mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
samba-mirror/nsswitch
Herwin Weststrate 0b500d413c Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth
An implementation of https://lists.samba.org/archive/samba/2012-March/166497.html (which was discussed in 2012, but was never implemented).

It has been tested on a Debian Jessie system with this patch added to the Debian package (which is currently 4.1.17). Even though this is Samba 4, the ntlm_auth installed is the one from Samba 3 (yes, it surprised me too). The backend was a machine with Windows 2012R2.

It was first tested with the local security policy 'Network Security: LAN Manager authentication level' setting changed to 'Send NTLMv2 Response Only' (allow ntlm v1). This way we are able to authenticate with and without the MSV1_0_ALLOW_MSVCHAPV2 flag (as expected).

After the basic step had been verified, the local security policy 'Network Security: LAN Manager authentication level' setting was changed to 'Send NTLMv2 Response Only. Refuse LM & NTLM' (only allow ntlm v2). The behaviour now changed according to the MSV1_0_ALLOW_MSVCHAPV2 flag (again: as expected).

  $ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain=
  Logon failure (0xc000006d)
  $ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain= --allow-mschapv2
  NT_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

The changes in `wbclient.h` are intended for programs that use libwinbind directly instead of authenticating via `ntlm_auth`. I intend to use that within FreeRADIUS (see https://bugzilla.samba.org/show_bug.cgi?id=11149).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11694
Signed-off-by: Herwin Weststrate <herwin@quarantainenet.nl>
Reviewed-by: Kai Blin <kai@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-11 22:58:18 +01:00
libwbclient Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth 2016-03-11 22:58:18 +01:00
tests nsswitch: Extend idmap_rfc2307 testcase for reverse lookup 2015-06-05 01:24:32 +02:00
nsstest.c Fix bug 10025 - Lack of Sanity Checking in calls to malloc()/calloc(). 2013-07-17 16:12:19 -07:00
nsstest.h nsstest: Relicense header file to LGPLv3+ 2009-06-04 20:15:31 +02:00
pam_winbind.c pam_winbind: check != PAM_SUCCESS and != NULL explicitly 2016-01-13 10:57:09 +01:00
pam_winbind.h Replace all uses of iniparser with tiniparser. 2014-08-14 21:27:13 +02:00
wb_common.c Fix various spelling errors 2015-11-06 13:43:45 +01:00
wb_reqtrans.c nsswitch: make wb_reqtrans a common subsystem. 2011-02-17 00:52:42 +01:00
wb_reqtrans.h nsswitch: make wb_reqtrans a common subsystem. 2011-02-17 00:52:42 +01:00
wbinfo.c wbinfo: Add --unix-ids-to-sids 2016-02-22 20:29:15 +01:00
winbind_client.h Make winbind client library thread-safe by adding context 2015-03-10 00:50:09 +01:00
winbind_krb5_locator.c krb5_locator: Slightly simplify code 2014-02-20 11:43:08 -08:00
winbind_nss_aix.c nss_aix: Hack away WINBINDD_UID_TO_SID 2016-02-22 20:29:16 +01:00
winbind_nss_config.h Remove special socket_wrapper code. 2014-04-17 14:56:06 +02:00
winbind_nss_freebsd.c nss_winbind: add getgroupmembership for FreeBSD 2014-10-20 12:20:04 +02:00
winbind_nss_hpux.h s3: readd h_errno struct member but rename it 2010-06-10 23:22:49 +02:00
winbind_nss_irix.c
winbind_nss_irix.h
winbind_nss_linux.c nss_linux: Remove non-nss functions 2016-02-11 01:32:23 +01:00
winbind_nss_linux.h
winbind_nss_netbsd.c nss_netbsd: Remove unimplemented prototypes 2016-02-11 04:43:53 +01:00
winbind_nss_netbsd.h
winbind_nss_solaris.c nss_winbind: fix hang on Solaris on big groups 2015-09-11 00:34:30 +02:00
winbind_nss_solaris.h s3-nsswitch: Fix warnings on Solaris. 2012-02-06 18:28:53 +01:00
winbind_nss.h
winbind_struct_protocol.h winbind: Remove unused WINBINDD_UID_TO_SID 2016-02-22 23:39:12 +01:00
wins_freebsd.c nss_wins: add module for FreeBSD 2015-09-11 00:34:30 +02:00
wins.c nss_wins: Use libwbclient to query wins server 2015-10-26 21:23:21 +01:00
wscript_build nss_wins: Use libwbclient to query wins server 2015-10-26 21:23:21 +01:00
wscript_configure nsswitch: Add waf tests for solaris special cases 2012-09-26 11:50:10 +02:00