This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
0001-01-01 02:30:17 +02:30
/*
Unix SMB / Netbios implementation .
Version 1.9 .
Password and authentication handling
Copyright ( C ) Andrew Tridgell 1992 - 2000
Copyright ( C ) Luke Kenneth Casson Leighton 1996 - 2000
Copyright ( C ) Andrew Bartlett 2001
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 2 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program ; if not , write to the Free Software
Foundation , Inc . , 675 Mass Ave , Cambridge , MA 0213 9 , USA .
*/
# include "includes.h"
/****************************************************************************
Check user is in correct domain if required
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static BOOL check_domain_match ( char * user , char * domain )
{
/*
* If we aren ' t serving to trusted domains , we must make sure that
* the validation request comes from an account in the same domain
* as the Samba server
*/
if ( ! lp_allow_trusted_domains ( ) & &
! strequal ( lp_workgroup ( ) , domain ) ) {
DEBUG ( 1 , ( " check_domain_match: Attempt to connect as user %s from domain %s denied. \n " , user , domain ) ) ;
return False ;
} else {
return True ;
}
}
0001-01-01 02:30:17 +02:30
/****************************************************************************
Check a users password , as given in the user - info struct and return various
interesting details in the server_info struct .
This functions does NOT need to be in a become_root ( ) / unbecome_root ( ) pair
as it makes the calls itself when needed .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
0001-01-01 02:30:17 +02:30
0001-01-01 02:30:17 +02:30
NTSTATUS check_password ( const auth_usersupplied_info * user_info ,
auth_serversupplied_info * server_info )
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
0001-01-01 02:30:17 +02:30
{
0001-01-01 02:30:17 +02:30
NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE ;
0001-01-01 02:30:17 +02:30
BOOL done_pam = False ;
0001-01-01 02:30:17 +02:30
DEBUG ( 3 , ( " check_password: Checking password for smb user %s \\ %s@%s with the new password interface \n " ,
user_info - > smb_username . str , user_info - > requested_domain . str , user_info - > wksta_name . str ) ) ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
0001-01-01 02:30:17 +02:30
if ( ! check_domain_match ( user_info - > smb_username . str , user_info - > domain . str ) ) {
return NT_STATUS_LOGON_FAILURE ;
}
0001-01-01 02:30:17 +02:30
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
0001-01-01 02:30:17 +02:30
nt_status = check_rhosts_security ( user_info , server_info ) ;
}
0001-01-01 02:30:17 +02:30
if ( ( lp_security ( ) = = SEC_DOMAIN ) & & ! NT_STATUS_IS_OK ( nt_status ) ) {
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
0001-01-01 02:30:17 +02:30
nt_status = check_domain_security ( user_info , server_info ) ;
}
0001-01-01 02:30:17 +02:30
if ( ( lp_security ( ) = = SEC_SERVER ) & & ! NT_STATUS_IS_OK ( nt_status ) ) {
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
0001-01-01 02:30:17 +02:30
nt_status = check_server_security ( user_info , server_info ) ;
}
if ( lp_security ( ) > = SEC_SERVER ) {
0001-01-01 02:30:17 +02:30
smb_user_control ( user_info - > unix_username . str , nt_status ) ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
0001-01-01 02:30:17 +02:30
}
0001-01-01 02:30:17 +02:30
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
0001-01-01 02:30:17 +02:30
if ( ( user_info - > plaintext_password . len > 0 )
& & ( ! lp_plaintext_to_smbpasswd ( ) ) ) {
nt_status = check_unix_security ( user_info , server_info ) ;
done_pam = True ;
} else {
nt_status = check_smbpasswd_security ( user_info , server_info ) ;
}
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
0001-01-01 02:30:17 +02:30
}
0001-01-01 02:30:17 +02:30
0001-01-01 02:30:17 +02:30
