Author: abartlet Date: 2005-10-28 08:54:37 +0000 (Fri, 28 Oct 2005) New Revision: 11366
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11366
Log:
Pass around the flags which indicate if we should support plaintext logins and NTLM machine account logins.
Andrew Bartlett
Modified:
branches/SAMBA_4_0/source/auth/auth.h
branches/SAMBA_4_0/source/auth/auth_sam.c
branches/SAMBA_4_0/source/auth/ntlm_check.c
branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_server.c
branches/SAMBA_4_0/source/rpc_server/netlogon/dcerpc_netlogon.c
Changeset:
Modified: branches/SAMBA_4_0/source/auth/auth.h
===================================================================
--- branches/SAMBA_4_0/source/auth/auth.h 2005-10-28 07:05:56 UTC (rev 11365)
+++ branches/SAMBA_4_0/source/auth/auth.h 2005-10-28 08:54:37 UTC (rev 11366)
@@ -51,6 +51,8 @@
 const char *workstation_name;
 const char *remote_host;
+ uint32_t logon_parameters;
+
 BOOL mapped_state;
 /* the values the client gives us */
 struct {
Modified: branches/SAMBA_4_0/source/auth/auth_sam.c
===================================================================
--- branches/SAMBA_4_0/source/auth/auth_sam.c 2005-10-28 07:05:56 UTC (rev 11365)
+++ branches/SAMBA_4_0/source/auth/auth_sam.c 2005-10-28 08:54:37 UTC (rev 11366)
@@ -105,7 +105,8 @@
 break;
 case AUTH_PASSWORD_RESPONSE:
- status = ntlm_password_check(mem_ctx, &auth_context->challenge.data,
+ status = ntlm_password_check(mem_ctx, user_info->logon_parameters,
+ &auth_context->challenge.data,
 &user_info->password.response.lanman,
 &user_info->password.response.nt,
 user_info->mapped.account_name,
@@ -133,6 +134,7 @@
 (ie not disabled, expired and the like).
 ****************************************************************************/
 static NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
+ uint32_t logon_parameters,
 uint16_t acct_flags,
 NTTIME acct_expiry,
 NTTIME must_change_time,
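Review bot: The new `uint32_t logon_parameters;` field in the auth.h hunk carries no comment, although it now decides whether cleartext and machine-account logons are accepted, and the auth_sam.c -133 hunk adds the same parameter to authsam_account_ok without touching the header comment directly above it. A comment on the field such as `/* MSV1_0_* bits supplied by the caller (netlogon parameter_control); gate cleartext and trust-account logons */` would tell the next reader that the value is caller-supplied rather than policy. The authsam_account_ok header could likewise state that logon_parameters only relaxes the ACB_SVRTRUST and ACB_WSTRUST refusals. The enclosing struct in auth.h and the function in auth_sam.c both continue outside their hunks.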
@@ -204,20 +206,23 @@
 return NT_STATUS_INVALID_WORKSTATION;
 }
 }
-
+
 if (acct_flags & ACB_DOMTRUST) {
 DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", user_info->mapped.account_name));
 return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
 }
-
- if (acct_flags & ACB_SVRTRUST) {
- DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", user_info->mapped.account_name));
- return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
+
+ if (!(logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) {
+ if (acct_flags & ACB_SVRTRUST) {
+ DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", user_info->mapped.account_name));
+ return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
+ }
 }
-
- if (acct_flags & ACB_WSTRUST) {
- DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", user_info->mapped.account_name));
- return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
+ if (!(logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)) {
+ if (acct_flags & ACB_WSTRUST) {
+ DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", user_info->mapped.account_name));
+ return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
+ }
 }
 return NT_STATUS_OK;
@@ -381,7 +386,9 @@
 workstation_list = samdb_result_string(msgs[0], "userWorkstations", NULL);
- nt_status = authsam_account_ok(mem_ctx, acct_flags,
+ nt_status = authsam_account_ok(mem_ctx,
+ user_info->logon_parameters,
+ acct_flags,
 acct_expiry,
 must_change_time,
 last_set_time,
Modified: branches/SAMBA_4_0/source/auth/ntlm_check.c
===================================================================
--- branches/SAMBA_4_0/source/auth/ntlm_check.c 2005-10-28 07:05:56 UTC (rev 11365)
+++ branches/SAMBA_4_0/source/auth/ntlm_check.c 2005-10-28 08:54:37 UTC (rev 11366)
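Review bot: The new guards in the -204 hunk nest two `if`s where a single condition reads more directly and keeps the refusal visible at the top of the block, e.g. `if ((acct_flags & ACB_SVRTRUST) && !(logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) {` and the same shape for ACB_WSTRUST. The ACB_DOMTRUST refusal deliberately stays unconditional, which deserves a one-line comment such as `/* interdomain trust accounts are never accepted here, whatever the caller asked for */` so it is not later "aligned" with the two relaxed checks. The lone `-`/`+` pairs that replace the former blank lines can only differ in whitespace, so they add trailing-whitespace noise to the diff. authsam_account_ok starts before this hunk.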
@@ -23,6 +23,7 @@
 #include "includes.h"
 #include "lib/crypto/crypto.h"
 #include "librpc/gen_ndr/ndr_samr.h"
+#include "librpc/gen_ndr/ndr_netlogon.h"
 /****************************************************************************
 Core of smb password checking routine.
@@ -274,6 +275,7 @@
 */
 NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
+ uint32_t logon_parameters,
 const DATA_BLOB *challenge,
 const DATA_BLOB *lm_response,
 const DATA_BLOB *nt_response,
@@ -297,8 +299,9 @@
 *user_sess_key = data_blob(NULL, 0);
 /* Check for cleartext netlogon. Used by Exchange 5.5. */
- if (challenge->length == sizeof(zeros) &&
- (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
+ if ((logon_parameters & MSV1_0_CLEARTEXT_PASSWORD_ALLOWED)
+ && challenge->length == sizeof(zeros)
+ && (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
 struct samr_Password client_nt;
 struct samr_Password client_lm;
 uint8_t dospwd[14];
Modified: branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_server.c
===================================================================
--- branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_server.c 2005-10-28 07:05:56 UTC (rev 11365)
+++ branches/SAMBA_4_0/source/auth/ntlmssp/ntlmssp_server.c 2005-10-28 08:54:37 UTC (rev 11366)
@@ -689,6 +689,7 @@
 return NT_STATUS_NO_MEMORY;
 }
+ user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
 user_info->flags = 0;
 user_info->mapped_state = False;
 user_info->client.account_name = gensec_ntlmssp_state->user;
Modified: branches/SAMBA_4_0/source/rpc_server/netlogon/dcerpc_netlogon.c
===================================================================
--- branches/SAMBA_4_0/source/rpc_server/netlogon/dcerpc_netlogon.c 2005-10-28 07:05:56 UTC (rev 11365)
+++ branches/SAMBA_4_0/source/rpc_server/netlogon/dcerpc_netlogon.c 2005-10-28 08:54:37 UTC (rev 11366)
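Review bot: In the ntlm_check.c -297 hunk an all-zero challenge presented without MSV1_0_CLEARTEXT_PASSWORD_ALLOWED no longer selects the cleartext path and instead falls through to the ordinary response check against that zero challenge; the comment left above the condition still reads as if the zero challenge alone decides. If the fall-through is intended, the comment should say so, e.g. `/* Cleartext netlogon (Exchange 5.5): only honoured when the caller set MSV1_0_CLEARTEXT_PASSWORD_ALLOWED; otherwise a zero challenge is verified like any other. */`. The new parameter in the -274 hunk is likewise undocumented, so the function header above it could name which MSV1_0_* bits this routine consults. ntlm_password_check continues beyond this hunk.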
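Review bot: The ntlmssp_server.c -689 hunk grants MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT and MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT to every NTLMSSP logon without saying why machine accounts are acceptable on this path while MSV1_0_CLEARTEXT_PASSWORD_ALLOWED is left out. A one-line comment, `/* NTLMSSP peers may authenticate as machine (trust) accounts; cleartext is never permitted on this path */`, would fix that intent next to the assignment. The enclosing function starts and ends outside the hunk.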
@@ -400,9 +400,10 @@
 dce_call->event_ctx);
 NT_STATUS_NOT_OK_RETURN(nt_status);
- user_info->client.account_name = r->in.logon.network->identity_info.account_name.string;
- user_info->client.domain_name = r->in.logon.network->identity_info.domain_name.string;
- user_info->workstation_name = r->in.logon.network->identity_info.workstation.string;
+ user_info->logon_parameters = r->in.logon.password->identity_info.parameter_control;
+ user_info->client.account_name = r->in.logon.password->identity_info.account_name.string;
+ user_info->client.domain_name = r->in.logon.password->identity_info.domain_name.string;
+ user_info->workstation_name = r->in.logon.password->identity_info.workstation.string;
 user_info->password_state = AUTH_PASSWORD_HASH;
 user_info->password.hash.lanman = talloc(user_info, struct samr_Password);
@@ -428,6 +429,7 @@
 nt_status = auth_context_set_challenge(auth_context, r->in.logon.network->challenge, "netr_LogonSamLogonWithFlags");
 NT_STATUS_NOT_OK_RETURN(nt_status);
+ user_info->logon_parameters = r->in.logon.network->identity_info.parameter_control;
 user_info->client.account_name = r->in.logon.network->identity_info.account_name.string;
 user_info->client.domain_name = r->in.logon.network->identity_info.domain_name.string;
 user_info->workstation_name = r->in.logon.network->identity_info.workstation.string;
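Review bot: Both hunks copy `identity_info.parameter_control` into user_info->logon_parameters verbatim, so the netlogon caller decides for its own request whether cleartext passwords (MSV1_0_CLEARTEXT_PASSWORD_ALLOWED) and server/workstation trust-account logons are accepted, and nothing in this commit narrows that to the bits the server means to honour. If relying on the secure-channel peer for this is the intended semantics, a comment at the first assignment saying so would stop a later reader from treating it as an oversight; otherwise mask the value, e.g. `user_info->logon_parameters = r->in.logon.network->identity_info.parameter_control & (MSV1_0_CLEARTEXT_PASSWORD_ALLOWED | MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT);` in the -428 hunk and the `password` counterpart in the -400 hunk. Either way the choice should be stated once rather than left implicit in two places. Both enclosing functions start and end outside these hunks.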