From fe7d46067133131189faf7aebae62fa9c48626d9 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 5 May 2008 12:58:15 +1000 Subject: Allow an NTLM response to be specified into the auth subsystem. This allows it to be proxied for NTLM pass-though authentication (aka security=server and associated man-in-the-middle attacks). Andrew Bartlett (This used to be commit 6ffabb38d03ad90d8731ab3e0eb692438db967ee) --- source4/auth/credentials/credentials.c | 20 ++--------- source4/auth/credentials/credentials.h | 9 +++++ source4/auth/credentials/credentials_ntlm.c | 52 +++++++++++++++++++++++++++++ 3 files changed, 63 insertions(+), 18 deletions(-) (limited to 'source4') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index bfed451689..adabe49cb4 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -306,6 +306,8 @@ _PUBLIC_ bool cli_credentials_set_password(struct cli_credentials *cred, cli_credentials_invalidate_ccache(cred, cred->password_obtained); cred->nt_hash = NULL; + cred->lm_response = data_blob(NULL, 0); + cred->nt_response = data_blob(NULL, 0); return true; } @@ -376,24 +378,6 @@ _PUBLIC_ const struct samr_Password *cli_credentials_get_nt_hash(struct cli_cred } } -_PUBLIC_ bool cli_credentials_set_nt_hash(struct cli_credentials *cred, - const struct samr_Password *nt_hash, - enum credentials_obtained obtained) -{ - if (obtained >= cred->password_obtained) { - cli_credentials_set_password(cred, NULL, obtained); - if (nt_hash) { - cred->nt_hash = talloc(cred, struct samr_Password); - *cred->nt_hash = *nt_hash; - } else { - cred->nt_hash = NULL; - } - return true; - } - - return false; -} - /** * Obtain the 'short' or 'NetBIOS' domain for this credentials context. * @param cred credentials context diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index 2514b5b1ce..79c50ae5af 100644 --- a/source4/auth/credentials/credentials.h 
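Review bot: In the cli_credentials_set_password hunk, `cred->lm_response = data_blob(NULL, 0);` and the matching `nt_response` line drop the pointers without releasing the old buffers, which cli_credentials_set_ntlm_response (credentials_ntlm.c in this patch) allocates as talloc children of `cred`. Each later password or response change therefore leaves the previous authentication response in memory until `cred` itself is freed. Assuming both fields are zero-initialised when the context is created, `data_blob_free(&cred->lm_response); data_blob_free(&cred->nt_response);` would release them at the point they stop being valid. The function body starts outside the hunk.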
+++ b/source4/auth/credentials/credentials.h @@ -80,8 +80,13 @@ struct cli_credentials { const char *bind_dn; + /* Allows authentication from a keytab or similar */ struct samr_Password *nt_hash; + /* Allows NTLM pass-though authentication */ + DATA_BLOB lm_response; + DATA_BLOB nt_response; + struct ccache_container *ccache; struct gssapi_creds_container *client_gss_creds; struct keytab_container *keytab; @@ -221,6 +226,10 @@ void cli_credentials_set_kvno(struct cli_credentials *cred, bool cli_credentials_set_nt_hash(struct cli_credentials *cred, const struct samr_Password *nt_hash, enum credentials_obtained obtained); +bool cli_credentials_set_ntlm_response(struct cli_credentials *cred, + const DATA_BLOB *lm_response, + const DATA_BLOB *nt_response, + enum credentials_obtained obtained); int cli_credentials_set_keytab_name(struct cli_credentials *cred, struct event_context *event_ctx, struct loadparm_context *lp_ctx, diff --git a/source4/auth/credentials/credentials_ntlm.c b/source4/auth/credentials/credentials_ntlm.c index b88f2018df..22e273c35a 100644 --- a/source4/auth/credentials/credentials_ntlm.c +++ b/source4/auth/credentials/credentials_ntlm.c @@ -52,6 +52,20 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred const struct samr_Password *nt_hash; lm_session_key = data_blob(NULL, 0); + /* We may already have an NTLM response we prepared earlier. + * This is used for NTLM pass-though authentication */ + if (cred->nt_response.data || cred->lm_response.data) { + *_nt_response = cred->nt_response; + *_lm_response = cred->lm_response; + + if (!cred->lm_response.data) { + *flags = *flags & ~CLI_CRED_LANMAN_AUTH; + } + *_lm_session_key = data_blob(NULL, 0); + *_session_key = data_blob(NULL, 0); + return NT_STATUS_OK; + } + nt_hash = cli_credentials_get_nt_hash(cred, mem_ctx); cli_credentials_get_ntlm_username_domain(cred, mem_ctx, &user, &domain); 
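Review bot: The new field comment in struct cli_credentials, `/* Allows NTLM pass-though authentication */`, misspells "pass-through", and the same spelling recurs in the comment added to cli_credentials_get_ntlm_response in credentials_ntlm.c. The comment could also say what the blobs are and who owns them, for example `/* Precomputed LM/NT responses for NTLM pass-through; allocated on this context and cleared by cli_credentials_set_password() */`. A stored response only answers the challenge it was computed against, and nothing in the struct records which challenge that was, so that limitation is worth noting here as well.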
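Review bot: The early-return path in cli_credentials_get_ntlm_response assigns `*_nt_response = cred->nt_response;` and `*_lm_response = cred->lm_response;`, which hands the caller the buffers still owned by `cred` rather than copies on `mem_ctx`. If the normal path returns blobs allocated on `mem_ctx` (it lies outside this hunk, as do the start and end of the function), a caller that frees its results would also free the stored response and leave `cred` with dangling pointers. Copying with `data_blob_talloc(mem_ctx, cred->nt_response.data, cred->nt_response.length)` and the LM equivalent would keep ownership the same on both paths. This path also returns empty session keys, which the comment should state, e.g. `/* No session key is available for a proxied response, so the caller cannot sign or seal */`.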
@@ -215,3 +229,41 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred return NT_STATUS_OK; } +_PUBLIC_ bool cli_credentials_set_nt_hash(struct cli_credentials *cred, + const struct samr_Password *nt_hash, + enum credentials_obtained obtained) +{ + if (obtained >= cred->password_obtained) { + cli_credentials_set_password(cred, NULL, obtained); + if (nt_hash) { + cred->nt_hash = talloc(cred, struct samr_Password); + *cred->nt_hash = *nt_hash; + } else { + cred->nt_hash = NULL; + } + return true; + } + + return false; +} + +_PUBLIC_ bool cli_credentials_set_ntlm_response(struct cli_credentials *cred, + const DATA_BLOB *lm_response, + const DATA_BLOB *nt_response, + enum credentials_obtained obtained) +{ + if (obtained >= cred->password_obtained) { + cli_credentials_set_password(cred, NULL, obtained); + if (nt_response) { + cred->nt_response = data_blob_talloc(cred, nt_response->data, nt_response->length); + talloc_steal(cred, cred->nt_response.data); + } + if (nt_response) { + cred->lm_response = data_blob_talloc(cred, lm_response->data, lm_response->length); + } + return true; + } + + return false; +} + -- cgit
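Review bot: In cli_credentials_set_ntlm_response the second guard repeats `if (nt_response)` but its body dereferences `lm_response`, so a call with an NT response and a NULL LM response crashes on `lm_response->data`, and an LM-only call is silently ignored. The guard should read `if (lm_response)`; the `!cred->lm_response.data` branch added to cli_credentials_get_ntlm_response suggests an NT-only response is an intended case. The `talloc_steal(cred, cred->nt_response.data)` after `data_blob_talloc(cred, ...)` looks redundant because the blob is already allocated on `cred`, and the LM branch does not have it. Neither copy is checked for allocation failure, so the function can return true while the stored response is empty.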