[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Thu Jan 7 06:42:02 UTC 2016
The branch, master has been updated
via 0cae227 selftest: Add tests for ntlm-server-1 and --password mode in ntlm_auth
via bfe4163 ntlm_auth: Allow --password force a local password check for ntlm-server-1 mode
from eda6aaf s3:smbd/oplock obey kernel oplock setting when releasing oplocks
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 0cae2270089bfd8aa4b3f71ba6038ee3db766988
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jan 7 16:06:20 2016 +1300
selftest: Add tests for ntlm-server-1 and --password mode in ntlm_auth
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Jan 7 07:41:22 CET 2016 on sn-devel-144
commit bfe4163f17d1c0fcf7167ebea0885d30b4a95ca1
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Jan 7 12:33:11 2016 +1300
ntlm_auth: Allow --password force a local password check for ntlm-server-1 mode
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
-----------------------------------------------------------------------
Summary of changes:
source3/script/tests/test_ntlm_auth_s3.sh | 196 +++++++++++++++++++++++++++++-
source3/utils/ntlm_auth.c | 82 +++++++++----
2 files changed, 252 insertions(+), 26 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/script/tests/test_ntlm_auth_s3.sh b/source3/script/tests/test_ntlm_auth_s3.sh
index 655556b..a6f20ed 100755
--- a/source3/script/tests/test_ntlm_auth_s3.sh
+++ b/source3/script/tests/test_ntlm_auth_s3.sh
@@ -24,7 +24,7 @@ BADSID=`eval $BINDIR/wbinfo -n $USERNAME | cut -d ' ' -f1 | sed 's/..$//'`
failed=0
-test_interactive_prompt_stdout()
+test_plaintext_check_output_stdout()
{
tmpfile=$PREFIX/ntlm_commands
@@ -55,7 +55,7 @@ EOF
fi
}
-test_interactive_prompt_stdout_fail()
+test_plaintext_check_output_fail()
{
tmpfile=$PREFIX/ntlm_commands
@@ -86,6 +86,188 @@ EOF
fi
}
+test_ntlm_server_1_check_output()
+{
+ tmpfile=$PREFIX/ntlm_commands
+
+ cat > $tmpfile <<EOF
+LANMAN-Challenge: 0123456789abcdef
+NT-Response: 25a98c1c31e81847466b29b2df4680f39958fb8c213a9cc6
+NT-Domain: TEST
+Username: testuser
+Request-User-Session-Key: Yes
+.
+EOF
+ cmd='$NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 --password=SecREt01< $tmpfile 2>&1'
+ eval echo "$cmd"
+ out=`eval $cmd`
+ ret=$?
+ rm -f $tmpfile
+
+ if [ $ret != 0 ] ; then
+ echo "$out"
+ echo "command failed"
+ false
+ return
+ fi
+
+ echo "$out" | grep "User-Session-Key: 3F373EA8E4AF954F14FAA506F8EEBDC4" >/dev/null 2>&1
+
+ if [ $? = 0 ] ; then
+ # authenticated .. succeed
+ true
+ else
+ echo failed to get successful authentication
+ false
+ fi
+}
+
+test_ntlm_server_1_check_output_fail()
+{
+ tmpfile=$PREFIX/ntlm_commands
+
+ # Break the password with a leading A on the challenge
+ cat > $tmpfile <<EOF
+LANMAN-Challenge: A123456789abcdef
+NT-Response: 25a98c1c31e81847466b29b2df4680f39958fb8c213a9cc6
+NT-Domain: TEST
+Username: testuser
+Request-User-Session-Key: Yes
+.
+EOF
+ cmd='$NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 --password=SecREt01 < $tmpfile 2>&1'
+ eval echo "$cmd"
+ out=`eval $cmd`
+ ret=$?
+ rm -f $tmpfile
+
+ if [ $ret != 0 ] ; then
+ echo "$out"
+ echo "command failed"
+ false
+ return
+ fi
+
+ echo "$out" | grep "Authenticated: No" >/dev/null 2>&1
+
+ if [ $? = 0 ] ; then
+ # failed to authenticate .. success
+ true
+ else
+ echo "incorrectly gave a successful authentication"
+ false
+ fi
+}
+
+test_ntlm_server_1_check_winbind_output()
+{
+ tmpfile=$PREFIX/ntlm_commands
+
+ # This isn't the correct password
+ cat > $tmpfile <<EOF
+Password: $PASSWORD
+NT-Domain: $DOMAIN
+Username: $USERNAME
+Request-User-Session-Key: Yes
+.
