summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
Diffstat (limited to 'source3')
-rw-r--r--source3/auth/auth.c6
-rw-r--r--source3/auth/auth_compat.c48
-rw-r--r--source3/auth/auth_domain.c4
-rw-r--r--source3/auth/auth_netlogond.c4
-rw-r--r--source3/auth/auth_ntlmssp.c2
-rw-r--r--source3/auth/auth_script.c8
-rw-r--r--source3/auth/auth_server.c26
-rw-r--r--source3/auth/auth_unix.c3
-rw-r--r--source3/auth/auth_util.c79
-rw-r--r--source3/auth/auth_wbc.c40
-rw-r--r--source3/auth/auth_winbind.c8
-rw-r--r--source3/auth/check_samsec.c55
-rw-r--r--source3/auth/pass_check.c8
-rw-r--r--source3/auth/user_info.c52
-rw-r--r--source3/include/auth.h25
-rw-r--r--source3/include/proto.h26
-rw-r--r--source3/web/cgi.c2
-rw-r--r--source3/winbindd/winbindd_pam.c2
18 files changed, 210 insertions, 188 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 5dc1d970d6..5c50bb8826 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -233,11 +233,11 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
#ifdef DEBUG_PASSWORD
DEBUG(100, ("user_info has passwords of length %d and %d\n",
- (int)user_info->lm_resp.length, (int)user_info->nt_resp.length));
+ (int)user_info->password.response.lanman.length, (int)user_info->password.response.nt.length));
DEBUG(100, ("lm:\n"));
- dump_data(100, user_info->lm_resp.data, user_info->lm_resp.length);
+ dump_data(100, user_info->password.response.lanman.data, user_info->password.response.lanman.length);
DEBUG(100, ("nt:\n"));
- dump_data(100, user_info->nt_resp.data, user_info->nt_resp.length);
+ dump_data(100, user_info->password.response.nt.data, user_info->password.response.nt.length);
#endif
/* This needs to be sorted: If it doesn't match, what should we do? */
diff --git a/source3/auth/auth_compat.c b/source3/auth/auth_compat.c
index cdd4096654..bd4c433ab9 100644
--- a/source3/auth/auth_compat.c
+++ b/source3/auth/auth_compat.c
@@ -30,13 +30,12 @@ extern bool global_encrypted_passwords_negotiated;
***************************************************************************/
/****************************************************************************
-check if a username/password is OK assuming the password is a 24 byte
-SMB hash
+check if a username/password is OK assuming the password is in plaintext
return True if the password is correct, False otherwise
****************************************************************************/
NTSTATUS check_plaintext_password(const char *smb_name,
- DATA_BLOB plaintext_password,
+ DATA_BLOB plaintext_blob,
struct auth_serversupplied_info **server_info)
{
struct auth_context *plaintext_auth_context = NULL;
@@ -52,7 +51,7 @@ NTSTATUS check_plaintext_password(const char *smb_name,
if (!make_user_info_for_reply(&user_info,
smb_name, lp_workgroup(), chal,
- plaintext_password)) {
+ plaintext_blob)) {
return NT_STATUS_NO_MEMORY;
}
@@ -68,27 +67,21 @@ static NTSTATUS pass_check_smb(struct auth_context *actx,
const char *smb_name,
const char *domain,
DATA_BLOB lm_pwd,
- DATA_BLOB nt_pwd,
- DATA_BLOB plaintext_password,
- bool encrypted)
+ DATA_BLOB nt_pwd)
{
NTSTATUS nt_status;
struct auth_serversupplied_info *server_info = NULL;
- if (encrypted) {
- struct auth_usersupplied_info *user_info = NULL;
- if (actx == NULL) {
- return NT_STATUS_INTERNAL_ERROR;
- }
- make_user_info_for_reply_enc(&user_info, smb_name,
- domain,
- lm_pwd,
- nt_pwd);
- nt_status = actx->check_ntlm_password(actx, user_info, &server_info);
- free_user_info(&user_info);
- } else {
- nt_status = check_plaintext_password(smb_name, plaintext_password, &server_info);
- }
+ struct auth_usersupplied_info *user_info = NULL;
+ if (actx == NULL) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ make_user_info_for_reply_enc(&user_info, smb_name,
+ domain,
+ lm_pwd,
+ nt_pwd);
+ nt_status = actx->check_ntlm_password(actx, user_info, &server_info);
+ free_user_info(&user_info);
TALLOC_FREE(server_info);
return nt_status;
}
@@ -113,23 +106,26 @@ bool password_ok(struct auth_context *actx, bool global_encrypted,
* Vista sends NTLMv2 here - we need to try the client given workgroup.
