/**
 * Build an auth_usersupplied_info for a client that sent already-encrypted
 * LM and/or NT password responses.
 *
 * Unless lp_raw_ntlmv2_auth() returns true, an NT response of 48 bytes or
 * more is refused. 48 bytes is the minimum size of an NTLMv2_RESPONSE, and
 * that response type should only be supported via NTLMSSP.
 *
 * @param mem_ctx         talloc context handed to make_user_info(); also the
 *                        parent of the address string built for the
 *                        rejection log message
 * @param user_info       out parameter, passed through to make_user_info()
 * @param smb_name        account name, passed twice to make_user_info()
 * @param client_domain   domain name, passed twice to make_user_info()
 * @param remote_address  peer address, forwarded and used in the log message
 * @param lm_resp         LM response; forwarded only if it has data and a
 *                        non-zero length
 * @param nt_resp         NT response; forwarded only if it has data and a
 *                        non-zero length
 *
 * @return NT_STATUS_INVALID_PARAMETER when a raw NTLMv2-sized response is
 *         rejected, otherwise the status returned by make_user_info().
 */
NTSTATUS make_user_info_for_reply_enc(TALLOC_CTX *mem_ctx,
				      struct auth_usersupplied_info **user_info,
				      const char *smb_name,
				      const char *client_domain,
				      const struct tsocket_address *remote_address,
				      DATA_BLOB lm_resp,
				      DATA_BLOB nt_resp)
{
	const bool raw_ntlmv2_allowed = lp_raw_ntlmv2_auth();
	DATA_BLOB *lm_blob = NULL;
	DATA_BLOB *nt_blob = NULL;

	if (nt_resp.length >= 48 && !raw_ntlmv2_allowed) {
		/*
		 * NTLMv2_RESPONSE has at least 48 bytes
		 * and should only be supported via NTLMSSP.
		 *
		 * NOTE(review): the domain and user name are written to the
		 * log as received - presumably client-controlled; confirm the
		 * log consumer copes with arbitrary bytes.
		 */
		DEBUG(2,("Rejecting raw NTLMv2 authentication with "
			 "user [%s\\%s] from[%s]\n",
			 client_domain, smb_name,
			 tsocket_address_string(remote_address, mem_ctx)));
		return NT_STATUS_INVALID_PARAMETER;
	}

	/* An empty blob is passed on as "no response" (NULL). */
	if (lm_resp.data && lm_resp.length > 0) {
		lm_blob = &lm_resp;
	}
	if (nt_resp.data && nt_resp.length > 0) {
		nt_blob = &nt_resp;
	}

	return make_user_info(mem_ctx,
			      user_info,
			      smb_name, smb_name,
			      client_domain, client_domain,
			      get_remote_machine_name(),
			      remote_address,
			      lm_blob,
			      nt_blob,
			      NULL, NULL, NULL,
			      AUTH_PASSWORD_RESPONSE);
}
/**
 * Build an auth_usersupplied_info with empty user, domain and workstation
 * names and no password data of any kind.
 *
 * @param user_info  out parameter, passed through to make_user_info()
 *
 * @return True when make_user_info() reports success, False otherwise.
 */
bool make_user_info_guest(struct auth_usersupplied_info **user_info)
{
	const NTSTATUS status = make_user_info(user_info,
					       "", "",
					       "", "",
					       "",
					       NULL, NULL,
					       NULL, NULL,
					       NULL,
					       AUTH_PASSWORD_RESPONSE);

	if (!NT_STATUS_IS_OK(status)) {
		return False;
	}
	return True;
}
/**
 * Build an auth_usersupplied_info for a client that sent already-encrypted
 * LM and/or NT password responses.
 *
 * NOTE(review): this variant applies no size or type check to nt_resp, so a
 * response of any length, including one large enough to be a raw NTLMv2
 * response, is forwarded to make_user_info(). Confirm whether raw NTLMv2 is
 * meant to be accepted on this path.
 *
 * @param user_info       out parameter, passed through to make_user_info()
 * @param smb_name        account name, passed twice to make_user_info()
 * @param client_domain   domain name, passed twice to make_user_info()
 * @param remote_address  peer address, forwarded unchanged
 * @param lm_resp         LM response; forwarded only if it has data and a
 *                        non-zero length
 * @param nt_resp         NT response; forwarded only if it has data and a
 *                        non-zero length
 *
 * @return the status returned by make_user_info().
 */
NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info,
				      const char *smb_name,
				      const char *client_domain,
				      const struct tsocket_address *remote_address,
				      DATA_BLOB lm_resp,
				      DATA_BLOB nt_resp)
{
	DATA_BLOB *lm_blob = NULL;
	DATA_BLOB *nt_blob = NULL;

	/* An empty blob is passed on as "no response" (NULL). */
	if (lm_resp.data && lm_resp.length > 0) {
		lm_blob = &lm_resp;
	}
	if (nt_resp.data && nt_resp.length > 0) {
		nt_blob = &nt_resp;
	}

	return make_user_info(user_info,
			      smb_name, smb_name,
			      client_domain, client_domain,
			      get_remote_machine_name(),
			      remote_address,
			      lm_blob,
			      nt_blob,
			      NULL, NULL, NULL,
			      AUTH_PASSWORD_RESPONSE);
}
/**
 * Build an auth_usersupplied_info with empty user, domain and workstation
 * names and no password data, recording only the peer address.
 *
 * @param remote_address  peer address, forwarded to make_user_info()
 * @param user_info       out parameter, passed through to make_user_info()
 *
 * @return true when make_user_info() reports success, false otherwise.
 */
bool make_user_info_guest(const struct tsocket_address *remote_address,
			  struct auth_usersupplied_info **user_info)
{
	const NTSTATUS status = make_user_info(user_info,
					       "", "",
					       "", "",
					       "",
					       remote_address,
					       NULL, NULL,
					       NULL, NULL,
					       NULL,
					       AUTH_PASSWORD_RESPONSE);

	if (!NT_STATUS_IS_OK(status)) {
		return false;
	}
	return true;
}
/**
 * Build an auth_usersupplied_info after applying user name mapping and
 * domain mapping to the names supplied by the client.
 *
 * The user name is run through map_username(). The domain is replaced
 * unless it is a trusted domain, my_sam_name() or get_global_sam_name().
 * The names as received are still passed to make_user_info() alongside the
 * mapped ones.
 *
 * @param user_info            out parameter; on success its mapped_state
 *                             and was_mapped fields are also set
 * @param smb_name             user name as sent by the client
 * @param client_domain        domain name as sent by the client
 * @param workstation_name     workstation name, forwarded and logged
 * @param lm_pwd               forwarded to make_user_info()
 * @param nt_pwd               forwarded to make_user_info()
 * @param lm_interactive_pwd   forwarded to make_user_info()
 * @param nt_interactive_pwd   forwarded to make_user_info()
 * @param plaintext            forwarded to make_user_info()
 * @param password_state       forwarded to make_user_info()
 *
 * @return NT_STATUS_NO_MEMORY when map_username() leaves no mapped name,
 *         otherwise the status returned by make_user_info().
 */
NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info,
			    const char *smb_name,
			    const char *client_domain,
			    const char *workstation_name,
			    DATA_BLOB *lm_pwd,
			    DATA_BLOB *nt_pwd,
			    const struct samr_Password *lm_interactive_pwd,
			    const struct samr_Password *nt_interactive_pwd,
			    const char *plaintext,
			    enum auth_password_state password_state)
{
	char *internal_username = NULL;
	const char *domain = client_domain;
	bool was_mapped;
	bool domain_is_known;
	NTSTATUS result;

	/* The mapped name is allocated on the current talloc stack frame. */
	was_mapped = map_username(talloc_tos(), smb_name, &internal_username);
	if (internal_username == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	DEBUG(5, ("Mapping user [%s]\\[%s] from workstation [%s]\n",
		  client_domain, smb_name, workstation_name));

	/*
	 * A Windows domain member that is given a bogus domain name maps
	 * BOGUS\user to SAMNAME\user. On a DC that becomes DOMAIN\user and
	 * is authenticated against AD; on a member server that is not a DC,
	 * and on a standalone box, it becomes WORKSTATION\user.
	 * The same path handles a client that passes "" as the domain.
	 */
	domain_is_known = is_trusted_domain(domain) ||
			  strequal(domain, my_sam_name()) ||
			  strequal(domain, get_global_sam_name());

	if (!domain_is_known) {
		domain = lp_map_untrusted_to_domain() ? my_sam_name()
						      : get_global_sam_name();

		DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] from "
			  "workstation [%s]\n",
			  client_domain, domain, smb_name, workstation_name));
	}

	/*
	 * From here on the domain is either trusted (and we are allowing
	 * it), our global SAM name, or, for legacy behaviour, our primary
	 * domain name.
	 */
	result = make_user_info(user_info,
				smb_name, internal_username,
				client_domain, domain,
				workstation_name,
				lm_pwd, nt_pwd,
				lm_interactive_pwd, nt_interactive_pwd,
				plaintext,
				password_state);
	if (!NT_STATUS_IS_OK(result)) {
		return result;
	}

	/* Record that mapping was attempted ... */
	(*user_info)->mapped_state = True;
	/* ... and whether it actually produced a different user name. */
	(*user_info)->was_mapped = was_mapped;

	return result;
}
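/**
 * Build an auth_usersupplied_info for a client that sent its password in
 * clear text.
 *
 * When a password is present, an LM response is computed from it and the
 * 8-byte challenge with SMBencrypt(). No NT response is produced. The
 * clear-text password is also handed to make_user_info() as a
 * NUL-terminated copy, which is wiped and freed before returning.
 *
 * @param user_info           out parameter, passed through to make_user_info()
 * @param smb_name            account name, passed twice to make_user_info()
 * @param client_domain       domain name, passed twice to make_user_info()
 * @param remote_address      peer address, forwarded unchanged
 * @param chal                8-byte challenge used for the LM response
 * @param plaintext_password  clear-text password as received
 *
 * @return true when make_user_info() reports success; false on failure,
 *         including when the NUL-terminated password copy cannot be made.
 */
bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
			      const char *smb_name,
			      const char *client_domain,
			      const struct tsocket_address *remote_address,
			      const uint8 chal[8],
			      DATA_BLOB plaintext_password)
{
	DATA_BLOB local_lm_blob;
	DATA_BLOB local_nt_blob;
	NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
	char *plaintext_password_string;

	/*
	 * Not encrypted - do so.
	 */
	DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted "
		 "format.\n"));

	if (plaintext_password.data && plaintext_password.length) {
		unsigned char local_lm_response[24];

#ifdef DEBUG_PASSWORD
		/*
		 * Only built with DEBUG_PASSWORD: this dumps the clear-text
		 * password to the debug log at level 100.
		 */
		DEBUG(10,("Unencrypted password (len %d):\n",
			  (int)plaintext_password.length));
		dump_data(100, plaintext_password.data,
			  plaintext_password.length);
#endif

		/*
		 * NOTE(review): SMBencrypt() is given the blob's data pointer
		 * without its length - presumably it treats it as a
		 * NUL-terminated string; confirm callers guarantee that.
		 */
		SMBencrypt((const char *)plaintext_password.data,
			   (const uchar*)chal, local_lm_response);
		local_lm_blob = data_blob(local_lm_response,
					  sizeof(local_lm_response));

		/* We can't do an NT hash here, as the password needs to be
		   case insensitive */
		local_nt_blob = data_blob_null;
	} else {
		local_lm_blob = data_blob_null;
		local_nt_blob = data_blob_null;
	}

	plaintext_password_string = talloc_strndup(talloc_tos(),
				(const char *)plaintext_password.data,
				plaintext_password.length);
	if (!plaintext_password_string) {
		/*
		 * Do not leave the LM response blob behind on this error
		 * path; the normal exit below frees it as well.
		 */
		data_blob_free(&local_lm_blob);
		return false;
	}

	ret = make_user_info(user_info,
			     smb_name, smb_name,
			     client_domain, client_domain,
			     get_remote_machine_name(),
			     remote_address,
			     local_lm_blob.data ? &local_lm_blob : NULL,
			     local_nt_blob.data ? &local_nt_blob : NULL,
			     NULL, NULL,
			     plaintext_password_string,
			     AUTH_PASSWORD_PLAIN);

	/*
	 * Wipe our copy of the clear-text password before releasing it.
	 * NOTE(review): this is a plain memset(); confirm the build cannot
	 * elide it, or switch to the project's explicit-zeroing helper.
	 */
	memset(plaintext_password_string, '\0',
	       strlen(plaintext_password_string));
	talloc_free(plaintext_password_string);

	data_blob_free(&local_lm_blob);
	return NT_STATUS_IS_OK(ret) ? true : false;
}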