mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
samba-mirror/nsswitch/libwbclient
Herwin Weststrate 0b500d413c Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth
An implementation of https://lists.samba.org/archive/samba/2012-March/166497.html (which was discussed in 2012, but was never implemented).

It has been tested on a Debian Jessie system with this patch added to the Debian package (which is currently 4.1.17). Even though this is Samba 4, the ntlm_auth installed is the one from Samba 3 (yes, it surprised me too). The backend was a machine with Windows 2012R2.

It was first tested with the local security policy 'Network Security: LAN Manager authentication level' setting changed to 'Send NTLMv2 Response Only' (allow ntlm v1). This way we are able to authenticate with and without the MSV1_0_ALLOW_MSVCHAPV2 flag (as expected).

After the basic step had been verified, the local security policy 'Network Security: LAN Manager authentication level' setting was changed to 'Send NTLMv2 Response Only. Refuse LM & NTLM' (only allow ntlm v2). The behaviour now changed according to the MSV1_0_ALLOW_MSVCHAPV2 flag (again: as expected).

  $ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain=
  Logon failure (0xc000006d)
  $ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain= --allow-mschapv2
  NT_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

The changes in `wbclient.h` are intended for programs that use libwinbind directly instead of authenticating via `ntlm_auth`. I intend to use that within FreeRADIUS (see https://bugzilla.samba.org/show_bug.cgi?id=11149).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11694
Signed-off-by: Herwin Weststrate <herwin@quarantainenet.nl>
Reviewed-by: Kai Blin <kai@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-11 22:58:18 +01:00
| File | Last commit | Date |
|---|---|---|
| ABI | libwbclient: Implement wbc[Ctx]UnixIdsToSids | 2016-02-22 20:29:15 +01:00 |
| tests | libwbclient: Fix a few resource leak CIDs | 2016-02-04 09:29:17 +01:00 |
| Doxyfile | nsswitch: Move source3 files to top level dir. | 2008-12-16 13:02:45 +01:00 |
| libwbclient.h | libwbclient: Talloc is no longer used | 2010-04-25 10:16:11 +02:00 |
| wbc_err_internal.h | nsswitch: Fix wbclient BAIL macros. | 2012-12-21 13:56:00 +01:00 |
| wbc_guid.c | libwbclient: Make wbcGuidToString not use talloc | 2010-04-19 14:27:16 +02:00 |
| wbc_idmap.c | libwbclient: Use wbcCtxUnixIdsToSids in wbcCtxGidToSid | 2016-02-22 20:29:16 +01:00 |
| wbc_pam.c | Add context versions of wbclient functions | 2015-03-10 00:50:10 +01:00 |
| wbc_pwd.c | Move wbc global variables into global context instead | 2015-03-10 00:50:10 +01:00 |
| wbc_sid.c | Add context versions of wbclient functions | 2015-03-10 00:50:10 +01:00 |
| wbc_util.c | Add context versions of wbclient functions | 2015-03-10 00:50:10 +01:00 |
| wbclient_internal.h | Move wbc global variables into global context instead | 2015-03-10 00:50:10 +01:00 |
| wbclient.c | Move wbc global variables into global context instead | 2015-03-10 00:50:10 +01:00 |
| wbclient.h | Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth | 2016-03-11 22:58:18 +01:00 |
| wbclient.pc.in | wbclient: Add pkg-config file. | 2011-08-21 03:22:04 +02:00 |
| wscript | libwbclient: Implement wbc[Ctx]UnixIdsToSids | 2016-02-22 20:29:15 +01:00 |