*/
if (session_workgroup) {
- if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, session_workgroup, null_password, password_blob, null_password, encrypted))) {
+ if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, session_workgroup, null_password, password_blob))) {
return True;
}
- if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, session_workgroup, password_blob, null_password, null_password, encrypted))) {
+ if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, session_workgroup, password_blob, null_password))) {
return True;
}
}
- if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, lp_workgroup(), null_password, password_blob, null_password, encrypted))) {
+ if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, lp_workgroup(), null_password, password_blob))) {
return True;
}
- if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, lp_workgroup(), password_blob, null_password, null_password, encrypted))) {
+ if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, lp_workgroup(), password_blob, null_password))) {
return True;
}
} else {
- if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, lp_workgroup(), null_password, null_password, password_blob, encrypted))) {
+ struct auth_serversupplied_info *server_info = NULL;
+ NTSTATUS nt_status = check_plaintext_password(smb_name, password_blob, &server_info);
+ TALLOC_FREE(server_info);
+ if (NT_STATUS_IS_OK(nt_status)) {
return True;
}
}
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index 0fc6410fec..824618c63d 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -313,8 +313,8 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
user_info->client.domain_name, /* domain name */
user_info->workstation_name,/* workstation name */
chal, /* 8 byte challenge. */
- user_info->lm_resp, /* lanman 24 byte response */
- user_info->nt_resp, /* nt 24 byte response */
+ user_info->password.response.lanman, /* lanman 24 byte response */
+ user_info->password.response.nt, /* nt 24 byte response */
&info3); /* info3 out */
/* Let go as soon as possible so we avoid any potential deadlocks
diff --git a/source3/auth/auth_netlogond.c b/source3/auth/auth_netlogond.c
index 8be2c6a00c..446b9e2ee4 100644
--- a/source3/auth/auth_netlogond.c
+++ b/source3/auth/auth_netlogond.c
@@ -88,8 +88,8 @@ static NTSTATUS netlogond_validate(TALLOC_CTX *mem_ctx,
user_info->client.domain_name, /* domain name */
user_info->workstation_name, /* workstation name */
(uchar *)auth_context->challenge.data, /* 8 byte challenge. */
- user_info->lm_resp, /* lanman 24 byte response */
- user_info->nt_resp, /* nt 24 byte response */
+ user_info->password.response.lanman, /* lanman 24 byte response */
+ user_info->password.response.nt, /* nt 24 byte response */
&info3); /* info3 out */
DEBUG(10, ("rpccli_netlogon_sam_network_logon_ex returned %s\n",
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index bc0e9d276a..a910201fcf 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -131,7 +131,7 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
auth_ntlmssp_state->ntlmssp_state->lm_resp.data ? &auth_ntlmssp_state->ntlmssp_state->lm_resp : NULL,
auth_ntlmssp_state->ntlmssp_state->nt_resp.data ? &auth_ntlmssp_state->ntlmssp_state->nt_resp : NULL,
NULL, NULL, NULL,
- True);
+ AUTH_PASSWORD_RESPONSE);
user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
diff --git a/source3/auth/auth_script.c b/source3/auth/auth_script.c
index 2b83f80d98..ee01733514 100644
--- a/source3/auth/auth_script.c
+++ b/source3/auth/auth_script.c
@@ -84,17 +84,17 @@ static NTSTATUS script_check_user_credentials(const struct auth_context *auth_co
safe_strcat( secret_str, hex_str, secret_str_len - 1);
safe_strcat( secret_str, "\n", secret_str_len - 1);
- if (user_info->lm_resp.data) {
+ if (user_info->password.response.lanman.data) {
for (i = 0; i < 24; i++) {
- slprintf(&hex_str[i*2], 3, "%02X", user_info->lm_resp.data[i]);
+ slprintf(&hex_str[i*2], 3, "%02X", user_info->password.response.lanman.data[i]);
}
safe_strcat( secret_str, hex_str, secret_str_len - 1);
}
safe_strcat( secret_str, "\n", secret_str_len - 1);
- if (user_info->nt_resp.data) {
+ if (user_info->password.response.nt.data) {
for (i = 0; i < 24; i++) {
- slprintf(&hex_str[i*2], 3, "%02X", user_info->nt_resp.data[i]);
+ slprintf(&hex_str[i*2], 3, "%02X", user_info->password.response.nt.data[i]);
}
safe_strcat( secret_str, hex_str, secret_str_len - 1);
}
diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c
index 8f0f98b350..76cafc6d69 100644
--- a/source3/auth/auth_server.c
+++ b/source3/auth/auth_server.c
@@ -297,7 +297,7 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context
}
if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
- if (user_info->encrypted) {
+ if (user_info->password_state != AUTH_PASSWORD_PLAIN) {
DEBUG(1,("password server %s is plaintext, but we are encrypted. This just can't work :-(\n", cli->desthost));
return NT_STATUS_LOGON_FAILURE;
}
@@ -326,8 +326,8 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context
memset(badpass, 0x1f, sizeof(badpass));
- if((user_info->nt_resp.length == sizeof(badpass)) &&
- !memcmp(badpass, user_info->nt_resp.data, sizeof(badpass))) {
+ if((user_info->password.response.nt.length == sizeof(badpass)) &&
+ !memcmp(badpass, user_info->password.response.nt.data, sizeof(badpass))) {
/*
* Very unlikely, our random bad password is the same as the users
* password.
