sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-24 13:57:43 +03:00
Code

r11366: Pass around the flags which indicate if we should support plaintext

Browse Source 
logins and NTLM machine account logins.

Andrew Bartlett
(This used to be commit 421e64c2b4192bb13d2857d6c8648ff687ed653e)
This commit is contained in:
Andrew Bartlett 2005-10-28 08:54:37 +00:00 committed by Gerald (Jerry) Carter
parent ea4ad9152a
commit 152988a828
5 changed files with 31 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
source4/auth/auth.h
View File

@ -51,6 +51,8 @@ struct auth_usersupplied_info
const char *workstation_name; const char *workstation_name;
const char *remote_host; const char *remote_host;
uint32_t logon_parameters;
BOOL mapped_state; BOOL mapped_state;
/* the values the client gives us */ /* the values the client gives us */
struct { struct {

29
source4/auth/auth_sam.c
View File

@ -105,7 +105,8 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context,
break; break;
case AUTH_PASSWORD_RESPONSE: case AUTH_PASSWORD_RESPONSE:
status = ntlm_password_check(mem_ctx, &auth_context->challenge.data, status = ntlm_password_check(mem_ctx, user_info->logon_parameters,
&auth_context->challenge.data,
&user_info->password.response.lanman, &user_info->password.response.lanman,
&user_info->password.response.nt, &user_info->password.response.nt,
user_info->mapped.account_name, user_info->mapped.account_name,
@ -133,6 +134,7 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context,
(ie not disabled, expired and the like). (ie not disabled, expired and the like).
****************************************************************************/ ****************************************************************************/
static NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, static NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
uint32_t logon_parameters,
uint16_t acct_flags, uint16_t acct_flags,
NTTIME acct_expiry, NTTIME acct_expiry,
NTTIME must_change_time, NTTIME must_change_time,
@ -204,20 +206,23 @@ static NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
return NT_STATUS_INVALID_WORKSTATION; return NT_STATUS_INVALID_WORKSTATION;
} }
} }
if (acct_flags & ACB_DOMTRUST) { if (acct_flags & ACB_DOMTRUST) {
DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", user_info->mapped.account_name)); DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", user_info->mapped.account_name));
return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT; return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
} }
if (acct_flags & ACB_SVRTRUST) { if (!(logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) {
DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", user_info->mapped.account_name)); if (acct_flags & ACB_SVRTRUST) {
return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT; DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", user_info->mapped.account_name));
return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
}
} }
if (!(logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)) {
if (acct_flags & ACB_WSTRUST) { if (acct_flags & ACB_WSTRUST) {
DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", user_info->mapped.account_name)); DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", user_info->mapped.account_name));
return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT; return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
}
} }
return NT_STATUS_OK; return NT_STATUS_OK;
@ -381,7 +386,9 @@ static NTSTATUS authsam_authenticate(struct auth_context *auth_context,
workstation_list = samdb_result_string(msgs[0], "userWorkstations", NULL); workstation_list = samdb_result_string(msgs[0], "userWorkstations", NULL);
nt_status = authsam_account_ok(mem_ctx, acct_flags, nt_status = authsam_account_ok(mem_ctx,
user_info->logon_parameters,
acct_flags,
acct_expiry, acct_expiry,
must_change_time, must_change_time,
last_set_time, last_set_time,

7
source4/auth/ntlm_check.c
View File

@ -23,6 +23,7 @@
#include "includes.h" #include "includes.h"
#include "lib/crypto/crypto.h" #include "lib/crypto/crypto.h"
#include "librpc/gen_ndr/ndr_samr.h" #include "librpc/gen_ndr/ndr_samr.h"
#include "librpc/gen_ndr/ndr_netlogon.h"
/**************************************************************************** /****************************************************************************
Core of smb password checking routine. Core of smb password checking routine.
@ -274,6 +275,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
*/ */
NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
uint32_t logon_parameters,
const DATA_BLOB *challenge, const DATA_BLOB *challenge,
const DATA_BLOB *lm_response, const DATA_BLOB *lm_response,
const DATA_BLOB *nt_response, const DATA_BLOB *nt_response,
@ -297,8 +299,9 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
*user_sess_key = data_blob(NULL, 0); *user_sess_key = data_blob(NULL, 0);
/* Check for cleartext netlogon. Used by Exchange 5.5. */ /* Check for cleartext netlogon. Used by Exchange 5.5. */
if (challenge->length == sizeof(zeros) && if ((logon_parameters & MSV1_0_CLEARTEXT_PASSWORD_ALLOWED)
(memcmp(challenge->data, zeros, challenge->length) == 0 )) { && challenge->length == sizeof(zeros)
&& (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
struct samr_Password client_nt; struct samr_Password client_nt;
struct samr_Password client_lm; struct samr_Password client_lm;
uint8_t dospwd[14]; uint8_t dospwd[14];

1
source4/auth/ntlmssp/ntlmssp_server.c
View File

@ -689,6 +689,7 @@ static NTSTATUS auth_ntlmssp_check_password(struct gensec_ntlmssp_state *gensec_
return NT_STATUS_NO_MEMORY; return NT_STATUS_NO_MEMORY;
} }
user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
user_info->flags = 0; user_info->flags = 0;
user_info->mapped_state = False; user_info->mapped_state = False;
user_info->client.account_name = gensec_ntlmssp_state->user; user_info->client.account_name = gensec_ntlmssp_state->user;

8
source4/rpc_server/netlogon/dcerpc_netlogon.c
View File

@ -400,9 +400,10 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_
dce_call->event_ctx); dce_call->event_ctx);
NT_STATUS_NOT_OK_RETURN(nt_status); NT_STATUS_NOT_OK_RETURN(nt_status);
user_info->client.account_name = r->in.logon.network->identity_info.account_name.string; user_info->logon_parameters = r->in.logon.password->identity_info.parameter_control;
user_info->client.domain_name = r->in.logon.network->identity_info.domain_name.string; user_info->client.account_name = r->in.logon.password->identity_info.account_name.string;
user_info->workstation_name = r->in.logon.network->identity_info.workstation.string; user_info->client.domain_name = r->in.logon.password->identity_info.domain_name.string;
user_info->workstation_name = r->in.logon.password->identity_info.workstation.string;
user_info->password_state = AUTH_PASSWORD_HASH; user_info->password_state = AUTH_PASSWORD_HASH;
user_info->password.hash.lanman = talloc(user_info, struct samr_Password); user_info->password.hash.lanman = talloc(user_info, struct samr_Password);
@ -428,6 +429,7 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_
nt_status = auth_context_set_challenge(auth_context, r->in.logon.network->challenge, "netr_LogonSamLogonWithFlags"); nt_status = auth_context_set_challenge(auth_context, r->in.logon.network->challenge, "netr_LogonSamLogonWithFlags");
NT_STATUS_NOT_OK_RETURN(nt_status); NT_STATUS_NOT_OK_RETURN(nt_status);
user_info->logon_parameters = r->in.logon.network->identity_info.parameter_control;
user_info->client.account_name = r->in.logon.network->identity_info.account_name.string; user_info->client.account_name = r->in.logon.network->identity_info.account_name.string;
user_info->client.domain_name = r->in.logon.network->identity_info.domain_name.string; user_info->client.domain_name = r->in.logon.network->identity_info.domain_name.string;
user_info->workstation_name = r->in.logon.network->identity_info.workstation.string; user_info->workstation_name = r->in.logon.network->identity_info.workstation.string;