-rw-r--r--source4/auth/auth.h2
-rw-r--r--source4/auth/auth_sam.c29
-rw-r--r--source4/auth/ntlm_check.c7
-rw-r--r--source4/auth/ntlmssp/ntlmssp_server.c1
-rw-r--r--source4/rpc_server/netlogon/dcerpc_netlogon.c8
5 files changed, 31 insertions, 16 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 392703729f..55168a5beb 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -51,6 +51,8 @@ struct auth_usersupplied_info
const char *workstation_name;
const char *remote_host;
+ uint32_t logon_parameters;
+
BOOL mapped_state;
/* the values the client gives us */
struct {
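Review bot: The new `logon_parameters` field carries no comment, so a reader of auth.h cannot tell which bits it holds or that it relaxes policy checks elsewhere; a one-liner such as `uint32_t logon_parameters; /* MSV1_0_* parameter_control bits from the caller; gates trust-account and cleartext logons in authsam/ntlm_check */` would say so. Every place that allocates a `struct auth_usersupplied_info` without zeroing it must now also assign this field, since a stray bit such as MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT would silently permit a logon the old code refused; this commit sets it in ntlmssp_server.c and dcerpc_netlogon.c, and I cannot see from here whether any other creator of the struct exists. The enclosing struct starts and ends outside the hunk.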
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c
index 7449e6cd25..e17eea8087 100644
--- a/source4/auth/auth_sam.c
+++ b/source4/auth/auth_sam.c
@@ -105,7 +105,8 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context,
break;
case AUTH_PASSWORD_RESPONSE:
- status = ntlm_password_check(mem_ctx, &auth_context->challenge.data,
+ status = ntlm_password_check(mem_ctx, user_info->logon_parameters,
+ &auth_context->challenge.data,
&user_info->password.response.lanman,
&user_info->password.response.nt,
user_info->mapped.account_name,
@@ -133,6 +134,7 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context,
(ie not disabled, expired and the like).
****************************************************************************/
static NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
+ uint32_t logon_parameters,
uint16_t acct_flags,
NTTIME acct_expiry,
NTTIME must_change_time,
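Review bot: The header comment of authsam_account_ok (ending at the `****` line above) still describes only the "not disabled, expired and the like" checks and does not mention that the new `logon_parameters` argument can switch off the server- and workstation-trust-account refusals. A sentence like `logon_parameters carries the caller's MSV1_0_* bits; MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT / MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT skip the corresponding ACB_* refusal below` would keep the contract visible at the declaration. The parameter list continues past the hunk.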
@@ -204,20 +206,23 @@ static NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
return NT_STATUS_INVALID_WORKSTATION;
}
}
-
+
if (acct_flags & ACB_DOMTRUST) {
DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", user_info->mapped.account_name));
return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
}
-
- if (acct_flags & ACB_SVRTRUST) {
- DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", user_info->mapped.account_name));
- return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
+
+ if (!(logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) {
+ if (acct_flags & ACB_SVRTRUST) {
+ DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", user_info->mapped.account_name));
+ return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
+ }
}
-
- if (acct_flags & ACB_WSTRUST) {
- DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", user_info->mapped.account_name));
- return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
+ if (!(logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)) {
+ if (acct_flags & ACB_WSTRUST) {
+ DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", user_info->mapped.account_name));
+ return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
+ }
}
return NT_STATUS_OK;
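Review bot: When a trust account logon is now permitted because the ALLOW bit is set, nothing is logged, whereas the refusal path still emits a DEBUG line; since this is exactly the case the old code unconditionally rejected, a DEBUG at the same level on the allowed path (e.g. `DEBUG(4,("sam_account_ok: trust account %s allowed by logon_parameters\n", user_info->mapped.account_name));` inside each gated block) would make the policy relaxation visible in logs. Style-wise the two nested `if`s can be one condition each, `if ((acct_flags & ACB_SVRTRUST) && !(logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) {`, which keeps the rejection reason on the same line as the flag test. The function body starts before the hunk.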
@@ -381,7 +386,9 @@ static NTSTATUS authsam_authenticate(struct auth_context *auth_context,
workstation_list = samdb_result_string(msgs[0], "userWorkstations", NULL);
- nt_status = authsam_account_ok(mem_ctx, acct_flags,
+ nt_status = authsam_account_ok(mem_ctx,
+ user_info->logon_parameters,
+ acct_flags,
acct_expiry,
must_change_time,
last_set_time,
diff --git a/source4/auth/ntlm_check.c b/source4/auth/ntlm_check.c
index d033dfeb79..0856b82856 100644
--- a/source4/auth/ntlm_check.c
+++ b/source4/auth/ntlm_check.c
@@ -23,6 +23,7 @@
#include "includes.h"
#include "lib/crypto/crypto.h"
#include "librpc/gen_ndr/ndr_samr.h"
+#include "librpc/gen_ndr/ndr_netlogon.h"
/****************************************************************************
Core of smb password checking routine.
@@ -274,6 +275,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
*/
NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
+ uint32_t logon_parameters,
const DATA_BLOB *challenge,
const DATA_BLOB *lm_response,
const DATA_BLOB *nt_response,
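Review bot: The block comment that ends just above the signature (at `*/`) is not updated for the new `logon_parameters` argument, so its only documentation is the single use further down; a line such as `logon_parameters: MSV1_0_* bits; MSV1_0_CLEARTEXT_PASSWORD_ALLOWED must be set for the all-zero-challenge cleartext path to be taken` belongs in that comment. The parameter list continues beyond the hunk.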
@@ -297,8 +299,9 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
*user_sess_key = data_blob(NULL, 0);
/* Check for cleartext netlogon. Used by Exchange 5.5. */
- if (challenge->length == sizeof(zeros) &&
- (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
+ if ((logon_parameters & MSV1_0_CLEARTEXT_PASSWORD_ALLOWED)
+ && challenge->length == sizeof(zeros)
+ && (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
struct samr_Password client_nt;
struct samr_Password client_lm;
uint8_t dospwd[14];
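Review bot: The all-zero-challenge cleartext path is now reachable only when the caller sets MSV1_0_CLEARTEXT_PASSWORD_ALLOWED, and the NTLMSSP caller in this commit sets only the two trust-account bits, so NTLMSSP logons no longer take this branch at all; that is a deliberate tightening (an attacker on the wire cannot force the cleartext path by supplying a zero challenge) but the existing comment "Used by Exchange 5.5" does not say so. I would extend it to `/* Check for cleartext netlogon. Used by Exchange 5.5. Only honoured when the (netlogon) caller explicitly set MSV1_0_CLEARTEXT_PASSWORD_ALLOWED; direct NTLMSSP logons never reach this. */`. The branch body and the function continue past the hunk.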
diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c
index 53c53d3cb9..ec3c9ba188 100644
--- a/source4/auth/ntlmssp/ntlmssp_server.c
+++ b/source4/auth/ntlmssp/ntlmssp_server.c
@@ -689,6 +689,7 @@ static NTSTATUS auth_ntlmssp_check_password(struct gensec_ntlmssp_state *gensec_
return NT_STATUS_NO_MEMORY;
}
+ user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
user_info->flags = 0;
user_info->mapped_state = False;
user_info->client.account_name = gensec_ntlmssp_state->user;
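Review bot: Setting `logon_parameters` to ALLOW_SERVER_TRUST_ACCOUNT | ALLOW_WORKSTATION_TRUST_ACCOUNT here flips the NTLMSSP path from unconditionally refusing machine accounts (the old authsam_account_ok behaviour) to accepting them, and the assignment gives no reason. A short comment would stop a later reader from "fixing" it, e.g. `/* Machine (trust) accounts may authenticate directly over NTLMSSP; the cleartext-password bit is deliberately not set, so the zero-challenge path in ntlm_password_check stays closed here. */`. The enclosing function starts and ends outside the hunk.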
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 200cfd79db..6366a58f4a 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -400,9 +400,10 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_
dce_call->event_ctx);
NT_STATUS_NOT_OK_RETURN(nt_status);
- user_info->client.account_name = r->in.logon.network->identity_info.account_name.string;
- user_info->client.domain_name = r->in.logon.network->identity_info.domain_name.string;
- user_info->workstation_name = r->in.logon.network->identity_info.workstation.string;
+ user_info->logon_parameters = r->in.logon.password->identity_info.parameter_control;
+ user_info->client.account_name = r->in.logon.password->identity_info.account_name.string;
+ user_info->client.domain_name = r->in.logon.password->identity_info.domain_name.string;
+ user_info->workstation_name = r->in.logon.password->identity_info.workstation.string;
user_info->password_state = AUTH_PASSWORD_HASH;
user_info->password.hash.lanman = talloc(user_info, struct samr_Password);
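Review bot: `parameter_control` is copied straight from the client's request into `logon_parameters`, and from there it can disable the trust-account refusals in authsam_account_ok and enable the cleartext path in ntlm_password_check, so the only thing standing between a caller and those relaxations is the netlogon secure channel that authenticated the request; the same applies to the network-logon hunk below (`user_info->logon_parameters = r->in.logon.network->identity_info.parameter_control;`). That appears to be the intended model, but a comment at the assignment saying `/* parameter_control is caller-chosen; trusted only because the schannel peer is an authenticated domain member */` would record the trust assumption, and masking the value to the MSV1_0_* bits the server actually implements would keep unknown bits from ever reaching the checks. The switch from `r->in.logon.network` to `r->in.logon.password` in this branch presumably matches the logon_level selected by the enclosing switch, which starts before the hunk.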
@@ -428,6 +429,7 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_
nt_status = auth_context_set_challenge(auth_context, r->in.logon.network->challenge, "netr_LogonSamLogonWithFlags");
NT_STATUS_NOT_OK_RETURN(nt_status);
+ user_info->logon_parameters = r->in.logon.network->identity_info.parameter_control;
user_info->client.account_name = r->in.logon.network->identity_info.account_name.string;
user_info->client.domain_name = r->in.logon.network->identity_info.domain_name.string;
user_info->workstation_name = r->in.logon.network->identity_info.workstation.string;