@@ -391,22 +391,24 @@ use this machine as the password server.\n"));
* Now we know the password server will correctly set the guest bit, or is
* not guest enabled, we can try with the real password.
*/
-
- if (!user_info->encrypted) {
+ switch (user_info->password_state) {
+ case AUTH_PASSWORD_PLAIN:
/* Plaintext available */
nt_status = cli_session_setup(
cli, user_info->client.account_name,
- (char *)user_info->plaintext_password.data,
- user_info->plaintext_password.length,
+ user_info->password.plaintext,
+ strlen(user_info->password.plaintext),
NULL, 0, user_info->mapped.domain_name);
- } else {
+ /* currently the hash values include a challenge-response as well */
+ case AUTH_PASSWORD_HASH:
+ case AUTH_PASSWORD_RESPONSE:
nt_status = cli_session_setup(
cli, user_info->client.account_name,
- (char *)user_info->lm_resp.data,
- user_info->lm_resp.length,
- (char *)user_info->nt_resp.data,
- user_info->nt_resp.length,
+ (char *)user_info->password.response.lanman.data,
+ user_info->password.response.lanman.length,
+ (char *)user_info->password.response.nt.data,
+ user_info->password.response.nt.length,
user_info->mapped.domain_name);
}
diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c
index 053cad9707..a9a4c53704 100644
--- a/source3/auth/auth_unix.c
+++ b/source3/auth/auth_unix.c
@@ -101,8 +101,7 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context,
done. We may need to revisit this **/
nt_status = pass_check(pass,
pass ? pass->pw_name : user_info->mapped.account_name,
- (char *)user_info->plaintext_password.data,
- user_info->plaintext_password.length-1,
+ user_info->password.plaintext,
lp_update_encrypted() ?
update_smbpassword_file : NULL,
True);
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 16fa421f8b..371087e449 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -86,10 +86,10 @@ NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info,
const char *workstation_name,
DATA_BLOB *lm_pwd,
DATA_BLOB *nt_pwd,
- DATA_BLOB *lm_interactive_pwd,
- DATA_BLOB *nt_interactive_pwd,
- DATA_BLOB *plaintext,
- bool encrypted)
+ const struct samr_Password *lm_interactive_pwd,
+ const struct samr_Password *nt_interactive_pwd,
+ const char *plaintext,
+ enum auth_password_state password_state)
{
const char *domain;
NTSTATUS result;
@@ -131,8 +131,11 @@ NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info,
client_domain, domain, workstation_name,
lm_pwd, nt_pwd,
lm_interactive_pwd, nt_interactive_pwd,
- plaintext, encrypted);
+ plaintext, password_state);
if (NT_STATUS_IS_OK(result)) {
+ /* We have tried mapping */
+ (*user_info)->mapped_state = True;
+ /* did we actually map the user to a different name? */
(*user_info)->was_mapped = was_mapped;
}
return result;
@@ -164,7 +167,7 @@ bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info,
lm_pwd_len ? &lm_blob : NULL,
nt_pwd_len ? &nt_blob : NULL,
NULL, NULL, NULL,
- True);
+ AUTH_PASSWORD_RESPONSE);
if (NT_STATUS_IS_OK(status)) {
(*user_info)->logon_parameters = logon_parameters;
@@ -191,8 +194,8 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
const uchar nt_interactive_pwd[16],
const uchar *dc_sess_key)
{
- unsigned char lm_pwd[16];
- unsigned char nt_pwd[16];
+ struct samr_Password lm_pwd;
+ struct samr_Password nt_pwd;
