Context Navigation

source: vendor/3.5.7/source3/utils/ntlm_auth.c

Visit:

Last change on this file was 427, checked in by Silvan Scherrer, 16 years ago
Samba 3.5.x: update to 3.5.2
File size: 72.0 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3
4	Winbind status program.
5
6	Copyright (C) Tim Potter 2000-2003
7	Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004
8	Copyright (C) Francesco Chemolli <kinkie@kame.usr.dsi.unimi.it> 2000
9	Copyright (C) Robert O'Callahan 2006 (added cached credential code).
10	Copyright (C) Kai Blin <kai@samba.org> 2008
11
12	This program is free software; you can redistribute it and/or modify
13	it under the terms of the GNU General Public License as published by
14	the Free Software Foundation; either version 3 of the License, or
15	(at your option) any later version.
16
17	This program is distributed in the hope that it will be useful,
18	but WITHOUT ANY WARRANTY; without even the implied warranty of
19	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20	GNU General Public License for more details.
21
22	You should have received a copy of the GNU General Public License
23	along with this program. If not, see <http://www.gnu.org/licenses/>.
24	*/
25
26	#include "includes.h"
27	#include "utils/ntlm_auth.h"
28	#include "../libcli/auth/libcli_auth.h"
29	#include "../libcli/auth/spnego.h"
30	#include "smb_krb5.h"
31	#include <iniparser.h>
32
33	#ifndef PAM_WINBIND_CONFIG_FILE
34	#define PAM_WINBIND_CONFIG_FILE "/etc/security/pam_winbind.conf"
35	#endif
36
37	#define WINBIND_KRB5_AUTH 0x00000080
38
39	#undef DBGC_CLASS
40	#define DBGC_CLASS DBGC_WINBIND
41
42	#define INITIAL_BUFFER_SIZE 300
43	#define MAX_BUFFER_SIZE 630000
44
45	enum stdio_helper_mode {
46	SQUID_2_4_BASIC,
47	SQUID_2_5_BASIC,
48	SQUID_2_5_NTLMSSP,
49	NTLMSSP_CLIENT_1,
50	GSS_SPNEGO,
51	GSS_SPNEGO_CLIENT,
52	NTLM_SERVER_1,
53	NTLM_CHANGE_PASSWORD_1,
54	NUM_HELPER_MODES
55	};
56
57	enum ntlm_auth_cli_state {
58	CLIENT_INITIAL = 0,
59	CLIENT_RESPONSE,
60	CLIENT_FINISHED,
61	CLIENT_ERROR
62	};
63
64	enum ntlm_auth_svr_state {
65	SERVER_INITIAL = 0,
66	SERVER_CHALLENGE,
67	SERVER_FINISHED,
68	SERVER_ERROR
69	};
70
71	struct ntlm_auth_state {
72	TALLOC_CTX *mem_ctx;
73	enum stdio_helper_mode helper_mode;
74	enum ntlm_auth_cli_state cli_state;
75	enum ntlm_auth_svr_state svr_state;
76	struct ntlmssp_state *ntlmssp_state;
77	uint32_t neg_flags;
78	char *want_feature_list;
79	bool have_session_key;
80	DATA_BLOB session_key;
81	DATA_BLOB initial_message;
82	};
83
84	typedef void (stdio_helper_function)(struct ntlm_auth_state state, char *buf,
85	int length);
86
87	static void manage_squid_basic_request (struct ntlm_auth_state *state,
88	char *buf, int length);
89
90	static void manage_squid_ntlmssp_request (struct ntlm_auth_state *state,
91	char *buf, int length);
92
93	static void manage_client_ntlmssp_request (struct ntlm_auth_state *state,
94	char *buf, int length);
95
96	static void manage_gss_spnego_request (struct ntlm_auth_state *state,
97	char *buf, int length);
98
99	static void manage_gss_spnego_client_request (struct ntlm_auth_state *state,
100	char *buf, int length);
101
102	static void manage_ntlm_server_1_request (struct ntlm_auth_state *state,
103	char *buf, int length);
104
105	static void manage_ntlm_change_password_1_request(struct ntlm_auth_state *state,
