-rw-r--r--docs-xml/manpages/ntlm_auth.1.xml5
-rw-r--r--nsswitch/libwbclient/wbclient.h1
-rw-r--r--source3/utils/ntlm_auth.c7
-rw-r--r--source4/utils/ntlm_auth.c8
4 files changed, 21 insertions, 0 deletions
diff --git a/docs-xml/manpages/ntlm_auth.1.xml b/docs-xml/manpages/ntlm_auth.1.xml
index 042893acbac..616d537890d 100644
--- a/docs-xml/manpages/ntlm_auth.1.xml
+++ b/docs-xml/manpages/ntlm_auth.1.xml
@@ -381,6 +381,11 @@
</varlistentry>
<varlistentry>
+ <term>--allow-mschapv2</term>
+ <listitem><para>Explicitly allow MSCHAPv2.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>--offline-logon</term>
<listitem><para>Allow offline logons for plain text auth.
</para></listitem>
diff --git a/nsswitch/libwbclient/wbclient.h b/nsswitch/libwbclient/wbclient.h
index 6ec83778fd3..8c1803b7a05 100644
--- a/nsswitch/libwbclient/wbclient.h
+++ b/nsswitch/libwbclient/wbclient.h
@@ -316,6 +316,7 @@ struct wbcChangePasswordParams {
#define WBC_MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT 0x00000020
#define WBC_MSV1_0_RETURN_PROFILE_PATH 0x00000200
#define WBC_MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT 0x00000800
+#define WBC_MSV1_0_ALLOW_MSVCHAPV2 0x00010000
/* wbcAuthUserParams->flags */
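Review bot: `WBC_MSV1_0_ALLOW_MSVCHAPV2` is added to the public libwbclient header with no comment, and nothing in this commit ties its value to the internal `MSV1_0_ALLOW_MSVCHAPV2` that the source3 and source4 hunks OR into logon_parameters, so the two presumably have to be kept equal by hand. A one-line comment above the define, `/* must stay equal to MSV1_0_ALLOW_MSVCHAPV2; marks a CRAP request as MS-CHAPv2 (see ntlm_auth --allow-mschapv2) */`, would make that coupling and the flag's purpose visible to library users. If this header keeps a version/changes log for API additions, the new flag belongs there as well.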
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index f37cfa3a41e..25c20d86834 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -169,6 +169,7 @@ static int request_lm_key;
static int request_user_session_key;
static int use_cached_creds;
static int offline_logon;
+static int opt_allow_mschapv2;
static const char *require_membership_of;
static const char *require_membership_of_sid;
@@ -533,6 +534,10 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
request.data.auth_crap.logon_parameters = extra_logon_parameters
| MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT | MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT;
+ if (opt_allow_mschapv2) {
+ request.data.auth_crap.logon_parameters |= MSV1_0_ALLOW_MSVCHAPV2;
+ }
+
if (require_membership_of_sid)
fstrcpy(request.data.auth_crap.require_membership_of_sid, require_membership_of_sid);
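Review bot: Once `--allow-mschapv2` is given the new flag is OR'd into `logon_parameters` for every CRAP request this process sends, not only for requests that are actually MS-CHAPv2 responses, and the hunk carries no comment saying why the opt-in exists or who is expected to honour it. If that process-wide scope is intended, a why-comment above the `if` would spare the next reader the guess, e.g. `/* --allow-mschapv2: flag the request as MS-CHAPv2 so the backend may accept it (see MSV1_0_ALLOW_MSVCHAPV2) */`; the wording should be checked against what winbindd does with the flag, which is not visible here. contact_winbind_auth_crap begins and ends outside this hunk.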
@@ -2185,6 +2190,7 @@ enum {
OPT_DIAGNOSTICS,
OPT_REQUIRE_MEMBERSHIP,
OPT_USE_CACHED_CREDS,
+ OPT_ALLOW_MSCHAPV2,
OPT_PAM_WINBIND_CONF,
OPT_TARGET_SERVICE,
OPT_TARGET_HOSTNAME,
@@ -2225,6 +2231,7 @@ enum {
{ "request-lm-key", 0, POPT_ARG_NONE, &request_lm_key, OPT_LM_KEY, "Retrieve LM session key"},
{ "request-nt-key", 0, POPT_ARG_NONE, &request_user_session_key, OPT_USER_SESSION_KEY, "Retrieve User (NT) session key"},
{ "use-cached-creds", 0, POPT_ARG_NONE, &use_cached_creds, OPT_USE_CACHED_CREDS, "Use cached credentials if no password is given"},
+ { "allow-mschapv2", 0, POPT_ARG_NONE, &opt_allow_mschapv2, OPT_ALLOW_MSCHAPV2, "Explicitly allow MSCHAPv2" },
{ "offline-logon", 0, POPT_ARG_NONE, &offline_logon,
OPT_OFFLINE_LOGON,
"Use cached passwords when DC is offline"},
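Review bot: The help text `"Explicitly allow MSCHAPv2"` says neither what is being allowed nor what happens when the option is omitted, so an operator reading `--help` cannot tell whether their caller needs it; the same string is used in the source4 option table and the man page entry in this commit. A more useful form is `"Set MSV1_0_ALLOW_MSVCHAPV2 on authentication requests so MS-CHAPv2 responses can be processed"`, with the man page saying which clients send MS-CHAPv2 (presumably EAP/RADIUS style callers) and that the default leaves the flag clear. The option table continues outside this hunk.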
diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
index f7c95ebff70..08160247745 100644
--- a/source4/utils/ntlm_auth.c
+++ b/source4/utils/ntlm_auth.c
@@ -104,6 +104,7 @@ static const char *opt_workstation;
static const char *opt_password;
static int opt_multiplex;
static int use_cached_creds;
+static int opt_allow_mschapv2;
static void mux_printf(unsigned int mux_id, const char *format, ...) PRINTF_ATTRIBUTE(2, 3);
@@ -174,6 +175,7 @@ static NTSTATUS local_pw_check_specified(struct loadparm_context *lp_ctx,
if (!mem_ctx) {
nt_status = NT_STATUS_NO_MEMORY;
} else {
+ uint32_t logon_parameters = 0;
E_md4hash(opt_password, nt_pw.hash);
if (E_deshash(opt_password, lm_pw.hash)) {
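Review bot: `uint32_t logon_parameters = 0;` is declared at the top of the `else` branch but only set in the next hunk, where a separate `if`/`|=` block and an extra `logon_parameters |` argument line carry the single MS-CHAPv2 opt-in; folding it into the declaration, `uint32_t logon_parameters = opt_allow_mschapv2 ? MSV1_0_ALLOW_MSVCHAPV2 : 0;`, and passing `logon_parameters | MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT` keeps the whole opt-in in one place. The same note covers the `@@ -183,10 +185,14 @@` hunk below. Only the local `--password` check in local_pw_check_specified is changed in this file; if another path here builds flags for ntlm_password_check, it would need the same treatment, which cannot be seen from this hunk. local_pw_check_specified begins and ends outside this hunk.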
@@ -183,10 +185,14 @@ static NTSTATUS local_pw_check_specified(struct loadparm_context *lp_ctx,
}
nt_pwd = &nt_pw;
+ if (opt_allow_mschapv2) {
+ logon_parameters |= MSV1_0_ALLOW_MSVCHAPV2;
+ }
nt_status = ntlm_password_check(mem_ctx,
lpcfg_lanman_auth(lp_ctx),
lpcfg_ntlm_auth(lp_ctx),
+ logon_parameters |
MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
challenge,
@@ -1043,6 +1049,7 @@ enum {
OPT_REQUIRE_MEMBERSHIP,
OPT_MULTIPLEX,
OPT_USE_CACHED_CREDS,
+ OPT_ALLOW_MSCHAPV2,
};
int main(int argc, const char **argv)
@@ -1069,6 +1076,7 @@ int main(int argc, const char **argv)
{ "password", 0, POPT_ARG_STRING, &opt_password, OPT_PASSWORD, "User's plaintext password"},
{ "multiplex", 0, POPT_ARG_NONE, &opt_multiplex, OPT_MULTIPLEX, "Multiplex Mode"},
{ "use-cached-creds", 0, POPT_ARG_NONE, &use_cached_creds, OPT_USE_CACHED_CREDS, "silently ignored for compatibility reasons"},
+ { "allow-mschapv2", 0, POPT_ARG_NONE, &opt_allow_mschapv2, OPT_ALLOW_MSCHAPV2, "Explicitly allow MSCHAPv2" },
POPT_COMMON_SAMBA
POPT_COMMON_VERSION
{ NULL }