From 152988a828ee958b9452474885460e9e46f65e79 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 28 Oct 2005 08:54:37 +0000
Subject: r11366: Pass around the flags which indicate if we should support
 plaintext logins and NTLM machine account logins.

Andrew Bartlett
(This used to be commit 421e64c2b4192bb13d2857d6c8648ff687ed653e)
---
 source4/auth/auth.h                           |  2 ++
 source4/auth/auth_sam.c                       | 29 +++++++++++++++++----------
 source4/auth/ntlm_check.c                     |  7 +++++--
 source4/auth/ntlmssp/ntlmssp_server.c         |  1 +
 source4/rpc_server/netlogon/dcerpc_netlogon.c |  8 +++++---
 5 files changed, 31 insertions(+), 16 deletions(-)

(limited to 'source4')

diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 392703729f..55168a5beb 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -51,6 +51,8 @@ struct auth_usersupplied_info
 	const char *workstation_name;
 	const char *remote_host;
 
+	uint32_t logon_parameters;
+
 	BOOL mapped_state;
 	/* the values the client gives us */
 	struct {
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c
index 7449e6cd25..e17eea8087 100644
--- a/source4/auth/auth_sam.c
+++ b/source4/auth/auth_sam.c
@@ -105,7 +105,8 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context,
 		break;
 		
 	case AUTH_PASSWORD_RESPONSE:
-		status = ntlm_password_check(mem_ctx, &auth_context->challenge.data, 
+		status = ntlm_password_check(mem_ctx, user_info->logon_parameters, 
+					     &auth_context->challenge.data, 
 					     &user_info->password.response.lanman, 
 					     &user_info->password.response.nt,
 					     user_info->mapped.account_name,
@@ -133,6 +134,7 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context,
  (ie not disabled, expired and the like).
 ****************************************************************************/
 static NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
+				   uint32_t logon_parameters,
 				   uint16_t acct_flags,
 				   NTTIME acct_expiry,
 				   NTTIME must_change_time,
@@ -204,20 +206,23 @@ static NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 			return NT_STATUS_INVALID_WORKSTATION;
 		}
 	}
-
+	
 	if (acct_flags & ACB_DOMTRUST) {
 		DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", user_info->mapped.account_name));
 		return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
 	}
-
-	if (acct_flags & ACB_SVRTRUST) {
-		DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", user_info->mapped.account_name));
-		return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
+	
+	if (!(logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) {
+		if (acct_flags & ACB_SVRTRUST) {
+			DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", user_info->mapped.account_name));
+			return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
+		}
 	}
-
-	if (acct_flags & ACB_WSTRUST) {
-		DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", user_info->mapped.account_name));
-		return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
+	if (!(logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)) {
+		if (acct_flags & ACB_WSTRUST) {
+			DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", user_info->mapped.account_name));
+			return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
+		}
 	}
 
 	return NT_STATUS_OK;
@@ -381,7 +386,9 @@ static NTSTATUS authsam_authenticate(struct auth_context *auth_context,
 
 	workstation_list = samdb_result_string(msgs[0], "userWorkstations", NULL);
 
-	nt_status = authsam_account_ok(mem_ctx, acct_flags, 
+	nt_status = authsam_account_ok(mem_ctx, 
+				       user_info->logon_parameters,
+				       acct_flags, 
 				       acct_expiry, 
 				       must_change_time, 
 				       last_set_time, 
diff --git a/source4/auth/ntlm_check.c b/source4/auth/ntlm_check.c
index d033dfeb79..0856b82856 100644
--- a/source4/auth/ntlm_check.c
+++ b/source4/auth/ntlm_check.c
@@ -23,6 +23,7 @@
 #include "includes.h"
 #include "lib/crypto/crypto.h"
 #include "librpc/gen_ndr/ndr_samr.h"
+#include "librpc/gen_ndr/ndr_netlogon.h"
 
 /****************************************************************************
  Core of smb password checking routine.
@@ -274,6 +275,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
  */
 
 NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
+			     uint32_t logon_parameters,
 			     const DATA_BLOB *challenge,
 			     const DATA_BLOB *lm_response,
 			     const DATA_BLOB *nt_response,
@@ -297,8 +299,9 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 	*user_sess_key = data_blob(NULL, 0);
 
 	/* Check for cleartext netlogon. Used by Exchange 5.5. */
-	if (challenge->length == sizeof(zeros) && 
-	    (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
+	if ((logon_parameters & MSV1_0_CLEARTEXT_PASSWORD_ALLOWED)
+	    && challenge->length == sizeof(zeros) 
+	    && (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
 		struct samr_Password client_nt;
 		struct samr_Password client_lm;
 		uint8_t dospwd[14]; 
diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c
index 53c53d3cb9..ec3c9ba188 100644
--- a/source4/auth/ntlmssp/ntlmssp_server.c
+++ b/source4/auth/ntlmssp/ntlmssp_server.c
@@ -689,6 +689,7 @@ static NTSTATUS auth_ntlmssp_check_password(struct gensec_ntlmssp_state *gensec_
 		return NT_STATUS_NO_MEMORY;
 	}
 
+	user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
 	user_info->flags = 0;
 	user_info->mapped_state = False;
 	user_info->client.account_name = gensec_ntlmssp_state->user;
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 200cfd79db..6366a58f4a 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -400,9 +400,10 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_
 						dce_call->event_ctx);
 		NT_STATUS_NOT_OK_RETURN(nt_status);
 
-		user_info->client.account_name = r->in.logon.network->identity_info.account_name.string;
-		user_info->client.domain_name = r->in.logon.network->identity_info.domain_name.string;
-		user_info->workstation_name = r->in.logon.network->identity_info.workstation.string;
+		user_info->logon_parameters = r->in.logon.password->identity_info.parameter_control;
+		user_info->client.account_name = r->in.logon.password->identity_info.account_name.string;
+		user_info->client.domain_name = r->in.logon.password->identity_info.domain_name.string;
+		user_info->workstation_name = r->in.logon.password->identity_info.workstation.string;
 		
 		user_info->password_state = AUTH_PASSWORD_HASH;
 		user_info->password.hash.lanman = talloc(user_info, struct samr_Password);
@@ -428,6 +429,7 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_
 		nt_status = auth_context_set_challenge(auth_context, r->in.logon.network->challenge, "netr_LogonSamLogonWithFlags");
 		NT_STATUS_NOT_OK_RETURN(nt_status);
 
+		user_info->logon_parameters = r->in.logon.network->identity_info.parameter_control;
 		user_info->client.account_name = r->in.logon.network->identity_info.account_name.string;
 		user_info->client.domain_name = r->in.logon.network->identity_info.domain_name.string;
 		user_info->workstation_name = r->in.logon.network->identity_info.workstation.string;
-- 
cgit