From b7868582413a346a71997b23587450588d59b9d0 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Sun, 16 Feb 2003 22:10:48 +0000
Subject: Add the 'session key' output of the NTLMSSP exchange to the cli struct, so it can be used for 'net rpc join'. Also fix a bug in our server-side NTLMSSP code - a client without any domain trust links to us may calculate the NTLMv2 response with "" as the domain. Andrew Bartlett (This used to be commit ddaa42423bc952e59b95362f5f5aa7cca10d1ad4)
---
 source3/auth/auth_ntlmssp.c | 2 +-
 source3/auth/auth_sam.c | 24 ++++++++++++++++++++++--
 source3/include/client.h | 4 ++++
 source3/libsmb/cliconnect.c | 11 +++++++++++
 source3/utils/net_rpc_join.c | 8 +-------
 5 files changed, 39 insertions(+), 10 deletions(-)
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index 43542b2474..d32d248296 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -131,7 +131,7 @@ NTSTATUS auth_ntlmssp_end(AUTH_NTLMSSP_STATE **auth_ntlmssp_state)
 }
 NTSTATUS auth_ntlmssp_update(AUTH_NTLMSSP_STATE *auth_ntlmssp_state,
- DATA_BLOB request, DATA_BLOB *reply)
+ const DATA_BLOB request, DATA_BLOB *reply)
 {
 return ntlmssp_server_update(auth_ntlmssp_state->ntlmssp_state, request, reply);
 }
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index 06e27f1d48..48fabba0a2 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -184,7 +184,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
 /* We have the NT MD4 hash challenge available - see if we can use it (ie. does it exist in the smbpasswd file). */
- DEBUG(4,("sam_password_ok: Checking NTLMv2 password\n"));
+ DEBUG(4,("sam_password_ok: Checking NTLMv2 password with domain [%s]\n", user_info->client_domain.str));
 if (smb_pwd_check_ntlmv2( user_info->nt_resp,
 nt_pw, auth_context->challenge,
 user_info->smb_name.str,
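Review bot: The new DEBUG line hands `user_info->client_domain.str` straight to `%s`; if that pointer can be NULL for a client that sent no domain at all (the very case the commit message describes), the format call is undefined behaviour, so either guard it, `user_info->client_domain.str ? user_info->client_domain.str : ""`, or confirm that the str member is always populated before this point. The LMv2 counterpart at @@ -250 has the same exposure and additionally drops the square brackets, so an empty domain leaves no visible trace in that message; using `[%s]` in both keeps the two log lines consistent and makes the empty-domain case diagnosable. sam_password_ok begins before this hunk.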
@@ -192,6 +192,16 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
 user_sess_key))
 {
 return NT_STATUS_OK;
+ }
+
+ DEBUG(4,("sam_password_ok: Checking NTLMv2 password without a domain\n"));
+ if (smb_pwd_check_ntlmv2( user_info->nt_resp,
+ nt_pw, auth_context->challenge,
+ user_info->smb_name.str,
+ "",
+ user_sess_key))
+ {
+ return NT_STATUS_OK;
 } else {
 DEBUG(3,("sam_password_ok: NTLMv2 password check failed\n"));
 return NT_STATUS_WRONG_PASSWORD;
@@ -250,7 +260,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
 /* This is for 'LMv2' authentication. almost NTLMv2 but limited to 24 bytes. - related to Win9X, legacy NAS pass-though authentication */
- DEBUG(4,("sam_password_ok: Checking LMv2 password\n"));
+ DEBUG(4,("sam_password_ok: Checking LMv2 password with domain %s\n", user_info->client_domain.str));
 if (smb_pwd_check_ntlmv2( user_info->lm_resp,
 nt_pw, auth_context->challenge,
 user_info->smb_name.str,
@@ -260,6 +270,16 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
 return NT_STATUS_OK;
 }
+ DEBUG(4,("sam_password_ok: Checking LMv2 password without a domain\n"));
+ if (smb_pwd_check_ntlmv2( user_info->lm_resp,
+ nt_pw, auth_context->challenge,
+ user_info->smb_name.str,
+ "",
+ user_sess_key))
+ {
+ return NT_STATUS_OK;
+ }
+
 /* Apparently NT accepts NT responses in the LM field - I think this is related to Win9X pass-though authentication */
diff --git a/source3/include/client.h b/source3/include/client.h
index ddb1772c26..73e29a1fff 100644
--- a/source3/include/client.h
+++ b/source3/include/client.h
@@ -122,6 +122,10 @@ struct cli_state {
 smb_sign_info sign_info;
+ /* the session key for this CLI, outside
+ any per-pipe authenticaion */
+ unsigned char user_session_key[16];
+
 /*
 * Only used in NT domain calls.
 */
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 2b0b9abc9d..487b184dd6 100644
--- a/source3/libsmb/cliconnect.c
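Review bot: The empty-domain retry runs for every client whose domain-qualified check failed, not only for one without a trust link, and nothing in the code says why it exists; a comment above the second check is needed, e.g. `/* A client with no trust link to this server may have computed the NTLMv2 response with an empty domain name; retry with "" before failing. */`. NTLMv2 binds the response to the domain string the client used, so this deliberately makes two distinct responses valid for one challenge, and that intent should be stated so a later reader does not "simplify" it away. When the client already sent an empty domain the second call repeats the first one byte for byte, so guarding the retry on the domain being non-empty avoids a pointless second HMAC on every failed logon. The LMv2 fallback at @@ -260 is a copy of the same seven-line call with lm_resp in place of nt_resp; a small static helper taking the response blob would remove the duplication. sam_password_ok starts before this hunk and continues after it.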
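Review bot: The comment on the new `user_session_key` field has a typo (`authenticaion`) and does not say who fills it or what it holds before a session setup has completed; suggest `/* the session key for this CLI, outside any per-pipe authentication; set by set_cli_session_key() in cliconnect.c once a session setup succeeds */`. The field holds key material for the whole lifetime of the cli_state, so whatever tears the struct down should clear it before freeing unless that already happens — not visible from this hunk. Whether the buffer starts zeroed depends on how cli_state is allocated, which is also outside the hunk; a reader of the field before any session setup otherwise gets indeterminate bytes.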
+++ b/source3/libsmb/cliconnect.c
@@ -248,6 +248,12 @@ static void set_signing_on_cli (struct cli_state *cli, uint8 user_session_key[16
 }
 }
+static void set_cli_session_key (struct cli_state *cli, DATA_BLOB session_key)
+{
+ memcpy(cli->user_session_key, session_key.data, MIN(session_key.length, sizeof(cli->user_session_key)));
+}
+
+
 static void set_temp_signing_on_cli(struct cli_state *cli)
 {
 if (cli->sign_info.negotiated_smb_signing)
@@ -367,6 +373,7 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user,
 if (session_key.data) {
 /* Have plaintext orginal */
+ set_cli_session_key(cli, session_key);
 set_signing_on_cli(cli, session_key.data, nt_response);
 }
@@ -559,6 +566,10 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user,
 turn++;
 } while (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED));
+ if (NT_STATUS_IS_OK(nt_status)) {
+ set_cli_session_key(cli, ntlmssp_state->session_key);
+ }
+
 if (!NT_STATUS_IS_OK(ntlmssp_client_end(&ntlmssp_state))) {
 return False;
 }
diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
index 1b711f7b43..b0eb335986 100644
--- a/source3/utils/net_rpc_join.c
+++ b/source3/utils/net_rpc_join.c
@@ -264,14 +264,8 @@ int net_rpc_join_newstyle(int argc, const char **argv)
 ctr.switch_value = 24;
 ctr.info.id24 = &p24;
- /* I don't think this is quite the right place for this
- calculation. It should be moved somewhere where the credentials
- are calculated. )-: */
-
- mdfour(sess_key, cli->pwd.smb_nt_pwd, 16);
-
 CHECK_RPC_ERR(cli_samr_set_userinfo(cli, mem_ctx, &user_pol, 24,
- sess_key, &ctr),
+ cli->user_session_key, &ctr),
 "error setting trust account password");
 /* Why do we have to try to (re-)set the ACB to be the same as what
-- cgit
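Review bot: set_cli_session_key copies only `MIN(session_key.length, sizeof(cli->user_session_key))` bytes, so a blob shorter than 16 bytes leaves the tail of the field with whatever was there before — a stale key from an earlier session setup on the same cli_state, or never-initialised memory. Zero the destination first, `memset(cli->user_session_key, 0, sizeof(cli->user_session_key));` ahead of the memcpy, so the stored key is well-defined for every blob length. A zero-length blob whose `data` is NULL would also reach memcpy; an early `if (!session_key.data) return;` placed after the memset keeps a null pointer out of that call. A one-line comment saying the key is truncated or zero-padded to the field size would also help the callers at @@ -367 and @@ -559.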
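Review bot: The NT1 path at @@ -367 stores the session key inside `if (session_key.data)` with no check that the session setup was accepted, whereas the NTLMSSP path at @@ -559 stores it only under NT_STATUS_IS_OK; if this block can be reached after a failed setup (cli_session_setup_nt1 starts before the hunk, so the control flow leading here is not visible), the cli_state would carry a key for a session that never came up. Either gate the call the same way as the NTLMSSP path or add a comment stating that this point is only reached once the server's reply has been validated, so the asymmetry is clearly deliberate.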
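Review bot: The trust-account password is now encrypted with `cli->user_session_key`, which is filled only when one of the two session-setup paths changed in cliconnect.c ran and succeeded; a cli that was connected through any other path (an anonymous or guest setup, or a setup that yielded no session key) would use whatever the field happens to contain — presumably all zeros — and the SAMR call would then silently set the machine password under a predictable key, whereas the removed mdfour of the NT hash was always derived from real credentials. Add a check before the call that the key was established, or at minimum a comment above it stating that net_rpc_join_newstyle requires an authenticated session setup to have stored a session key. The removed mdfour call was the only use of `sess_key` visible here; its declaration sits outside the hunk and should go too, or the build will warn about an unused variable.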