svn commit: samba r11401 - in branches/SAMBA_4_0/source/auth/credentials: .

abartlet at samba.org abartlet at samba.org
Mon Oct 31 00:23:39 GMT 2005


Author: abartlet
Date: 2005-10-31 00:23:38 +0000 (Mon, 31 Oct 2005)
New Revision: 11401

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11401

Log:
A simple hack to have our central credentials system deny sending LM
authentication for user@realm logins and machine account logins.

This should avoid various protocol downgrade attacks.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/credentials/credentials.c
   branches/SAMBA_4_0/source/auth/credentials/credentials.h
   branches/SAMBA_4_0/source/auth/credentials/credentials_files.c
   branches/SAMBA_4_0/source/auth/credentials/credentials_ntlm.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/credentials/credentials.c
===================================================================
--- branches/SAMBA_4_0/source/auth/credentials/credentials.c	2005-10-30 10:39:52 UTC (rev 11400)
+++ branches/SAMBA_4_0/source/auth/credentials/credentials.c	2005-10-31 00:23:38 UTC (rev 11401)
@@ -52,6 +52,7 @@
 	cred->old_password = NULL;
 	cred->smb_krb5_context = NULL;
 	cred->salt_principal = NULL;
+	cred->machine_account = False;
 
 	return cred;
 }

Modified: branches/SAMBA_4_0/source/auth/credentials/credentials.h
===================================================================
--- branches/SAMBA_4_0/source/auth/credentials/credentials.h	2005-10-30 10:39:52 UTC (rev 11400)
+++ branches/SAMBA_4_0/source/auth/credentials/credentials.h	2005-10-31 00:23:38 UTC (rev 11401)
@@ -84,4 +84,7 @@
 	 * secrets.ldb when we are asked for a username or password */
 
 	BOOL machine_account_pending;
+	
+	/* Is this a machine account? */
+	BOOL machine_account;
 };
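Review bot: The new field's comment on the `machine_account` line says only what it is, not who sets it or what depends on it, which is the information a reader of the header needs before touching either site. I would extend it to `/* Set when the password was fetched from secrets.ldb as a machine account; the NTLM code clears CLI_CRED_LANMAN_AUTH for such credentials to avoid protocol downgrade */`. The struct's opening is outside the hunk.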

Modified: branches/SAMBA_4_0/source/auth/credentials/credentials_files.c
===================================================================
--- branches/SAMBA_4_0/source/auth/credentials/credentials_files.c	2005-10-30 10:39:52 UTC (rev 11400)
+++ branches/SAMBA_4_0/source/auth/credentials/credentials_files.c	2005-10-31 00:23:38 UTC (rev 11401)
@@ -197,6 +197,9 @@
 	/* ok, we are going to get it now, don't recurse back here */
 	cred->machine_account_pending = False;
 
+	/* some other parts of the system will key off this */
+	cred->machine_account = True;
+
 	mem_ctx = talloc_named(cred, 0, "cli_credentials fetch machine password");
 	/* Local secrets are stored in secrets.ldb */
 	ldb = secrets_db_connect(mem_ctx);
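Review bot: The comment above `cred->machine_account = True;` ("some other parts of the system will key off this") does not say which part or why, so the next maintainer cannot tell what breaks if this assignment moves. Since the only consumer in this commit is the LM suppression, I would write `/* Mark this as a machine account: the NTLM response code clears CLI_CRED_LANMAN_AUTH for these to avoid protocol downgrade */`. The enclosing function starts before this hunk.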

Modified: branches/SAMBA_4_0/source/auth/credentials/credentials_ntlm.c
===================================================================
--- branches/SAMBA_4_0/source/auth/credentials/credentials_ntlm.c	2005-10-30 10:39:52 UTC (rev 11400)
+++ branches/SAMBA_4_0/source/auth/credentials/credentials_ntlm.c	2005-10-31 00:23:38 UTC (rev 11401)
@@ -56,6 +56,18 @@
 
 	cli_credentials_get_ntlm_username_domain(cred, mem_ctx, &user, &domain);
 
+	/* If we are sending a username at realm login (see function
+	 * above), then we will not send LM, it will not be
+	 * accepted */
+	if (cred->principal_obtained > cred->username_obtained) {
+		*flags = *flags & ~CLI_CRED_LANMAN_AUTH;
+	}
+
+	/* Likewise if we are a machine account (avoid protocol downgrade attacks) */
+	if (cred->principal_obtained > cred->username_obtained) {
+		*flags = *flags & ~CLI_CRED_LANMAN_AUTH;
+	}
+
 	if (!nt_hash) {
 		static const uint8_t zeros[16];
 		/* do nothing - blobs are zero length */
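Review bot: The second guard repeats the first one's condition, `cred->principal_obtained > cred->username_obtained`, so the `machine_account` flag added by this commit is never read and machine-account logins still send LM, contrary to the comment directly above it and to the commit message. The line should be `if (cred->machine_account) {`. As written the second block is dead code whenever the first has already cleared the bit, which is presumably why this went unnoticed. The enclosing function begins and ends outside the hunk.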