106	char *buf, int length);
107
108	static const struct {
109	enum stdio_helper_mode mode;
110	const char *name;
111	stdio_helper_function fn;
112	} stdio_helper_protocols[] = {
113	{ SQUID_2_4_BASIC, "squid-2.4-basic", manage_squid_basic_request},
114	{ SQUID_2_5_BASIC, "squid-2.5-basic", manage_squid_basic_request},
115	{ SQUID_2_5_NTLMSSP, "squid-2.5-ntlmssp", manage_squid_ntlmssp_request},
116	{ NTLMSSP_CLIENT_1, "ntlmssp-client-1", manage_client_ntlmssp_request},
117	{ GSS_SPNEGO, "gss-spnego", manage_gss_spnego_request},
118	{ GSS_SPNEGO_CLIENT, "gss-spnego-client", manage_gss_spnego_client_request},
119	{ NTLM_SERVER_1, "ntlm-server-1", manage_ntlm_server_1_request},
120	{ NTLM_CHANGE_PASSWORD_1, "ntlm-change-password-1", manage_ntlm_change_password_1_request},
121	{ NUM_HELPER_MODES, NULL, NULL}
122	};
123
124	const char *opt_username;
125	const char *opt_domain;
126	const char *opt_workstation;
127	const char *opt_password;
128	static DATA_BLOB opt_challenge;
129	static DATA_BLOB opt_lm_response;
130	static DATA_BLOB opt_nt_response;
131	static int request_lm_key;
132	static int request_user_session_key;
133	static int use_cached_creds;
134
135	static const char *require_membership_of;
136	static const char *require_membership_of_sid;
137	static const char *opt_pam_winbind_conf;
138
139	static char winbind_separator(void)
140	{
141	struct winbindd_response response;
142	static bool got_sep;
143	static char sep;
144
145	if (got_sep)
146	return sep;
147
148	ZERO_STRUCT(response);
149
150	/* Send off request */
151
152	if (winbindd_request_response(WINBINDD_INFO, NULL, &response) !=
153	NSS_STATUS_SUCCESS) {
154	d_printf("could not obtain winbind separator!\n");
155	return *lp_winbind_separator();
156	}
157
158	sep = response.data.info.winbind_separator;
159	got_sep = True;
160
161	if (!sep) {
162	d_printf("winbind separator was NULL!\n");
163	return *lp_winbind_separator();
164	}
165
166	return sep;
167	}
168
169	const char *get_winbind_domain(void)
170	{
171	struct winbindd_response response;
172
173	static fstring winbind_domain;
174	if (*winbind_domain) {
175	return winbind_domain;
176	}
177
178	ZERO_STRUCT(response);
179
180	/* Send off request */
181
182	if (winbindd_request_response(WINBINDD_DOMAIN_NAME, NULL, &response) !=
183	NSS_STATUS_SUCCESS) {
184	DEBUG(0, ("could not obtain winbind domain name!\n"));
185	return lp_workgroup();
186	}
187
188	fstrcpy(winbind_domain, response.data.domain_name);
189
190	return winbind_domain;
191
192	}
193
194	const char *get_winbind_netbios_name(void)
195	{
196	struct winbindd_response response;
197
198	static fstring winbind_netbios_name;
199
200	if (*winbind_netbios_name) {
201	return winbind_netbios_name;
202	}
203
204	ZERO_STRUCT(response);
205
206	/* Send off request */
207
208	if (winbindd_request_response(WINBINDD_NETBIOS_NAME, NULL, &response) !=
209	NSS_STATUS_SUCCESS) {
210	DEBUG(0, ("could not obtain winbind netbios name!\n"));
211	return global_myname();
212	}
213
214	fstrcpy(winbind_netbios_name, response.data.netbios_name);
215
216	return winbind_netbios_name;
217
218	}
219
220	DATA_BLOB get_challenge(void)
221	{
222	static DATA_BLOB chal;
223	if (opt_challenge.length)
224	return opt_challenge;
225
226	chal = data_blob(NULL, 8);
227
228	generate_random_buffer(chal.data, chal.length);
229	return chal;
