Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth

An implementation of https://lists.samba.org/archive/samba/2012-March/166497.html (which has been discussed in 2012, but was never implemented).

It has been tested on a Debian Jessie system with this patch added to the Debian package (which is currently 4.1.17). Even though this is Samba 4, the ntlm_auth installed is the one from Samba 3 (yes, it surprised me too). The backend was a machine with Windows 2012R2.

It was first tested with the local security policy 'Network Security: LAN Manager authentication level' setting changed to 'Send NTLMv2 Response Only' (allow ntlm v1). This way we are able to authenticate with and without the MSV1_0_ALLOW_MSVCHAPV2 flag (as expected).

After the basic step has been verified, the local security policy 'Network Security: LAN Manager authentication level' setting was changed to 'Send NTLMv2 Response Only. Refuse LM & NTLM' (only allow ntlm v2). The behaviour now changed according to the MSV1_0_ALLOW_MSVCHAPV2 flag (again: as expected).

  $ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain=
  Logon failure (0xc000006d)
  $ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain= --allow-mschapv2
  NT_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

The changes in `wbclient.h` are intended for programs that use libwinbind directly instead of authenticating via `ntlm_auth`. I intend to use that within FreeRADIUS (see https://bugzilla.samba.org/show_bug.cgi?id=11149).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11694
Signed-off-by: Herwin Weststrate <herwin@quarantainenet.nl>
Reviewed-by: Kai Blin <kai@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

docs-xml/manpages/ntlm_auth.1.xml

@@ -380,6 +380,11 @@
 	<listitem><para>Whether to use credentials cached by winbindd.</para></listitem>
 	</varlistentry>
 
+	<varlistentry>
+	<term>--allow-mschapv2</term>
+	<listitem><para>Explicitly allow MSCHAPv2.</para></listitem>
+	</varlistentry>
+
 	<varlistentry>
 	<term>--offline-logon</term>
 	<listitem><para>Allow offline logons for plain text auth.

nsswitch/libwbclient/wbclient.h

@@ -316,6 +316,7 @@ struct wbcChangePasswordParams {
 #define WBC_MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT		0x00000020
 #define WBC_MSV1_0_RETURN_PROFILE_PATH			0x00000200
 #define WBC_MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT	0x00000800
+#define WBC_MSV1_0_ALLOW_MSVCHAPV2			0x00010000
 
 /* wbcAuthUserParams->flags */
 

source3/utils/ntlm_auth.c

@@ -169,6 +169,7 @@ static int request_lm_key;
 static int request_user_session_key;
 static int use_cached_creds;
 static int offline_logon;
+static int opt_allow_mschapv2;
 
 static const char *require_membership_of;
 static const char *require_membership_of_sid;
@@ -533,6 +534,10 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
 	request.data.auth_crap.logon_parameters = extra_logon_parameters
 		| MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT | MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT;
 
+	if (opt_allow_mschapv2) {
+			request.data.auth_crap.logon_parameters |= MSV1_0_ALLOW_MSVCHAPV2;
+	}
+
 	if (require_membership_of_sid)
 		fstrcpy(request.data.auth_crap.require_membership_of_sid, require_membership_of_sid);
 
@@ -2185,6 +2190,7 @@ enum {
 	OPT_DIAGNOSTICS,
 	OPT_REQUIRE_MEMBERSHIP,
 	OPT_USE_CACHED_CREDS,
+	OPT_ALLOW_MSCHAPV2,
 	OPT_PAM_WINBIND_CONF,
 	OPT_TARGET_SERVICE,
 	OPT_TARGET_HOSTNAME,
@@ -2225,6 +2231,7 @@ enum {
 		{ "request-lm-key", 0, POPT_ARG_NONE, &request_lm_key, OPT_LM_KEY, "Retrieve LM session key"},
 		{ "request-nt-key", 0, POPT_ARG_NONE, &request_user_session_key, OPT_USER_SESSION_KEY, "Retrieve User (NT) session key"},
 		{ "use-cached-creds", 0, POPT_ARG_NONE, &use_cached_creds, OPT_USE_CACHED_CREDS, "Use cached credentials if no password is given"},
+		{ "allow-mschapv2", 0, POPT_ARG_NONE, &opt_allow_mschapv2, OPT_ALLOW_MSCHAPV2, "Explicitly allow MSCHAPv2" },
 		{ "offline-logon", 0, POPT_ARG_NONE, &offline_logon,
 		  OPT_OFFLINE_LOGON,
 		  "Use cached passwords when DC is offline"},

source4/utils/ntlm_auth.c

@@ -104,6 +104,7 @@ static const char *opt_workstation;
 static const char *opt_password;
 static int opt_multiplex;
 static int use_cached_creds;
+static int opt_allow_mschapv2;
 
 
 static void mux_printf(unsigned int mux_id, const char *format, ...) PRINTF_ATTRIBUTE(2, 3);
@@ -174,6 +175,7 @@ static NTSTATUS local_pw_check_specified(struct loadparm_context *lp_ctx,
 	if (!mem_ctx) {
 		nt_status = NT_STATUS_NO_MEMORY;
 	} else {
+		uint32_t logon_parameters = 0;
 		
 		E_md4hash(opt_password, nt_pw.hash);
 		if (E_deshash(opt_password, lm_pw.hash)) {
@@ -183,10 +185,14 @@ static NTSTATUS local_pw_check_specified(struct loadparm_context *lp_ctx,
 		}
 		nt_pwd = &nt_pw;
 		
+		if (opt_allow_mschapv2) {
+			logon_parameters |= MSV1_0_ALLOW_MSVCHAPV2;
+		}
 		
 		nt_status = ntlm_password_check(mem_ctx, 
 						lpcfg_lanman_auth(lp_ctx),
 						lpcfg_ntlm_auth(lp_ctx),
+						logon_parameters |
 						MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
 						MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
 						challenge,
@@ -1043,6 +1049,7 @@ enum {
 	OPT_REQUIRE_MEMBERSHIP,
 	OPT_MULTIPLEX,
 	OPT_USE_CACHED_CREDS,
+	OPT_ALLOW_MSCHAPV2,
 };
 
 int main(int argc, const char **argv)
@@ -1069,6 +1076,7 @@ int main(int argc, const char **argv)
 		{ "password", 0, POPT_ARG_STRING, &opt_password, OPT_PASSWORD, "User's plaintext password"},		
 		{ "multiplex", 0, POPT_ARG_NONE, &opt_multiplex, OPT_MULTIPLEX, "Multiplex Mode"},
 		{ "use-cached-creds", 0, POPT_ARG_NONE, &use_cached_creds, OPT_USE_CACHED_CREDS, "silently ignored for compatibility reasons"},
+		{ "allow-mschapv2", 0, POPT_ARG_NONE, &opt_allow_mschapv2, OPT_ALLOW_MSCHAPV2, "Explicitly allow MSCHAPv2" },
 		POPT_COMMON_SAMBA
 		POPT_COMMON_VERSION
 		{ NULL }