svn commit: samba r11366 - in branches/SAMBA_4_0/source: auth auth/ntlmssp rpc_server/netlogon

abartlet at samba.org abartlet at samba.org
Fri Oct 28 08:54:38 GMT 2005


Author: abartlet
Date: 2005-10-28 08:54:37 +0000 (Fri, 28 Oct 2005)
New Revision: 11366

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11366

Log:
Pass around the flags which indicate if we should support plaintext
logins and NTLM machine account logins.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/auth.h
   branches/SAMBA_4_0/source/auth/auth_sam.c
   branches/SAMBA_4_0/source/auth/ntlm_check.c
   branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_server.c
   branches/SAMBA_4_0/source/rpc_server/netlogon/dcerpc_netlogon.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/auth.h
===================================================================
--- branches/SAMBA_4_0/source/auth/auth.h	2005-10-28 07:05:56 UTC (rev 11365)
+++ branches/SAMBA_4_0/source/auth/auth.h	2005-10-28 08:54:37 UTC (rev 11366)
@@ -51,6 +51,8 @@
 	const char *workstation_name;
 	const char *remote_host;
 
+	uint32_t logon_parameters;
+
 	BOOL mapped_state;
 	/* the values the client gives us */
 	struct {
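Review bot: The new `logon_parameters` member has no comment saying what it holds or who is responsible for setting it. Elsewhere in this commit it is tested against `MSV1_0_*` bits and decides whether the cleartext and machine-account paths are permitted, so a one-line comment such as `/* MSV1_0_* parameter_control bits; gate cleartext and trust-account logons */` belongs above it. Any code that builds this structure outside the files touched here would need to set the field explicitly unless the allocation is zeroed, which cannot be confirmed from this hunk. The structure definition starts and ends outside the hunk.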

Modified: branches/SAMBA_4_0/source/auth/auth_sam.c
===================================================================
--- branches/SAMBA_4_0/source/auth/auth_sam.c	2005-10-28 07:05:56 UTC (rev 11365)
+++ branches/SAMBA_4_0/source/auth/auth_sam.c	2005-10-28 08:54:37 UTC (rev 11366)
@@ -105,7 +105,8 @@
 		break;
 		
 	case AUTH_PASSWORD_RESPONSE:
-		status = ntlm_password_check(mem_ctx, &auth_context->challenge.data, 
+		status = ntlm_password_check(mem_ctx, user_info->logon_parameters, 
+					     &auth_context->challenge.data, 
 					     &user_info->password.response.lanman, 
 					     &user_info->password.response.nt,
 					     user_info->mapped.account_name,
@@ -133,6 +134,7 @@
  (ie not disabled, expired and the like).
 ****************************************************************************/
 static NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
+				   uint32_t logon_parameters,
 				   uint16_t acct_flags,
 				   NTTIME acct_expiry,
 				   NTTIME must_change_time,
@@ -204,20 +206,23 @@
 			return NT_STATUS_INVALID_WORKSTATION;
 		}
 	}
-
+	
 	if (acct_flags & ACB_DOMTRUST) {
 		DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", user_info->mapped.account_name));
 		return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
 	}
-
-	if (acct_flags & ACB_SVRTRUST) {
-		DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", user_info->mapped.account_name));
-		return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
+	
+	if (!(logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) {
+		if (acct_flags & ACB_SVRTRUST) {
+			DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", user_info->mapped.account_name));
+			return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
+		}
 	}
-
-	if (acct_flags & ACB_WSTRUST) {
-		DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", user_info->mapped.account_name));
-		return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
+	if (!(logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)) {
+		if (acct_flags & ACB_WSTRUST) {
+			DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", user_info->mapped.account_name));
+			return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
+		}
 	}
 
 	return NT_STATUS_OK;
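Review bot: Each new gate nests two `if`s where a single condition reads more directly, e.g. `if ((acct_flags & ACB_SVRTRUST) && !(logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) {`, and likewise for the `ACB_WSTRUST` check. The blank separator lines were also replaced by lines holding only a tab, which adds trailing whitespace. A short comment above the two gates, saying that the refusal is now opt-out per logon while `ACB_DOMTRUST` stays unconditionally refused, would show the next reader that the asymmetry is deliberate. authsam_account_ok starts outside the hunk.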
@@ -381,7 +386,9 @@
 
 	workstation_list = samdb_result_string(msgs[0], "userWorkstations", NULL);
 
-	nt_status = authsam_account_ok(mem_ctx, acct_flags, 
+	nt_status = authsam_account_ok(mem_ctx, 
+				       user_info->logon_parameters,
+				       acct_flags, 
 				       acct_expiry, 
 				       must_change_time, 
 				       last_set_time, 

Modified: branches/SAMBA_4_0/source/auth/ntlm_check.c
===================================================================
--- branches/SAMBA_4_0/source/auth/ntlm_check.c	2005-10-28 07:05:56 UTC (rev 11365)
+++ branches/SAMBA_4_0/source/auth/ntlm_check.c	2005-10-28 08:54:37 UTC (rev 11366)
@@ -23,6 +23,7 @@
 #include "includes.h"
 #include "lib/crypto/crypto.h"
 #include "librpc/gen_ndr/ndr_samr.h"
+#include "librpc/gen_ndr/ndr_netlogon.h"
 
 /****************************************************************************
  Core of smb password checking routine.
@@ -274,6 +275,7 @@
  */
 
 NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
+			     uint32_t logon_parameters,
 			     const DATA_BLOB *challenge,
 			     const DATA_BLOB *lm_response,
 			     const DATA_BLOB *nt_response,
@@ -297,8 +299,9 @@
 	*user_sess_key = data_blob(NULL, 0);
 
 	/* Check for cleartext netlogon. Used by Exchange 5.5. */
-	if (challenge->length == sizeof(zeros) && 
-	    (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
+	if ((logon_parameters & MSV1_0_CLEARTEXT_PASSWORD_ALLOWED)
+	    && challenge->length == sizeof(zeros) 
+	    && (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
 		struct samr_Password client_nt;
 		struct samr_Password client_lm;
 		uint8_t dospwd[14]; 
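Review bot: The comment above the condition still reads as if an all-zero challenge always selects the cleartext path, but after this change it does so only when `MSV1_0_CLEARTEXT_PASSWORD_ALLOWED` is set. I would update it to something like `/* Cleartext netlogon (Exchange 5.5): only when the caller set MSV1_0_CLEARTEXT_PASSWORD_ALLOWED */`. When the flag is absent, an all-zero challenge presumably falls through to the response checks that follow outside the hunk. A low-level `DEBUG` line for that case would help operators notice clients that still attempt cleartext logons. The body of ntlm_password_check continues outside the hunk.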

Modified: branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_server.c
===================================================================
--- branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_server.c	2005-10-28 07:05:56 UTC (rev 11365)
+++ branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_server.c	2005-10-28 08:54:37 UTC (rev 11366)
@@ -689,6 +689,7 @@
 		return NT_STATUS_NO_MEMORY;
 	}
 
+	user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
 	user_info->flags = 0;
 	user_info->mapped_state = False;
 	user_info->client.account_name = gensec_ntlmssp_state->user;
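Review bot: The added assignment hard-codes both `MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT` and `MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT` for every NTLMSSP logon, with no comment explaining the choice. Together with the authsam_account_ok change in this commit, `ACB_SVRTRUST` and `ACB_WSTRUST` accounts are no longer refused on account type along this path, which is a policy change worth stating in the code. Suggest a comment like `/* NTLMSSP: machine accounts may log on; cleartext is never enabled here */` above the line. The enclosing function starts and ends outside the hunk.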

Modified: branches/SAMBA_4_0/source/rpc_server/netlogon/dcerpc_netlogon.c
===================================================================
--- branches/SAMBA_4_0/source/rpc_server/netlogon/dcerpc_netlogon.c	2005-10-28 07:05:56 UTC (rev 11365)
+++ branches/SAMBA_4_0/source/rpc_server/netlogon/dcerpc_netlogon.c	2005-10-28 08:54:37 UTC (rev 11366)
@@ -400,9 +400,10 @@
 						dce_call->event_ctx);
 		NT_STATUS_NOT_OK_RETURN(nt_status);
 
-		user_info->client.account_name = r->in.logon.network->identity_info.account_name.string;
-		user_info->client.domain_name = r->in.logon.network->identity_info.domain_name.string;
-		user_info->workstation_name = r->in.logon.network->identity_info.workstation.string;
+		user_info->logon_parameters = r->in.logon.password->identity_info.parameter_control;
+		user_info->client.account_name = r->in.logon.password->identity_info.account_name.string;
+		user_info->client.domain_name = r->in.logon.password->identity_info.domain_name.string;
+		user_info->workstation_name = r->in.logon.password->identity_info.workstation.string;
 		
 		user_info->password_state = AUTH_PASSWORD_HASH;
 		user_info->password.hash.lanman = talloc(user_info, struct samr_Password);
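Review bot: `parameter_control` is copied from the RPC request into `logon_parameters` without masking, here and again in the network-logon hunk at `@@ -428,6 +429,7 @@`. Those bits now decide whether authsam_account_ok refuses trust accounts and whether ntlm_password_check takes the cleartext branch, and in the network-logon case the challenge compared against zeros also comes from the request. If the intent is to honour whatever an authenticated netlogon caller asks for, a comment should say so. Otherwise mask to the bits the server means to accept, e.g. `...identity_info.parameter_control & ALLOWED_LOGON_PARAMETERS;`, where `ALLOWED_LOGON_PARAMETERS` is a placeholder for a constant the project would define. The enclosing function starts and ends outside the hunk.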
@@ -428,6 +429,7 @@
 		nt_status = auth_context_set_challenge(auth_context, r->in.logon.network->challenge, "netr_LogonSamLogonWithFlags");
 		NT_STATUS_NOT_OK_RETURN(nt_status);
 
+		user_info->logon_parameters = r->in.logon.network->identity_info.parameter_control;
 		user_info->client.account_name = r->in.logon.network->identity_info.account_name.string;
 		user_info->client.domain_name = r->in.logon.network->identity_info.domain_name.string;
 		user_info->workstation_name = r->in.logon.network->identity_info.workstation.string;