unsigned char local_lm_response[24];
unsigned char local_nt_response[24];
unsigned char key[16];
@@ -200,42 +203,42 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
memcpy(key, dc_sess_key, 16);
if (lm_interactive_pwd)
- memcpy(lm_pwd, lm_interactive_pwd, sizeof(lm_pwd));
+ memcpy(lm_pwd.hash, lm_interactive_pwd, sizeof(lm_pwd.hash));
if (nt_interactive_pwd)
- memcpy(nt_pwd, nt_interactive_pwd, sizeof(nt_pwd));
+ memcpy(nt_pwd.hash, nt_interactive_pwd, sizeof(nt_pwd.hash));
#ifdef DEBUG_PASSWORD
DEBUG(100,("key:"));
dump_data(100, key, sizeof(key));
DEBUG(100,("lm owf password:"));
- dump_data(100, lm_pwd, sizeof(lm_pwd));
+ dump_data(100, lm_pwd.hash, sizeof(lm_pwd.hash));
DEBUG(100,("nt owf password:"));
- dump_data(100, nt_pwd, sizeof(nt_pwd));
+ dump_data(100, nt_pwd.hash, sizeof(nt_pwd.hash));
#endif
if (lm_interactive_pwd)
- arcfour_crypt(lm_pwd, key, sizeof(lm_pwd));
+ arcfour_crypt(lm_pwd.hash, key, sizeof(lm_pwd.hash));
if (nt_interactive_pwd)
- arcfour_crypt(nt_pwd, key, sizeof(nt_pwd));
+ arcfour_crypt(nt_pwd.hash, key, sizeof(nt_pwd.hash));
#ifdef DEBUG_PASSWORD
DEBUG(100,("decrypt of lm owf password:"));
- dump_data(100, lm_pwd, sizeof(lm_pwd));
+ dump_data(100, lm_pwd.hash, sizeof(lm_pwd));
DEBUG(100,("decrypt of nt owf password:"));
- dump_data(100, nt_pwd, sizeof(nt_pwd));
+ dump_data(100, nt_pwd.hash, sizeof(nt_pwd));
#endif
if (lm_interactive_pwd)
- SMBOWFencrypt(lm_pwd, chal,
+ SMBOWFencrypt(lm_pwd.hash, chal,
local_lm_response);
if (nt_interactive_pwd)
- SMBOWFencrypt(nt_pwd, chal,
+ SMBOWFencrypt(nt_pwd.hash, chal,
local_nt_response);
/* Password info paranoia */
@@ -247,23 +250,14 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
DATA_BLOB local_lm_blob;
DATA_BLOB local_nt_blob;
- DATA_BLOB lm_interactive_blob;
- DATA_BLOB nt_interactive_blob;
-
if (lm_interactive_pwd) {
local_lm_blob = data_blob(local_lm_response,
sizeof(local_lm_response));
- lm_interactive_blob = data_blob(lm_pwd,
- sizeof(lm_pwd));
- ZERO_STRUCT(lm_pwd);
}
if (nt_interactive_pwd) {
local_nt_blob = data_blob(local_nt_response,
sizeof(local_nt_response));
- nt_interactive_blob = data_blob(nt_pwd,
- sizeof(nt_pwd));
- ZERO_STRUCT(nt_pwd);
}
nt_status = make_user_info_map(
@@ -271,9 +265,9 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
smb_name, client_domain, workstation_name,
lm_interactive_pwd ? &local_lm_blob : NULL,
nt_interactive_pwd ? &local_nt_blob : NULL,
- lm_interactive_pwd ? &lm_interactive_blob : NULL,
- nt_interactive_pwd ? &nt_interactive_blob : NULL,
- NULL, True);
+ lm_interactive_pwd ? &lm_pwd : NULL,
+ nt_interactive_pwd ? &nt_pwd : NULL,
+ NULL, AUTH_PASSWORD_HASH);
if (NT_STATUS_IS_OK(nt_status)) {
(*user_info)->logon_parameters = logon_parameters;
@@ -282,8 +276,6 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
ret = NT_STATUS_IS_OK(nt_status) ? True : False;
data_blob_free(&local_lm_blob);
data_blob_free(&local_nt_blob);
- data_blob_free(&lm_interactive_blob);
- data_blob_free(&nt_interactive_blob);
return ret;
}
}
@@ -303,14 +295,13 @@ bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
DATA_BLOB local_lm_blob;
DATA_BLOB local_nt_blob;
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
-
+ char *plaintext_password_string;
/*
* Not encrypted - do so.
