NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
void **server_returned_info,
DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
{
struct auth_context *auth_context = talloc_get_type_abort(auth4_context->private_data,
struct auth_context);
struct auth_usersupplied_info *mapped_user_info = NULL;
struct auth_serversupplied_info *server_info;
NTSTATUS nt_status;
bool username_was_mapped;
/* The client has given us its machine name (which we only get over NBT transport).
We need to possibly reload smb.conf if smb.conf includes depend on the machine name. */
set_remote_machine_name(user_info->workstation_name, True);
/* setup the string used by %U */
/* sub_set_smb_name checks for weird internally */
sub_set_smb_name(user_info->client.account_name);
lp_load_with_shares(get_dyn_CONFIGFILE());
nt_status = make_user_info_map(talloc_tos(),
&mapped_user_info,
user_info->client.account_name,
user_info->client.domain_name,
user_info->workstation_name,
user_info->remote_host,
user_info->password.response.lanman.data ? &user_info->password.response.lanman : NULL,
user_info->password.response.nt.data ? &user_info->password.response.nt : NULL,
NULL, NULL, NULL,
AUTH_PASSWORD_RESPONSE);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
mapped_user_info->logon_parameters = user_info->logon_parameters;
mapped_user_info->flags = user_info->flags;
nt_status = auth_check_ntlm_password(mem_ctx,
auth_context,
mapped_user_info,
&server_info);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: %s\n",
user_info->client.domain_name,
user_info->client.account_name,
nt_errstr(nt_status)));
}
username_was_mapped = mapped_user_info->was_mapped;
TALLOC_FREE(mapped_user_info);
if (!NT_STATUS_IS_OK(nt_status)) {
nt_status = do_map_to_guest_server_info(mem_ctx,
nt_status,
user_info->client.account_name,
user_info->client.domain_name,
&server_info);
*server_returned_info = talloc_steal(mem_ctx, server_info);
return nt_status;
}
server_info->nss_token |= username_was_mapped;
/* Clear out the session keys, and pass them to the caller.
* They will not be used in this form again - instead the
* NTLMSSP code will decide on the final correct session key,
* and supply it to create_local_token() */
if (session_key) {
DEBUG(10, ("Got NT session key of length %u\n",
(unsigned int)server_info->session_key.length));
*session_key = server_info->session_key;
talloc_steal(mem_ctx, server_info->session_key.data);
server_info->session_key = data_blob_null;
}
if (lm_session_key) {
DEBUG(10, ("Got LM session key of length %u\n",
(unsigned int)server_info->lm_session_key.length));
*lm_session_key = server_info->lm_session_key;
talloc_steal(mem_ctx, server_info->lm_session_key.data);
server_info->lm_session_key = data_blob_null;
}
*server_returned_info = talloc_steal(mem_ctx, server_info);
return nt_status;
}
static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, TALLOC_CTX *mem_ctx,
DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
{
struct gensec_ntlmssp_context *gensec_ntlmssp =
(struct gensec_ntlmssp_context *)ntlmssp_state->callback_private;
struct auth_usersupplied_info *user_info = NULL;
NTSTATUS nt_status;
bool username_was_mapped;
/* the client has given us its machine name (which we otherwise would not get on port 445).
we need to possibly reload smb.conf if smb.conf includes depend on the machine name */
set_remote_machine_name(gensec_ntlmssp->ntlmssp_state->client.netbios_name, True);
/* setup the string used by %U */
/* sub_set_smb_name checks for weird internally */
sub_set_smb_name(gensec_ntlmssp->ntlmssp_state->user);
lp_load(get_dyn_CONFIGFILE(), false, false, true, true);
nt_status = make_user_info_map(&user_info,
gensec_ntlmssp->ntlmssp_state->user,
gensec_ntlmssp->ntlmssp_state->domain,
gensec_ntlmssp->ntlmssp_state->client.netbios_name,
gensec_get_remote_address(gensec_ntlmssp->gensec_security),
gensec_ntlmssp->ntlmssp_state->lm_resp.data ? &gensec_ntlmssp->ntlmssp_state->lm_resp : NULL,
gensec_ntlmssp->ntlmssp_state->nt_resp.data ? &gensec_ntlmssp->ntlmssp_state->nt_resp : NULL,
NULL, NULL, NULL,
AUTH_PASSWORD_RESPONSE);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
nt_status = gensec_ntlmssp->auth_context->check_ntlm_password(gensec_ntlmssp->auth_context,
user_info, &gensec_ntlmssp->server_info);
username_was_mapped = user_info->was_mapped;
free_user_info(&user_info);
if (!NT_STATUS_IS_OK(nt_status)) {
nt_status = do_map_to_guest_server_info(nt_status,
&gensec_ntlmssp->server_info,
gensec_ntlmssp->ntlmssp_state->user,
gensec_ntlmssp->ntlmssp_state->domain);
return nt_status;
}
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
gensec_ntlmssp->server_info->nss_token |= username_was_mapped;
/* Clear out the session keys, and pass them to the caller.
* They will not be used in this form again - instead the
* NTLMSSP code will decide on the final correct session key,
* and supply it to create_local_token() */
if (gensec_ntlmssp->server_info->session_key.length) {
DEBUG(10, ("Got NT session key of length %u\n",
(unsigned int)gensec_ntlmssp->server_info->session_key.length));
*session_key = gensec_ntlmssp->server_info->session_key;
talloc_steal(mem_ctx, gensec_ntlmssp->server_info->session_key.data);
gensec_ntlmssp->server_info->session_key = data_blob_null;
}
if (gensec_ntlmssp->server_info->lm_session_key.length) {
DEBUG(10, ("Got LM session key of length %u\n",
(unsigned int)gensec_ntlmssp->server_info->lm_session_key.length));
*lm_session_key = gensec_ntlmssp->server_info->lm_session_key;
talloc_steal(mem_ctx, gensec_ntlmssp->server_info->lm_session_key.data);
gensec_ntlmssp->server_info->lm_session_key = data_blob_null;
}
return nt_status;
}
