author | Andrew Bartlett <abartlet@samba.org> | 2005-10-28 11:20:48 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:45:27 -0500 |
commit | 546f63df5b214a1419069887ecfd9118aae8030a (patch) | |
tree | 62e68bfa8708780546ccc28ac16f8f4ff1448c98 /source4/auth | |
parent | 134b2488c82ae13392121f71e4960178a38f3e01 (diff) | |
r11370: Samba4 now passes its own RPC-SAMLOGON test again.
This avoids the nasty user@DOMAIN test for now, as it has very odd
semantics with NTLMv2.
Allow only user accounts to do an interactive login.
Andrew Bartlett
(This used to be commit 690cad8083e176b2e58fc243a11a003a78ce4074)
Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/auth.h | 1 | ||||
-rw-r--r-- | source4/auth/auth_sam.c | 7 | ||||
-rw-r--r-- | source4/auth/ntlm_check.c | 27 |
3 files changed, 32 insertions, 3 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 55168a5beb..9f2e0b6a07 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -39,6 +39,7 @@
 #define USER_INFO_CASE_INSENSITIVE_USERNAME 0x01 /* username may be in any case */
 #define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */
 #define USER_INFO_DONT_CHECK_UNIX_ACCOUNT 0x04 /* dont check unix account status */
+#define USER_INFO_INTERACTIVE_LOGON 0x08 /* dont check unix account status */
 enum auth_password_state {
 AUTH_PASSWORD_RESPONSE,
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c
index e17eea8087..44609bb7f8 100644
--- a/source4/auth/auth_sam.c
+++ b/source4/auth/auth_sam.c
@@ -370,6 +370,13 @@ static NTSTATUS authsam_authenticate(struct auth_context *auth_context,
 return NT_STATUS_ACCOUNT_LOCKED_OUT;
 }
+ /* You can only do an interactive login to normal accounts */
+ if (user_info->flags & USER_INFO_INTERACTIVE_LOGON) {
+ if (!(acct_flags & ACB_NORMAL)) {
+ return NT_STATUS_NO_SUCH_USER;
+ }
+ }
+
 nt_status = samdb_result_passwords(mem_ctx, msgs[0], &lm_pwd, &nt_pwd);
 NT_STATUS_NOT_OK_RETURN(nt_status);
diff --git a/source4/auth/ntlm_check.c b/source4/auth/ntlm_check.c
index 0856b82856..fc2a45efad 100644
--- a/source4/auth/ntlm_check.c
+++ b/source4/auth/ntlm_check.c
@@ -245,6 +245,9 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
 username));
 return NT_STATUS_WRONG_PASSWORD;
 }
+ if (strchr_m(username, '@')) {
+ return NT_STATUS_NOT_FOUND;
+ }
 if (memcmp(client_lanman->hash, stored_lanman->hash, sizeof(stored_lanman->hash)) == 0) {
 return NT_STATUS_OK;
@@ -254,6 +257,9 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
 return NT_STATUS_WRONG_PASSWORD;
 }
 }
+ if (strchr_m(username, '@')) {
+ return NT_STATUS_NOT_FOUND;
+ }
 return NT_STATUS_WRONG_PASSWORD;
 }
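Review bot: The comment on the new `USER_INFO_INTERACTIVE_LOGON 0x08` flag, `/* dont check unix account status */`, is copied verbatim from the `USER_INFO_DONT_CHECK_UNIX_ACCOUNT` line above it and describes the wrong flag. The auth_sam.c part of this commit uses the bit to refuse the logon unless the account has `ACB_NORMAL`, so the header should say that, e.g. `#define USER_INFO_INTERACTIVE_LOGON 0x08 /* this is an interactive logon; only normal user accounts (ACB_NORMAL) may do it */`. Anyone reading auth.h alone would otherwise assume 0x04 and 0x08 are synonyms.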
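Review bot: The new `ACB_NORMAL` check in `authsam_authenticate` answers `NT_STATUS_NO_SUCH_USER` for every existing account that is not a normal user account, which folds workstation, server and inter-domain trust accounts into the same status as a nonexistent user when `USER_INFO_INTERACTIVE_LOGON` is set. Since the rest of this commit is explicitly trying to match Windows error codes, and Windows presumably reports the dedicated NOLOGON_*_TRUST_ACCOUNT statuses for those account types, it may be worth mapping the `acct_flags` bits to the matching status instead of `NT_STATUS_NO_SUCH_USER` — confirm against the RPC-SAMLOGON test before changing it. The comment could also record why the check sits here, before the password comparison: `/* Interactive (plaintext) logons are only permitted to normal user accounts; reject before touching the stored hashes */`. The body of `authsam_authenticate` begins and ends outside this hunk.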
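Review bot: The `strchr_m(username, '@')` early return added before the LanMan `memcmp` in `hash_password_check` has no comment, and the same test is repeated at the function's tail in the following hunk, so a reader cannot tell why a user@realm name yields `NT_STATUS_NOT_FOUND` rather than `NT_STATUS_WRONG_PASSWORD`, nor why LanMan is refused for it. The later `/* Try and match error codes */` in ntlm_check.c suggests the intent is to mirror what Windows returns for such names; say so at the first occurrence, e.g. `/* user@realm names may not authenticate with a LanMan response; report NOT_FOUND, presumably matching Windows — confirm with RPC-SAMLOGON */`. Note that the test only inspects the shape of the caller-supplied name, not whether an account exists, so it does not create an account-existence oracle. `hash_password_check` starts before this hunk.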
@@ -304,20 +310,27 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 && (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
 struct samr_Password client_nt;
 struct samr_Password client_lm;
- uint8_t dospwd[14];
+ uint8_t dospwd[15];
+ char *unix_pw;
 DEBUG(4,("ntlm_password_check: checking plaintext passwords for user %s\n",
 username));
 mdfour(client_nt.hash, nt_response->data, nt_response->length);
 ZERO_STRUCT(dospwd);
- memcpy(dospwd, lm_response->data, MIN(lm_response->length, sizeof(dospwd)));
+ convert_string_talloc(mem_ctx, CH_DOS, CH_UNIX,
+ lm_response->data, lm_response->length,
+ (void **)&unix_pw);
+ /* Only the fisrt 14 chars are considered, password need not be null terminated. */
+ push_ascii(dospwd, unix_pw, sizeof(dospwd), STR_UPPER);
 /* we *might* need to upper-case the string here */
 E_P16((const uint8_t *)dospwd, client_lm.hash);
- return hash_password_check(mem_ctx, &client_lm, &client_nt,
+ return hash_password_check(mem_ctx,
+ lm_response->length ? &client_lm : NULL,
+ nt_response->length ? &client_nt : NULL,
 username, stored_lanman, stored_nt);
 }
@@ -424,6 +437,9 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 } else if (!stored_lanman) {
 DEBUG(3,("ntlm_password_check: NO LanMan password set for user %s (and no NT password supplied)\n",
 username));
+ } else if (strchr_m(username, '@')) {
+ DEBUG(3,("ntlm_password_check: NO LanMan password allowed for username@realm logins (user: %s)\n",
+ username));
 } else {
 DEBUG(4,("ntlm_password_check: Checking LM password\n"));
 if (smb_pwd_check_ntlmv1(mem_ctx,
@@ -572,6 +588,11 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 } else {
 DEBUG(3,("ntlm_password_check: LM password and LMv2 failed for user %s, and NT MD4 password in LM field not permitted\n",username));
 }
+
+ /* Try and match error codes */
+ if (strchr_m(username, '@')) {
+ return NT_STATUS_NOT_FOUND;
+ }
 return NT_STATUS_WRONG_PASSWORD;
 }
|
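Review bot: The result of `convert_string_talloc()` is discarded on the new side and `unix_pw` is declared without an initialiser, so if the conversion of the client-supplied `lm_response` fails, `push_ascii(dospwd, unix_pw, sizeof(dospwd), STR_UPPER)` reads through an indeterminate (or NULL) pointer. Initialise `char *unix_pw = NULL;` and fail closed when the call reports an error, e.g. `if (convert_string_talloc(mem_ctx, CH_DOS, CH_UNIX, lm_response->data, lm_response->length, (void **)&unix_pw) == -1) { return NT_STATUS_NO_MEMORY; }` — adjust the comparison to whatever failure value that helper actually uses. The plaintext password now also lives in both `unix_pw` and `dospwd` and neither is scrubbed after `E_P16`; clearing at least `dospwd` before returning would be prudent, and `fisrt` in the new comment should read `first`. `ntlm_password_check` continues outside this hunk.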
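Review bot: The comment `/* Try and match error codes */` above the added `strchr_m(username, '@')` check does not say whose error codes are being matched or why a user@realm name turns the function's final `NT_STATUS_WRONG_PASSWORD` into `NT_STATUS_NOT_FOUND`. The commit message attributes this to the odd user@DOMAIN semantics under NTLMv2, so spell that out at the check: `/* For user@realm names Windows presumably reports NOT_FOUND rather than WRONG_PASSWORD after a failed NTLM check; mirror that so RPC-SAMLOGON status codes line up — confirm */`. Worth stating too that this tail remaps the failure status for every path that reaches it, including an NT-hash mismatch on an existing account, so for such names the client can no longer distinguish a bad password from an unknown user. `ntlm_password_check` begins outside this hunk.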