
+++ b/source4/auth/ntlmssp/ntlmssp_server.c
@@ -689,6 +689,7 @@ static NTSTATUS auth_ntlmssp_check_password(struct gensec_ntlmssp_state *gensec_
 		return NT_STATUS_NO_MEMORY;
 	}
 
+	user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
 	user_info->flags = 0;
 	user_info->mapped_state = False;
 	user_info->client.account_name = gensec_ntlmssp_state->user;