*/
DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted "
"format.\n"));
-
if (plaintext_password.data && plaintext_password.length) {
unsigned char local_lm_response[24];
@@ -333,14 +324,26 @@ bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
local_nt_blob = data_blob_null;
}
+ plaintext_password_string = talloc_strndup(talloc_tos(),
+ (const char *)plaintext_password.data,
+ plaintext_password.length);
+ if (!plaintext_password_string) {
+ return False;
+ }
+
ret = make_user_info_map(
user_info, smb_name, client_domain,
get_remote_machine_name(),
local_lm_blob.data ? &local_lm_blob : NULL,
local_nt_blob.data ? &local_nt_blob : NULL,
NULL, NULL,
- plaintext_password.data && plaintext_password.length ? &plaintext_password : NULL,
- False);
+ plaintext_password_string,
+ AUTH_PASSWORD_PLAIN);
+
+ if (plaintext_password_string) {
+ memset(plaintext_password_string, '\0', strlen(plaintext_password_string));
+ talloc_free(plaintext_password_string);
+ }
data_blob_free(&local_lm_blob);
return NT_STATUS_IS_OK(ret) ? True : False;
@@ -361,7 +364,7 @@ NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info,
lm_resp.data && (lm_resp.length > 0) ? &lm_resp : NULL,
nt_resp.data && (nt_resp.length > 0) ? &nt_resp : NULL,
NULL, NULL, NULL,
- True);
+ AUTH_PASSWORD_RESPONSE);
}
/****************************************************************************
@@ -379,7 +382,7 @@ bool make_user_info_guest(struct auth_usersupplied_info **user_info)
NULL, NULL,
NULL, NULL,
NULL,
- True);
+ AUTH_PASSWORD_RESPONSE);
return NT_STATUS_IS_OK(nt_status) ? True : False;
}
diff --git a/source3/auth/auth_wbc.c b/source3/auth/auth_wbc.c
index 05097ee39f..e4fffc7cf8 100644
--- a/source3/auth/auth_wbc.c
+++ b/source3/auth/auth_wbc.c
@@ -71,13 +71,18 @@ static NTSTATUS check_wbc_security(const struct auth_context *auth_context,
params.parameter_control= user_info->logon_parameters;
/* Handle plaintext */
- if (!user_info->encrypted) {
+ switch (user_info->password_state) {
+ case AUTH_PASSWORD_PLAIN:
+ {
DEBUG(3,("Checking plaintext password for %s.\n",
user_info->mapped.account_name));
params.level = WBC_AUTH_USER_LEVEL_PLAIN;
- params.password.plaintext = (char *)user_info->plaintext_password.data;
- } else {
+ params.password.plaintext = user_info->password.plaintext;
+ }
+ case AUTH_PASSWORD_RESPONSE:
+ case AUTH_PASSWORD_HASH:
+ {
DEBUG(3,("Checking encrypted password for %s.\n",
user_info->mapped.account_name));
params.level = WBC_AUTH_USER_LEVEL_RESPONSE;
@@ -86,12 +91,33 @@ static NTSTATUS check_wbc_security(const struct auth_context *auth_context,
auth_context->challenge.data,
sizeof(params.password.response.challenge));
- params.password.response.nt_length = user_info->nt_resp.length;
- params.password.response.nt_data = user_info->nt_resp.data;
- params.password.response.lm_length = user_info->lm_resp.length;
- params.password.response.lm_data = user_info->lm_resp.data;
+ params.password.response.nt_length = user_info->password.response.nt.length;
+ params.password.response.nt_data = user_info->password.response.nt.data;
+ params.password.response.lm_length = user_info->password.response.lanman.length;
+ params.password.response.lm_data = user_info->password.response.lanman.data;
+ }
+#if 0
+ case AUTH_PASSWORD_HASH:
+ {
+ DEBUG(3,("Checking logon (hash) password for %s.\n",
+ user_info->mapped.account_name));
+ params.level = WBC_AUTH_USER_LEVEL_HASH;
+
+ if (user_info->password.hash.nt) {
+ memcpy(params.password.hash.nt_hash, user_info->password.hash.nt, sizeof(* user_info->password.hash.nt));
+ } else {
+ memset(params.password.hash.nt_hash, '\0', sizeof(params.password.hash.nt_hash));
+ }
+
+ if (user_info->password.hash.lanman) {
+ memcpy(params.password.hash.lm_hash, user_info->password.hash.lanman, sizeof(* user_info->password.hash.lanman));
+ } else {
+ memset(params.password.hash.lm_hash, '\0', sizeof(params.password.hash.lm_hash));
+ }
}
+#endif
+ }
/* we are contacting the privileged pipe */
become_root();
diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c
index f8678d5aed..dcf7e419c1 100644
--- a/source3/auth/auth_winbind.c
+++ b/source3/auth/auth_winbind.c
@@ -72,10 +72,10 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
auth_context->challenge.data,
