-rw-r--r--source3/lib/talloc.c18
-rw-r--r--source3/libsmb/cliconnect.c8
-rw-r--r--source3/libsmb/ntlm_check.c31
-rw-r--r--source3/libsmb/ntlmssp.c4
-rw-r--r--source3/libsmb/smbencrypt.c10
5 files changed, 61 insertions, 10 deletions
diff --git a/source3/lib/talloc.c b/source3/lib/talloc.c
index 485dc28f31..093a221fd3 100644
--- a/source3/lib/talloc.c
+++ b/source3/lib/talloc.c
@@ -276,6 +276,24 @@ char *talloc_strdup(TALLOC_CTX *t, const char *p)
return NULL;
}
+/** strdup_upper with a talloc */
+char *talloc_strdup_upper(TALLOC_CTX *t, const char *p)
+{
+ char *r;
+ if (p) {
+ char *q = strdup_upper(p);
+ if (q) {
+ r = talloc_strdup(t, q);
+ SAFE_FREE(q);
+ return r;
+ } else {
+ return NULL;
+ }
+ } else {
+ return NULL;
+ }
+}
+
/** strdup_w with a talloc */
smb_ucs2_t *talloc_strdup_w(TALLOC_CTX *t, const smb_ucs2_t *p)
{
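Review bot: The doc comment on `talloc_strdup_upper` does not say that NULL is returned for a NULL `p` as well as for an allocation failure, and the ntlmssp.c hunk in this commit maps any NULL from it to `NT_STATUS_NO_MEMORY`. I would extend the comment to `/** strdup_upper with a talloc; returns NULL if p is NULL or if either allocation fails */`. As a style point, the two `else { return NULL; }` branches read more easily as early returns, which also lets `r` be declared where it is assigned.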
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 63541e18b5..adfeec2290 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -358,7 +358,9 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user,
memcpy(p,nt_response.data, nt_response.length); p += nt_response.length;
}
p += clistr_push(cli, p, user, -1, STR_TERMINATE);
- p += clistr_push(cli, p, workgroup, -1, STR_TERMINATE);
+
+ /* Upper case here might help some NTLMv2 implementations */
+ p += clistr_push(cli, p, workgroup, -1, STR_TERMINATE|STR_UPPER);
p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE);
p += clistr_push(cli, p, "Samba", -1, STR_TERMINATE);
cli_setup_bcc(cli, p);
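Review bot: The new comment does not say which case the NTLMv2 hash expects, so a later edit could change one side without the other. Elsewhere in this commit `SMBNTLMv2encrypt` calls `ntv2_owf_gen(..., True, ...)` and `ntlmssp_set_domain` stores an upper-cased domain, so the client appears to hash the upper-cased domain; the workgroup sent here has to match that for a server that hashes the domain exactly as received. Something like `/* The NTLMv2 hash is computed over the upper-cased domain (see SMBNTLMv2encrypt), so send it upper-cased too */` would record the dependency. Whether the response built earlier in `cli_session_setup_nt1` comes from that path is outside the hunk and should be confirmed.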
@@ -649,7 +651,7 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use
for checking the first reply from the server */
cli_calculate_sign_mac(cli);
- if (!cli_check_sign_mac(cli, True)) {
+ if (!cli_check_sign_mac(cli, False)) {
nt_status = NT_STATUS_ACCESS_DENIED;
}
}
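Review bot: The second argument of `cli_check_sign_mac` flips from `True` to `False` on the check of the first signed reply from the server, and nothing in the hunk or the surrounding comment explains why. The parameter's meaning is not visible here; if it controls whether a bad or missing signature is treated as a failure, this relaxes verification of the session-setup reply in a commit that is otherwise about domain case. Please add a comment at the call stating what `False` means and why this reply is exempt, e.g. `/* <reason the first reply cannot be required to verify> */`, or split the change into its own commit. The enclosing function continues outside the hunk.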
@@ -874,7 +876,7 @@ BOOL cli_send_tconX(struct cli_state *cli,
if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) && *pass && passlen != 24) {
if (!lp_client_lanman_auth()) {
- DEBUG(1, ("Server requested LANMAN password but 'client use lanman auth'"
+ DEBUG(1, ("Server requested LANMAN password (share-level security) but 'client use lanman auth'"
" is disabled\n"));
return False;
}
diff --git a/source3/libsmb/ntlm_check.c b/source3/libsmb/ntlm_check.c
index 362b640f91..bc291b5128 100644
--- a/source3/libsmb/ntlm_check.c
+++ b/source3/libsmb/ntlm_check.c
@@ -85,6 +85,7 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response,
const uchar *part_passwd,
const DATA_BLOB *sec_blob,
const char *user, const char *domain,
+ BOOL upper_case_domain, /* should the domain be transformed into upper case? */
DATA_BLOB *user_sess_key)
{
/* Finish the encryption of part_passwd. */
@@ -122,7 +123,7 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response,
memcpy(client_response, ntv2_response->data, sizeof(client_response));
- if (!ntv2_owf_gen(part_passwd, user, domain, kr)) {
+ if (!ntv2_owf_gen(part_passwd, user, domain, upper_case_domain, kr)) {
return False;
}
@@ -235,13 +236,24 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
if (nt_response->length >= 24 && nt_pw) {
if (nt_response->length > 24) {
/* We have the NT MD4 hash challenge available - see if we can
- use it (ie. does it exist in the smbpasswd file).
+ use it
*/
DEBUG(4,("ntlm_password_check: Checking NTLMv2 password with domain [%s]\n", client_domain));
if (smb_pwd_check_ntlmv2( nt_response,
nt_pw, challenge,
- client_username,
+ client_username,
+ client_domain,
+ False,
+ user_sess_key)) {
+ return NT_STATUS_OK;
+ }
+
+ DEBUG(4,("ntlm_password_check: Checking NTLMv2 password with uppercased version of domain [%s]\n", client_domain));
+ if (smb_pwd_check_ntlmv2( nt_response,
+ nt_pw, challenge,
+ client_username,
client_domain,
+ True,
user_sess_key)) {
return NT_STATUS_OK;
}
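Review bot: After this change a response is accepted if it verifies against any of three domain forms (as sent, upper-cased, and the empty string in the next hunk), but the only comment left is the truncated `use it`, which no longer explains anything. A comment before the second call such as `/* Some clients hash an upper-cased domain; retry with that before falling back to the empty domain */` would document why the match is widened (the stated reason is my inference and should be confirmed). The retry also runs when `client_domain` is already upper case, repeating an identical HMAC computation on every failed logon; the LMv2 hunk at `@@ -334,6 +347,17 @@` has the same pattern. Whether a failed first call leaves `user_sess_key` untouched is not visible here and is worth checking, since the same pointer is passed to each attempt.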
@@ -251,6 +263,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
nt_pw, challenge,
client_username,
"",
+ False,
user_sess_key)) {
return NT_STATUS_OK;
} else {
@@ -334,6 +347,17 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
nt_pw, challenge,
client_username,
client_domain,
+ False,
+ NULL)) {
+ return NT_STATUS_OK;
+ }
+
+ DEBUG(4,("ntlm_password_check: Checking LMv2 password with upper-cased version of domain %s\n", client_domain));
+ if (smb_pwd_check_ntlmv2( lm_response,
+ nt_pw, challenge,
+ client_username,
+ client_domain,
+ True,
NULL)) {
return NT_STATUS_OK;
}
@@ -343,6 +367,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
nt_pw, challenge,
client_username,
"",
+ False,
NULL)) {
return NT_STATUS_OK;
}
diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
index 60523ddf9d..82eafc4cd5 100644
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -168,7 +168,9 @@ NTSTATUS ntlmssp_set_password(NTLMSSP_STATE *ntlmssp_state, const char *password
*/
NTSTATUS ntlmssp_set_domain(NTLMSSP_STATE *ntlmssp_state, const char *domain)
{
- ntlmssp_state->domain = talloc_strdup(ntlmssp_state->mem_ctx, domain);
+ /* Possibly make our NTLMv2 client more robust by always having
+ an uppercase domain */
+ ntlmssp_state->domain = talloc_strdup_upper(ntlmssp_state->mem_ctx, domain);
if (!ntlmssp_state->domain) {
return NT_STATUS_NO_MEMORY;
}
diff --git a/source3/libsmb/smbencrypt.c b/source3/libsmb/smbencrypt.c
index c5acedae51..270a659e57 100644
--- a/source3/libsmb/smbencrypt.c
+++ b/source3/libsmb/smbencrypt.c
@@ -127,7 +127,9 @@ void nt_lm_owf_gen(const char *pwd, uchar nt_p16[16], uchar p16[16])
/* Does both the NTLMv2 owfs of a user's password */
BOOL ntv2_owf_gen(const uchar owf[16],
- const char *user_in, const char *domain_in, uchar kr_buf[16])
+ const char *user_in, const char *domain_in,
+ BOOL upper_case_domain, /* Transform the domain into UPPER case */
+ uchar kr_buf[16])
{
smb_ucs2_t *user;
smb_ucs2_t *domain;
@@ -150,7 +152,9 @@ BOOL ntv2_owf_gen(const uchar owf[16],
}
strupper_w(user);
- strupper_w(domain);
+
+ if (upper_case_domain)
+ strupper_w(domain);
SMB_ASSERT(user_byte_len >= 2);
SMB_ASSERT(domain_byte_len >= 2);
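Review bot: The new `if (upper_case_domain)` guards a single unbraced statement; braces would protect it against a later second statement being added under the condition by mistake: `if (upper_case_domain) { strupper_w(domain); }`. The function body starts and ends outside the hunk.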
@@ -426,7 +430,7 @@ BOOL SMBNTLMv2encrypt(const char *user, const char *domain, const char *password
the username and domain.
This prevents username swapping during the auth exchange
*/
- if (!ntv2_owf_gen(nt_hash, user, domain, ntlm_v2_hash)) {
+ if (!ntv2_owf_gen(nt_hash, user, domain, True, ntlm_v2_hash)) {
return False;
}