230	}
231
232	/* Copy of parse_domain_user from winbindd_util.c. Parse a string of the
233	form DOMAIN/user into a domain and a user */
234
235	static bool parse_ntlm_auth_domain_user(const char *domuser, fstring domain,
236	fstring user)
237	{
238
239	char *p = strchr(domuser,winbind_separator());
240
241	if (!p) {
242	return False;
243	}
244
245	fstrcpy(user, p+1);
246	fstrcpy(domain, domuser);
247	domain[PTR_DIFF(p, domuser)] = 0;
248	strupper_m(domain);
249
250	return True;
251	}
252
253	static bool get_require_membership_sid(void) {
254	struct winbindd_request request;
255	struct winbindd_response response;
256
257	if (!require_membership_of) {
258	return True;
259	}
260
261	if (require_membership_of_sid) {
262	return True;
263	}
264
265	/* Otherwise, ask winbindd for the name->sid request */
266
267	ZERO_STRUCT(request);
268	ZERO_STRUCT(response);
269
270	if (!parse_ntlm_auth_domain_user(require_membership_of,
271	request.data.name.dom_name,
272	request.data.name.name)) {
273	DEBUG(0, ("Could not parse %s into seperate domain/name parts!\n",
274	require_membership_of));
275	return False;
276	}
277
278	if (winbindd_request_response(WINBINDD_LOOKUPNAME, &request, &response) !=
279	NSS_STATUS_SUCCESS) {
280	DEBUG(0, ("Winbindd lookupname failed to resolve %s into a SID!\n",
281	require_membership_of));
282	return False;
283	}
284
285	require_membership_of_sid = SMB_STRDUP(response.data.sid.sid);
286
287	if (require_membership_of_sid)
288	return True;
289
290	return False;
291	}
292
293	/*
294	* Get some configuration from pam_winbind.conf to see if we
295	* need to contact trusted domain
296	*/
297
298	int get_pam_winbind_config()
299	{
300	int ctrl = 0;
301	dictionary *d = NULL;
302
303	if (!opt_pam_winbind_conf \|\| !*opt_pam_winbind_conf) {
304	opt_pam_winbind_conf = PAM_WINBIND_CONFIG_FILE;
305	}
306
307	d = iniparser_load(CONST_DISCARD(char *, opt_pam_winbind_conf));
308
309	if (!d) {
310	return 0;
311	}
312
313	if (iniparser_getboolean(d, CONST_DISCARD(char *, "global:krb5_auth"), false)) {
314	ctrl \|= WINBIND_KRB5_AUTH;
315	}
316
317	iniparser_freedict(d);
318
319	return ctrl;
320	}
321
322	/* Authenticate a user with a plaintext password */
323
324	static bool check_plaintext_auth(const char user, const char pass,
325	bool stdout_diagnostics)
326	{
327	struct winbindd_request request;
328	struct winbindd_response response;
329	NSS_STATUS result;
330
331	if (!get_require_membership_sid()) {
332	return False;
333	}
334
335	/* Send off request */
336
337	ZERO_STRUCT(request);
338	ZERO_STRUCT(response);
339
340	fstrcpy(request.data.auth.user, user);
341	fstrcpy(request.data.auth.pass, pass);
342	if (require_membership_of_sid) {
343	strlcpy(request.data.auth.require_membership_of_sid,
344	require_membership_of_sid,
345	sizeof(request.data.auth.require_membership_of_sid));
346	}
347
348	result = winbindd_request_response(WINBINDD_PAM_AUTH, &request, &response);
349
350	/* Display response */
351
352	if (stdout_diagnostics) {
353	if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0)) {
354	d_printf("Reading winbind reply failed! (0x01)\n");
355	}
356
357	d_printf("%s: %s (0x%x)\n",
358	response.data.auth.nt_status_string,
359	response.data.auth.error_string,
360	response.data.auth.nt_status);
361	} else {
362	if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0)) {
