summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2008-05-05 12:58:15 +1000
committerAndrew Bartlett <abartlet@samba.org>2008-05-05 12:58:15 +1000
commitfe7d46067133131189faf7aebae62fa9c48626d9 (patch)
treec167d18a67dc50f242940dd668203fd9cb11c7e0 /source4
parentf8fb5d8c4da11cdb8ac79649fd74047d4cc42c68 (diff)
downloadsamba-fe7d46067133131189faf7aebae62fa9c48626d9.tar.gz
samba-fe7d46067133131189faf7aebae62fa9c48626d9.tar.bz2
samba-fe7d46067133131189faf7aebae62fa9c48626d9.zip
Allow an NTLM response to be specified into the auth subsystem.
This allows it to be proxied for NTLM pass-though authentication (aka security=server and associated man-in-the-middle attacks). Andrew Bartlett (This used to be commit 6ffabb38d03ad90d8731ab3e0eb692438db967ee)
Diffstat (limited to 'source4')
-rw-r--r--source4/auth/credentials/credentials.c20
-rw-r--r--source4/auth/credentials/credentials.h9
-rw-r--r--source4/auth/credentials/credentials_ntlm.c52
3 files changed, 63 insertions, 18 deletions
diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c
index bfed451689..adabe49cb4 100644
--- a/source4/auth/credentials/credentials.c
+++ b/source4/auth/credentials/credentials.c
@@ -306,6 +306,8 @@ _PUBLIC_ bool cli_credentials_set_password(struct cli_credentials *cred,
cli_credentials_invalidate_ccache(cred, cred->password_obtained);
cred->nt_hash = NULL;
+ cred->lm_response = data_blob(NULL, 0);
+ cred->nt_response = data_blob(NULL, 0);
return true;
}
@@ -376,24 +378,6 @@ _PUBLIC_ const struct samr_Password *cli_credentials_get_nt_hash(struct cli_cred
}
}
-_PUBLIC_ bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
- const struct samr_Password *nt_hash,
- enum credentials_obtained obtained)
-{
- if (obtained >= cred->password_obtained) {
- cli_credentials_set_password(cred, NULL, obtained);
- if (nt_hash) {
- cred->nt_hash = talloc(cred, struct samr_Password);
- *cred->nt_hash = *nt_hash;
- } else {
- cred->nt_hash = NULL;
- }
- return true;
- }
-
- return false;
-}
-
/**
* Obtain the 'short' or 'NetBIOS' domain for this credentials context.
* @param cred credentials context
diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h
index 2514b5b1ce..79c50ae5af 100644
--- a/source4/auth/credentials/credentials.h
+++ b/source4/auth/credentials/credentials.h
@@ -80,8 +80,13 @@ struct cli_credentials {
const char *bind_dn;
+ /* Allows authentication from a keytab or similar */
struct samr_Password *nt_hash;
+ /* Allows NTLM pass-though authentication */
+ DATA_BLOB lm_response;
+ DATA_BLOB nt_response;
+
struct ccache_container *ccache;
struct gssapi_creds_container *client_gss_creds;
struct keytab_container *keytab;
@@ -221,6 +226,10 @@ void cli_credentials_set_kvno(struct cli_credentials *cred,
bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
const struct samr_Password *nt_hash,
enum credentials_obtained obtained);
+bool cli_credentials_set_ntlm_response(struct cli_credentials *cred,
+ const DATA_BLOB *lm_response,
+ const DATA_BLOB *nt_response,
+ enum credentials_obtained obtained);
int cli_credentials_set_keytab_name(struct cli_credentials *cred,
struct event_context *event_ctx,
struct loadparm_context *lp_ctx,
diff --git a/source4/auth/credentials/credentials_ntlm.c b/source4/auth/credentials/credentials_ntlm.c
index b88f2018df..22e273c35a 100644
--- a/source4/auth/credentials/credentials_ntlm.c
+++ b/source4/auth/credentials/credentials_ntlm.c
@@ -52,6 +52,20 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
const struct samr_Password *nt_hash;
lm_session_key = data_blob(NULL, 0);
+ /* We may already have an NTLM response we prepared earlier.
+ * This is used for NTLM pass-though authentication */
+ if (cred->nt_response.data || cred->lm_response.data) {
+ *_nt_response = cred->nt_response;
+ *_lm_response = cred->lm_response;
+
+ if (!cred->lm_response.data) {
+ *flags = *flags & ~CLI_CRED_LANMAN_AUTH;
+ }
+ *_lm_session_key = data_blob(NULL, 0);
+ *_session_key = data_blob(NULL, 0);
+ return NT_STATUS_OK;
+ }
+
nt_hash = cli_credentials_get_nt_hash(cred, mem_ctx);
cli_credentials_get_ntlm_username_domain(cred, mem_ctx, &user, &domain);
@@ -215,3 +229,41 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
return NT_STATUS_OK;
}
+_PUBLIC_ bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
+ const struct samr_Password *nt_hash,
+ enum credentials_obtained obtained)
+{
+ if (obtained >= cred->password_obtained) {
+ cli_credentials_set_password(cred, NULL, obtained);
+ if (nt_hash) {
+ cred->nt_hash = talloc(cred, struct samr_Password);
+ *cred->nt_hash = *nt_hash;
+ } else {
+ cred->nt_hash = NULL;
+ }
+ return true;
+ }
+
+ return false;
+}
+
+_PUBLIC_ bool cli_credentials_set_ntlm_response(struct cli_credentials *cred,
+ const DATA_BLOB *lm_response,
+ const DATA_BLOB *nt_response,
+ enum credentials_obtained obtained)
+{
+ if (obtained >= cred->password_obtained) {
+ cli_credentials_set_password(cred, NULL, obtained);
+ if (nt_response) {
+ cred->nt_response = data_blob_talloc(cred, nt_response->data, nt_response->length);
+ talloc_steal(cred, cred->nt_response.data);
+ }
+ if (nt_response) {
+ cred->lm_response = data_blob_talloc(cred, lm_response->data, lm_response->length);
+ }
+ return true;
+ }
+
+ return false;
+}
+