Diffstat (limited to 'source3/smbd')
-rw-r--r-- | source3/smbd/password.c | 73 | ||||
-rw-r--r-- | source3/smbd/reply.c | 109 |
2 files changed, 128 insertions, 54 deletions
diff --git a/source3/smbd/password.c b/source3/smbd/password.c index c347f2de0d..04a1795e7f 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -31,6 +31,8 @@ extern int Protocol; /* users from session setup */ static pstring session_users=""; +extern pstring myname; + /* these are kept here to keep the string_combinations function simple */ static char this_user[100]=""; static char this_salt[100]=""; 
@@ -1860,3 +1862,74 @@ use this machine as the password server.\n")); return(True); } + +#ifdef DOMAIN_CLIENT +BOOL domain_client_validate( char *user, char *domain, + char *smb_apasswd, int smb_apasslen, + char *smb_ntpasswd, int smb_ntpasslen) +{ + unsigned char local_lm_hash[21]; + unsigned char local_nt_hash[21]; + unsigned char local_challenge[8]; + unsigned char local_lm_response[24]; + unsigned char local_nt_reponse[24]; + BOOL encrypted = True; + + /* + * Check that the requested domain is not our own machine name. + * If it is, we should never check the PDC here, we use our own local + * password file. + */ + + if(strequal( domain, myname)) { + DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n")); + return False; + } + + /* + * Next, check that the passwords given were encrypted. + */ + + if(smb_apasslen != 24 || smb_ntpasslen != 24) { + + /* + * Not encrypted - do so. + */ + + DEBUG(3,("domain_client_validate: User passwords not in encrypted format.\n")); + encrypted = False; + memset(local_lm_hash, '\0', sizeof(local_lm_hash)); + E_P16((uchar *) smb_apasswd, local_lm_hash); + memset(local_nt_hash, '\0', sizeof(local_nt_hash)); + E_md4hash((uchar *) smb_ntpasswd, local_nt_hash); + generate_random_buffer( local_challenge, 8, False); + E_P24(local_lm_hash, local_challenge, local_lm_response); + E_P24(local_nt_hash, local_challenge, local_nt_reponse); + smb_apasslen = 24; + smb_ntpasslen = 24; + smb_apasswd = (char *)local_lm_response; + smb_ntpasswd = (char *)local_nt_reponse; + } else { + + /* + * Encrypted - get the challenge we sent for these + * responses. + */ + + if (!last_challenge(local_challenge)) { + DEBUG(0,("domain_client_validate: no challenge done - password failed\n")); + return False; + } + } + + /* + * At this point, smb_apasswd points to the lanman response to + * the challenge in local_challenge, and smb_ntpasswd points to + * the NT response to the challenge in local_challenge. 
Ship + * these over the secure channel to a domain controller and + * see if they were valid. + */ + + return False; +} +#endif /* DOMAIN_CLIENT */ diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 2f3b3660fc..4472aa16e6 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c 
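Review bot: The test `if(smb_apasslen != 24 || smb_ntpasslen != 24)` treats the credentials as plaintext whenever either length differs from 24, so a caller that supplies a 24-byte LanMan response with no NT response (smb_ntpasslen of 0) would fall into the "not encrypted" branch and have the response bytes themselves run through `E_P16`/`E_md4hash` as if they were a password, rather than taking the `last_challenge` path; the mixed case needs its own handling, or the function should fail closed on it. `local_lm_hash` and `local_nt_hash` hold password-equivalent material derived from the plaintext and are left on the stack at both return points; clearing them before returning (and keeping in mind that a plain memset before return may be optimized out) would be in keeping with how hashes are treated elsewhere. Since the function currently ends with an unconditional `return False;`, every DOMAIN_CLIENT logon fails until the secure-channel call is written, which the comment above it does not say; a `/* TODO: secure channel call not yet implemented - always fails */` at that line would make the stub status explicit. `local_nt_reponse` looks like a typo for `local_nt_response`.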
@@ -377,65 +377,66 @@ static int session_trust_account(char *inbuf, char *outbuf, char *user, char *smb_passwd, int smb_passlen, char *smb_nt_passwd, int smb_nt_passlen) { - struct smb_passwd *smb_trust_acct = NULL; /* check if trust account exists */ - if (lp_security() == SEC_USER) - { - smb_trust_acct = getsmbpwnam(user); - } - else - { - DEBUG(3,("Trust account %s only supported with security = user\n", user)); - SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); - return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE)); - } + struct smb_passwd *smb_trust_acct = NULL; /* check if trust account exists */ + if (lp_security() == SEC_USER) + { + smb_trust_acct = getsmbpwnam(user); + } + else + { + DEBUG(0,("session_trust_account: Trust account %s only supported with security = user\n", user)); + SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); + return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE)); + } - if (smb_trust_acct == NULL) - { - /* lkclXXXX: workstation entry doesn't exist */ - DEBUG(4,("Trust account %s user doesn't exist\n",user)); - SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); - return(ERROR(0, 0xc0000000|NT_STATUS_NO_SUCH_USER)); - } - else - { - if ((smb_passlen != 24) || (smb_nt_passlen != 24)) - { - DEBUG(4,("Trust account %s - password length wrong.\n", user)); - SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); - return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE)); - } + if (smb_trust_acct == NULL) + { + /* lkclXXXX: workstation entry doesn't exist */ + DEBUG(0,("session_trust_account: Trust account %s user doesn't exist\n",user)); + SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); + return(ERROR(0, 0xc0000000|NT_STATUS_NO_SUCH_USER)); + } + else + { + if ((smb_passlen != 24) || (smb_nt_passlen != 24)) + { + DEBUG(0,("session_trust_account: Trust account %s - password length wrong.\n", user)); + SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); + return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE)); + } - if 
(!smb_password_ok(smb_trust_acct, smb_passwd, smb_nt_passwd)) - { - DEBUG(4,("Trust Account %s - password failed\n", user)); - SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); - return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE)); - } + if (!smb_password_ok(smb_trust_acct, smb_passwd, smb_nt_passwd)) + { + DEBUG(0,("session_trust_account: Trust Account %s - password failed\n", user)); + SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); + return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE)); + } - if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_DOMTRUST)) - { - DEBUG(4,("Domain trust account %s denied by server\n",user)); - SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); - return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT)); - } + if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_DOMTRUST)) + { + DEBUG(0,("session_trust_account: Domain trust account %s denied by server\n",user)); + SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); + return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT)); + } - if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_SVRTRUST)) - { - DEBUG(4,("Server trust account %s denied by server\n",user)); - SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); - return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT)); - } - if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_WSTRUST)) - { - DEBUG(4,("Wksta trust account %s denied by server\n", user)); - SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); - return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT)); - } - } + if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_SVRTRUST)) + { + DEBUG(0,("session_trust_account: Server trust account %s denied by server\n",user)); + SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); + return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT)); + } + + if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_WSTRUST)) + { + DEBUG(4,("session_trust_account: Wksta trust account 
%s denied by server\n", user)); + SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); + return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT)); + } + } - /* don't know what to do: indicate logon failure */ - SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); - return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE)); + /* don't know what to do: indicate logon failure */ + SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); + return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE)); } |
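Review bot: The Wksta trust-account branch keeps `DEBUG(4,("session_trust_account: Wksta trust account %s denied by server\n", user));` while every other denial in this function was raised to `DEBUG(0,...)`, so a workstation account refused at session setup is now the one case that does not appear in a default-level log; if the lower level is deliberate (workstation accounts attempting session setup being routine), a one-line comment saying so would stop a later reader from "fixing" it. The pair `SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); return(ERROR(0, 0xc0000000|NT_STATUS_...));` is repeated seven times in the new body; a small static helper taking the NT status would shorten the function and keep the flags2 marking from being forgotten on a future branch. Logging the account name at level 0 for every non-existent trust account also means unauthenticated attempts fill the log at default verbosity, which is worth weighing against level 1 or 2 for the "doesn't exist" case.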