[Samba] Vista password being rejected on share security mode

Tue Feb 6 18:53:30 GMT 2007

On Tue, Feb 06, 2007 at 11:37:09AM -0600, Schaefer Jr, Thomas R. wrote:
> I'm using Windows Vista Enterprise and also am having great difficulty
> with security = share and 3.0.23d (as well as 3.0.11 and 3.0.14a).  It
> seems as though Vista will randomly, occasionally work with it, but in
> general it just won't work at all.  I wish I had your problem of a 10
> second connection delay, far better than no connection at all.  Did you
> have to do anything special to get it working, albiet with the 10 second
> delay?

You need the attached patch. It'll be up on the Vista
patches page later this week or early next.

Jeremy
-------------- next part --------------
Index: smbd/sesssetup.c
===================================================================

--- smbd/sesssetup.c	(revision 21127)
+++ smbd/sesssetup.c	(working copy)
@@ -1035,6 +1035,7 @@
 
 		map_username(sub_user);
 		add_session_user(sub_user);
+		add_session_workgroup(domain);
 		/* Then force it to null for the benfit of the code below */
 		*user = 0;
 	}
Index: smbd/password.c
===================================================================
--- smbd/password.c	(revision 21127)
+++ smbd/password.c	(working copy)
@@ -23,6 +23,8 @@
 /* users from session setup */
 static char *session_userlist = NULL;
 static int len_session_userlist = 0;
+/* workgroup from session setup. */
+static char *session_workgroup = NULL;
 
 /* this holds info on user ids that are already validated for this VC */
 static user_struct *validated_users;
@@ -406,6 +408,29 @@
 }
 
 /****************************************************************************
+ In security=share mode we need to store the client workgroup, as that's
+  what Vista uses for the NTLMv2 calculation.
+****************************************************************************/
+
+void add_session_workgroup(const char *workgroup)
+{
+	if (session_workgroup) {
+		SAFE_FREE(session_workgroup);
+	}
+	session_workgroup = smb_xstrdup(workgroup);
+}
+
+/****************************************************************************
+ In security=share mode we need to return the client workgroup, as that's
+  what Vista uses for the NTLMv2 calculation.
+****************************************************************************/
+
+const char *get_session_workgroup(void)
+{
+	return session_workgroup;
+}
+
+/****************************************************************************
  Check if a user is in a netgroup user list. If at first we don't succeed,
  try lower case.
 ****************************************************************************/
Index: auth/auth_compat.c
===================================================================
--- auth/auth_compat.c	(revision 21127)
+++ auth/auth_compat.c	(working copy)
@@ -92,18 +92,25 @@
 check if a username/password pair is ok via the auth subsystem.
 return True if the password is correct, False otherwise
 ****************************************************************************/
+
 BOOL password_ok(char *smb_name, DATA_BLOB password_blob)
 {
 
 	DATA_BLOB null_password = data_blob(NULL, 0);
-	BOOL encrypted = (global_encrypted_passwords_negotiated && password_blob.length == 24);
+	BOOL encrypted = (global_encrypted_passwords_negotiated && (password_blob.length == 24 || password_blob.length > 46));
 	
 	if (encrypted) {
 		/* 
 		 * The password could be either NTLM or plain LM.  Try NTLM first, 
 		 * but fall-through as required.
-		 * NTLMv2 makes no sense here.
+		 * Vista sends NTLMv2 here - we need to try the client given workgroup.
 		 */
+		if (get_session_workgroup()) {
+			if (NT_STATUS_IS_OK(pass_check_smb(smb_name, get_session_workgroup(), null_password, password_blob, null_password, encrypted))) {
+				return True;
+			}
+		}
+
 		if (NT_STATUS_IS_OK(pass_check_smb(smb_name, lp_workgroup(), null_password, password_blob, null_password, encrypted))) {
 			return True;
 		}
@@ -119,5 +126,3 @@
 
 	return False;
 }
-
-