+EOF
+ cmd='$NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 --require-membership-of=$SID < $tmpfile 2>&1'
+ eval echo "$cmd"
+ out=`eval $cmd`
+ ret=$?
+ rm -f $tmpfile
+
+ if [ $ret != 0 ] ; then
+ echo "$out"
+ echo "command failed"
+ false
+ return
+ fi
+
+ echo "$out" | grep "Authenticated: Yes" >/dev/null 2>&1
+
+ if [ $? = 0 ] ; then
+ # authenticated .. success
+ true
+ else
+ echo "Failed to authenticate the user or match with SID $SID"
+ false
+ fi
+}
+
+test_ntlm_server_1_check_winbind_output_wrong_sid()
+{
+ tmpfile=$PREFIX/ntlm_commands
+
+ # This isn't the correct password
+ cat > $tmpfile <<EOF
+Password: $PASSWORD
+NT-Domain: $DOMAIN
+Username: $USERNAME
+Request-User-Session-Key: Yes
+.
+EOF
+ cmd='$NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 --require-membership-of=$BADSID < $tmpfile 2>&1'
+ eval echo "$cmd"
+ out=`eval $cmd`
+ ret=$?
+ rm -f $tmpfile
+
+ if [ $ret != 0 ] ; then
+ echo "$out"
+ echo "command failed"
+ false
+ return
+ fi
+
+ echo "$out" | grep "Authenticated: No" >/dev/null 2>&1
+
+ if [ $? = 0 ] ; then
+ # failed to authenticate .. success
+ true
+ else
+ echo "incorrectly gave a successful authentication"
+ false
+ fi
+}
+
+test_ntlm_server_1_check_winbind_output_fail()
+{
+ tmpfile=$PREFIX/ntlm_commands
+
+ # This isn't the correct password
+ cat > $tmpfile <<EOF
+LANMAN-Challenge: 0123456789abcdef
+NT-Response: 25a98c1c31e81847466b29b2df4680f39958fb8c213a9cc6
+NT-Domain: $DOMAIN
+Username: $USERNAME
+Request-User-Session-Key: Yes
+.
+EOF
+ cmd='$NTLM_AUTH "$@" --helper-protocol=ntlm-server-1 < $tmpfile 2>&1'
+ eval echo "$cmd"
+ out=`eval $cmd`
+ ret=$?
+ rm -f $tmpfile
+
+ if [ $ret != 0 ] ; then
+ echo "$out"
+ echo "command failed"
+ false
+ return
+ fi
+
+ echo "$out" | grep "Authenticated: No" >/dev/null 2>&1
+
+ if [ $? = 0 ] ; then
+ # failed to authenticate .. success
+ true
+ else
+ echo "incorrectly gave a successful authentication"
+ false
+ fi
+}
+
testit "ntlm_auth" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH $ADDARGS || failed=`expr $failed + 1`
# This should work even with NTLMv2
testit "ntlm_auth with specified domain" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH $ADDARGS --client-domain=fOo --server-domain=fOo || failed=`expr $failed + 1`
@@ -101,7 +283,13 @@ testit "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against w
testit_expect_failure "ntlm_auth against winbindd with failed require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd $ADDARGS --require-membership-of=$BADSID && failed=`expr $failed + 1`
testit_expect_failure "ntlm_auth with NTLMSSP gss-spnego-client and gss-spnego server against winbind with failed require-membership-of" $PYTHON $SRC3DIR/torture/test_ntlm_auth.py $NTLM_AUTH --client-username=$USERNAME --client-domain=$DOMAIN --client-password=$PASSWORD --server-use-winbindd --client-helper=gss-spnego-client --server-helper=gss-spnego $ADDARGS --require-membership-of=$BADSID && failed=`expr $failed + 1`
-testit "ntlm_auth plaintext authentication with require-membership-of" test_interactive_prompt_stdout || failed=`expr $failed + 1`
-testit "ntlm_auth plaintext authentication with failed require-membership-of" test_interactive_prompt_stdout_fail || failed=`expr $failed + 1`
+testit "ntlm_auth plaintext authentication with require-membership-of" test_plaintext_check_output_stdout || failed=`expr $failed + 1`
