mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
Allow an NTLM response to be specified into the auth subsystem.
This allows it to be proxied for NTLM pass-though authentication (aka
security=server and associated man-in-the-middle attacks).
Andrew Bartlett
(This used to be commit 6ffabb38d0
)
This commit is contained in:
parent
f8fb5d8c4d
commit
fe7d460671
@ -306,6 +306,8 @@ _PUBLIC_ bool cli_credentials_set_password(struct cli_credentials *cred,
|
||||
cli_credentials_invalidate_ccache(cred, cred->password_obtained);
|
||||
|
||||
cred->nt_hash = NULL;
|
||||
cred->lm_response = data_blob(NULL, 0);
|
||||
cred->nt_response = data_blob(NULL, 0);
|
||||
return true;
|
||||
}
|
||||
|
||||
@ -376,24 +378,6 @@ _PUBLIC_ const struct samr_Password *cli_credentials_get_nt_hash(struct cli_cred
|
||||
}
|
||||
}
|
||||
|
||||
_PUBLIC_ bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
|
||||
const struct samr_Password *nt_hash,
|
||||
enum credentials_obtained obtained)
|
||||
{
|
||||
if (obtained >= cred->password_obtained) {
|
||||
cli_credentials_set_password(cred, NULL, obtained);
|
||||
if (nt_hash) {
|
||||
cred->nt_hash = talloc(cred, struct samr_Password);
|
||||
*cred->nt_hash = *nt_hash;
|
||||
} else {
|
||||
cred->nt_hash = NULL;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Obtain the 'short' or 'NetBIOS' domain for this credentials context.
|
||||
* @param cred credentials context
|
||||
|
@ -80,8 +80,13 @@ struct cli_credentials {
|
||||
|
||||
const char *bind_dn;
|
||||
|
||||
/* Allows authentication from a keytab or similar */
|
||||
struct samr_Password *nt_hash;
|
||||
|
||||
/* Allows NTLM pass-though authentication */
|
||||
DATA_BLOB lm_response;
|
||||
DATA_BLOB nt_response;
|
||||
|
||||
struct ccache_container *ccache;
|
||||
struct gssapi_creds_container *client_gss_creds;
|
||||
struct keytab_container *keytab;
|
||||
@ -221,6 +226,10 @@ void cli_credentials_set_kvno(struct cli_credentials *cred,
|
||||
bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
|
||||
const struct samr_Password *nt_hash,
|
||||
enum credentials_obtained obtained);
|
||||
bool cli_credentials_set_ntlm_response(struct cli_credentials *cred,
|
||||
const DATA_BLOB *lm_response,
|
||||
const DATA_BLOB *nt_response,
|
||||
enum credentials_obtained obtained);
|
||||
int cli_credentials_set_keytab_name(struct cli_credentials *cred,
|
||||
struct event_context *event_ctx,
|
||||
struct loadparm_context *lp_ctx,
|
||||
|
@ -52,6 +52,20 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
|
||||
const struct samr_Password *nt_hash;
|
||||
lm_session_key = data_blob(NULL, 0);
|
||||
|
||||
/* We may already have an NTLM response we prepared earlier.
|
||||
* This is used for NTLM pass-though authentication */
|
||||
if (cred->nt_response.data || cred->lm_response.data) {
|
||||
*_nt_response = cred->nt_response;
|
||||
*_lm_response = cred->lm_response;
|
||||
|
||||
if (!cred->lm_response.data) {
|
||||
*flags = *flags & ~CLI_CRED_LANMAN_AUTH;
|
||||
}
|
||||
*_lm_session_key = data_blob(NULL, 0);
|
||||
*_session_key = data_blob(NULL, 0);
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
nt_hash = cli_credentials_get_nt_hash(cred, mem_ctx);
|
||||
|
||||
cli_credentials_get_ntlm_username_domain(cred, mem_ctx, &user, &domain);
|
||||
@ -215,3 +229,41 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
_PUBLIC_ bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
|
||||
const struct samr_Password *nt_hash,
|
||||
enum credentials_obtained obtained)
|
||||
{
|
||||
if (obtained >= cred->password_obtained) {
|
||||
cli_credentials_set_password(cred, NULL, obtained);
|
||||
if (nt_hash) {
|
||||
cred->nt_hash = talloc(cred, struct samr_Password);
|
||||
*cred->nt_hash = *nt_hash;
|
||||
} else {
|
||||
cred->nt_hash = NULL;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
_PUBLIC_ bool cli_credentials_set_ntlm_response(struct cli_credentials *cred,
|
||||
const DATA_BLOB *lm_response,
|
||||
const DATA_BLOB *nt_response,
|
||||
enum credentials_obtained obtained)
|
||||
{
|
||||
if (obtained >= cred->password_obtained) {
|
||||
cli_credentials_set_password(cred, NULL, obtained);
|
||||
if (nt_response) {
|
||||
cred->nt_response = data_blob_talloc(cred, nt_response->data, nt_response->length);
|
||||
talloc_steal(cred, cred->nt_response.data);
|
||||
}
|
||||
if (nt_response) {
|
||||
cred->lm_response = data_blob_talloc(cred, lm_response->data, lm_response->length);
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user