[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Thu Jan 7 06:42:02 UTC 2016


The branch, master has been updated
       via  0cae227 selftest: Add tests for ntlm-server-1 and --password mode in ntlm_auth
       via  bfe4163 ntlm_auth: Allow --password force a local password check for ntlm-server-1 mode
      from  eda6aaf s3:smbd/oplock obey kernel oplock setting when releasing oplocks

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 0cae2270089bfd8aa4b3f71ba6038ee3db766988
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jan 7 16:06:20 2016 +1300

    selftest: Add tests for ntlm-server-1 and --password mode in ntlm_auth
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Thu Jan  7 07:41:22 CET 2016 on sn-devel-144

commit bfe4163f17d1c0fcf7167ebea0885d30b4a95ca1
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Jan 7 12:33:11 2016 +1300

    ntlm_auth: Allow --password force a local password check for ntlm-server-1 mode
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 source3/script/tests/test_ntlm_auth_s3.sh | 196 +++++++++++++++++++++++++++++-
 source3/utils/ntlm_auth.c                 |  82 +++++++++----
 2 files changed, 252 insertions(+), 26 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/script/tests/test_ntlm_auth_s3.sh b/source3/script/tests/test_ntlm_auth_s3.sh
index 655556b..a6f20ed 100755
--- a/source3/script/tests/test_ntlm_auth_s3.sh
+++ b/source3/script/tests/test_ntlm_auth_s3.sh
@@ -24,7 +24,7 @@ BADSID=`eval $BINDIR/wbinfo -n $USERNAME | cut -d ' ' -f1 | sed 's/..$//'`
 
 failed=0
 
-test_interactive_prompt_stdout()
+test_plaintext_check_output_stdout()
 {
 	tmpfile=$PREFIX/ntlm_commands
 
@@ -55,7 +55,7 @@ EOF
 	fi
 }
 
-test_interactive_prompt_stdout_fail()
+test_plaintext_check_output_fail()
 {
 	tmpfile=$PREFIX/ntlm_commands
 
@@ -86,6 +86,188 @@ EOF
 	fi
 }
 
+test_ntlm_server_1_check_output()
+{
+	tmpfile=$PREFIX/ntlm_commands
+
+	cat > $tmpfile <<EOF
+LANMAN-Challenge: 0123456789abcdef
+NT-Response: 25a98c1c31e81847466b29b2df4680f39958fb8c213a9cc6
+NT-Domain: TEST
+Username: testuser
+Request-User-Session-Key: Yes
+.
+EOF
+	cmd='$NTLM_AUTH "$@" --helper-protocol=ntlm-server-1  --password=SecREt01< $tmpfile 2>&1'
+	eval echo "$cmd"
+	out=`eval $cmd`
+	ret=$?
+	rm -f $tmpfile
+
+	if [ $ret != 0 ] ; then
+		echo "$out"
+		echo "command failed"
+		false
+		return
+	fi
+
+	echo "$out" | grep "User-Session-Key: 3F373EA8E4AF954F14FAA506F8EEBDC4" >/dev/null 2>&1
+
+	if [ $? = 0 ] ; then
+		# authenticated .. succeed
+		true
+	else
+		echo failed to get successful authentication
+		false
+	fi
+}
+
+test_ntlm_server_1_check_output_fail()
+{
+	tmpfile=$PREFIX/ntlm_commands
+
+	# Break the password with a leading A on the challenge
+	cat > $tmpfile <<EOF
+LANMAN-Challenge: A123456789abcdef
+NT-Response: 25a98c1c31e81847466b29b2df4680f39958fb8c213a9cc6
+NT-Domain: TEST
+Username: testuser
+Request-User-Session-Key: Yes
+.
+EOF
+	cmd='$NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 --password=SecREt01 < $tmpfile 2>&1'
+	eval echo "$cmd"
+	out=`eval $cmd`
+	ret=$?
+	rm -f $tmpfile
+
+	if [ $ret != 0 ] ; then
+		echo "$out"
+		echo "command failed"
+		false
+		return
+	fi
+
+	echo "$out" | grep "Authenticated: No" >/dev/null 2>&1
+
+	if [ $? = 0 ] ; then
+		# failed to authenticate .. success
+		true
+	else
+		echo "incorrectly gave a successful authentication"
+		false
+	fi
+}
+
+test_ntlm_server_1_check_winbind_output()
+{
+	tmpfile=$PREFIX/ntlm_commands
+
+	# This isn't the correct password
+	cat > $tmpfile <<EOF
+Password: $PASSWORD
+NT-Domain: $DOMAIN
+Username: $USERNAME
+Request-User-Session-Key: Yes
+.
+EOF
+	cmd='$NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 --require-membership-of=$SID < $tmpfile 2>&1'
+	eval echo "$cmd"
+	out=`eval $cmd`
+	ret=$?
+	rm -f $tmpfile
+
+	if [ $ret != 0 ] ; then
+		echo "$out"
+		echo "command failed"
+		false
+		return
+	fi
+
+	echo "$out" | grep "Authenticated: Yes" >/dev/null 2>&1
+
+	if [ $? = 0 ] ; then
+		# authenticated .. success
+		true
+	else
+		echo "Failed to authenticate the user or match with SID $SID"
+		false
+	fi
+}
+
+test_ntlm_server_1_check_winbind_output_wrong_sid()
+{
+	tmpfile=$PREFIX/ntlm_commands
+
+	# This isn't the correct password
+	cat > $tmpfile <<EOF
+Password: $PASSWORD
+NT-Domain: $DOMAIN
+Username: $USERNAME
+Request-User-Session-Key: Yes
+.
+EOF
+	cmd='$NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 --require-membership-of=$BADSID < $tmpfile 2>&1'
+	eval echo "$cmd"
+	out=`eval $cmd`
+	ret=$?
+	rm -f $tmpfile
+
+	if [ $ret != 0 ] ; then
+		echo "$out"
+		echo "command failed"
+		false
+		return
+	fi
+
+	echo "$out" | grep "Authenticated: No" >/dev/null 2>&1
+
+	if [ $? = 0 ] ; then
+		# failed to authenticate .. success
+		true
+	else
+		echo "incorrectly gave a successful authentication"
+		false
+	fi
+}
+
+test_ntlm_server_1_check_winbind_output_fail()
+{
+	tmpfile=$PREFIX/ntlm_commands
+
+	# This isn't the correct password
+	cat > $tmpfile <<EOF
+LANMAN-Challenge: 0123456789abcdef
+NT-Response: 25a98c1c31e81847466b29b2df4680f39958fb8c213a9cc6
+NT-Domain: $DOMAIN
+Username: $USERNAME
+Request-User-Session-Key: Yes
+.
+EOF
+	cmd='$NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 < $tmpfile 2>&1'
+	eval echo "$cmd"
+	out=`eval $cmd`
+	ret=$?
+	rm -f $tmpfile
+
+	if [ $ret != 0 ] ; then
+		echo "$out"
+		echo "command failed"
+		false
+		return
+	fi
+
+	echo "$out" | grep "Authenticated: No" >/dev/null 2>&1
+
+	if [ $? = 0 ] ; then
+		# failed to authenticate .. success
+		true
+	else
+		echo "incorrectly gave a successful authentication"
+		false
+	fi
+}
+
 testit "ntlm_auth" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH $ADDARGS || failed=`expr $failed + 1`
 # This should work even with NTLMv2
 testit "ntlm_auth with specified domain" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH $ADDARGS --client-domain=fOo --server-domain=fOo || failed=`expr $failed + 1`
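Review bot: The comment `# This isn't the correct password` in `test_ntlm_server_1_check_winbind_output` and `test_ntlm_server_1_check_winbind_output_wrong_sid` is wrong: both feed `Password: $PASSWORD`, which is the valid credential, and the first of them expects `Authenticated: Yes`; only `test_ntlm_server_1_check_winbind_output_fail`, which sends the fixed `NT-Response` instead, really uses a wrong password. Suggest `# Correct plaintext password; this exercises the require-membership-of check` for the two winbind cases so the next reader does not conclude the SID checks pass with a bad password. The header comment of `test_ntlm_server_1_check_output_fail`, `# Break the password with a leading A on the challenge`, also describes the wrong thing, since it is the LANMAN challenge that is altered while the NT response stays the known-good one; `# Corrupt the challenge (leading A) so the fixed NT-Response no longer verifies` says what the test does. The `grep` for `User-Session-Key: 3F37...` is the only success criterion in `test_ntlm_server_1_check_output`; asserting `Authenticated: Yes` as well would make a key-derivation change and an authentication failure distinguishable.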
@@ -101,7 +283,13 @@ testit "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against w
 testit_expect_failure "ntlm_auth against winbindd with failed require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd $ADDARGS --require-membership-of=$BADSID && failed=`expr $failed + 1`
 testit_expect_failure "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with failed require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd --client-helper=gss-spnego-client --server-helper=gss-spnego $ADDARGS --require-membership-of=$BADSID && failed=`expr $failed + 1`
 
-testit "ntlm_auth plaintext authentication with require-membership-of" test_interactive_prompt_stdout || failed=`expr $failed + 1`
-testit "ntlm_auth plaintext authentication with failed require-membership-of" test_interactive_prompt_stdout_fail || failed=`expr $failed + 1`
+testit "ntlm_auth plaintext authentication with require-membership-of" test_plaintext_check_output_stdout || failed=`expr $failed + 1`
+testit "ntlm_auth plaintext authentication with failed require-membership-of" test_plaintext_check_output_fail || failed=`expr $failed + 1`
+
+testit "ntlm_auth ntlm-server-1 with fixed password" test_ntlm_server_1_check_output || failed=`expr $failed + 1`
+testit "ntlm_auth ntlm-server-1 with incorrect fixed password" test_ntlm_server_1_check_output_fail || failed=`expr $failed + 1`
+testit "ntlm_auth ntlm-server-1 with plaintext password against winbind" test_ntlm_server_1_check_winbind_output || failed=`expr $failed + 1`
+testit "ntlm_auth ntlm-server-1 with plaintext password against winbind but wrong sid" test_ntlm_server_1_check_winbind_output_wrong_sid || failed=`expr $failed + 1`
+testit "ntlm_auth ntlm-server-1 with incorrect fixed password against winbind" test_ntlm_server_1_check_winbind_output_fail || failed=`expr $failed + 1`
 
 testok $0 $failed
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 4878aa1..b90f927 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -2175,7 +2175,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
 			uchar lm_key[8];
 			uchar user_session_key[16];
 			uint32_t flags = 0;
-
+			NTSTATUS nt_status;
 			if (full_username && !username) {
 				fstring fstr_user;
 				fstring fstr_domain;
@@ -2190,29 +2190,67 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
 				domain = smb_xstrdup(fstr_domain);
 			}
 
-			if (!domain) {
-				domain = smb_xstrdup(get_winbind_domain());
-			}
+			if (opt_password) {
+				DATA_BLOB nt_session_key, lm_session_key;
+				struct samr_Password lm_pw, nt_pw;
+				TALLOC_CTX *mem_ctx = talloc_new(NULL);
+				ZERO_STRUCT(user_session_key);
+				ZERO_STRUCT(lm_key);
+
+				nt_lm_owf_gen (opt_password, nt_pw.hash, lm_pw.hash);
+				nt_status = ntlm_password_check(mem_ctx,
+								true, true, 0,
+								&challenge,
+								&lm_response,
+								&nt_response,
+								username,
+								username,
+								domain,
+								&lm_pw, &nt_pw,
+								&nt_session_key,
+								&lm_session_key);
+				error_string = smb_xstrdup(get_friendly_nt_error_msg(nt_status));
+				if (ntlm_server_1_user_session_key) {
+					if (nt_session_key.length == sizeof(user_session_key)) {
+						memcpy(user_session_key,
+						       nt_session_key.data,
+						       sizeof(user_session_key));
+					}
+				}
+				if (ntlm_server_1_lm_session_key) {
+					if (lm_session_key.length == sizeof(lm_key)) {
+						memcpy(lm_key,
+						       lm_session_key.data,
+						       sizeof(lm_key));
+					}
+				}
+				TALLOC_FREE(mem_ctx);
 
-			if (ntlm_server_1_lm_session_key) 
-				flags |= WBFLAG_PAM_LMKEY;
-
-			if (ntlm_server_1_user_session_key) 
-				flags |= WBFLAG_PAM_USER_SESSION_KEY;
-
-			if (!NT_STATUS_IS_OK(
-				    contact_winbind_auth_crap(username, 
-							      domain, 
-							      lp_netbios_name(),
-							      &challenge, 
-							      &lm_response, 
-							      &nt_response, 
-							      flags, 0,
-							      lm_key, 
-							      user_session_key,
-							      &error_string,
-							      NULL))) {
+			} else {
+				if (!domain) {
+					domain = smb_xstrdup(get_winbind_domain());
+				}
+
+				if (ntlm_server_1_lm_session_key)
+					flags |= WBFLAG_PAM_LMKEY;
+
+				if (ntlm_server_1_user_session_key)
+					flags |= WBFLAG_PAM_USER_SESSION_KEY;
+
+				nt_status = contact_winbind_auth_crap(username,
+								      domain,
+								      lp_netbios_name(),
+								      &challenge,
+								      &lm_response,
+								      &nt_response,
+								      flags, 0,
+								      lm_key,
+								      user_session_key,
+								      &error_string,
+								      NULL);
+			}
 
+			if (!NT_STATUS_IS_OK(nt_status)) {
 				x_fprintf(x_stdout, "Authenticated: No\n");
 				x_fprintf(x_stdout, "Authentication-Error: %s\n.\n", error_string);
 			} else {
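Review bot: In the new `opt_password` branch, `nt_session_key` and `lm_session_key` are declared without an initialiser and their `.length` is read after `ntlm_password_check` regardless of `nt_status`; unless `ntlm_password_check` is guaranteed to set both out-blobs on every failure path (not visible from this hunk), the length comparison and `memcpy` operate on stale stack data when the check fails. Initialising them alongside the existing calls, `ZERO_STRUCT(nt_session_key); ZERO_STRUCT(lm_session_key);`, removes that dependency. The LM and NT hashes that `nt_lm_owf_gen` derives from the plaintext `opt_password` are password-equivalent and remain in `lm_pw`/`nt_pw` on the stack after `TALLOC_FREE(mem_ctx)`; clearing them once the check has run, `ZERO_STRUCT(nt_pw); ZERO_STRUCT(lm_pw);`, keeps them from outliving their use. Passing `true, true` as the lanman/ntlm policy flags also accepts an LM-only response irrespective of `lp_lanman_auth()`, which may be intended for this fixed-password mode but deserves a one-line comment saying so. `manage_ntlm_server_1_request` begins before this hunk and the `else` branch of the `NT_STATUS_IS_OK` test continues past it.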