if ( NT_STATUS_IS_OK ( nt_status ) & & ! done_pam ) {
0001-01-01 02:30:17 +02:30
/* We might not be root if we are an RPC call */
become_root ( ) ;
0001-01-01 02:30:17 +02:30
nt_status = smb_pam_accountcheck ( user_info - > unix_username . str ) ;
0001-01-01 02:30:17 +02:30
unbecome_root ( ) ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
0001-01-01 02:30:17 +02:30
}
0001-01-01 02:30:17 +02:30
0001-01-01 02:30:17 +02:30
if ( NT_STATUS_IS_OK ( nt_status ) ) {
0001-01-01 02:30:17 +02:30
DEBUG ( 5 , ( " check_password: Password for smb user %s suceeded \n " , user_info - > smb_username . str ) ) ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
0001-01-01 02:30:17 +02:30
} else {
0001-01-01 02:30:17 +02:30
DEBUG ( 3 , ( " check_password: Password for smb user %s FAILED with error %s \n " , user_info - > smb_username . str , get_nt_error_msg ( nt_status ) ) ) ;
0001-01-01 02:30:17 +02:30
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
0001-01-01 02:30:17 +02:30
}
return nt_status ;
}
/****************************************************************************
COMPATABILITY INTERFACES :
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/****************************************************************************
check if a username / password is OK assuming the password is a 24 byte
SMB hash
return True if the password is correct , False otherwise
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
0001-01-01 02:30:17 +02:30
NTSTATUS pass_check_smb_with_chal ( char * smb_user , char * unix_user ,
0001-01-01 02:30:17 +02:30
char * domain , char * workstation ,
uchar chal [ 8 ] ,
0001-01-01 02:30:17 +02:30
uchar * lm_pwd , int lm_pwd_len ,
uchar * nt_pwd , int nt_pwd_len )
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
0001-01-01 02:30:17 +02:30
{
auth_usersupplied_info user_info ;
auth_serversupplied_info server_info ;
0001-01-01 02:30:17 +02:30
AUTH_STR ourdomain , theirdomain , unix_username , smb_username ,
wksta_name ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
0001-01-01 02:30:17 +02:30
ZERO_STRUCT ( user_info ) ;
ZERO_STRUCT ( ourdomain ) ;
ZERO_STRUCT ( theirdomain ) ;
ZERO_STRUCT ( smb_username ) ;
ZERO_STRUCT ( wksta_name ) ;
ourdomain . str = lp_workgroup ( ) ;
ourdomain . len = strlen ( ourdomain . str ) ;
theirdomain . str = domain ;
theirdomain . len = strlen ( theirdomain . str ) ;
user_info . requested_domain = theirdomain ;
user_info . domain = ourdomain ;
0001-01-01 02:30:17 +02:30
smb_username . str = smb_user ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
0001-01-01 02:30:17 +02:30
smb_username . len = strlen ( smb_username . str ) ;
0001-01-01 02:30:17 +02:30
/* If unix user is NULL, use smb user */
unix_username . str = unix_user ? unix_user : smb_user ;
unix_username . len = strlen ( unix_username . str ) ;
user_info . unix_username = unix_username ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
0001-01-01 02:30:17 +02:30
user_info . smb_username = smb_username ;
0001-01-01 02:30:17 +02:30
wksta_name . str = workstation ;
wksta_name . len = strlen ( workstation ) ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
0001-01-01 02:30:17 +02:30
user_info . wksta_name = wksta_name ;
memcpy ( user_info . chal , chal , 8 ) ;
0001-01-01 02:30:17 +02:30
if ( ( lm_pwd_len > = 24 | | nt_pwd_len > = 24 ) | |
( lp_encrypted_passwords ( ) & & ( lm_pwd_len = = 0 ) & & lp_null_passwords ( ) ) ) {
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
0001-01-01 02:30:17 +02:30
/* if 24 bytes long assume it is an encrypted password */
user_info . lm_resp . buffer = ( uint8 * ) lm_pwd ;
user_info . lm_resp . len = lm_pwd_len ;
user_info . nt_resp . buffer = ( uint8 * ) nt_pwd ;
user_info . nt_resp . len = nt_pwd_len ;
} else {
unsigned char local_lm_response [ 24 ] ;
unsigned char local_nt_response [ 24 ] ;
/*
* Not encrypted - do so .
