diff options
Diffstat (limited to 'source4/auth/ntlm_check.c')
-rw-r--r-- | source4/auth/ntlm_check.c | 27 |
1 files changed, 24 insertions, 3 deletions
diff --git a/source4/auth/ntlm_check.c b/source4/auth/ntlm_check.c index 0856b82856..fc2a45efad 100644 --- a/source4/auth/ntlm_check.c +++ b/source4/auth/ntlm_check.c @@ -245,6 +245,9 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx, username)); return NT_STATUS_WRONG_PASSWORD; } + if (strchr_m(username, '@')) { + return NT_STATUS_NOT_FOUND; + } if (memcmp(client_lanman->hash, stored_lanman->hash, sizeof(stored_lanman->hash)) == 0) { return NT_STATUS_OK; @@ -254,6 +257,9 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx, return NT_STATUS_WRONG_PASSWORD; } } + if (strchr_m(username, '@')) { + return NT_STATUS_NOT_FOUND; + } return NT_STATUS_WRONG_PASSWORD; } @@ -304,20 +310,27 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, && (memcmp(challenge->data, zeros, challenge->length) == 0 )) { struct samr_Password client_nt; struct samr_Password client_lm; - uint8_t dospwd[14]; + uint8_t dospwd[15]; + char *unix_pw; DEBUG(4,("ntlm_password_check: checking plaintext passwords for user %s\n", username)); mdfour(client_nt.hash, nt_response->data, nt_response->length); ZERO_STRUCT(dospwd); - memcpy(dospwd, lm_response->data, MIN(lm_response->length, sizeof(dospwd))); + convert_string_talloc(mem_ctx, CH_DOS, CH_UNIX, + lm_response->data, lm_response->length, + (void **)&unix_pw); + /* Only the fisrt 14 chars are considered, password need not be null terminated. */ + push_ascii(dospwd, unix_pw, sizeof(dospwd), STR_UPPER); /* we *might* need to upper-case the string here */ E_P16((const uint8_t *)dospwd, client_lm.hash); - return hash_password_check(mem_ctx, &client_lm, &client_nt, + return hash_password_check(mem_ctx, + lm_response->length ? &client_lm : NULL, + nt_response->length ? &client_nt : NULL, username, stored_lanman, stored_nt); } @@ -424,6 +437,9 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, } else if (!stored_lanman) { DEBUG(3,("ntlm_password_check: NO LanMan password set for user %s (and no NT password supplied)\n", username)); + } else if (strchr_m(username, '@')) { + DEBUG(3,("ntlm_password_check: NO LanMan password allowed for username@realm logins (user: %s)\n", + username)); } else { DEBUG(4,("ntlm_password_check: Checking LM password\n")); if (smb_pwd_check_ntlmv1(mem_ctx, @@ -572,6 +588,11 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, } else { DEBUG(3,("ntlm_password_check: LM password and LMv2 failed for user %s, and NT MD4 password in LM field not permitted\n",username)); } + + /* Try and match error codes */ + if (strchr_m(username, '@')) { + return NT_STATUS_NOT_FOUND; + } return NT_STATUS_WRONG_PASSWORD; } |