+testit "ntlm_auth plaintext authentication with failed require-membership-of" test_plaintext_check_output_fail || failed=`expr $failed + 1`
+
+testit "ntlm_auth ntlm-server-1 with fixed password" test_ntlm_server_1_check_output || failed=`expr $failed + 1`
+testit "ntlm_auth ntlm-server-1 with incorrect fixed password" test_ntlm_server_1_check_output_fail || failed=`expr $failed + 1`
+testit "ntlm_auth ntlm-server-1 with plaintext password against winbind" test_ntlm_server_1_check_winbind_output || failed=`expr $failed + 1`
+testit "ntlm_auth ntlm-server-1 with plaintext password against winbind but wrong sid" test_ntlm_server_1_check_winbind_output_wrong_sid || failed=`expr $failed + 1`
+testit "ntlm_auth ntlm-server-1 with incorrect fixed password against winbind" test_ntlm_server_1_check_winbind_output_fail || failed=`expr $failed + 1`
testok $0 $failed
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 4878aa1..b90f927 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -2175,7 +2175,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
uchar lm_key[8];
uchar user_session_key[16];
uint32_t flags = 0;
-
+ NTSTATUS nt_status;
if (full_username && !username) {
fstring fstr_user;
fstring fstr_domain;
@@ -2190,29 +2190,67 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
domain = smb_xstrdup(fstr_domain);
}
- if (!domain) {
- domain = smb_xstrdup(get_winbind_domain());
- }
+ if (opt_password) {
+ DATA_BLOB nt_session_key, lm_session_key;
+ struct samr_Password lm_pw, nt_pw;
+ TALLOC_CTX *mem_ctx = talloc_new(NULL);
+ ZERO_STRUCT(user_session_key);
+ ZERO_STRUCT(lm_key);
+
+ nt_lm_owf_gen (opt_password, nt_pw.hash, lm_pw.hash);
+ nt_status = ntlm_password_check(mem_ctx,
+ true, true, 0,
+ &challenge,
+ &lm_response,
+ &nt_response,
+ username,
+ username,
+ domain,
+ &lm_pw, &nt_pw,
+ &nt_session_key,
+ &lm_session_key);
+ error_string = smb_xstrdup(get_friendly_nt_error_msg(nt_status));
+ if (ntlm_server_1_user_session_key) {
+ if (nt_session_key.length == sizeof(user_session_key)) {
+ memcpy(user_session_key,
+ nt_session_key.data,
+ sizeof(user_session_key));
+ }
+ }
+ if (ntlm_server_1_lm_session_key) {
+ if (lm_session_key.length == sizeof(lm_key)) {
+ memcpy(lm_key,
+ lm_session_key.data,
+ sizeof(lm_key));
+ }
+ }
+ TALLOC_FREE(mem_ctx);
- if (ntlm_server_1_lm_session_key)
- flags |= WBFLAG_PAM_LMKEY;
-
- if (ntlm_server_1_user_session_key)
- flags |= WBFLAG_PAM_USER_SESSION_KEY;
-
- if (!NT_STATUS_IS_OK(
- contact_winbind_auth_crap(username,
- domain,
- lp_netbios_name(),
- &challenge,
- &lm_response,
- &nt_response,
- flags, 0,
- lm_key,
- user_session_key,
- &error_string,
- NULL))) {
+ } else {
+ if (!domain) {
+ domain = smb_xstrdup(get_winbind_domain());
+ }
+
+ if (ntlm_server_1_lm_session_key)
+ flags |= WBFLAG_PAM_LMKEY;
+
+ if (ntlm_server_1_user_session_key)
+ flags |= WBFLAG_PAM_USER_SESSION_KEY;
+
+ nt_status = contact_winbind_auth_crap(username,
+ domain,
+ lp_netbios_name(),
+ &challenge,
+ &lm_response,
+ &nt_response,
+ flags, 0,
+ lm_key,
+ user_session_key,
+ &error_string,
+ NULL);
+ }
+ if (!NT_STATUS_IS_OK(nt_status)) {
x_fprintf(x_stdout, "Authenticated: No\n");
x_fprintf(x_stdout, "Authentication-Error: %s\n.\n", error_string);
} else {
--
Samba Shared Repository
More information about the samba-cvs
mailing list