Special handling of "@" libcli/auth/ntlm_check.c
Ralph Böhme
slow at samba.org
Fri Aug 5 15:10:04 UTC 2016
Hi Andrew!
I ran into an interesting issue when using email address-style
usernames *and* a username map, mapping from standard username to
email address-style name: auth works nicely when entering the correct
password, but returns the wrong error code NT_STATUS_NOT_FOUND
(instead of NT_STATUS_WRONG_PASSWORD) when entering a wrong password.
This is triggered by commit 546f63df5b214a1419069887ecfd9118aae8030a
from 2007. Reverting the special handling of "@" introduced by this
commit fixes the issue with the wrong error return.
More complete example:
smb.conf
==========
[global]
username map = /tmp/user.map
/tmp/user.map
==========
slow@samba.org = slow1
slow_samba.org = slow2
1) Add both UNIX and PDB accounts for slow@samba.org and slow_samba.org with password 'x'.
2) Log in as slow1 with the correct password:
# smbclient -Uslow1%x -L localhost
check_ntlm_password: authentication for user [slow1] -> [slow@samba.org] -> [slow@samba.org] succeeded
3) Log in as slow1 with an incorrect password:
# smbclient -Uslow1%y -L localhost
session setup failed: NT_STATUS_NOT_FOUND
[2016/07/20 17:34:39.580899, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [slow1] -> [slow@samba.org] FAILED with error NT_STATUS_NOT_FOUND
Do you remember why 546f63df5b214a1419069887ecfd9118aae8030a added the
special @ handling?
Cheerio!
-slow
-------------- next part --------------
From 32f78e54cc8870dcac8e9909445ec5601335c0ca Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow at samba.org>
Date: Wed, 27 Jul 2016 13:32:10 +0200
Subject: [PATCH] HACK: libcli/auth/ntlm: remove special handling of "@" in
usernames
546f63df5b214a1419069887ecfd9118aae8030a introduced this. Why?
---
libcli/auth/ntlm_check.c | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index 7f91b52..9ac44ac 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -243,9 +243,6 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
username));
return NT_STATUS_WRONG_PASSWORD;
}
- if (strchr_m(username, '@')) {
- return NT_STATUS_NOT_FOUND;
- }
if (memcmp(client_lanman->hash, stored_lanman->hash, sizeof(stored_lanman->hash)) == 0) {
return NT_STATUS_OK;
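Review bot: In hash_password_check, the removed '@' check sits directly above the memcmp() of client_lanman->hash against stored_lanman->hash, so dropping it changes more than the error code: a username containing '@' previously returned NT_STATUS_NOT_FOUND before that comparison and can now reach it and get NT_STATUS_OK. Please state in the commit message whether enabling this comparison path for '@' usernames is intended, and cover it with a test alongside the wrong-password case from the mail.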
@@ -255,9 +252,6 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
return NT_STATUS_WRONG_PASSWORD;
}
}
- if (strchr_m(username, '@')) {
- return NT_STATUS_NOT_FOUND;
- }
return NT_STATUS_WRONG_PASSWORD;
}
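Review bot: At the end of hash_password_check, removing the check before the final return changes the status for every failed login with an '@' username from NT_STATUS_NOT_FOUND to NT_STATUS_WRONG_PASSWORD, and the diff does not show how callers treat the two codes. Please confirm that no caller depends on NT_STATUS_NOT_FOUND from this function, and add a regression test for the username map case so the expected status is pinned.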
@@ -589,10 +583,6 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
DEBUG(3,("ntlm_password_check: LM password and LMv2 failed for user %s, and NT MD4 password in LM field not permitted\n",username));
}
- /* Try and match error codes */
- if (strchr_m(username, '@')) {
- return NT_STATUS_NOT_FOUND;
- }
return NT_STATUS_WRONG_PASSWORD;
}
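Review bot: In ntlm_password_check, the deleted comment "/* Try and match error codes */" is the only recorded rationale for the check, and the commit message replaces it with a question ("Why?") under a "HACK:" subject. Before this is merged, the message should say what the original commit was matching against, or state explicitly that no reason could be found, and describe the user-visible change (NT_STATUS_WRONG_PASSWORD instead of NT_STATUS_NOT_FOUND for usernames containing '@').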
--
2.7.4