svn commit: samba r11366 - in branches/SAMBA_4_0/source: auth
auth/ntlmssp rpc_server/netlogon
abartlet at samba.org
abartlet at samba.org
Fri Oct 28 08:54:38 GMT 2005
Author: abartlet
Date: 2005-10-28 08:54:37 +0000 (Fri, 28 Oct 2005)
New Revision: 11366
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11366
Log:
Pass around the flags which indicate if we should support plaintext
logins and NTLM machine account logins.
Andrew Bartlett
Modified:
branches/SAMBA_4_0/source/auth/auth.h
branches/SAMBA_4_0/source/auth/auth_sam.c
branches/SAMBA_4_0/source/auth/ntlm_check.c
branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_server.c
branches/SAMBA_4_0/source/rpc_server/netlogon/dcerpc_netlogon.c
Changeset:
Modified: branches/SAMBA_4_0/source/auth/auth.h
===================================================================
--- branches/SAMBA_4_0/source/auth/auth.h 2005-10-28 07:05:56 UTC (rev 11365)
+++ branches/SAMBA_4_0/source/auth/auth.h 2005-10-28 08:54:37 UTC (rev 11366)
@@ -51,6 +51,8 @@
const char *workstation_name;
const char *remote_host;
+ uint32_t logon_parameters;
+
BOOL mapped_state;
/* the values the client gives us */
struct {
Modified: branches/SAMBA_4_0/source/auth/auth_sam.c
===================================================================
--- branches/SAMBA_4_0/source/auth/auth_sam.c 2005-10-28 07:05:56 UTC (rev 11365)
+++ branches/SAMBA_4_0/source/auth/auth_sam.c 2005-10-28 08:54:37 UTC (rev 11366)
@@ -105,7 +105,8 @@
break;
case AUTH_PASSWORD_RESPONSE:
- status = ntlm_password_check(mem_ctx, &auth_context->challenge.data,
+ status = ntlm_password_check(mem_ctx, user_info->logon_parameters,
+ &auth_context->challenge.data,
&user_info->password.response.lanman,
&user_info->password.response.nt,
user_info->mapped.account_name,
@@ -133,6 +134,7 @@
(ie not disabled, expired and the like).
****************************************************************************/
static NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
+ uint32_t logon_parameters,
uint16_t acct_flags,
NTTIME acct_expiry,
NTTIME must_change_time,
@@ -204,20 +206,23 @@
return NT_STATUS_INVALID_WORKSTATION;
}
}
-
+
if (acct_flags & ACB_DOMTRUST) {
DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", user_info->mapped.account_name));
return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
}
-
- if (acct_flags & ACB_SVRTRUST) {
- DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", user_info->mapped.account_name));
- return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
+
+ if (!(logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) {
+ if (acct_flags & ACB_SVRTRUST) {
+ DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", user_info->mapped.account_name));
+ return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
+ }
}
-
- if (acct_flags & ACB_WSTRUST) {
- DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", user_info->mapped.account_name));
- return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
+ if (!(logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)) {
+ if (acct_flags & ACB_WSTRUST) {
+ DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", user_info->mapped.account_name));
+ return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
+ }
}
return NT_STATUS_OK;
@@ -381,7 +386,9 @@
workstation_list = samdb_result_string(msgs[0], "userWorkstations", NULL);
- nt_status = authsam_account_ok(mem_ctx, acct_flags,
+ nt_status = authsam_account_ok(mem_ctx,
+ user_info->logon_parameters,
+ acct_flags,
acct_expiry,
must_change_time,
last_set_time,
Modified: branches/SAMBA_4_0/source/auth/ntlm_check.c
===================================================================
--- branches/SAMBA_4_0/source/auth/ntlm_check.c 2005-10-28 07:05:56 UTC (rev 11365)
+++ branches/SAMBA_4_0/source/auth/ntlm_check.c 2005-10-28 08:54:37 UTC (rev 11366)
@@ -23,6 +23,7 @@
#include "includes.h"
#include "lib/crypto/crypto.h"
#include "librpc/gen_ndr/ndr_samr.h"
+#include "librpc/gen_ndr/ndr_netlogon.h"
/****************************************************************************
Core of smb password checking routine.
@@ -274,6 +275,7 @@
*/
NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
+ uint32_t logon_parameters,
const DATA_BLOB *challenge,
const DATA_BLOB *lm_response,
const DATA_BLOB *nt_response,
@@ -297,8 +299,9 @@
*user_sess_key = data_blob(NULL, 0);
/* Check for cleartext netlogon. Used by Exchange 5.5. */
- if (challenge->length == sizeof(zeros) &&
- (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
+ if ((logon_parameters & MSV1_0_CLEARTEXT_PASSWORD_ALLOWED)
+ && challenge->length == sizeof(zeros)
+ && (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
struct samr_Password client_nt;
struct samr_Password client_lm;
uint8_t dospwd[14];
Modified: branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_server.c
===================================================================
--- branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_server.c 2005-10-28 07:05:56 UTC (rev 11365)
+++ branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_server.c 2005-10-28 08:54:37 UTC (rev 11366)
@@ -689,6 +689,7 @@
return NT_STATUS_NO_MEMORY;
}
+ user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
user_info->flags = 0;
user_info->mapped_state = False;
user_info->client.account_name = gensec_ntlmssp_state->user;
Modified: branches/SAMBA_4_0/source/rpc_server/netlogon/dcerpc_netlogon.c
===================================================================
--- branches/SAMBA_4_0/source/rpc_server/netlogon/dcerpc_netlogon.c 2005-10-28 07:05:56 UTC (rev 11365)
+++ branches/SAMBA_4_0/source/rpc_server/netlogon/dcerpc_netlogon.c 2005-10-28 08:54:37 UTC (rev 11366)
@@ -400,9 +400,10 @@
dce_call->event_ctx);
NT_STATUS_NOT_OK_RETURN(nt_status);
- user_info->client.account_name = r->in.logon.network->identity_info.account_name.string;
- user_info->client.domain_name = r->in.logon.network->identity_info.domain_name.string;
- user_info->workstation_name = r->in.logon.network->identity_info.workstation.string;
+ user_info->logon_parameters = r->in.logon.password->identity_info.parameter_control;
+ user_info->client.account_name = r->in.logon.password->identity_info.account_name.string;
+ user_info->client.domain_name = r->in.logon.password->identity_info.domain_name.string;
+ user_info->workstation_name = r->in.logon.password->identity_info.workstation.string;
user_info->password_state = AUTH_PASSWORD_HASH;
user_info->password.hash.lanman = talloc(user_info, struct samr_Password);
@@ -428,6 +429,7 @@
nt_status = auth_context_set_challenge(auth_context, r->in.logon.network->challenge, "netr_LogonSamLogonWithFlags");
NT_STATUS_NOT_OK_RETURN(nt_status);
+ user_info->logon_parameters = r->in.logon.network->identity_info.parameter_control;
user_info->client.account_name = r->in.logon.network->identity_info.account_name.string;
user_info->client.domain_name = r->in.logon.network->identity_info.domain_name.string;
user_info->workstation_name = r->in.logon.network->identity_info.workstation.string;
More information about the samba-cvs
mailing list