diff options
-rw-r--r-- | source3/include/proto.h | 5 | ||||
-rw-r--r-- | source3/rpc_client/cli_pipe.c | 2 | ||||
-rw-r--r-- | source3/rpc_server/srv_util.c | 2 | ||||
-rw-r--r-- | source3/smbd/ipc.c | 2 | ||||
-rw-r--r-- | source3/smbd/password.c | 59 | ||||
-rw-r--r-- | source3/smbd/reply.c | 4 |
6 files changed, 43 insertions, 31 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h index 2a61a05f6d..63f4d624dc 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -1259,7 +1259,7 @@ BOOL change_trust_account_password( char *domain, char *remote_machine_list); BOOL rpc_api_pipe_req(struct cli_state *cli, uint8 op_num, prs_struct *data, prs_struct *rdata); -BOOL cli_nt_set_ntlmssp_flgs(struct cli_state *cli, uint32 ntlmssp_flgs); +void cli_nt_set_ntlmssp_flgs(struct cli_state *cli, uint32 ntlmssp_flgs); BOOL cli_nt_session_open(struct cli_state *cli, char *pipe_name); void cli_nt_session_close(struct cli_state *cli); @@ -2196,6 +2196,9 @@ void add_session_user(char *user); BOOL smb_password_check(char *password, unsigned char *part_passwd, unsigned char *c8); BOOL smb_password_ok(struct smb_passwd *smb_pass, uchar lm_pass[24], uchar nt_pass[24]); +BOOL pass_check_smb(char *user, char *domain, + char *challenge, char *lm_pwd, char *nt_pwd, + struct passwd *pwd); BOOL password_ok(char *user, char *password, int pwlen, struct passwd *pwd); BOOL user_ok(char *user,int snum); BOOL authorise_login(int snum,char *user,char *password, int pwlen, diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 9a54e15dae..0fe248068e 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -957,7 +957,7 @@ static BOOL rpc_pipe_bind(struct cli_state *cli, char *pipe_name, set ntlmssp negotiation flags ****************************************************************************/ -BOOL cli_nt_set_ntlmssp_flgs(struct cli_state *cli, uint32 ntlmssp_flgs) +void cli_nt_set_ntlmssp_flgs(struct cli_state *cli, uint32 ntlmssp_flgs) { cli->ntlmssp_cli_flgs = ntlmssp_flgs; } diff --git a/source3/rpc_server/srv_util.c b/source3/rpc_server/srv_util.c index dc0918f1bf..76f113374d 100644 --- a/source3/rpc_server/srv_util.c +++ b/source3/rpc_server/srv_util.c @@ -244,7 +244,7 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p) memcpy(nt_owf, p->ntlmssp_resp.nt_resp, sizeof(nt_owf)); #ifdef DEBUG_PASSWORD - DEBUG(100,"lm, nt owfs:\n")); + DEBUG(100,("lm, nt owfs:\n")); dump_data(100, lm_owf, sizeof(lm_owf)); dump_data(100, nt_owf, sizeof(nt_owf)); #endif diff --git a/source3/smbd/ipc.c b/source3/smbd/ipc.c index bfd618f325..df04cd82a0 100644 --- a/source3/smbd/ipc.c +++ b/source3/smbd/ipc.c @@ -1653,7 +1653,7 @@ static BOOL api_SetUserPassword(connection_struct *conn,uint16 vuid, char *param * Older versions of Windows seem to do this. */ - if (password_ok(user,pass1,strlen(pass1),NULL) && + if (password_ok(user, pass1,strlen(pass1),NULL) && chgpasswd(user,pass1,pass2,False)) { SSVAL(*rparam,0,NERR_Success); diff --git a/source3/smbd/password.c b/source3/smbd/password.c index ac8210abf8..4df359f46c 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -449,39 +449,38 @@ check if a username/password is OK assuming the password is a 24 byte SMB hash return True if the password is correct, False otherwise ****************************************************************************/ -static BOOL pass_check_smb(char *user,char *password, struct passwd *pwd) +BOOL pass_check_smb(char *user, char *domain, + char *challenge, char *lm_pwd, char *nt_pwd, + struct passwd *pwd) { struct passwd *pass; - uchar challenge[8]; struct smb_passwd *smb_pass; - BOOL challenge_done; - if (!password) { + if (!lm_pwd || !nt_pwd) + { return(False); } - challenge_done = last_challenge(challenge); - - if (!challenge_done) { - DEBUG(0,("Error: challenge not done for user=%s\n", user)); - return False; - } - - if (pwd && !user) { + if (pwd != NULL && user == NULL) + { pass = (struct passwd *) pwd; user = pass->pw_name; - } else { + } + else + { pass = Get_Pwnam(user,True); } - if (!pass) { + if (pass != NULL) + { DEBUG(3,("Couldn't find user %s\n",user)); return(False); } smb_pass = getsmbpwnam(user); - if (!smb_pass) { + if (smb_pass != NULL) + { DEBUG(3,("Couldn't find user %s in smb_passwd file.\n", user)); return(False); } @@ -493,19 +492,20 @@ static BOOL pass_check_smb(char *user,char *password, struct passwd *pwd) } /* Ensure the uid's match */ - if (smb_pass->smb_userid != pass->pw_uid) { + if (smb_pass->smb_userid != pass->pw_uid) + { DEBUG(3,("Error : UNIX and SMB uids in password files do not match !\n")); return(False); } - if(password[0] == '\0' && smb_pass->acct_ctrl & ACB_PWNOTREQ && lp_null_passwords()) { + if (lm_pwd[0] == '\0' && IS_BITS_SET_ALL(smb_pass->acct_ctrl, ACB_PWNOTREQ) && lp_null_passwords()) + { DEBUG(3,("account for user %s has no password and null passwords are allowed.\n", smb_pass->smb_name)); return(True); } - if (smb_password_ok(smb_pass, - (unsigned char *)password, - (uchar *)password)) { + if (smb_password_ok(smb_pass, (uchar *)lm_pwd, (uchar *)nt_pwd)) + { return(True); } @@ -518,12 +518,21 @@ check if a username/password pair is OK either via the system password database or the encrypted SMB password database return True if the password is correct, False otherwise ****************************************************************************/ -BOOL password_ok(char *user,char *password, int pwlen, struct passwd *pwd) +BOOL password_ok(char *user, char *password, int pwlen, struct passwd *pwd) { - if (pwlen == 24 || (lp_encrypted_passwords() && (pwlen == 0) && lp_null_passwords())) { - /* if it is 24 bytes long then assume it is an encrypted - password */ - return pass_check_smb(user, password, pwd); + if (pwlen == 24 || (lp_encrypted_passwords() && (pwlen == 0) && lp_null_passwords())) + { + /* if 24 bytes long assume it is an encrypted password */ + uchar challenge[8]; + + if (!last_challenge(challenge)) + { + DEBUG(0,("Error: challenge not done for user=%s\n", user)); + return False; + } + + return pass_check_smb(user, global_myworkgroup, + challenge, password, password, pwd); } return pass_check(user, password, pwlen, pwd, diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 7cbd0520d9..5afc4593e6 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -651,12 +651,12 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,int 128 length unicode */ if(smb_ntpasslen) { - if(!password_ok(user,smb_ntpasswd,smb_ntpasslen,NULL)) + if(!password_ok(user, smb_ntpasswd,smb_ntpasslen,NULL)) DEBUG(0,("NT Password did not match ! Defaulting to Lanman\n")); else valid_nt_password = True; } - if (!valid_nt_password && !password_ok(user,smb_apasswd,smb_apasslen,NULL)) + if (!valid_nt_password && !password_ok(user, smb_apasswd,smb_apasslen,NULL)) { if (lp_security() >= SEC_USER) { #if (GUEST_SESSSETUP == 0) |