sizeof(params.password.response.challenge));
- params.password.response.nt_length = user_info->nt_resp.length;
- params.password.response.nt_data = user_info->nt_resp.data;
- params.password.response.lm_length = user_info->lm_resp.length;
- params.password.response.lm_data = user_info->lm_resp.data;
+ params.password.response.nt_length = user_info->password.response.nt.length;
+ params.password.response.nt_data = user_info->password.response.nt.data;
+ params.password.response.lm_length = user_info->password.response.lanman.length;
+ params.password.response.lm_data = user_info->password.response.lanman.data;
/* we are contacting the privileged pipe */
become_root();
diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c
index 5228811422..df5dc31b9c 100644
--- a/source3/auth/check_samsec.c
+++ b/source3/auth/check_samsec.c
@@ -41,11 +41,10 @@ static NTSTATUS sam_password_ok(TALLOC_CTX *mem_ctx,
DATA_BLOB *user_sess_key,
DATA_BLOB *lm_sess_key)
{
- struct samr_Password _lm_hash, _nt_hash, _client_lm_hash, _client_nt_hash;
+ NTSTATUS status;
+ struct samr_Password _lm_hash, _nt_hash;
struct samr_Password *lm_hash = NULL;
struct samr_Password *nt_hash = NULL;
- struct samr_Password *client_lm_hash = NULL;
- struct samr_Password *client_nt_hash = NULL;
*user_sess_key = data_blob_null;
*lm_sess_key = data_blob_null;
@@ -68,36 +67,35 @@ static NTSTATUS sam_password_ok(TALLOC_CTX *mem_ctx,
memcpy(_nt_hash.hash, nt_pw, sizeof(_nt_hash.hash));
nt_hash = &_nt_hash;
}
- if (user_info->lm_interactive_pwd.data && sizeof(_client_lm_hash.hash) == user_info->lm_interactive_pwd.length) {
- memcpy(_client_lm_hash.hash, user_info->lm_interactive_pwd.data, sizeof(_lm_hash.hash));
- client_lm_hash = &_client_lm_hash;
- }
- if (user_info->nt_interactive_pwd.data && sizeof(_client_nt_hash.hash) == user_info->nt_interactive_pwd.length) {
- memcpy(_client_nt_hash.hash, user_info->nt_interactive_pwd.data, sizeof(_nt_hash.hash));
- client_nt_hash = &_client_nt_hash;
- }
-
- if (client_lm_hash || client_nt_hash) {
- if (!nt_pw) {
- return NT_STATUS_WRONG_PASSWORD;
- }
- *user_sess_key = data_blob_talloc(mem_ctx, NULL, 16);
- if (!user_sess_key->data) {
- return NT_STATUS_NO_MEMORY;
+ switch (user_info->password_state) {
+ case AUTH_PASSWORD_HASH:
+ status = hash_password_check(mem_ctx, lp_lanman_auth(),
+ user_info->password.hash.lanman,
+ user_info->password.hash.nt,
+ username,
+ lm_hash,
+ nt_hash);
+ if (NT_STATUS_IS_OK(status)) {
+ if (nt_pw) {
+ *user_sess_key = data_blob_talloc(mem_ctx, NULL, 16);
+ if (!user_sess_key->data) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ SMBsesskeygen_ntv1(nt_pw, user_sess_key->data);
+ }
}
- SMBsesskeygen_ntv1(nt_pw, user_sess_key->data);
- return hash_password_check(mem_ctx, lp_lanman_auth(),
- client_lm_hash,
- client_nt_hash,
- username,
- lm_hash,
- nt_hash);
- } else {
+ return status;
+
+ /* Eventually we should test plaintext passwords in their own
+ * function, not assuming the caller has done a
+ * mapping */
+ case AUTH_PASSWORD_PLAIN:
+ case AUTH_PASSWORD_RESPONSE:
return ntlm_password_check(mem_ctx, lp_lanman_auth(),
lp_ntlm_auth(),
user_info->logon_parameters,
challenge,
- &user_info->lm_resp, &user_info->nt_resp,
+ &user_info->password.response.lanman, &user_info->password.response.nt,
username,
user_info->client.account_name,
user_info->client.domain_name,
@@ -105,6 +103,7 @@ static NTSTATUS sam_password_ok(TALLOC_CTX *mem_ctx,
nt_hash,
user_sess_key, lm_sess_key);
}
+ return NT_STATUS_INVALID_PARAMETER;
}
/****************************************************************************
diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c
index 813540d9fa..d1b720c922 100644
--- a/source3/auth/pass_check.c
+++ b/source3/auth/pass_check.c
@@ -648,7 +648,7 @@ return NT_STATUS_OK on correct match, appropriate error otherwise
****************************************************************************/
NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *password,
- int pwlen, bool (*fn) (const char *, const char *), bool run_cracker)
+ bool (*fn) (const char *, const char *), bool run_cracker)
{
char *pass2 = NULL;
int level = lp_passwordlevel();
@@ -662,7 +662,7 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas
