diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2004-04-03 15:41:32 +0000 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2004-04-03 15:41:32 +0000 |
| commit | 9598593bcf2d877b1d08cd6a7323ee0bc160d4ba (patch) | |
| tree | 42a908a47e09f28232324d577bfa6f603cb503c7 /source/libsmb/ntlm_check.c | |
| parent | 58b39942444e62c9d0f98c2ba6f434d74c244a2b (diff) | |
| download | samba-9598593bcf2d877b1d08cd6a7323ee0bc160d4ba.tar.gz samba-9598593bcf2d877b1d08cd6a7323ee0bc160d4ba.tar.xz samba-9598593bcf2d877b1d08cd6a7323ee0bc160d4ba.zip | |
Fix most of bug #169.
For a (very) long time, we have had a bug in Samba were an NTLMv2-only
PDC would fail, because it converted the password into NTLM format for
checking.
This patch performs the direct comparison required for interactive
logons to function in this situation. It also removes the 'auth flags', which
simply where not ever used.
Natrually, this plays with the size of structures, so rebuild, rebuild
rebuild...
Andrew Bartlett
Diffstat (limited to 'source/libsmb/ntlm_check.c')
| -rw-r--r-- | source/libsmb/ntlm_check.c | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/source/libsmb/ntlm_check.c b/source/libsmb/ntlm_check.c index bc291b51286..a7764f9e986 100644 --- a/source/libsmb/ntlm_check.c +++ b/source/libsmb/ntlm_check.c @@ -170,6 +170,8 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, const DATA_BLOB *challenge, const DATA_BLOB *lm_response, const DATA_BLOB *nt_response, + const DATA_BLOB *lm_interactive_pwd, + const DATA_BLOB *nt_interactive_pwd, const char *username, const char *client_username, const char *client_domain, @@ -183,6 +185,47 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, username)); } + if (nt_interactive_pwd && nt_interactive_pwd->length && nt_pw) { + if (nt_interactive_pwd->length != 16) { + DEBUG(3,("ntlm_password_check: Interactive logon: Invalid NT password length (%d) supplied for user %s\n", (int)nt_interactive_pwd->length, + username)); + return NT_STATUS_WRONG_PASSWORD; + } + + if (memcmp(nt_interactive_pwd->data, nt_pw, 16) == 0) { + if (user_sess_key) { + *user_sess_key = data_blob(NULL, 16); + SMBsesskeygen_ntv1(nt_pw, NULL, user_sess_key->data); + } + return NT_STATUS_OK; + } else { + DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n", + username)); + return NT_STATUS_WRONG_PASSWORD; + } + + } else if (lm_interactive_pwd && lm_interactive_pwd->length && lm_pw) { + if (lm_interactive_pwd->length != 16) { + DEBUG(3,("ntlm_password_check: Interactive logon: Invalid LANMAN password length (%d) supplied for user %s\n", (int)lm_interactive_pwd->length, + username)); + return NT_STATUS_WRONG_PASSWORD; + } + + if (!lp_lanman_auth()) { + DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n", + username)); + return NT_STATUS_WRONG_PASSWORD; + } + + if (memcmp(lm_interactive_pwd->data, lm_pw, 16) == 0) { + return NT_STATUS_OK; + } else { + DEBUG(3,("ntlm_password_check: Interactive logon: LANMAN password check failed for user %s\n", + username)); + return NT_STATUS_WRONG_PASSWORD; + } + } + /* Check for cleartext netlogon. Used by Exchange 5.5. */ if (challenge->length == sizeof(zeros) && (memcmp(challenge->data, zeros, challenge->length) == 0 )) { |