Add the 'session key' output of the NTLMSSP exchange to the cli struct, so
it can be used for 'net rpc join'. Also fix a bug in our server-side NTLMSSP code - a client without any domain trust links to us may calculate the NTLMv2 response with "" as the domain. Andrew Bartlett
parent
5040b49867
commit
ddaa42423b
@ -131,7 +131,7 @@ NTSTATUS auth_ntlmssp_end(AUTH_NTLMSSP_STATE **auth_ntlmssp_state)
|
|||||||
}
|
}
|
||||||
|
|
||||||
NTSTATUS auth_ntlmssp_update(AUTH_NTLMSSP_STATE *auth_ntlmssp_state,
|
NTSTATUS auth_ntlmssp_update(AUTH_NTLMSSP_STATE *auth_ntlmssp_state,
|
||||||
DATA_BLOB request, DATA_BLOB *reply)
|
const DATA_BLOB request, DATA_BLOB *reply)
|
||||||
{
|
{
|
||||||
return ntlmssp_server_update(auth_ntlmssp_state->ntlmssp_state, request, reply);
|
return ntlmssp_server_update(auth_ntlmssp_state->ntlmssp_state, request, reply);
|
||||||
}
|
}
|
||||||
|
@ -184,7 +184,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
|
|||||||
/* We have the NT MD4 hash challenge available - see if we can
|
/* We have the NT MD4 hash challenge available - see if we can
|
||||||
use it (ie. does it exist in the smbpasswd file).
|
use it (ie. does it exist in the smbpasswd file).
|
||||||
*/
|
*/
|
||||||
DEBUG(4,("sam_password_ok: Checking NTLMv2 password\n"));
|
DEBUG(4,("sam_password_ok: Checking NTLMv2 password with domain [%s]\n", user_info->client_domain.str));
|
||||||
if (smb_pwd_check_ntlmv2( user_info->nt_resp,
|
if (smb_pwd_check_ntlmv2( user_info->nt_resp,
|
||||||
nt_pw, auth_context->challenge,
|
nt_pw, auth_context->challenge,
|
||||||
user_info->smb_name.str,
|
user_info->smb_name.str,
|
||||||
@ -192,6 +192,16 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
|
|||||||
user_sess_key))
|
user_sess_key))
|
||||||
{
|
{
|
||||||
return NT_STATUS_OK;
|
return NT_STATUS_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
DEBUG(4,("sam_password_ok: Checking NTLMv2 password without a domain\n"));
|
||||||
|
if (smb_pwd_check_ntlmv2( user_info->nt_resp,
|
||||||
|
nt_pw, auth_context->challenge,
|
||||||
|
user_info->smb_name.str,
|
||||||
|
"",
|
||||||
|
user_sess_key))
|
||||||
|
{
|
||||||
|
return NT_STATUS_OK;
|
||||||
} else {
|
} else {
|
||||||
DEBUG(3,("sam_password_ok: NTLMv2 password check failed\n"));
|
DEBUG(3,("sam_password_ok: NTLMv2 password check failed\n"));
|
||||||
return NT_STATUS_WRONG_PASSWORD;
|
return NT_STATUS_WRONG_PASSWORD;
|
||||||
@ -250,7 +260,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
|
|||||||
/* This is for 'LMv2' authentication. almost NTLMv2 but limited to 24 bytes.
|
/* This is for 'LMv2' authentication. almost NTLMv2 but limited to 24 bytes.
|
||||||
- related to Win9X, legacy NAS pass-though authentication
|
- related to Win9X, legacy NAS pass-though authentication
|
||||||
*/
|
*/
|
||||||
DEBUG(4,("sam_password_ok: Checking LMv2 password\n"));
|
DEBUG(4,("sam_password_ok: Checking LMv2 password with domain %s\n", user_info->client_domain.str));
|
||||||
if (smb_pwd_check_ntlmv2( user_info->lm_resp,
|
if (smb_pwd_check_ntlmv2( user_info->lm_resp,
|
||||||
nt_pw, auth_context->challenge,
|
nt_pw, auth_context->challenge,
|
||||||
user_info->smb_name.str,
|
user_info->smb_name.str,
|
||||||
@ -260,6 +270,16 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
|
|||||||
return NT_STATUS_OK;
|
return NT_STATUS_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
DEBUG(4,("sam_password_ok: Checking LMv2 password without a domain\n"));
|
||||||
|
if (smb_pwd_check_ntlmv2( user_info->lm_resp,
|
||||||
|
nt_pw, auth_context->challenge,
|
||||||
|
user_info->smb_name.str,
|
||||||
|
"",
|
||||||
|
user_sess_key))
|
||||||
|
{
|
||||||
|
return NT_STATUS_OK;
|
||||||
|
}
|
||||||
|
|
||||||
/* Apparently NT accepts NT responses in the LM field
|
/* Apparently NT accepts NT responses in the LM field
|
||||||
- I think this is related to Win9X pass-though authentication
|
- I think this is related to Win9X pass-though authentication
|
||||||
*/
|
*/
|
||||||
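Review bot: The new empty-domain retry after the failed NTLMv2 check, and the matching LMv2 retry in the later hunk, has no comment saying why a response computed over `""` is acceptable, so a reader sees only a second, looser comparison against the same hash. A comment above each retry such as `/* clients with no trust link to us may compute the v2 response over an empty domain; retry with "" before failing */` would record the reason given in the commit message. The retry also runs when `user_info->client_domain.str` is already empty, repeating an identical check; guarding it with `if (*user_info->client_domain.str)` would avoid that, assuming the string is never NULL at this point. Both attempts pass the same `user_sess_key`, and whether `smb_pwd_check_ntlmv2` writes to it on a failed match is not visible in this diff, so that is worth confirming. sam_password_ok starts and ends outside these hunks.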
|
@ -122,6 +122,10 @@ struct cli_state {
|
|||||||
|
|
||||||
smb_sign_info sign_info;
|
smb_sign_info sign_info;
|
||||||
|
|
||||||
|
/* the session key for this CLI, outside
|
||||||
|
any per-pipe authenticaion */
|
||||||
|
unsigned char user_session_key[16];
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Only used in NT domain calls.
|
* Only used in NT domain calls.
|
||||||
*/
|
*/
|
||||||
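Review bot: The comment on the new `user_session_key` field misspells "authentication" and does not say when the field holds a valid key. Wording such as `/* session key from the last successful session setup, independent of any per-pipe authentication; not meaningful until a setup path has stored it */` would tell callers that this is key material with a validity condition. The only writers visible in this commit are the two session-setup call sites, so the field is presumably unset on any other logon path. The struct continues outside the hunk.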
|
@ -248,6 +248,12 @@ static void set_signing_on_cli (struct cli_state *cli, uint8 user_session_key[16
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void set_cli_session_key (struct cli_state *cli, DATA_BLOB session_key)
|
||||||
|
{
|
||||||
|
memcpy(cli->user_session_key, session_key.data, MIN(session_key.length, sizeof(cli->user_session_key)));
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
static void set_temp_signing_on_cli(struct cli_state *cli)
|
static void set_temp_signing_on_cli(struct cli_state *cli)
|
||||||
{
|
{
|
||||||
if (cli->sign_info.negotiated_smb_signing)
|
if (cli->sign_info.negotiated_smb_signing)
|
||||||
@ -367,6 +373,7 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user,
|
|||||||
|
|
||||||
if (session_key.data) {
|
if (session_key.data) {
|
||||||
/* Have plaintext orginal */
|
/* Have plaintext orginal */
|
||||||
|
set_cli_session_key(cli, session_key);
|
||||||
set_signing_on_cli(cli, session_key.data, nt_response);
|
set_signing_on_cli(cli, session_key.data, nt_response);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -559,6 +566,10 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user,
|
|||||||
turn++;
|
turn++;
|
||||||
} while (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED));
|
} while (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED));
|
||||||
|
|
||||||
|
if (NT_STATUS_IS_OK(nt_status)) {
|
||||||
|
set_cli_session_key(cli, ntlmssp_state->session_key);
|
||||||
|
}
|
||||||
|
|
||||||
if (!NT_STATUS_IS_OK(ntlmssp_client_end(&ntlmssp_state))) {
|
if (!NT_STATUS_IS_OK(ntlmssp_client_end(&ntlmssp_state))) {
|
||||||
return False;
|
return False;
|
||||||
}
|
}
|
||||||
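Review bot: `set_cli_session_key` copies at most 16 bytes but leaves the tail of `cli->user_session_key` untouched when `session_key.length` is shorter, so a short key ends up padded with whatever the field held before. Clearing the field first with `memset(cli->user_session_key, 0, sizeof(cli->user_session_key));` makes the stored key deterministic. The NTLMSSP call site tests only `nt_status`, unlike the NT1 site which tests `session_key.data`, so the helper can be reached with a NULL `data` pointer; an `if (!session_key.data) return;` after the memset would cover that case. A one-line comment on the helper stating that the key is truncated or zero-padded to 16 bytes would document the contract.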
|
@ -264,14 +264,8 @@ int net_rpc_join_newstyle(int argc, const char **argv)
|
|||||||
ctr.switch_value = 24;
|
ctr.switch_value = 24;
|
||||||
ctr.info.id24 = &p24;
|
ctr.info.id24 = &p24;
|
||||||
|
|
||||||
/* I don't think this is quite the right place for this
|
|
||||||
calculation. It should be moved somewhere where the credentials
|
|
||||||
are calculated. )-: */
|
|
||||||
|
|
||||||
mdfour(sess_key, cli->pwd.smb_nt_pwd, 16);
|
|
||||||
|
|
||||||
CHECK_RPC_ERR(cli_samr_set_userinfo(cli, mem_ctx, &user_pol, 24,
|
CHECK_RPC_ERR(cli_samr_set_userinfo(cli, mem_ctx, &user_pol, 24,
|
||||||
sess_key, &ctr),
|
cli->user_session_key, &ctr),
|
||||||
"error setting trust account password");
|
"error setting trust account password");
|
||||||
|
|
||||||
/* Why do we have to try to (re-)set the ACB to be the same as what
|
/* Why do we have to try to (re-)set the ACB to be the same as what
|
||||||
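Review bot: The `cli_samr_set_userinfo` call now protects the level-24 password buffer with `cli->user_session_key`, but nothing in this hunk checks that the session setup actually stored a key there. In this commit the field is written only from `cli_session_setup_nt1` and `cli_session_setup_ntlmssp`; on any other logon path (not visible here) the trust account password would presumably be encrypted under an all-zero or stale key. A comment at the call such as `/* cli->user_session_key is only filled in by the NT1 and NTLMSSP session setups */`, or a check that fails the join early with a clear message, would make that dependency explicit. The local `sess_key`, declared outside the hunk, appears to lose its last use here and can probably be removed. net_rpc_join_newstyle starts and ends outside the hunk.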
|