summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2005-10-28 08:54:37 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:45:26 -0500
commit152988a828ee958b9452474885460e9e46f65e79 (patch)
treee47d19417306a5fb8b556f82e48f47367754c1f8 /source4
parentea4ad9152a0cea08914580a71c3e4987d65ba284 (diff)
downloadsamba-152988a828ee958b9452474885460e9e46f65e79.tar.gz
samba-152988a828ee958b9452474885460e9e46f65e79.tar.bz2
samba-152988a828ee958b9452474885460e9e46f65e79.zip
r11366: Pass around the flags which indicate if we should support plaintext
logins and NTLM machine account logins. Andrew Bartlett (This used to be commit 421e64c2b4192bb13d2857d6c8648ff687ed653e)
Diffstat (limited to 'source4')
-rw-r--r--source4/auth/auth.h2
-rw-r--r--source4/auth/auth_sam.c29
-rw-r--r--source4/auth/ntlm_check.c7
-rw-r--r--source4/auth/ntlmssp/ntlmssp_server.c1
-rw-r--r--source4/rpc_server/netlogon/dcerpc_netlogon.c8
5 files changed, 31 insertions, 16 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 392703729f..55168a5beb 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -51,6 +51,8 @@ struct auth_usersupplied_info
const char *workstation_name;
const char *remote_host;
+ uint32_t logon_parameters;
+
BOOL mapped_state;
/* the values the client gives us */
struct {
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c
index 7449e6cd25..e17eea8087 100644
--- a/source4/auth/auth_sam.c
+++ b/source4/auth/auth_sam.c
@@ -105,7 +105,8 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context,
break;
case AUTH_PASSWORD_RESPONSE:
- status = ntlm_password_check(mem_ctx, &auth_context->challenge.data,
+ status = ntlm_password_check(mem_ctx, user_info->logon_parameters,
+ &auth_context->challenge.data,
&user_info->password.response.lanman,
&user_info->password.response.nt,
user_info->mapped.account_name,
@@ -133,6 +134,7 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context,
(ie not disabled, expired and the like).
****************************************************************************/
static NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
+ uint32_t logon_parameters,
uint16_t acct_flags,
NTTIME acct_expiry,
NTTIME must_change_time,
@@ -204,20 +206,23 @@ static NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
return NT_STATUS_INVALID_WORKSTATION;
}
}
-
+
if (acct_flags & ACB_DOMTRUST) {
DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", user_info->mapped.account_name));
return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
}
-
- if (acct_flags & ACB_SVRTRUST) {
- DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", user_info->mapped.account_name));
- return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
+
+ if (!(logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) {
+ if (acct_flags & ACB_SVRTRUST) {
+ DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", user_info->mapped.account_name));
+ return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
+ }
}
-
- if (acct_flags & ACB_WSTRUST) {
- DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", user_info->mapped.account_name));
- return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
+ if (!(logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)) {
+ if (acct_flags & ACB_WSTRUST) {
+ DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", user_info->mapped.account_name));
+ return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
+ }
}
return NT_STATUS_OK;
@@ -381,7 +386,9 @@ static NTSTATUS authsam_authenticate(struct auth_context *auth_context,
workstation_list = samdb_result_string(msgs[0], "userWorkstations", NULL);
- nt_status = authsam_account_ok(mem_ctx, acct_flags,
+ nt_status = authsam_account_ok(mem_ctx,
+ user_info->logon_parameters,
+ acct_flags,
acct_expiry,
must_change_time,
last_set_time,
diff --git a/source4/auth/ntlm_check.c b/source4/auth/ntlm_check.c
index d033dfeb79..0856b82856 100644
--- a/source4/auth/ntlm_check.c
+++ b/source4/auth/ntlm_check.c
@@ -23,6 +23,7 @@
#include "includes.h"
#include "lib/crypto/crypto.h"
#include "librpc/gen_ndr/ndr_samr.h"
+#include "librpc/gen_ndr/ndr_netlogon.h"
/****************************************************************************
Core of smb password checking routine.
@@ -274,6 +275,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
*/
NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
+ uint32_t logon_parameters,
const DATA_BLOB *challenge,
const DATA_BLOB *lm_response,
const DATA_BLOB *nt_response,
@@ -297,8 +299,9 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
*user_sess_key = data_blob(NULL, 0);
/* Check for cleartext netlogon. Used by Exchange 5.5. */
- if (challenge->length == sizeof(zeros) &&
- (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
+ if ((logon_parameters & MSV1_0_CLEARTEXT_PASSWORD_ALLOWED)
+ && challenge->length == sizeof(zeros)
+ && (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
struct samr_Password client_nt;
struct samr_Password client_lm;
uint8_t dospwd[14];
diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c
index 53c53d3cb9..ec3c9ba188 100644
--- a/source4/auth/ntlmssp/ntlmssp_server.c
+++ b/source4/auth/ntlmssp/ntlmssp_server.c
@@ -689,6 +689,7 @@ static NTSTATUS auth_ntlmssp_check_password(struct gensec_ntlmssp_state *gensec_
return NT_STATUS_NO_MEMORY;
}
+ user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
user_info->flags = 0;
user_info->mapped_state = False;
user_info->client.account_name = gensec_ntlmssp_state->user;
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 200cfd79db..6366a58f4a 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -400,9 +400,10 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_
dce_call->event_ctx);
NT_STATUS_NOT_OK_RETURN(nt_status);
- user_info->client.account_name = r->in.logon.network->identity_info.account_name.string;
- user_info->client.domain_name = r->in.logon.network->identity_info.domain_name.string;
- user_info->workstation_name = r->in.logon.network->identity_info.workstation.string;
+ user_info->logon_parameters = r->in.logon.password->identity_info.parameter_control;
+ user_info->client.account_name = r->in.logon.password->identity_info.account_name.string;
+ user_info->client.domain_name = r->in.logon.password->identity_info.domain_name.string;
+ user_info->workstation_name = r->in.logon.password->identity_info.workstation.string;
user_info->password_state = AUTH_PASSWORD_HASH;
user_info->password.hash.lanman = talloc(user_info, struct samr_Password);
@@ -428,6 +429,7 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_
nt_status = auth_context_set_challenge(auth_context, r->in.logon.network->challenge, "netr_LogonSamLogonWithFlags");
NT_STATUS_NOT_OK_RETURN(nt_status);
+ user_info->logon_parameters = r->in.logon.network->identity_info.parameter_control;
user_info->client.account_name = r->in.logon.network->identity_info.account_name.string;
user_info->client.domain_name = r->in.logon.network->identity_info.domain_name.string;
user_info->workstation_name = r->in.logon.network->identity_info.workstation.string;