*/
DEBUG ( 5 , ( " pass_check_smb: User passwords not in encrypted format. \n " ) ) ;
if ( lm_pwd_len > 0 ) {
SMBencrypt ( ( uchar * ) lm_pwd , user_info . chal , local_lm_response ) ;
user_info . lm_resp . buffer = ( uint8 * ) local_lm_response ;
user_info . lm_resp . len = 24 ;
0001-01-01 02:30:17 +02:30
/* WATCH OUT. This doesn't work if the incoming password is incorrectly cased.
We might want to add a check here and only do an LM in that case */
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
0001-01-01 02:30:17 +02:30
/* This encrypts the lm_pwd feild, which actualy contains the password
rather than the nt_pwd field becouse that contains nothing */
SMBNTencrypt ( ( uchar * ) lm_pwd , user_info . chal , local_nt_response ) ;
user_info . nt_resp . buffer = ( uint8 * ) local_nt_response ;
user_info . nt_resp . len = 24 ;
}
0001-01-01 02:30:17 +02:30
user_info . plaintext_password . str = ( char * ) lm_pwd ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
0001-01-01 02:30:17 +02:30
user_info . plaintext_password . len = lm_pwd_len ;
}
return check_password ( & user_info , & server_info ) ;
}
0001-01-01 02:30:17 +02:30
NTSTATUS pass_check_smb ( char * smb_user , char * unix_user ,
char * domain , char * workstation ,
0001-01-01 02:30:17 +02:30
uchar * lm_pwd , int lm_pwd_len ,
uchar * nt_pwd , int nt_pwd_len )
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
0001-01-01 02:30:17 +02:30
{
uchar chal [ 8 ] ;
if ( ! last_challenge ( chal ) ) {
generate_random_buffer ( chal , 8 , False ) ;
}
0001-01-01 02:30:17 +02:30
return pass_check_smb_with_chal ( smb_user , unix_user ,
domain , workstation , chal ,
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
0001-01-01 02:30:17 +02:30
lm_pwd , lm_pwd_len ,
nt_pwd , nt_pwd_len ) ;
}
/****************************************************************************
check if a username / password pair is OK either via the system password
database or the encrypted SMB password database
return True if the password is correct , False otherwise
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
BOOL password_ok ( char * user , char * password , int pwlen )
{
0001-01-01 02:30:17 +02:30
extern fstring remote_machine ;
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
0001-01-01 02:30:17 +02:30
/*
* This hack must die ! But until I rewrite the rest of samba
* it must stay - abartlet 2001 - 08 - 03
*/
if ( ( pwlen = = 0 ) & & ! lp_null_passwords ( ) ) {
DEBUG ( 4 , ( " Null passwords not allowed. \n " ) ) ;
return False ;
}
0001-01-01 02:30:17 +02:30
/* The password could be either NTLM or plain LM. Try NTLM first, but fall-through as
required . */
0001-01-01 02:30:17 +02:30
if ( NT_STATUS_IS_OK ( pass_check_smb ( user , NULL , remote_machine , lp_workgroup ( ) , NULL , 0 , ( unsigned char * ) password , pwlen ) ) ) {
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
0001-01-01 02:30:17 +02:30
return True ;
}
0001-01-01 02:30:17 +02:30
if ( NT_STATUS_IS_OK ( pass_check_smb ( user , NULL , remote_machine , lp_workgroup ( ) , ( unsigned char * ) password , pwlen , NULL , 0 ) ) ) {
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago.
The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards. The
interface currently implemented in as
nt_status = check_password(user_info, server_info)
where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.
The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.
This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing. We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.
Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree. (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
0001-01-01 02:30:17 +02:30
return True ;
}
return False ;
}
