author | Andreas Schneider <asn@samba.org> | 2013-04-24 15:27:21 +0200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2013-04-30 11:16:18 +0200 |
commit | ae3aa281ab43f67d4f8337bafdefc08bd44712ea (patch) | |
tree | 8555fc2a7fc019b5202eee3e781bce97fadaeba1 | |
parent | ad6f2896dc558e7020d2727ed559b71f1c857098 (diff) | |
BUG 9817: Fix 'map untrusted to domain' with NTLMv2.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Apr 24 17:14:48 CEST 2013 on sn-devel-104
Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Tue Apr 30 11:16:19 CEST 2013 on sn-devel-104
-rw-r--r-- | source3/auth/auth_winbind.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index d4ace2c9193..2b5c84d2760 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -62,9 +62,15 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, } /* Send off request */ - params.account_name = user_info->client.account_name; - params.domain_name = user_info->mapped.domain_name; + /* + * We need to send the domain name from the client to the DC. With + * NTLMv2 the domain name is part of the hashed second challenge, + * if we change the domain name, the DC will fail to verify the + * challenge cause we changed the domain name, this is like a + * man in the middle attack. + */ + params.domain_name = user_info->client.domain_name; params.workstation_name = user_info->workstation_name; params.flags = 0; |
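Review bot: the removed lines in check_winbind_security() include `params.account_name = user_info->client.account_name;`, but none of the added lines assigns `params.account_name` again, so as shown the request is built without an account name unless the field is set outside this hunk. If only the domain name was meant to change, keep the account_name assignment above the new comment. The comment itself would also read better split into two sentences ("cause" should be "because"), and it should say explicitly that `user_info->mapped.domain_name` is deliberately not used here, so a later reader does not switch it back to honour 'map untrusted to domain' and break NTLMv2 verification on the DC again.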