363	DEBUG(1, ("Reading winbind reply failed! (0x01)\n"));
364	}
365
366	DEBUG(3, ("%s: %s (0x%x)\n",
367	response.data.auth.nt_status_string,
368	response.data.auth.error_string,
369	response.data.auth.nt_status));
370	}
371
372	return (result == NSS_STATUS_SUCCESS);
373	}
374
375	/* authenticate a user with an encrypted username/password */
376
377	NTSTATUS contact_winbind_auth_crap(const char *username,
378	const char *domain,
379	const char *workstation,
380	const DATA_BLOB *challenge,
381	const DATA_BLOB *lm_response,
382	const DATA_BLOB *nt_response,
383	uint32 flags,
384	uint8 lm_key[8],
385	uint8 user_session_key[16],
386	char **error_string,
387	char **unix_name)
388	{
389	NTSTATUS nt_status;
390	NSS_STATUS result;
391	struct winbindd_request request;
392	struct winbindd_response response;
393
394	if (!get_require_membership_sid()) {
395	return NT_STATUS_INVALID_PARAMETER;
396	}
397
398	ZERO_STRUCT(request);
399	ZERO_STRUCT(response);
400
401	request.flags = flags;
402
403	request.data.auth_crap.logon_parameters = MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT \| MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT;
404
405	if (require_membership_of_sid)
406	fstrcpy(request.data.auth_crap.require_membership_of_sid, require_membership_of_sid);
407
408	fstrcpy(request.data.auth_crap.user, username);
409	fstrcpy(request.data.auth_crap.domain, domain);
410
411	fstrcpy(request.data.auth_crap.workstation,
412	workstation);
413
414	memcpy(request.data.auth_crap.chal, challenge->data, MIN(challenge->length, 8));
415
416	if (lm_response && lm_response->length) {
417	memcpy(request.data.auth_crap.lm_resp,
418	lm_response->data,
419	MIN(lm_response->length, sizeof(request.data.auth_crap.lm_resp)));
420	request.data.auth_crap.lm_resp_len = lm_response->length;
421	}
422
423	if (nt_response && nt_response->length) {
424	if (nt_response->length > sizeof(request.data.auth_crap.nt_resp)) {
425	request.flags = request.flags \| WBFLAG_BIG_NTLMV2_BLOB;
426	request.extra_len = nt_response->length;
427	request.extra_data.data = SMB_MALLOC_ARRAY(char, request.extra_len);
428	if (request.extra_data.data == NULL) {
429	return NT_STATUS_NO_MEMORY;
430	}
431	memcpy(request.extra_data.data, nt_response->data,
432	nt_response->length);
433
434	} else {
435	memcpy(request.data.auth_crap.nt_resp,
436	nt_response->data, nt_response->length);
437	}
438	request.data.auth_crap.nt_resp_len = nt_response->length;
439	}
440
441	result = winbindd_request_response(WINBINDD_PAM_AUTH_CRAP, &request, &response);
442	SAFE_FREE(request.extra_data.data);
443
444	/* Display response */
445
446	if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0)) {
447	nt_status = NT_STATUS_UNSUCCESSFUL;
448	if (error_string)
449	*error_string = smb_xstrdup("Reading winbind reply failed!");
450	winbindd_free_response(&response);
451	return nt_status;
452	}
453
454	nt_status = (NT_STATUS(response.data.auth.nt_status));
455	if (!NT_STATUS_IS_OK(nt_status)) {
456	if (error_string)
457	*error_string = smb_xstrdup(response.data.auth.error_string);
458	winbindd_free_response(&response);
459	return nt_status;
460	}
461
462	if ((flags & WBFLAG_PAM_LMKEY) && lm_key) {
463	memcpy(lm_key, response.data.auth.first_8_lm_hash,
464	sizeof(response.data.auth.first_8_lm_hash));
465	}
