summaryrefslogtreecommitdiff
path: root/source3/smbd
diff options
context:
space:
mode:
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/password.c73
-rw-r--r--source3/smbd/reply.c109
2 files changed, 128 insertions, 54 deletions
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index c347f2de0d..04a1795e7f 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -31,6 +31,8 @@ extern int Protocol;
/* users from session setup */
static pstring session_users="";
+extern pstring myname;
+
/* these are kept here to keep the string_combinations function simple */
static char this_user[100]="";
static char this_salt[100]="";
@@ -1860,3 +1862,74 @@ use this machine as the password server.\n"));
return(True);
}
+
+#ifdef DOMAIN_CLIENT
+BOOL domain_client_validate( char *user, char *domain,
+ char *smb_apasswd, int smb_apasslen,
+ char *smb_ntpasswd, int smb_ntpasslen)
+{
+ unsigned char local_lm_hash[21];
+ unsigned char local_nt_hash[21];
+ unsigned char local_challenge[8];
+ unsigned char local_lm_response[24];
+ unsigned char local_nt_reponse[24];
+ BOOL encrypted = True;
+
+ /*
+ * Check that the requested domain is not our own machine name.
+ * If it is, we should never check the PDC here, we use our own local
+ * password file.
+ */
+
+ if(strequal( domain, myname)) {
+ DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n"));
+ return False;
+ }
+
+ /*
+ * Next, check that the passwords given were encrypted.
+ */
+
+ if(smb_apasslen != 24 || smb_ntpasslen != 24) {
+
+ /*
+ * Not encrypted - do so.
+ */
+
+ DEBUG(3,("domain_client_validate: User passwords not in encrypted format.\n"));
+ encrypted = False;
+ memset(local_lm_hash, '\0', sizeof(local_lm_hash));
+ E_P16((uchar *) smb_apasswd, local_lm_hash);
+ memset(local_nt_hash, '\0', sizeof(local_nt_hash));
+ E_md4hash((uchar *) smb_ntpasswd, local_nt_hash);
+ generate_random_buffer( local_challenge, 8, False);
+ E_P24(local_lm_hash, local_challenge, local_lm_response);
+ E_P24(local_nt_hash, local_challenge, local_nt_reponse);
+ smb_apasslen = 24;
+ smb_ntpasslen = 24;
+ smb_apasswd = (char *)local_lm_response;
+ smb_ntpasswd = (char *)local_nt_reponse;
+ } else {
+
+ /*
+ * Encrypted - get the challenge we sent for these
+ * responses.
+ */
+
+ if (!last_challenge(local_challenge)) {
+ DEBUG(0,("domain_client_validate: no challenge done - password failed\n"));
+ return False;
+ }
+ }
+
+ /*
+ * At this point, smb_apasswd points to the lanman response to
+ * the challenge in local_challenge, and smb_ntpasswd points to
+ * the NT response to the challenge in local_challenge. Ship
+ * these over the secure channel to a domain controller and
+ * see if they were valid.
+ */
+
+ return False;
+}
+#endif /* DOMAIN_CLIENT */
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 2f3b3660fc..4472aa16e6 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -377,65 +377,66 @@ static int session_trust_account(char *inbuf, char *outbuf, char *user,
char *smb_passwd, int smb_passlen,
char *smb_nt_passwd, int smb_nt_passlen)
{
- struct smb_passwd *smb_trust_acct = NULL; /* check if trust account exists */
- if (lp_security() == SEC_USER)
- {
- smb_trust_acct = getsmbpwnam(user);
- }
- else
- {
- DEBUG(3,("Trust account %s only supported with security = user\n", user));
- SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
- return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE));
- }
+ struct smb_passwd *smb_trust_acct = NULL; /* check if trust account exists */
+ if (lp_security() == SEC_USER)
+ {
+ smb_trust_acct = getsmbpwnam(user);
+ }
+ else
+ {
+ DEBUG(0,("session_trust_account: Trust account %s only supported with security = user\n", user));
+ SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
+ return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE));
+ }
- if (smb_trust_acct == NULL)
- {
- /* lkclXXXX: workstation entry doesn't exist */
- DEBUG(4,("Trust account %s user doesn't exist\n",user));
- SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
- return(ERROR(0, 0xc0000000|NT_STATUS_NO_SUCH_USER));
- }
- else
- {
- if ((smb_passlen != 24) || (smb_nt_passlen != 24))
- {
- DEBUG(4,("Trust account %s - password length wrong.\n", user));
- SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
- return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE));
- }
+ if (smb_trust_acct == NULL)
+ {
+ /* lkclXXXX: workstation entry doesn't exist */
+ DEBUG(0,("session_trust_account: Trust account %s user doesn't exist\n",user));
+ SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
+ return(ERROR(0, 0xc0000000|NT_STATUS_NO_SUCH_USER));
+ }
+ else
+ {
+ if ((smb_passlen != 24) || (smb_nt_passlen != 24))
+ {
+ DEBUG(0,("session_trust_account: Trust account %s - password length wrong.\n", user));
+ SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
+ return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE));
+ }
- if (!smb_password_ok(smb_trust_acct, smb_passwd, smb_nt_passwd))
- {
- DEBUG(4,("Trust Account %s - password failed\n", user));
- SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
- return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE));
- }
+ if (!smb_password_ok(smb_trust_acct, smb_passwd, smb_nt_passwd))
+ {
+ DEBUG(0,("session_trust_account: Trust Account %s - password failed\n", user));
+ SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
+ return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE));
+ }
- if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_DOMTRUST))
- {
- DEBUG(4,("Domain trust account %s denied by server\n",user));
- SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
- return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT));
- }
+ if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_DOMTRUST))
+ {
+ DEBUG(0,("session_trust_account: Domain trust account %s denied by server\n",user));
+ SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
+ return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT));
+ }
- if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_SVRTRUST))
- {
- DEBUG(4,("Server trust account %s denied by server\n",user));
- SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
- return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT));
- }
- if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_WSTRUST))
- {
- DEBUG(4,("Wksta trust account %s denied by server\n", user));
- SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
- return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT));
- }
- }
+ if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_SVRTRUST))
+ {
+ DEBUG(0,("session_trust_account: Server trust account %s denied by server\n",user));
+ SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
+ return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT));
+ }
+
+ if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_WSTRUST))
+ {
+ DEBUG(4,("session_trust_account: Wksta trust account %s denied by server\n", user));
+ SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
+ return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT));
+ }
+ }
- /* don't know what to do: indicate logon failure */
- SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
- return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE));
+ /* don't know what to do: indicate logon failure */
+ SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
+ return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE));
}