Domain-login "bug" found

Dejan Ilic svedja at lysator.liu.se
Mon Apr 5 21:44:26 GMT 1999


I finally tracked down an "unwanted" feature in Samba's domain-code.
The users could log into a machine that was in the domain as long as they
had the correct letters & numbers in the right place in their password, but
wrong capitalization (!= correct password).

The login sequence would then pass the first phase of checking the
user and let the user log in to the machine. This part is done in the
RPC-code entirely, if I understood it correctly.

Then the other part of login would start: the NT4 tries to mount the
NETLOGON, the user homedir, and start the login-script. All would fail
because the password is incorrect in the NTMAN-passwd. As a result the
login would be totally messed up, many programs would be set up incorrectly
and users would be told to talk to sysadmin in a 30-second message (that
you can't pause. MS thinks the whole world reads English fluently!).

I'm sure more people than I have had this problem. And the problem does NOT
exist in a NT4wks with NT4server combination. It's a Samba problem and
potentially a security problem as people can get access to workstations
without knowing the correct capitalization, even if NT4 (NT3.x ?) sends the
correct one in the NT-hash.

I don't have to tell you how many strange problems this has led to. It
took several months until a user pointed out the way to reproduce the
problem with missing shares. Just log in on a NT4 with a correct username
and wrong capitalization in the password and you've got it! You get access to the
machine but no shares on the samba-server.

The "bug" is in an "and" statement that I changed to "or" to get the wanted
effect.

source/rpc_server/srv_netlog.c (in Samba-2.0.3) in the function
net_login_interactive has this code:

	if (memcmp(smb_pass->smb_passwd   , lm_pwd, 16) != 0 &&
	    memcmp(smb_pass->smb_nt_passwd, nt_pwd, 16) != 0)
	{
		status = 0xC0000000 | NT_STATUS_WRONG_PASSWORD;
	}

Note that the "&&" statement is the problematic part as BOTH the lanman and
the ntman passwords have to fail to generate the "incorrect password"
error. If the NT4-user logs in with the "correct" password with wrong
capitalization, the lanman-password would be correct, effectively telling
the system that the password is OK. Then in the non-RPC part it would fail in
"phase-2" of domain-login.

The quick solution for NT-only domains:
By changing the code from "&&" to "||" the code enforces that BOTH lanman
and ntman passwords have to be correct to avoid the "incorrect password"
message. Incorrect capitalization will not be accepted any more in
domain-login!

The kludge only affects domain-login and not workgroup-logins as it is in
the RPC-code. Also, it is useless in mixed NT4/Win9* domains as Win9*
generates only lanman-passwords and will always fail in the code as ntman
is always incorrect.

The real solution would be to make samba check only the lanman-passwd on Win9*
domain-logins and, in the NT4-case, lanman and, if needed, ntman, as generating it
is optional on NT4.

The non-rpc part of the code does it like that today and that is why it fails on
subsequent mounting of shares in "phase-2" due to the incorrect ntman-password,
yes?


Dejan
-- 
=====================================================================
Dejan Ilic, Tech Univ. of Linkoping, Sweden    Phone:+46-13-473 01 06
Email: svedja at lysator.liu.se   Web: http://www.lysator.liu.se/~svedja
=====================================================================
[finger -l svedja at lysator.liu.se for public PGP key]


--- source/rpc_server/srv_netlog.c.ORIG	Tue Dec 15 02:21:11 1998
+++ source/rpc_server/srv_netlog.c	Mon Apr  5 22:17:46 1999
@@ -531,7 +531,7 @@
 	dump_data(100, nt_pwd, 16);
 #endif
 
-	if (memcmp(smb_pass->smb_passwd   , lm_pwd, 16) != 0 &&
+	if (memcmp(smb_pass->smb_passwd   , lm_pwd, 16) != 0 ||
 	    memcmp(smb_pass->smb_nt_passwd, nt_pwd, 16) != 0)
 	{
 		status = 0xC0000000 | NT_STATUS_WRONG_PASSWORD;
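Review bot: flipping the condition to "||" in this hunk makes the NT-hash comparison mandatory for every interactive logon, so a client that sends no NT hash (the Win9x case the mail itself calls out) can never pass, and the visible lines add no guard for that. The comparison should only require the NT hash when one was actually supplied, e.g. `if (memcmp(smb_pass->smb_passwd, lm_pwd, 16) != 0 || (have_nt_pwd && memcmp(smb_pass->smb_nt_passwd, nt_pwd, 16) != 0))` with `have_nt_pwd` taken from the request, and if `smb_pass->smb_nt_passwd` can be unset for an account that has no NT hash stored, the now-unconditional `memcmp` against it needs a NULL check as well. A one-line comment above the `if` stating why both hashes are required would also help the next reader, since the "&&" looked deliberate.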


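The check discussed in this mail, as an added example rather than Samba's own code or the poster's: it models the Samba 2.0.3 "&&" check, the "||" kludge, and the policy sketched as the real solution, and runs the four login attempts the mail describes (correct password, wrong capitalization, a Win9x client that sends no NT hash, and a wrong password) against each. DES and MD4 are not in the Python standard library, so lm_hash_model/nt_hash_model are SHA-256 stand-ins that keep only the property the bug depends on (the LM hash is computed over the uppercased password, the NT hash over the case-preserved UTF-16LE password); the function names, the zero-filled "no NT hash" convention and the sample password are assumptions of this example.

```python
# Added example (not Samba code): model of the net_login_interactive
# password check from Samba 2.0.3, the "&&" -> "||" kludge, and the policy
# the post sketches as the real fix.  The hashes are SHA-256 stand-ins
# (assumption: real LM is DES over the UPPERCASED, 14-char password, real
# NT is MD4 over the case-preserving UTF-16LE password); the names below
# and the constructed sample password are this example's own.
import hashlib
from typing import Optional, Tuple

# Assumption: what the server-side buffer holds when the client sent no NT hash.
NO_NT_HASH = bytes(16)


def lm_hash_model(password: str) -> bytes:
    """Stand-in for the LM hash: folds case and truncates to 14 chars first."""
    folded = password.upper()[:14].encode("latin-1", "replace")
    return hashlib.sha256(b"LM:" + folded).digest()[:16]


def nt_hash_model(password: str) -> bytes:
    """Stand-in for the NT hash: case-preserving, over UTF-16LE."""
    return hashlib.sha256(b"NT:" + password.encode("utf-16-le")).digest()[:16]


def client_hashes(typed: str, sends_nt_hash: bool) -> Tuple[bytes, Optional[bytes]]:
    """NT4 sends both hashes of what was typed; Win9x sends only the LM hash."""
    return lm_hash_model(typed), (nt_hash_model(typed) if sends_nt_hash else None)


def check_original(stored_lm, stored_nt, lm_pwd, nt_pwd) -> bool:
    """Samba 2.0.3: WRONG_PASSWORD only if BOTH hashes mismatch (the '&&').
    Returns True when the server accepts the login."""
    nt_pwd = NO_NT_HASH if nt_pwd is None else nt_pwd
    wrong = stored_lm != lm_pwd and stored_nt != nt_pwd
    return not wrong


def check_patched(stored_lm, stored_nt, lm_pwd, nt_pwd) -> bool:
    """The posted kludge: WRONG_PASSWORD if EITHER hash mismatches (the '||')."""
    nt_pwd = NO_NT_HASH if nt_pwd is None else nt_pwd
    wrong = stored_lm != lm_pwd or stored_nt != nt_pwd
    return not wrong


def check_proposed(stored_lm, stored_nt, lm_pwd, nt_pwd) -> bool:
    """The post's 'real solution': LM alone for a client that sent no NT
    hash (Win9x); LM and NT must both match when the client sent one (NT4)."""
    if nt_pwd is None:
        return stored_lm == lm_pwd
    return stored_lm == lm_pwd and stored_nt == nt_pwd


POLICIES = {"original": check_original, "patched": check_patched, "proposed": check_proposed}


def login_outcomes(stored_password: str, typed: str, sends_nt_hash: bool) -> dict:
    """Evaluate one login attempt under all three policies; True = accepted."""
    stored_lm, stored_nt = lm_hash_model(stored_password), nt_hash_model(stored_password)
    lm_pwd, nt_pwd = client_hashes(typed, sends_nt_hash)
    return {name: fn(stored_lm, stored_nt, lm_pwd, nt_pwd) for name, fn in POLICIES.items()}


def scenarios() -> dict:
    """The four attempts from the mail, with a constructed account password."""
    return {
        "nt4_correct":    login_outcomes("Secret1", "Secret1", sends_nt_hash=True),
        "nt4_wrong_case": login_outcomes("Secret1", "SECRET1", sends_nt_hash=True),
        "win9x_correct":  login_outcomes("Secret1", "Secret1", sends_nt_hash=False),
        "nt4_wrong_pw":   login_outcomes("Secret1", "hunter2", sends_nt_hash=True),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        verdicts = "  ".join(f"{p}={'accept' if ok else 'reject'}" for p, ok in result.items())
        print(f"{name:15s} {verdicts}")
```

Running it shows the two failure modes side by side: the original check accepts the wrong-case password because the LM half matches, the "||" kludge rejects it but also rejects the Win9x client that only sent an LM hash, and the proposed policy rejects the wrong-case NT4 login while still admitting the LM-only client.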

More information about the samba-ntdom mailing list