466	if ((flags & WBFLAG_PAM_USER_SESSION_KEY) && user_session_key) {
467	memcpy(user_session_key, response.data.auth.user_session_key,
468	sizeof(response.data.auth.user_session_key));
469	}
470
471	if (flags & WBFLAG_PAM_UNIX_NAME) {
472	*unix_name = SMB_STRDUP(response.data.auth.unix_username);
473	if (!*unix_name) {
474	winbindd_free_response(&response);
475	return NT_STATUS_NO_MEMORY;
476	}
477	}
478
479	winbindd_free_response(&response);
480	return nt_status;
481	}
482
483	/* contact server to change user password using auth crap */
484	static NTSTATUS contact_winbind_change_pswd_auth_crap(const char *username,
485	const char *domain,
486	const DATA_BLOB new_nt_pswd,
487	const DATA_BLOB old_nt_hash_enc,
488	const DATA_BLOB new_lm_pswd,
489	const DATA_BLOB old_lm_hash_enc,
490	char **error_string)
491	{
492	NTSTATUS nt_status;
493	NSS_STATUS result;
494	struct winbindd_request request;
495	struct winbindd_response response;
496
497	if (!get_require_membership_sid())
498	{
499	if(error_string)
500	*error_string = smb_xstrdup("Can't get membership sid.");
501	return NT_STATUS_INVALID_PARAMETER;
502	}
503
504	ZERO_STRUCT(request);
505	ZERO_STRUCT(response);
506
507	if(username != NULL)
508	fstrcpy(request.data.chng_pswd_auth_crap.user, username);
509	if(domain != NULL)
510	fstrcpy(request.data.chng_pswd_auth_crap.domain,domain);
511
512	if(new_nt_pswd.length)
513	{
514	memcpy(request.data.chng_pswd_auth_crap.new_nt_pswd, new_nt_pswd.data, sizeof(request.data.chng_pswd_auth_crap.new_nt_pswd));
515	request.data.chng_pswd_auth_crap.new_nt_pswd_len = new_nt_pswd.length;
516	}
517
518	if(old_nt_hash_enc.length)
519	{
520	memcpy(request.data.chng_pswd_auth_crap.old_nt_hash_enc, old_nt_hash_enc.data, sizeof(request.data.chng_pswd_auth_crap.old_nt_hash_enc));
521	request.data.chng_pswd_auth_crap.old_nt_hash_enc_len = old_nt_hash_enc.length;
522	}
523
524	if(new_lm_pswd.length)
525	{
526	memcpy(request.data.chng_pswd_auth_crap.new_lm_pswd, new_lm_pswd.data, sizeof(request.data.chng_pswd_auth_crap.new_lm_pswd));
527	request.data.chng_pswd_auth_crap.new_lm_pswd_len = new_lm_pswd.length;
528	}
529
530	if(old_lm_hash_enc.length)
531	{
532	memcpy(request.data.chng_pswd_auth_crap.old_lm_hash_enc, old_lm_hash_enc.data, sizeof(request.data.chng_pswd_auth_crap.old_lm_hash_enc));
533	request.data.chng_pswd_auth_crap.old_lm_hash_enc_len = old_lm_hash_enc.length;
534	}
535
536	result = winbindd_request_response(WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP, &request, &response);
537
538	/* Display response */
539
540	if ((result != NSS_STATUS_SUCCESS) && (response.data.auth.nt_status == 0))
541	{
542	nt_status = NT_STATUS_UNSUCCESSFUL;
543	if (error_string)
544	*error_string = smb_xstrdup("Reading winbind reply failed!");
545	winbindd_free_response(&response);
546	return nt_status;
547	}
548
549	nt_status = (NT_STATUS(response.data.auth.nt_status));
550	if (!NT_STATUS_IS_OK(nt_status))
551	{
552	if (error_string)
553	*error_string = smb_xstrdup(response.data.auth.error_string);
554	winbindd_free_response(&response);
555	return nt_status;
556	}
557
558	winbindd_free_response(&response);
559
560	return nt_status;
561	}
562
563	static NTSTATUS winbind_pw_check(struct ntlmssp_state ntlmssp_state, DATA_BLOB user_session_key, DATA_BLOB *lm_session_key)
564	{
565	static const char zeros[16] = { 0, };
566	NTSTATUS nt_status;
