From 9bc442abeb62c0a9985b43cf8475027ced7ec777 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Sun, 5 Jan 2003 07:32:08 +0000
Subject: Clear up the auth_sam password checking code (the core of our password checking routines).

In particular, we now better support the NT# in LM feild, and the LMv2 password scheme. (LMv2 is basicly NTLMv2 capped at 24 bytes, slightly more secure, and in the LM feild for compatiblity). Thanks to the Samba-TNG team and Luke Leighton for various descriptions of this algorithm, and to MS for a solution that seems to actually make sense for once :-).

Andrew Bartlett
(This used to be commit 5c2e34b5b6a2241b8d2fd68458eb73bb65ade6fd)
---
 source3/auth/auth_sam.c | 91 +++++++++++++++++++++++++++++++------------------
 1 file changed, 58 insertions(+), 33 deletions(-)
(limited to 'source3/auth')
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index 02f8511d6a..79fded870e 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -73,8 +73,11 @@ static BOOL smb_pwd_check_ntlmv1(DATA_BLOB nt_response,
 	return (memcmp(p24, nt_response.data, 24) == 0);
 }
 
+
 /****************************************************************************
-core of smb password checking routine.
+core of smb password checking routine. (NTLMv2, LMv2)
+
+Note: The same code works with both NTLMv2 and LMv2.
 ****************************************************************************/
 static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB ntv2_response,
 				 const uchar *part_passwd,
@@ -104,6 +107,11 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB ntv2_response,
 	}
 
 	client_key_data = data_blob(ntv2_response.data+16, ntv2_response.length-16);
+	/*
+	   todo: should we be checking this for anything? We can't for LMv2,
+	   but for NTLMv2 it is meant to contain the current time etc.
+	*/
+
 	memcpy(client_response, ntv2_response.data, sizeof(client_response));
 
 	if (!ntv2_owf_gen(part_passwd, user, domain, kr)) {
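Review bot: The new comment in smb_pwd_check_ntlmv2 records a question where the next maintainer needs the answer: nothing in client_key_data is inspected before it is fed to the hash, so a response's freshness rests entirely on the server challenge being unique per authentication, not on the client-supplied time the comment mentions. I would state that as the accepted property rather than a todo, e.g. `/* client_key_data is hashed but never inspected: for NTLMv2 it carries the client's time and related data, for LMv2 only the 8 bytes after the HMAC; freshness relies on the server challenge alone */`. The `ntv2_response.length-16` on the same line also depends on a length check before this hunk (not visible here) having rejected blobs shorter than 16 bytes, which the comment could say explicitly. smb_pwd_check_ntlmv2 starts before this hunk and continues after it.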
@@ -206,54 +214,71 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
 			}
 		} else {
 			DEBUG(2,("sam_password_ok: NTLMv1 passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass)));
-			/* No return, we want to check the LM hash below in this case */
+			/* no return, becouse we might pick up LMv2 in the LM feild */
 		}
 	}
 
-	if (IS_SAM_DEFAULT(sampass, PDB_LMPASSWD)) {
-		DEBUG(3,("sam_password_ok: NO LanMan password set for user %s (and no NT password supplied)\n",pdb_get_username(sampass)));
-		auth_flags &= (~AUTH_FLAG_LM_RESP);
-	}
-
 	if (auth_flags & AUTH_FLAG_LM_RESP) {
-		lm_pw = pdb_get_lanman_passwd(sampass);
-
 		if (user_info->lm_resp.length != 24) {
 			DEBUG(2,("sam_password_ok: invalid LanMan password length (%d) for user %s\n", user_info->nt_resp.length, pdb_get_username(sampass)));
 		}
 
 		if (!lp_lanman_auth()) {
-			DEBUG(3,("sam_password_ok: Lanman passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass)));
-			return NT_STATUS_LOGON_FAILURE;
+			DEBUG(3,("sam_password_ok: Lanman passwords NOT PERMITTED for user %s\n",pdb_get_username(sampass)));
+		} else if (IS_SAM_DEFAULT(sampass, PDB_LMPASSWD)) {
+			DEBUG(3,("sam_password_ok: NO LanMan password set for user %s (and no NT password supplied)\n",pdb_get_username(sampass)));
+		} else {
+			lm_pw = pdb_get_lanman_passwd(sampass);
+
+			DEBUG(4,("sam_password_ok: Checking LM password\n"));
+			if (smb_pwd_check_ntlmv1(user_info->lm_resp,
+						 lm_pw, auth_context->challenge,
+						 user_sess_key))
+			{
+				return NT_STATUS_OK;
+			}
 		}
+
+		if (IS_SAM_DEFAULT(sampass, PDB_NTPASSWD)) {
+			DEBUG(4,("sam_password_ok: LM password check failed for user, no NT password %s\n",pdb_get_username(sampass)));
+			return NT_STATUS_WRONG_PASSWORD;
+		}
 
-		DEBUG(4,("sam_password_ok: Checking LM password\n"));
-		if (smb_pwd_check_ntlmv1(user_info->lm_resp,
-					 lm_pw, auth_context->challenge,
-					 user_sess_key))
+		nt_pw = pdb_get_nt_passwd(sampass);
+
+		/* This is for 'LMv2' authentication. almost NTLMv2 but limited to 24 bytes.
+		   - related to Win9X, legacy NAS pass-though authentication
+		*/
+		DEBUG(4,("sam_password_ok: Checking LMv2 password\n"));
+		if (smb_pwd_check_ntlmv2( user_info->lm_resp,
+					  nt_pw, auth_context->challenge,
+					  user_info->smb_name.str,
+					  user_info->client_domain.str,
+					  user_sess_key))
 		{
 			return NT_STATUS_OK;
-		} else {
-			if (lp_ntlm_auth() && (!IS_SAM_DEFAULT(sampass, PDB_NTPASSWD))) {
-				nt_pw = pdb_get_nt_passwd(sampass);
-				/* Apparently NT accepts NT responses in the LM field
-				   - I think this is related to Win9X pass-though authentication
-				*/
-				DEBUG(4,("sam_password_ok: Checking NT MD4 password in LM field\n"));
-				if (smb_pwd_check_ntlmv1(user_info->lm_resp,
-							 nt_pw, auth_context->challenge,
-							 user_sess_key))
-				{
-					return NT_STATUS_OK;
-				} else {
-					DEBUG(3,("sam_password_ok: NT MD4 password in LM field failed for user %s\n",pdb_get_username(sampass)));
-					return NT_STATUS_WRONG_PASSWORD;
-				}
+		}
+
+		/* Apparently NT accepts NT responses in the LM field
+		   - I think this is related to Win9X pass-though authentication
+		*/
+		DEBUG(4,("sam_password_ok: Checking NT MD4 password in LM field\n"));
+		if (lp_ntlm_auth())
+		{
+			if (smb_pwd_check_ntlmv1(user_info->lm_resp,
+						 nt_pw, auth_context->challenge,
+						 user_sess_key))
+			{
+				return NT_STATUS_OK;
 			}
-			DEBUG(4,("sam_password_ok: LM password check failed for user %s\n",pdb_get_username(sampass)));
+			DEBUG(3,("sam_password_ok: LM password, NT MD4 password in LM field and LMv2 failed for user %s\n",pdb_get_username(sampass)));
 			return NT_STATUS_WRONG_PASSWORD;
-		}
+		} else {
+			DEBUG(3,("sam_password_ok: LM password and LMv2 failed for user %s, and NT MD4 password in LM field not permitted\n",pdb_get_username(sampass)));
+			return NT_STATUS_WRONG_PASSWORD;
+		}
+
 	}
 
 	/* Should not be reached, but if they send nothing... */
-- 
cgit
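Review bot: The `user_info->lm_resp.length != 24` check at the top of the rebuilt LM branch still only logs, yet every algorithm the branch now tries (LM, LMv2, NT MD4 in the LM field) is keyed on a 24-byte response and smb_pwd_check_ntlmv1 ends in a fixed 24-byte memcmp (first hunk), so unless it bound-checks earlier, outside what is shown, a shorter blob is read past its end. I would make the check reject and log the right field while at it: `DEBUG(2,("sam_password_ok: invalid LanMan password length (%d) for user %s\n", user_info->lm_resp.length, pdb_get_username(sampass)));` followed by `return NT_STATUS_WRONG_PASSWORD;`. The new message `"LM password check failed for user, no NT password %s\n"` places the username after "no NT password"; `"LM password check failed for user %s, no NT password\n"` reads correctly in the log. The branch also no longer returns NT_STATUS_LOGON_FAILURE when lanman auth is disabled but falls through to the NT-hash based checks, which matches the commit message but deserves a one-line comment at the `if (!lp_lanman_auth())` arm so the fall-through is not mistaken for an omission. sam_password_ok begins before this hunk and continues past it.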