svn commit: samba r2755 - in branches/SAMBA_3_0/source/nsswitch: .
abartlet at samba.org
abartlet at samba.org
Thu Sep 30 00:49:41 GMT 2004
Author: abartlet
Date: 2004-09-30 00:49:41 +0000 (Thu, 30 Sep 2004)
New Revision: 2755
WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=samba&path=/branches/SAMBA_3_0/source/nsswitch&rev=2755&nolog=1
Log:
Fix NTLMv2 for use with pam_winbind, the plaintext ntlm_auth modes,
and the wbinfo -a test tool.
If 'client ntlmv2 auth' is set, then we will send an NTLMv2, rather
than an NT/LM response to the server.
Andrew Bartlett
Modified:
branches/SAMBA_3_0/source/nsswitch/wbinfo.c
branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
Changeset:
Modified: branches/SAMBA_3_0/source/nsswitch/wbinfo.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/wbinfo.c 2004-09-29 17:37:59 UTC (rev 2754)
+++ branches/SAMBA_3_0/source/nsswitch/wbinfo.c 2004-09-30 00:49:41 UTC (rev 2755)
@@ -582,14 +582,55 @@
generate_random_buffer(request.data.auth_crap.chal, 8);
- SMBencrypt(pass, request.data.auth_crap.chal,
- (uchar *)request.data.auth_crap.lm_resp);
- SMBNTencrypt(pass, request.data.auth_crap.chal,
- (uchar *)request.data.auth_crap.nt_resp);
+ if (lp_client_ntlmv2_auth()) {
+ DATA_BLOB server_chal;
+ DATA_BLOB names_blob;
- request.data.auth_crap.lm_resp_len = 24;
- request.data.auth_crap.nt_resp_len = 24;
+ DATA_BLOB lm_response;
+ DATA_BLOB nt_response;
+ server_chal = data_blob(request.data.auth_crap.chal, 8);
+
+ /* Pretend this is a login to 'us', for blob purposes */
+ names_blob = NTLMv2_generate_names_blob(global_myname(), lp_workgroup());
+
+ if (!SMBNTLMv2encrypt(name_user, name_domain, pass, &server_chal,
+ &names_blob,
+ &lm_response, &nt_response, NULL)) {
+ data_blob_free(&names_blob);
+ data_blob_free(&server_chal);
+ return False;
+ }
+ data_blob_free(&names_blob);
+ data_blob_free(&server_chal);
+
+ memcpy(request.data.auth_crap.nt_resp, nt_response.data,
+ MIN(nt_response.length,
+ sizeof(request.data.auth_crap.nt_resp)));
+ request.data.auth_crap.nt_resp_len = nt_response.length;
+
+ memcpy(request.data.auth_crap.lm_resp, lm_response.data,
+ MIN(lm_response.length,
+ sizeof(request.data.auth_crap.lm_resp)));
+ request.data.auth_crap.lm_resp_len = lm_response.length;
+
+ data_blob_free(&nt_response);
+ data_blob_free(&lm_response);
+
+ } else {
+ if (lp_client_lanman_auth()
+ && SMBencrypt(pass, request.data.auth_crap.chal,
+ (uchar *)request.data.auth_crap.lm_resp)) {
+ request.data.auth_crap.lm_resp_len = 24;
+ } else {
+ request.data.auth_crap.lm_resp_len = 0;
+ }
+ SMBNTencrypt(pass, request.data.auth_crap.chal,
+ (uchar *)request.data.auth_crap.nt_resp);
+
+ request.data.auth_crap.nt_resp_len = 24;
+ }
+
result = winbindd_request(WINBINDD_PAM_AUTH_CRAP, &request, &response);
/* Display response */
Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c 2004-09-29 17:37:59 UTC (rev 2754)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c 2004-09-30 00:49:41 UTC (rev 2755)
@@ -190,13 +190,59 @@
/* do password magic */
+
generate_random_buffer(chal, 8);
- SMBencrypt(state->request.data.auth.pass, chal, local_lm_response);
+ if (lp_client_ntlmv2_auth()) {
+ DATA_BLOB server_chal;
+ DATA_BLOB names_blob;
+ DATA_BLOB nt_response;
+ DATA_BLOB lm_response;
+ server_chal = data_blob_talloc(mem_ctx, chal, 8);
- SMBNTencrypt(state->request.data.auth.pass, chal, local_nt_response);
+ /* note that the 'workgroup' here is a best guess - we don't know
+ the server's domain at this point. The 'server name' is also
+ dodgy...
+ */
+ names_blob = NTLMv2_generate_names_blob(global_myname(), lp_workgroup());
+
+ if (!SMBNTLMv2encrypt(name_user, name_domain,
+ state->request.data.auth.pass,
+ &server_chal,
+ &names_blob,
+ &lm_response, &nt_response, NULL)) {
+ data_blob_free(&names_blob);
+ data_blob_free(&server_chal);
+ DEBUG(0, ("winbindd_pam_auth: SMBNTLMv2encrypt() failed!\n"));
+ result = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+ data_blob_free(&names_blob);
+ data_blob_free(&server_chal);
+ lm_resp = data_blob_talloc(mem_ctx, lm_response.data, lm_response.length);
+ nt_resp = data_blob_talloc(mem_ctx, nt_response.data, nt_response.length);
+ data_blob_free(&lm_response);
+ data_blob_free(&nt_response);
- lm_resp = data_blob_talloc(mem_ctx, local_lm_response, sizeof(local_lm_response));
- nt_resp = data_blob_talloc(mem_ctx, local_nt_response, sizeof(local_nt_response));
+ } else {
+ if (lp_client_lanman_auth()
+ && SMBencrypt(state->request.data.auth.pass,
+ chal,
+ local_lm_response)) {
+ lm_resp = data_blob_talloc(mem_ctx,
+ local_lm_response,
+ sizeof(local_lm_response));
+ } else {
+ lm_resp = data_blob(NULL, 0);
+ }
+ SMBNTencrypt(state->request.data.auth.pass,
+ chal,
+ local_nt_response);
+
+ nt_resp = data_blob_talloc(mem_ctx,
+ local_nt_response,
+ sizeof(local_nt_response));
+ }
+
/* what domain should we contact? */
More information about the samba-cvs
mailing list