567	char *error_string = NULL;
568	uint8 lm_key[8];
569	uint8 user_sess_key[16];
570	char *unix_name = NULL;
571
572	nt_status = contact_winbind_auth_crap(ntlmssp_state->user, ntlmssp_state->domain,
573	ntlmssp_state->workstation,
574	&ntlmssp_state->chal,
575	&ntlmssp_state->lm_resp,
576	&ntlmssp_state->nt_resp,
577	WBFLAG_PAM_LMKEY \| WBFLAG_PAM_USER_SESSION_KEY \| WBFLAG_PAM_UNIX_NAME,
578	lm_key, user_sess_key,
579	&error_string, &unix_name);
580
581	if (NT_STATUS_IS_OK(nt_status)) {
582	if (memcmp(lm_key, zeros, 8) != 0) {
583	*lm_session_key = data_blob_talloc(ntlmssp_state, NULL, 16);
584	memcpy(lm_session_key->data, lm_key, 8);
585	memset(lm_session_key->data+8, '\0', 8);
586	}
587
588	if (memcmp(user_sess_key, zeros, 16) != 0) {
589	*user_session_key = data_blob_talloc(ntlmssp_state, user_sess_key, 16);
590	}
591	ntlmssp_state->auth_context = talloc_strdup(ntlmssp_state,
592	unix_name);
593	} else {
594	DEBUG(NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED) ? 0 : 3,
595	("Login for user [%s]\\[%s]@[%s] failed due to [%s]\n",
596	ntlmssp_state->domain, ntlmssp_state->user,
597	ntlmssp_state->workstation,
598	error_string ? error_string : "unknown error (NULL)"));
599	ntlmssp_state->auth_context = NULL;
600	}
601
602	SAFE_FREE(error_string);
603	SAFE_FREE(unix_name);
604	return nt_status;
605	}
606
607	static NTSTATUS local_pw_check(struct ntlmssp_state ntlmssp_state, DATA_BLOB user_session_key, DATA_BLOB *lm_session_key)
608	{
609	NTSTATUS nt_status;
610	struct samr_Password lm_pw, nt_pw;
611
612	nt_lm_owf_gen (opt_password, nt_pw.hash, lm_pw.hash);
613
614	nt_status = ntlm_password_check(ntlmssp_state,
615	true, true, 0,
616	&ntlmssp_state->chal,
617	&ntlmssp_state->lm_resp,
618	&ntlmssp_state->nt_resp,
619	ntlmssp_state->user,
620	ntlmssp_state->user,
621	ntlmssp_state->domain,
622	&lm_pw, &nt_pw, user_session_key, lm_session_key);
623
624	if (NT_STATUS_IS_OK(nt_status)) {
625	ntlmssp_state->auth_context = talloc_asprintf(ntlmssp_state,
626	"%s%c%s", ntlmssp_state->domain,
627	*lp_winbind_separator(),
628	ntlmssp_state->user);
629	} else {
630	DEBUG(3, ("Login for user [%s]\\[%s]@[%s] failed due to [%s]\n",
631	ntlmssp_state->domain, ntlmssp_state->user, ntlmssp_state->workstation,
632	nt_errstr(nt_status)));
633	ntlmssp_state->auth_context = NULL;
634	}
635	return nt_status;
636	}
637
638	static NTSTATUS ntlm_auth_start_ntlmssp_client(NTLMSSP_STATE **client_ntlmssp_state)
639	{
640	NTSTATUS status;
641	if ( (opt_username == NULL) \|\| (opt_domain == NULL) ) {
642	status = NT_STATUS_UNSUCCESSFUL;
643	DEBUG(1, ("Need username and domain for NTLMSSP\n"));
644	return NT_STATUS_INVALID_PARAMETER;
645	}
646
647	status = ntlmssp_client_start(client_ntlmssp_state);
648
649	if (!NT_STATUS_IS_OK(status)) {
650	DEBUG(1, ("Could not start NTLMSSP client: %s\n",
651	nt_errstr(status)));
652	ntlmssp_end(client_ntlmssp_state);
653	return status;
654	}
655
656	status = ntlmssp_set_username(*client_ntlmssp_state, opt_username);
657
658	if (!NT_STATUS_IS_OK(status)) {
659	DEBUG(1, ("Could not set username: %s\n",
660	nt_errstr(status)));
661	ntlmssp_end(client_ntlmssp_state);
662	return status;
663	}
664
665	status = ntlmssp_set_domain(*client_ntlmssp_state, opt_domain);
666
667	if (!NT_STATUS_IS_OK(status)) {
668	DEBUG(1, ("Could not set domain: %s\n",
