The Samba-Bugzilla – Attachment 11790 Details for Bug 11694: wbclient.h does not expose MSV1_0_ALLOW_MSVCHAPV2
[patch] patch from github for master
0001-Added-MSV1_0_ALLOW_MSVCHAPV2-flag-to-ntlm_auth.patch (text/plain), 6.68 KB, created by Andrew Bartlett on 2016-01-26 18:52:30 UTC

Description: patch from github for master
Filename: 0001-Added-MSV1_0_ALLOW_MSVCHAPV2-flag-to-ntlm_auth.patch
MIME Type: text/plain
Creator: Andrew Bartlett
Created: 2016-01-26 18:52:30 UTC
Size: 6.68 KB
patch, obsolete
>From 4cfda8f409580598885f814e36dfb2f74812ceec Mon Sep 17 00:00:00 2001
>From: Herwin Weststrate <herwin@quarantainenet.nl>
>Date: Wed, 9 Dec 2015 18:47:47 +0100
>Subject: [PATCH] Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth
>
>An implementation of https://lists.samba.org/archive/samba/2012-March/166497.html (which has been discussed in 2012, but was never implemented).
>
>It has been tested on a Debian Jessie system with this patch added to the Debian package (which is currently 4.1.17). Even though this is Samba 4, the ntlm_auth installed is the one from Samba 3 (yes, it surprised me too). The backend was a machine with Windows 2012R2.
>
>It was first tested with the local security policy 'Network Security: LAN Manager authentication level' setting changed to 'Send NTLMv2 Response Only' (allow ntlm v1). This way we are able to authenticate with and without the MSV1_0_ALLOW_MSVCHAPV2 flag (as expected).
>
>After the basic step has been verified, the local security policy 'Network Security: LAN Manager authentication level' setting was changed to 'Send NTLMv2 Response Only. Refuse LM & NTLM' (only allow ntlm v2). The behaviour now changed according to the MSV1_0_ALLOW_MSVCHAPV2 flag (again: as expected).
>
> $ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain=
> Logon failure (0xc000006d)
> $ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain= --allow-mschapv2
> NT_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>
>The changes in `wbclient.h` are intended for programs that use libwinbind directly instead of authenticating via `ntlm_auth`. I intend to use that within FreeRADIUS (see https://bugzilla.samba.org/show_bug.cgi?id=11149).
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11694
>Signed-off-by: Herwin Weststrate <herwin@quarantainenet.nl> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Kai Blin <kai@samba.org> >--- > docs-xml/manpages/ntlm_auth.1.xml | 5 +++++ > nsswitch/libwbclient/wbclient.h | 1 + > source3/utils/ntlm_auth.c | 6 ++++++ > source4/utils/ntlm_auth.c | 7 +++++++ > 4 files changed, 19 insertions(+) > >diff --git a/docs-xml/manpages/ntlm_auth.1.xml b/docs-xml/manpages/ntlm_auth.1.xml >index 042893a..616d537 100644 >--- a/docs-xml/manpages/ntlm_auth.1.xml >+++ b/docs-xml/manpages/ntlm_auth.1.xml >@@ -381,6 +381,11 @@ > </varlistentry> > > <varlistentry> >+ <term>--allow-mschapv2</term> >+ <listitem><para>Explicitly allow MSCHAPv2.</para></listitem> >+ </varlistentry> >+ >+ <varlistentry> > <term>--offline-logon</term> > <listitem><para>Allow offline logons for plain text auth. > </para></listitem> >diff --git a/nsswitch/libwbclient/wbclient.h b/nsswitch/libwbclient/wbclient.h >index adf8fe3..97be81f 100644 >--- a/nsswitch/libwbclient/wbclient.h >+++ b/nsswitch/libwbclient/wbclient.h >@@ -315,6 +315,7 @@ struct wbcChangePasswordParams { > #define WBC_MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT 0x00000020 > #define WBC_MSV1_0_RETURN_PROFILE_PATH 0x00000200 > #define WBC_MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT 0x00000800 >+#define WBC_MSV1_0_ALLOW_MSVCHAPV2 0x00010000 > > /* wbcAuthUserParams->flags */ > >diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c >index b90f927..1556e48 100644 >--- a/source3/utils/ntlm_auth.c >+++ b/source3/utils/ntlm_auth.c >@@ -167,6 +167,7 @@ static int request_lm_key; > static int request_user_session_key; > static int use_cached_creds; > static int offline_logon; >+static int opt_allow_mschapv2; > > static const char *require_membership_of; > static const char *require_membership_of_sid; 
>@@ -527,6 +528,9 @@ NTSTATUS contact_winbind_auth_crap(const char *username, > request.data.auth_crap.logon_parameters = extra_logon_parameters > | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT | MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT; > >+ if (opt_allow_mschapv2) >+ request.data.auth_crap.logon_parameters |= MSV1_0_ALLOW_MSVCHAPV2; >+ > if (require_membership_of_sid) > fstrcpy(request.data.auth_crap.require_membership_of_sid, require_membership_of_sid); > >@@ -2754,6 +2758,7 @@ enum { > OPT_DIAGNOSTICS, > OPT_REQUIRE_MEMBERSHIP, > OPT_USE_CACHED_CREDS, >+ OPT_ALLOW_MSCHAPV2, > OPT_PAM_WINBIND_CONF, > OPT_TARGET_SERVICE, > OPT_TARGET_HOSTNAME, >@@ -2794,6 +2799,7 @@ enum { > { "request-lm-key", 0, POPT_ARG_NONE, &request_lm_key, OPT_LM_KEY, "Retrieve LM session key"}, > { "request-nt-key", 0, POPT_ARG_NONE, &request_user_session_key, OPT_USER_SESSION_KEY, "Retrieve User (NT) session key"}, > { "use-cached-creds", 0, POPT_ARG_NONE, &use_cached_creds, OPT_USE_CACHED_CREDS, "Use cached credentials if no password is given"}, >+ { "allow-mschapv2", 0, POPT_ARG_NONE, &opt_allow_mschapv2, OPT_ALLOW_MSCHAPV2, "Explicitly allow MSCHAPv2" }, > { "offline-logon", 0, POPT_ARG_NONE, &offline_logon, > OPT_OFFLINE_LOGON, > "Use cached passwords when DC is offline"}, >diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c >index f7c95eb..7f7a0e7 100644 >--- a/source4/utils/ntlm_auth.c >+++ b/source4/utils/ntlm_auth.c >@@ -104,6 +104,7 @@ static const char *opt_workstation; > static const char *opt_password; > static int opt_multiplex; > static int use_cached_creds; >+static int opt_allow_mschapv2; > > > static void mux_printf(unsigned int mux_id, const char *format, ...) PRINTF_ATTRIBUTE(2, 3); >@@ -174,6 +175,7 @@ static NTSTATUS local_pw_check_specified(struct loadparm_context *lp_ctx, > if (!mem_ctx) { > nt_status = NT_STATUS_NO_MEMORY; > } else { >+ uint32_t logon_parameters = 0; > > E_md4hash(opt_password, nt_pw.hash); > if (E_deshash(opt_password, lm_pw.hash)) { 
>@@ -183,10 +185,13 @@ static NTSTATUS local_pw_check_specified(struct loadparm_context *lp_ctx, > } > nt_pwd = &nt_pw; > >+ if (opt_allow_mschapv2) >+ logon_parameters |= MSV1_0_ALLOW_MSVCHAPV2; > > nt_status = ntlm_password_check(mem_ctx, > lpcfg_lanman_auth(lp_ctx), > lpcfg_ntlm_auth(lp_ctx), >+ logon_parameters | > MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | > MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT, > challenge, >@@ -1043,6 +1048,7 @@ enum { > OPT_REQUIRE_MEMBERSHIP, > OPT_MULTIPLEX, > OPT_USE_CACHED_CREDS, >+ OPT_ALLOW_MSCHAPV2, > }; > > int main(int argc, const char **argv) >@@ -1069,6 +1075,7 @@ int main(int argc, const char **argv) > { "password", 0, POPT_ARG_STRING, &opt_password, OPT_PASSWORD, "User's plaintext password"}, > { "multiplex", 0, POPT_ARG_NONE, &opt_multiplex, OPT_MULTIPLEX, "Multiplex Mode"}, > { "use-cached-creds", 0, POPT_ARG_NONE, &use_cached_creds, OPT_USE_CACHED_CREDS, "silently ignored for compatibility reasons"}, >+ { "allow-mschapv2", 0, POPT_ARG_NONE, &opt_allow_mschapv2, OPT_ALLOW_MSCHAPV2, "Explicitly allow MSCHAPv2" }, > POPT_COMMON_SAMBA > POPT_COMMON_VERSION > { NULL } >-- >2.4.3 >
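Review bot: the man-page entry `<listitem><para>Explicitly allow MSCHAPv2.</para></listitem>` in the docs-xml/manpages/ntlm_auth.1.xml hunk does not tell an operator what the option changes or why it is off by default. The commit message shows the flag turning `Logon failure (0xc000006d)` into a returned `NT_KEY` against a DC whose 'LAN Manager authentication level' is 'Send NTLMv2 Response Only. Refuse LM & NTLM', so the paragraph should say that the option sets the MSV1_0_ALLOW_MSVCHAPV2 logon parameter, that this asks the domain controller to accept an MSCHAPv2 response even where its policy refuses NTLMv1, and that it is meant for services that actually terminate MSCHAPv2 (the FreeRADIUS use cited in the message). Suggested wording: `<para>Explicitly allow MSCHAPv2 by setting the MSV1_0_ALLOW_MSVCHAPV2 logon parameter, so the domain controller accepts an MSCHAPv2 response even when its policy refuses NTLMv1.</para>`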
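Review bot: `#define WBC_MSV1_0_ALLOW_MSVCHAPV2 0x00010000` in the nsswitch/libwbclient/wbclient.h hunk is added without a comment, so a libwbclient consumer (such as the FreeRADIUS integration named in the commit message) has no way to see from the header that this is the bit `ntlm_auth --allow-mschapv2` sets on `logon_parameters`. A one-line comment above the define would fix that. The source3 and source4 hunks use the unprefixed `MSV1_0_ALLOW_MSVCHAPV2`, whose value is not visible in this patch; the review should confirm both definitions carry 0x00010000, since a mismatch would make the public WBC_ flag a silent no-op, and the commit message should state that the value is the Windows MSV1_0 bit being mirrored.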
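Review bot: the new `if (opt_allow_mschapv2)` in the contact_winbind_auth_crap() hunk of source3/utils/ntlm_auth.c has a braceless single-statement body; Samba's README.Coding asks for braces on every if body, so write it as `if (opt_allow_mschapv2) {` / `request.data.auth_crap.logon_parameters |= MSV1_0_ALLOW_MSVCHAPV2;` / `}` even though the adjacent `if (require_membership_of_sid)` context line predates that rule. The logic is fine: the bit is OR-ed in only when the option was given, and the default request built from `extra_logon_parameters | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT | MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT` is unchanged.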
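Review bot: in the `@@ -183,10 +185,13 @@ local_pw_check_specified` hunk of source4/utils/ntlm_auth.c the flag is only fed into ntlm_password_check() on the local, `--password`-driven check path; unlike the source3 side, where contact_winbind_auth_crap() is patched, no hunk in this patch shows the source4 winbind-backed path receiving MSV1_0_ALLOW_MSVCHAPV2. If that is intentional (the commit message says the Samba 3 ntlm_auth is the one that was tested), the message should say so; otherwise the source4 winbind request needs the same bit. Minor: the same braceless `if (opt_allow_mschapv2)` body appears here as in the source3 hunk and should get braces.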