if (!password)
return NT_STATUS_LOGON_FAILURE;
- if (((!*password) || (!pwlen)) && !lp_null_passwords())
+ if ((!*password) && !lp_null_passwords())
return NT_STATUS_LOGON_FAILURE;
#if defined(WITH_PAM)
@@ -676,11 +676,11 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas
return NT_STATUS_NO_MEMORY;
}
- DEBUG(4, ("pass_check: Checking (PAM) password for user %s (l=%d)\n", user, pwlen));
+ DEBUG(4, ("pass_check: Checking (PAM) password for user %s\n", user));
#else /* Not using PAM */
- DEBUG(4, ("pass_check: Checking password for user %s (l=%d)\n", user, pwlen));
+ DEBUG(4, ("pass_check: Checking password for user %s\n", user));
if (!pass) {
DEBUG(3, ("Couldn't find user %s\n", user));
diff --git a/source3/auth/user_info.c b/source3/auth/user_info.c
index ea0073ad0c..55a6f96e40 100644
--- a/source3/auth/user_info.c
+++ b/source3/auth/user_info.c
@@ -34,10 +34,10 @@ NTSTATUS make_user_info(struct auth_usersupplied_info **user_info,
const char *workstation_name,
const DATA_BLOB *lm_pwd,
const DATA_BLOB *nt_pwd,
- const DATA_BLOB *lm_interactive_pwd,
- const DATA_BLOB *nt_interactive_pwd,
- const DATA_BLOB *plaintext,
- bool encrypted)
+ const struct samr_Password *lm_interactive_pwd,
+ const struct samr_Password *nt_interactive_pwd,
+ const char *plaintext_password,
+ enum auth_password_state password_state)
{
DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name));
@@ -85,22 +85,27 @@ NTSTATUS make_user_info(struct auth_usersupplied_info **user_info,
DEBUG(5,("making blobs for %s's user_info struct\n", internal_username));
if (lm_pwd)
- (*user_info)->lm_resp = data_blob(lm_pwd->data, lm_pwd->length);
+ (*user_info)->password.response.lanman = data_blob(lm_pwd->data, lm_pwd->length);
if (nt_pwd)
- (*user_info)->nt_resp = data_blob(nt_pwd->data, nt_pwd->length);
- if (lm_interactive_pwd)
- (*user_info)->lm_interactive_pwd = data_blob(lm_interactive_pwd->data, lm_interactive_pwd->length);
- if (nt_interactive_pwd)
- (*user_info)->nt_interactive_pwd = data_blob(nt_interactive_pwd->data, nt_interactive_pwd->length);
+ (*user_info)->password.response.nt = data_blob(nt_pwd->data, nt_pwd->length);
+ if (lm_interactive_pwd) {
+ (*user_info)->password.hash.lanman = SMB_MALLOC_P(struct samr_Password);
+ memcpy((*user_info)->password.hash.lanman->hash, lm_interactive_pwd->hash, sizeof((*user_info)->password.hash.lanman->hash));
+ }
+
+ if (nt_interactive_pwd) {
+ (*user_info)->password.hash.nt = SMB_MALLOC_P(struct samr_Password);
+ memcpy((*user_info)->password.hash.nt->hash, nt_interactive_pwd->hash, sizeof((*user_info)->password.hash.nt->hash));
+ }
- if (plaintext)
- (*user_info)->plaintext_password = data_blob(plaintext->data, plaintext->length);
+ if (plaintext_password)
+ (*user_info)->password.plaintext = SMB_STRDUP(plaintext_password);
- (*user_info)->encrypted = encrypted;
+ (*user_info)->password_state = password_state;
(*user_info)->logon_parameters = 0;
- DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name));
+ DEBUG(10,("made a user_info for %s (%s)\n", internal_username, smb_name));
return NT_STATUS_OK;
}
@@ -122,11 +127,20 @@ void free_user_info(struct auth_usersupplied_info **user_info)
SAFE_FREE((*user_info)->client.domain_name);
SAFE_FREE((*user_info)->mapped.domain_name);
SAFE_FREE((*user_info)->workstation_name);
- data_blob_free(&(*user_info)->lm_resp);
- data_blob_free(&(*user_info)->nt_resp);
- data_blob_clear_free(&(*user_info)->lm_interactive_pwd);
- data_blob_clear_free(&(*user_info)->nt_interactive_pwd);
- data_blob_clear_free(&(*user_info)->plaintext_password);
+ data_blob_free(&(*user_info)->password.response.lanman);
+ data_blob_free(&(*user_info)->password.response.nt);
+ if ((*user_info)->password.hash.lanman) {
+ ZERO_STRUCTP((*user_info)->password.hash.lanman);
+ SAFE_FREE((*user_info)->password.hash.lanman);
+ }
+ if ((*user_info)->password.hash.nt) {
+ ZERO_STRUCTP((*user_info)->password.hash.nt);
+ SAFE_FREE((*user_info)->password.hash.nt);
+ }
+ if ((*user_info)->password.plaintext) {
+ memset((*user_info)->password.plaintext, '\0', strlen(((*user_info)->password.plaintext)));
+ SAFE_FREE((*user_info)->password.plaintext);
+ }
ZERO_STRUCT(**user_info);
}
SAFE_FREE(*user_info);
diff --git a/source3/include/auth.h b/source3/include/auth.h
