author | Herwin Weststrate <herwin@quarantainenet.nl> | 2015-12-09 18:47:47 +0100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2016-03-11 22:58:18 +0100 |
commit | 0b500d413c5b76188c0c566318be7079b777237c (patch) | |
tree | a6482ad1bbc5efb00d012ca166a44c160b86b36b /source4/utils | |
parent | ad5b9c3df2f2e3c93642fb1c069a6f4c56eb94f4 (diff) | |
download | samba-0b500d413c5b76188c0c566318be7079b777237c.tar.gz |
Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth
An implementation of https://lists.samba.org/archive/samba/2012-March/166497.html (which was discussed in 2012, but was never implemented).
It has been tested on a Debian Jessie system with this patch added to the Debian package (which is currently 4.1.17). Even though this is Samba 4, the ntlm_auth installed is the one from Samba 3 (yes, it surprised me too). The backend was a machine with Windows 2012R2.
It was first tested with the local security policy 'Network Security: LAN Manager authentication level' setting changed to 'Send NTLMv2 Response Only' (allow ntlm v1). This way we are able to authenticate with and without the MSV1_0_ALLOW_MSVCHAPV2 flag (as expected).
After the basic step had been verified, the local security policy 'Network Security: LAN Manager authentication level' setting was changed to 'Send NTLMv2 Response Only. Refuse LM & NTLM' (only allow ntlm v2). The behaviour now changed according to the MSV1_0_ALLOW_MSVCHAPV2 flag (again: as expected).
```
$ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain=
Logon failure (0xc000006d)
$ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain= --allow-mschapv2
NT_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
```
The changes in `wbclient.h` are intended for programs that use libwinbind directly instead of authenticating via `ntlm_auth`. I intend to use that within FreeRADIUS (see https://bugzilla.samba.org/show_bug.cgi?id=11149).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11694
Signed-off-by: Herwin Weststrate <herwin@quarantainenet.nl>
Reviewed-by: Kai Blin <kai@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/utils')
-rw-r--r-- | source4/utils/ntlm_auth.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index f7c95ebff70..08160247745 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -104,6 +104,7 @@ static const char *opt_workstation; static const char *opt_password; static int opt_multiplex; static int use_cached_creds; +static int opt_allow_mschapv2; static void mux_printf(unsigned int mux_id, const char *format, ...) PRINTF_ATTRIBUTE(2, 3); @@ -174,6 +175,7 @@ static NTSTATUS local_pw_check_specified(struct loadparm_context *lp_ctx, if (!mem_ctx) { nt_status = NT_STATUS_NO_MEMORY; } else { + uint32_t logon_parameters = 0; E_md4hash(opt_password, nt_pw.hash); if (E_deshash(opt_password, lm_pw.hash)) { @@ -183,10 +185,14 @@ static NTSTATUS local_pw_check_specified(struct loadparm_context *lp_ctx, } nt_pwd = &nt_pw; + if (opt_allow_mschapv2) { + logon_parameters |= MSV1_0_ALLOW_MSVCHAPV2; + } nt_status = ntlm_password_check(mem_ctx, lpcfg_lanman_auth(lp_ctx), lpcfg_ntlm_auth(lp_ctx), + logon_parameters | MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT, challenge, @@ -1043,6 +1049,7 @@ enum { OPT_REQUIRE_MEMBERSHIP, OPT_MULTIPLEX, OPT_USE_CACHED_CREDS, + OPT_ALLOW_MSCHAPV2, }; int main(int argc, const char **argv) @@ -1069,6 +1076,7 @@ int main(int argc, const char **argv) { "password", 0, POPT_ARG_STRING, &opt_password, OPT_PASSWORD, "User's plaintext password"}, { "multiplex", 0, POPT_ARG_NONE, &opt_multiplex, OPT_MULTIPLEX, "Multiplex Mode"}, { "use-cached-creds", 0, POPT_ARG_NONE, &use_cached_creds, OPT_USE_CACHED_CREDS, "silently ignored for compatibility reasons"}, + { "allow-mschapv2", 0, POPT_ARG_NONE, &opt_allow_mschapv2, OPT_ALLOW_MSCHAPV2, "Explicitly allow MSCHAPv2" }, POPT_COMMON_SAMBA POPT_COMMON_VERSION { NULL } |
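Review bot: in the `@@ -183,10 +185,14 @@` hunk the new flag only reaches `ntlm_password_check()` through `local_pw_check_specified()`, the path used when a plaintext `--password` is given and the check is done locally; the test in the commit message (`--request-nt-key` against a Windows 2012R2 backend, using the Samba 3 `ntlm_auth`) exercises the winbind path instead, and the `wbclient.h` side the message mentions is outside this diffstat (limited to `source4/utils`). Please state in the commit message which binary this hunk changes, or add a run of the local path so the source4 change is shown to work too. Minor: `uint32_t logon_parameters = 0;` followed by `if (opt_allow_mschapv2) { logon_parameters |= MSV1_0_ALLOW_MSVCHAPV2; }` could be a single initialiser, though the current form is clear. The default behaviour is unchanged: without `--allow-mschapv2` the call still passes only `MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT`, so the relaxation is strictly opt-in.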
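Review bot: the help text `"Explicitly allow MSCHAPv2"` in the `@@ -1069,6 +1076,7 @@` hunk does not tell an operator what the option relaxes; per the commit message it makes a logon succeed where the backend policy is set to 'Send NTLMv2 Response Only. Refuse LM & NTLM', so something like "Allow MSCHAPv2 logons even where NTLMv1 is otherwise refused" would make the opt-in nature of the loosening visible in `--help`. Style: the new entry ends with `"Explicitly allow MSCHAPv2" },` while the neighbouring entries use `"..."},` with no space before the brace; match the existing lines.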