The Samba-Bugzilla – Attachment 460 Details for
Bug 169
Plaintext/interactive logon auth incompatible with NTLMv2 only
[patch]
Fix this for interactive logons
ntlmv2-domain-logon.patch (text/plain), 17.47 KB, created by
Andrew Bartlett
on 2004-03-30 17:26:36 UTC
Description:
Fix this for interactive logons
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2004-03-30 17:26:36 UTC
Size:
17.47 KB
patch
obsolete
>? 3.0-sec_chan_type.patch
>? ntlmv2-response.patch
>? docs/docbook/Makefile
>? docs/docbook/config.cache
>? docs/docbook/config.log
>? docs/docbook/config.status
>? docs/docbook/smbdotconf/security/clientlanmanauth.xml
>? examples/pdb/mysql/Makefile
>? examples/pdb/xml/Makefile
>? examples/sam/Makefile
>? source/config.abartlet
>? source/passdb.xml
>? source/auth/auth_util.idmap-conflict.c
>? source/bin/stNDYv74
>? source/bin/t_strstr
>? source/include/smb_ldap.h
>? source/modules/developer.c
>? source/modules/vfs_fake_perms-old.c
>? source/passdb/pdb_ldap.c2
>Index: source/auth/auth_ntlmssp.c
>===================================================================
>RCS file: /home/cvs/samba/source/auth/auth_ntlmssp.c,v
>retrieving revision 1.4.2.6
>diff -u -r1.4.2.6 auth_ntlmssp.c
>--- source/auth/auth_ntlmssp.c 22 Nov 2003 13:19:36 -0000 1.4.2.6
>+++ source/auth/auth_ntlmssp.c 31 Mar 2004 00:55:29 -0000
>@@ -78,21 +78,9 @@
> static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *nt_session_key, DATA_BLOB *lm_session_key)
> {
> AUTH_NTLMSSP_STATE *auth_ntlmssp_state = ntlmssp_state->auth_context;
>- uint32 auth_flags = AUTH_FLAG_NONE;
> auth_usersupplied_info *user_info = NULL;
>- DATA_BLOB plaintext_password = data_blob(NULL, 0);
> NTSTATUS nt_status;
>
>- if (auth_ntlmssp_state->ntlmssp_state->lm_resp.length) {
>- auth_flags |= AUTH_FLAG_LM_RESP;
>- }
>-
>- if (auth_ntlmssp_state->ntlmssp_state->nt_resp.length == 24) {
>- auth_flags |= AUTH_FLAG_NTLM_RESP;
>- } else if (auth_ntlmssp_state->ntlmssp_state->nt_resp.length > 24) {
>- auth_flags |= AUTH_FLAG_NTLMv2_RESP;
>- }
>-
> /* the client has given us its machine name (which we otherwise would not get on port 445).
> we need to possibly reload smb.conf if smb.conf includes depend on the machine name */
>
>@@ -108,10 +96,10 @@
> auth_ntlmssp_state->ntlmssp_state->user,
> auth_ntlmssp_state->ntlmssp_state->domain,
> auth_ntlmssp_state->ntlmssp_state->workstation,
>- auth_ntlmssp_state->ntlmssp_state->lm_resp,
>- auth_ntlmssp_state->ntlmssp_state->nt_resp,
>- plaintext_password,
>- auth_flags, True);
>+ auth_ntlmssp_state->ntlmssp_state->lm_resp.data ? &auth_ntlmssp_state->ntlmssp_state->lm_resp : NULL,
>+ auth_ntlmssp_state->ntlmssp_state->nt_resp.data ? &auth_ntlmssp_state->ntlmssp_state->nt_resp : NULL,
>+ NULL, NULL, NULL,
>+ True);
>
> if (!NT_STATUS_IS_OK(nt_status)) {
> return nt_status;
>Index: source/auth/auth_sam.c
>===================================================================
>RCS file: /home/cvs/samba/source/auth/auth_sam.c,v
>retrieving revision 1.36.2.28
>diff -u -r1.36.2.28 auth_sam.c
>--- source/auth/auth_sam.c 21 Feb 2004 17:41:28 -0000 1.36.2.28
>+++ source/auth/auth_sam.c 31 Mar 2004 00:55:29 -0000
>@@ -57,7 +57,8 @@
> nt_pw = pdb_get_nt_passwd(sampass);
>
> return ntlm_password_check(mem_ctx, &auth_context->challenge,
>- &user_info->lm_resp, &user_info->nt_resp,
>+ &user_info->lm_resp, &user_info->nt_resp,
>+ &user_info->lm_interactive_pwd, &user_info->nt_interactive_pwd,
> username,
> user_info->smb_name.str,
> user_info->client_domain.str,
>Index: source/auth/auth_util.c
>===================================================================
>RCS file: /home/cvs/samba/source/auth/auth_util.c,v
>retrieving revision 1.39.2.55
>diff -u -r1.39.2.55 auth_util.c
>--- source/auth/auth_util.c 16 Mar 2004 20:28:47 -0000 1.39.2.55
>+++ source/auth/auth_util.c 31 Mar 2004 00:55:29 -0000
>@@ -124,9 +124,10 @@
> const char *client_domain,
> const char *domain,
> const char *wksta_name,
>- DATA_BLOB lm_pwd, DATA_BLOB nt_pwd,
>- DATA_BLOB plaintext,
>- uint32 auth_flags, BOOL encrypted)
>+ DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd,
>+ DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd,
>+ DATA_BLOB *plaintext,
>+ BOOL encrypted)
> {
>
> DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name));
>@@ -183,12 +184,19 @@
>
> DEBUG(5,("making blobs for %s's user_info struct\n", internal_username));
>
>- (*user_info)->lm_resp = data_blob(lm_pwd.data, lm_pwd.length);
>- (*user_info)->nt_resp = data_blob(nt_pwd.data, nt_pwd.length);
>- (*user_info)->plaintext_password = data_blob(plaintext.data, plaintext.length);
>+ if (lm_pwd)
>+ (*user_info)->lm_resp = data_blob(lm_pwd->data, lm_pwd->length);
>+ if (nt_pwd)
>+ (*user_info)->nt_resp = data_blob(nt_pwd->data, nt_pwd->length);
>+ if (lm_interactive_pwd)
>+ (*user_info)->lm_interactive_pwd = data_blob(lm_interactive_pwd->data, lm_interactive_pwd->length);
>+ if (nt_interactive_pwd)
>+ (*user_info)->nt_interactive_pwd = data_blob(nt_interactive_pwd->data, nt_interactive_pwd->length);
>+
>+ if (plaintext)
>+ (*user_info)->plaintext_password = data_blob(plaintext->data, plaintext->length);
>
> (*user_info)->encrypted = encrypted;
>- (*user_info)->auth_flags = auth_flags;
>
> DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name));
>
>@@ -203,9 +211,10 @@
> const char *smb_name,
> const char *client_domain,
> const char *wksta_name,
>- DATA_BLOB lm_pwd, DATA_BLOB nt_pwd,
>- DATA_BLOB plaintext,
>- uint32 ntlmssp_flags, BOOL encrypted)
>+ DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd,
>+ DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd,
>+ DATA_BLOB *plaintext,
>+ BOOL encrypted)
> {
> const char *domain;
> fstring internal_username;
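Review bot: In the `@@ -183,12 +184,19 @@` hunk make_user_info now skips the assignment of `lm_resp`, `nt_resp`, the two interactive blobs and `plaintext_password` whenever the matching pointer is NULL, whereas the removed lines wrote every field unconditionally; free_user_info (`@@ -1307` hunk) still calls data_blob_free()/data_blob_clear_free() on all five. That is only safe if the `*user_info` allocation earlier in this function, which lies outside the hunk, zero-fills the struct; if it is a bare malloc, a guest logon (every pointer NULL, see the `@@ -456` hunk) would free indeterminate blobs. Either add a comment at the allocation stating that the struct is zeroed and that these fields depend on it, or give each skipped case an `else` that sets the field to `data_blob(NULL, 0)`, as the removed `plaintext_blob` initialisers did.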
>@@ -233,8 +242,10 @@
> /* we know that it is a trusted domain (and we are allowing them) or it is our domain */
>
> return make_user_info(user_info, smb_name, internal_username,
>- client_domain, domain, wksta_name, lm_pwd, nt_pwd,
>- plaintext, ntlmssp_flags, encrypted);
>+ client_domain, domain, wksta_name,
>+ lm_pwd, nt_pwd,
>+ lm_interactive_pwd, nt_interactive_pwd,
>+ plaintext, encrypted);
> }
>
> /****************************************************************************
>@@ -253,23 +264,14 @@
> NTSTATUS nt_status;
> DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len);
> DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
>- DATA_BLOB plaintext_blob = data_blob(NULL, 0);
>- uint32 auth_flags = AUTH_FLAG_NONE;
>-
>- if (lm_pwd_len)
>- auth_flags |= AUTH_FLAG_LM_RESP;
>- if (nt_pwd_len == 24) {
>- auth_flags |= AUTH_FLAG_NTLM_RESP;
>- } else if (nt_pwd_len != 0) {
>- auth_flags |= AUTH_FLAG_NTLMv2_RESP;
>- }
>
> nt_status = make_user_info_map(user_info,
>- smb_name, client_domain,
>- wksta_name,
>- lm_blob, nt_blob,
>- plaintext_blob,
>- auth_flags, True);
>+ smb_name, client_domain,
>+ wksta_name,
>+ lm_pwd_len ? &lm_blob : NULL,
>+ nt_pwd_len ? &nt_blob : NULL,
>+ NULL, NULL, NULL,
>+ True);
>
> ret = NT_STATUS_IS_OK(nt_status) ? True : False;
>
>@@ -297,7 +299,6 @@
> unsigned char local_lm_response[24];
> unsigned char local_nt_response[24];
> unsigned char key[16];
>- uint32 auth_flags = AUTH_FLAG_NONE;
>
> ZERO_STRUCT(key);
> memcpy(key, dc_sess_key, 8);
>@@ -316,8 +317,11 @@
> dump_data(100, nt_pwd, sizeof(nt_pwd));
> #endif
>
>- SamOEMhash((uchar *)lm_pwd, key, sizeof(lm_pwd));
>- SamOEMhash((uchar *)nt_pwd, key, sizeof(nt_pwd));
>+ if (lm_interactive_pwd)
>+ SamOEMhash((uchar *)lm_pwd, key, sizeof(lm_pwd));
>+
>+ if (nt_interactive_pwd)
>+ SamOEMhash((uchar *)nt_pwd, key, sizeof(nt_pwd));
>
> #ifdef DEBUG_PASSWORD
> DEBUG(100,("decrypt of lm owf password:"));
>@@ -327,37 +331,49 @@
> dump_data(100, nt_pwd, sizeof(nt_pwd));
> #endif
>
>- SMBOWFencrypt((const unsigned char *)lm_pwd, chal, local_lm_response);
>- SMBOWFencrypt((const unsigned char *)nt_pwd, chal, local_nt_response);
>+ if (lm_interactive_pwd)
>+ SMBOWFencrypt((const unsigned char *)lm_pwd, chal, local_lm_response);
>+
>+ if (nt_interactive_pwd)
>+ SMBOWFencrypt((const unsigned char *)nt_pwd, chal, local_nt_response);
>
> /* Password info paranoia */
>- ZERO_STRUCT(lm_pwd);
>- ZERO_STRUCT(nt_pwd);
> ZERO_STRUCT(key);
>
> {
> BOOL ret;
> NTSTATUS nt_status;
>- DATA_BLOB local_lm_blob = data_blob(local_lm_response, sizeof(local_lm_response));
>- DATA_BLOB local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response));
>- DATA_BLOB plaintext_blob = data_blob(NULL, 0);
>-
>- if (lm_interactive_pwd)
>- auth_flags |= AUTH_FLAG_LM_RESP;
>- if (nt_interactive_pwd)
>- auth_flags |= AUTH_FLAG_NTLM_RESP;
>+ DATA_BLOB local_lm_blob;
>+ DATA_BLOB local_nt_blob;
>+
>+ DATA_BLOB lm_interactive_blob;
>+ DATA_BLOB nt_interactive_blob;
>+
>+ if (lm_interactive_pwd) {
>+ local_lm_blob = data_blob(local_lm_response, sizeof(local_lm_response));
>+ lm_interactive_blob = data_blob(lm_pwd, sizeof(lm_pwd));
>+ }
>+
>+ if (nt_interactive_pwd) {
>+ local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response));
>+ nt_interactive_blob = data_blob(nt_pwd, sizeof(nt_pwd));
>+ }
>
> nt_status = make_user_info_map(user_info,
> smb_name, client_domain,
> wksta_name,
>- local_lm_blob,
>- local_nt_blob,
>- plaintext_blob,
>- auth_flags, True);
>-
>+ lm_interactive_pwd ? &local_lm_blob : NULL,
>+ nt_interactive_pwd ? &local_nt_blob : NULL,
>+ lm_interactive_pwd ? &lm_interactive_blob : NULL,
>+ nt_interactive_pwd ? &nt_interactive_blob : NULL,
>+ NULL,
>+ True);
>+
> ret = NT_STATUS_IS_OK(nt_status) ? True : False;
> data_blob_free(&local_lm_blob);
> data_blob_free(&local_nt_blob);
>+ data_blob_free(&lm_interactive_blob);
>+ data_blob_free(&nt_interactive_blob);
> return ret;
> }
> }
>@@ -377,7 +393,6 @@
> DATA_BLOB local_lm_blob;
> DATA_BLOB local_nt_blob;
> NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
>- uint32 auth_flags = AUTH_FLAG_NONE;
>
> /*
> * Not encrypted - do so.
>@@ -400,7 +415,6 @@
> case insensitive */
> local_nt_blob = data_blob(NULL, 0);
>
>- auth_flags = (AUTH_FLAG_PLAINTEXT | AUTH_FLAG_LM_RESP);
> } else {
> local_lm_blob = data_blob(NULL, 0);
> local_nt_blob = data_blob(NULL, 0);
>@@ -409,10 +423,11 @@
> ret = make_user_info_map(user_info, smb_name,
> client_domain,
> get_remote_machine_name(),
>- local_lm_blob,
>- local_nt_blob,
>- plaintext_password,
>- auth_flags, False);
>+ local_lm_blob.data ? &local_lm_blob : NULL,
>+ local_nt_blob.data ? &local_nt_blob : NULL,
>+ NULL, NULL,
>+ plaintext_password.data ? &plaintext_password : NULL,
>+ False);
>
> data_blob_free(&local_lm_blob);
> return NT_STATUS_IS_OK(ret) ? True : False;
>@@ -427,27 +442,13 @@
> const char *client_domain,
> DATA_BLOB lm_resp, DATA_BLOB nt_resp)
> {
>- uint32 auth_flags = AUTH_FLAG_NONE;
>-
>- DATA_BLOB no_plaintext_blob = data_blob(NULL, 0);
>-
>- if (lm_resp.length == 24) {
>- auth_flags |= AUTH_FLAG_LM_RESP;
>- }
>- if (nt_resp.length == 0) {
>- } else if (nt_resp.length == 24) {
>- auth_flags |= AUTH_FLAG_NTLM_RESP;
>- } else {
>- auth_flags |= AUTH_FLAG_NTLMv2_RESP;
>- }
>-
> return make_user_info_map(user_info, smb_name,
>- client_domain,
>- get_remote_machine_name(),
>- lm_resp,
>- nt_resp,
>- no_plaintext_blob,
>- auth_flags, True);
>+ client_domain,
>+ get_remote_machine_name(),
>+ lm_resp.data ? &lm_resp : NULL,
>+ nt_resp.data ? &nt_resp : NULL,
>+ NULL, NULL, NULL,
>+ True);
> }
>
> /****************************************************************************
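Review bot: In the inner block of the `@@ -327,37 +331,49 @@` hunk, `local_lm_blob`/`lm_interactive_blob` and their NT counterparts are assigned only inside `if (lm_interactive_pwd)` / `if (nt_interactive_pwd)`, yet all four are handed to data_blob_free() unconditionally before `return ret`, so an interactive logon that carries only one of the two hashes frees two indeterminate DATA_BLOBs. Initialise all four with `data_blob(NULL, 0)` at their declaration, as the removed `plaintext_blob` line did, so the free is a no-op for the absent one. The same hunk also drops the `ZERO_STRUCT(lm_pwd)`/`ZERO_STRUCT(nt_pwd)` lines under "Password info paranoia" and releases the heap copies made by `data_blob(lm_pwd, sizeof(lm_pwd))` with data_blob_free() rather than the data_blob_clear_free() that free_user_info uses for the same hashes in the `@@ -1307` hunk, so decrypted OWF hashes now survive the call on both stack and heap. Zero the arrays once the blobs are built and clear-free the interactive blobs; the enclosing function begins outside this hunk.
```c
		DATA_BLOB local_lm_blob = data_blob(NULL, 0);
		DATA_BLOB local_nt_blob = data_blob(NULL, 0);

		DATA_BLOB lm_interactive_blob = data_blob(NULL, 0);
		DATA_BLOB nt_interactive_blob = data_blob(NULL, 0);

		/* … unchanged: conditional blob construction and make_user_info_map() call … */

		/* Password info paranoia: the decrypted OWF hashes have been copied
		   into the blobs above, so scrub the stack copies before leaving. */
		ZERO_STRUCT(lm_pwd);
		ZERO_STRUCT(nt_pwd);

		ret = NT_STATUS_IS_OK(nt_status) ? True : False;
		data_blob_free(&local_lm_blob);
		data_blob_free(&local_nt_blob);
		/* these hold password-equivalent material: wipe before release */
		data_blob_clear_free(&lm_interactive_blob);
		data_blob_clear_free(&nt_interactive_blob);
		return ret;
```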
>@@ -456,19 +457,16 @@
>
> BOOL make_user_info_guest(auth_usersupplied_info **user_info)
> {
>- DATA_BLOB lm_blob = data_blob(NULL, 0);
>- DATA_BLOB nt_blob = data_blob(NULL, 0);
>- DATA_BLOB plaintext_blob = data_blob(NULL, 0);
>- uint32 auth_flags = AUTH_FLAG_NONE;
> NTSTATUS nt_status;
>
> nt_status = make_user_info(user_info,
>- "","",
>- "","",
>- "",
>- nt_blob, lm_blob,
>- plaintext_blob,
>- auth_flags, True);
>+ "","",
>+ "","",
>+ "",
>+ NULL, NULL,
>+ NULL, NULL,
>+ NULL,
>+ True);
>
> return NT_STATUS_IS_OK(nt_status) ? True : False;
> }
>@@ -1307,7 +1305,8 @@
> SAFE_FREE((*user_info)->wksta_name.str);
> data_blob_free(&(*user_info)->lm_resp);
> data_blob_free(&(*user_info)->nt_resp);
>- SAFE_FREE((*user_info)->interactive_password);
>+ data_blob_clear_free(&(*user_info)->lm_interactive_pwd);
>+ data_blob_clear_free(&(*user_info)->nt_interactive_pwd);
> data_blob_clear_free(&(*user_info)->plaintext_password);
> ZERO_STRUCT(**user_info);
> }
>Index: source/include/auth.h
>===================================================================
>RCS file: /home/cvs/samba/source/include/auth.h,v
>retrieving revision 1.14.2.7
>diff -u -r1.14.2.7 auth.h
>--- source/include/auth.h 22 Nov 2003 13:19:36 -0000 1.14.2.7
>+++ source/include/auth.h 31 Mar 2004 00:55:30 -0000
>@@ -27,37 +27,17 @@
> char *str;
> } AUTH_STR;
>
>-/* AUTH_UNISTR - unicode string or buffer */
>-typedef struct unicode_string
>-{
>- int len;
>- uchar *unistr;
>-} AUTH_UNISTR;
>-
>-typedef struct interactive_password
>-{
>- OWF_INFO lm_owf; /* LM OWF Password */
>- OWF_INFO nt_owf; /* NT OWF Password */
>-} auth_interactive_password;
>-
>-#define AUTH_FLAG_NONE 0x000000
>-#define AUTH_FLAG_PLAINTEXT 0x000001
>-#define AUTH_FLAG_LM_RESP 0x000002
>-#define AUTH_FLAG_NTLM_RESP 0x000004
>-#define AUTH_FLAG_NTLMv2_RESP 0x000008
>-
> typedef struct auth_usersupplied_info
> {
>
> DATA_BLOB lm_resp;
> DATA_BLOB nt_resp;
>- auth_interactive_password * interactive_password;
>+ DATA_BLOB lm_interactive_pwd;
>+ DATA_BLOB nt_interactive_pwd;
> DATA_BLOB plaintext_password;
>
> BOOL encrypted;
>
>- uint32 auth_flags;
>-
> AUTH_STR client_domain; /* domain name string */
> AUTH_STR domain; /* domain name after mapping */
> AUTH_STR internal_username; /* username after mapping */
>Index: source/libsmb/ntlm_check.c
>===================================================================
>RCS file: /home/cvs/samba/source/libsmb/ntlm_check.c,v
>retrieving revision 1.1.2.2
>diff -u -r1.1.2.2 ntlm_check.c
>--- source/libsmb/ntlm_check.c 27 Mar 2004 07:53:47 -0000 1.1.2.2
>+++ source/libsmb/ntlm_check.c 31 Mar 2004 00:55:30 -0000
>@@ -170,6 +170,8 @@
> const DATA_BLOB *challenge,
> const DATA_BLOB *lm_response,
> const DATA_BLOB *nt_response,
>+ const DATA_BLOB *lm_interactive_pwd,
>+ const DATA_BLOB *nt_interactive_pwd,
> const char *username,
> const char *client_username,
> const char *client_domain,
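Review bot: The two new `DATA_BLOB` members added to auth_usersupplied_info in the `@@ -27,37 +27,17 @@` hunk carry no comment, while the neighbouring AUTH_STR members do, and nothing in the header says how they differ from `lm_resp`/`nt_resp`, which is the distinction the whole patch hinges on. From the auth_util.c and ntlm_check.c hunks they hold the OWF hashes of an interactive logon, already decrypted with the key derived from `dc_sess_key`, are rejected unless exactly 16 bytes long, and are left unset when make_user_info is given a NULL pointer for them. A comment per field, e.g. `DATA_BLOB nt_interactive_pwd; /* 16-byte NT OWF hash from an interactive logon, already decrypted; not set for network logons */` and the LM equivalent, would spare the next reader a trip through three files, and noting that free_user_info releases them with data_blob_clear_free() documents that they are treated as password-equivalent material.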
>@@ -181,6 +183,47 @@
> if (nt_pw == NULL) {
> DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n",
> username));
>+ }
>+
>+ if (nt_interactive_pwd && nt_interactive_pwd->length && nt_pw) {
>+ if (nt_interactive_pwd->length != 16) {
>+ DEBUG(3,("ntlm_password_check: Interactive logon: Invalid NT password length (%d) supplied for user %s\n", (int)nt_interactive_pwd->length,
>+ username));
>+ return NT_STATUS_WRONG_PASSWORD;
>+ }
>+
>+ if (memcmp(nt_interactive_pwd->data, nt_pw, 16) == 0) {
>+ if (user_sess_key) {
>+ *user_sess_key = data_blob(NULL, 16);
>+ SMBsesskeygen_ntv1(nt_pw, NULL, user_sess_key->data);
>+ }
>+ return NT_STATUS_OK;
>+ } else {
>+ DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n",
>+ username));
>+ return NT_STATUS_WRONG_PASSWORD;
>+ }
>+
>+ } else if (lm_interactive_pwd && lm_interactive_pwd->length && lm_pw) {
>+ if (lm_interactive_pwd->length != 16) {
>+ DEBUG(3,("ntlm_password_check: Interactive logon: Invalid LANMAN password length (%d) supplied for user %s\n", (int)lm_interactive_pwd->length,
>+ username));
>+ return NT_STATUS_WRONG_PASSWORD;
>+ }
>+
>+ if (!lp_lanman_auth()) {
>+ DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
>+ username));
>+ return NT_STATUS_WRONG_PASSWORD;
>+ }
>+
>+ if (memcmp(lm_interactive_pwd->data, lm_pw, 16) == 0) {
>+ return NT_STATUS_OK;
>+ } else {
>+ DEBUG(3,("ntlm_password_check: Interactive logon: LANMAN password check failed for user %s\n",
>+ username));
>+ return NT_STATUS_WRONG_PASSWORD;
>+ }
> }
>
> /* Check for cleartext netlogon. Used by Exchange 5.5. */
>Index: source/utils/ntlm_auth.c
>===================================================================
>RCS file: /home/cvs/samba/source/utils/ntlm_auth.c,v
>retrieving revision 1.6.2.44
>diff -u -r1.6.2.44 ntlm_auth.c
>--- source/utils/ntlm_auth.c 24 Mar 2004 17:32:55 -0000 1.6.2.44
>+++ source/utils/ntlm_auth.c 31 Mar 2004 00:55:31 -0000
>@@ -366,6 +366,7 @@
> &ntlmssp_state->chal,
> &ntlmssp_state->lm_resp,
> &ntlmssp_state->nt_resp,
>+ NULL, NULL,
> ntlmssp_state->user,
> ntlmssp_state->user,
> ntlmssp_state->domain,
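Review bot: Both new hash checks in the `@@ -181,6 +183,47 @@` hunk compare the client-supplied 16-byte OWF hash with the stored one via `memcmp(..., 16) == 0`, which stops at the first differing byte, so the time taken to answer a SamLogon can reveal how many leading bytes of a guessed hash matched; a fixed-time comparison that always touches all 16 bytes removes that signal at no cost. The LM branch also returns NT_STATUS_OK without touching `user_sess_key`, whereas the NT branch directly above derives one with SMBsesskeygen_ntv1(); if callers expect a key on every successful return, that asymmetry needs either a matching derivation or a comment explaining why none is produced. ntlm_password_check's signature and its remaining checks lie outside this hunk; a small file-local helper keeps the two call sites to a one-line change each.
```c
/* Fixed-time 16-byte OWF compare: examines every byte so the result
   time does not depend on where the first mismatch occurs. */
static BOOL owf_hash_equal(const unsigned char *a, const unsigned char *b)
{
	unsigned int diff = 0;
	int i;
	for (i = 0; i < 16; i++) {
		diff |= (unsigned int)(a[i] ^ b[i]);
	}
	return diff == 0 ? True : False;
}

/* … unchanged: NT interactive length check … */
		if (owf_hash_equal(nt_interactive_pwd->data, nt_pw)) {
/* … unchanged: session key derivation, LM length and lp_lanman_auth() checks … */
		if (owf_hash_equal(lm_interactive_pwd->data, lm_pw)) {
```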