index b7089b8c0a..659c6be103 100644
--- a/source3/include/auth.h
+++ b/source3/include/auth.h
@@ -19,27 +19,7 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-struct auth_usersupplied_info {
- DATA_BLOB lm_resp;
- DATA_BLOB nt_resp;
- DATA_BLOB lm_interactive_pwd;
- DATA_BLOB nt_interactive_pwd;
- DATA_BLOB plaintext_password;
-
- bool encrypted;
- struct {
- char *account_name; /* username before/after mapping */
- char *domain_name; /* username before/after mapping */
- } client, mapped;
-
- bool was_mapped; /* Did the username map actually match? */
- char *internal_username; /* username after mapping */
- const char *workstation_name; /* workstation name (netbios calling
- * name) unicode string */
-
- uint32 logon_parameters;
-
-};
+#include "../auth/common_auth.h"
struct extra_auth_info {
struct dom_sid user_sid;
@@ -155,6 +135,7 @@ struct auth_init_function_entry {
struct auth_ntlmssp_state;
/* Changed from 1 -> 2 to add the logon_parameters field. */
-#define AUTH_INTERFACE_VERSION 2
+/* Changed from 2 -> 3 when we reworked many auth structures to use IDL or be in common with Samba4 */
+#define AUTH_INTERFACE_VERSION 3
#endif /* _SMBAUTH_H_ */
diff --git a/source3/include/proto.h b/source3/include/proto.h
index bc55eaff07..02faf880ec 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -79,13 +79,15 @@ NTSTATUS auth_unix_init(void);
/* The following definitions come from auth/auth_util.c */
NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info,
- const char *smb_name,
- const char *client_domain,
+ const char *smb_name,
+ const char *client_domain,
const char *workstation_name,
- DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd,
- DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd,
- DATA_BLOB *plaintext,
- bool encrypted);
+ DATA_BLOB *lm_pwd,
+ DATA_BLOB *nt_pwd,
+ const struct samr_Password *lm_interactive_pwd,
+ const struct samr_Password *nt_interactive_pwd,
+ const char *plaintext,
+ enum auth_password_state password_state);
bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info,
const char *smb_name,
const char *client_domain,
@@ -160,7 +162,7 @@ bool is_trusted_domain(const char* dom_name);
/* The following definitions come from auth/user_info.c */
-NTSTATUS make_user_info(struct auth_usersupplied_info **user_info,
+NTSTATUS make_user_info(struct auth_usersupplied_info **ret_user_info,
const char *smb_name,
const char *internal_username,
const char *client_domain,
@@ -168,10 +170,10 @@ NTSTATUS make_user_info(struct auth_usersupplied_info **user_info,
const char *workstation_name,
const DATA_BLOB *lm_pwd,
const DATA_BLOB *nt_pwd,
- const DATA_BLOB *lm_interactive_pwd,
- const DATA_BLOB *nt_interactive_pwd,
- const DATA_BLOB *plaintext,
- bool encrypted);
+ const struct samr_Password *lm_interactive_pwd,
+ const struct samr_Password *nt_interactive_pwd,
+ const char *plaintext_password,
+ enum auth_password_state password_state);
void free_user_info(struct auth_usersupplied_info **user_info);
/* The following definitions come from auth/auth_winbind.c */
@@ -226,7 +228,7 @@ bool smb_pam_close_session(char *in_user, char *tty, char *rhost);
void dfs_unlogin(void);
NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *password,
- int pwlen, bool (*fn) (const char *, const char *), bool run_cracker);
+ bool (*fn) (const char *, const char *), bool run_cracker);
/* The following definitions come from auth/token_util.c */
diff --git a/source3/web/cgi.c b/source3/web/cgi.c
index c81ef87e1a..0c1c80e724 100644
--- a/source3/web/cgi.c
+++ b/source3/web/cgi.c
@@ -374,7 +374,7 @@ static bool cgi_handle_authorization(char *line)
*/
if NT_STATUS_IS_OK(pass_check(pass, user, user_pass,
- strlen(user_pass), NULL, False)) {
+ NULL, False)) {
if (pass) {
/*
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 70adc29b1e..e2c1d0d1b9 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1139,7 +1139,7 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
status = make_user_info(&user_info, user, user, domain, domain,
global_myname(), lm_resp, nt_resp, NULL, NULL,
- NULL, True);
+ NULL, AUTH_PASSWORD_RESPONSE);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("make_user_info failed: %s\n", nt_errstr(status)));
return status;