669	nt_errstr(status)));
670	ntlmssp_end(client_ntlmssp_state);
671	return status;
672	}
673
674	if (opt_password) {
675	status = ntlmssp_set_password(*client_ntlmssp_state, opt_password);
676
677	if (!NT_STATUS_IS_OK(status)) {
678	DEBUG(1, ("Could not set password: %s\n",
679	nt_errstr(status)));
680	ntlmssp_end(client_ntlmssp_state);
681	return status;
682	}
683	}
684
685	return NT_STATUS_OK;
686	}
687
688	static NTSTATUS ntlm_auth_start_ntlmssp_server(NTLMSSP_STATE **ntlmssp_state)
689	{
690	NTSTATUS status = ntlmssp_server_start(ntlmssp_state);
691
692	if (!NT_STATUS_IS_OK(status)) {
693	DEBUG(1, ("Could not start NTLMSSP server: %s\n",
694	nt_errstr(status)));
695	return status;
696	}
697
698	/* Have we been given a local password, or should we ask winbind? */
699	if (opt_password) {
700	(*ntlmssp_state)->check_password = local_pw_check;
701	(*ntlmssp_state)->get_domain = lp_workgroup;
702	(*ntlmssp_state)->get_global_myname = global_myname;
703	} else {
704	(*ntlmssp_state)->check_password = winbind_pw_check;
705	(*ntlmssp_state)->get_domain = get_winbind_domain;
706	(*ntlmssp_state)->get_global_myname = get_winbind_netbios_name;
707	}
708	return NT_STATUS_OK;
709	}
710
711	/*******************************************************************
712	Used by firefox to drive NTLM auth to IIS servers.
713	*******************************************************************/
714
715	static NTSTATUS do_ccache_ntlm_auth(DATA_BLOB initial_msg, DATA_BLOB challenge_msg,
716	DATA_BLOB *reply)
717	{
718	struct winbindd_request wb_request;
719	struct winbindd_response wb_response;
720	int ctrl = 0;
721	NSS_STATUS result;
722
723	/* get winbindd to do the ntlmssp step on our behalf */
724	ZERO_STRUCT(wb_request);
725	ZERO_STRUCT(wb_response);
726
727	/*
728	* This is tricky here. If we set krb5_auth in pam_winbind.conf
729	* creds for users in trusted domain will be stored the winbindd
730	* child of the trusted domain. If we ask the primary domain for
731	* ntlm_ccache_auth, it will fail. So, we have to ask the trusted
732	* domain's child for ccache_ntlm_auth. that is to say, we have to
733	* set WBFALG_PAM_CONTACT_TRUSTDOM in request.flags.
734	*/
735	ctrl = get_pam_winbind_config();
736
737	if (ctrl \| WINBIND_KRB5_AUTH) {
738	wb_request.flags \|= WBFLAG_PAM_CONTACT_TRUSTDOM;
739	}
740
741	fstr_sprintf(wb_request.data.ccache_ntlm_auth.user,
742	"%s%c%s", opt_domain, winbind_separator(), opt_username);
743	wb_request.data.ccache_ntlm_auth.uid = geteuid();
744	wb_request.data.ccache_ntlm_auth.initial_blob_len = initial_msg.length;
745	wb_request.data.ccache_ntlm_auth.challenge_blob_len = challenge_msg.length;
746	wb_request.extra_len = initial_msg.length + challenge_msg.length;
747
748	if (wb_request.extra_len > 0) {
749	wb_request.extra_data.data = SMB_MALLOC_ARRAY(char, wb_request.extra_len);
750	if (wb_request.extra_data.data == NULL) {
751	return NT_STATUS_NO_MEMORY;
752	}
753
754	memcpy(wb_request.extra_data.data, initial_msg.data, initial_msg.length);
755	memcpy(wb_request.extra_data.data + initial_msg.length,
756	challenge_msg.data, challenge_msg.length);
757	}
758
759	result = winbindd_request_response(WINBINDD_CCACHE_NTLMAUTH, &wb_request, &wb_response);
760	SAFE_FREE(wb_request.extra_data.data);
761
762	if (result != NSS_STATUS_SUCCESS) {
763	winbindd_free_response(&wb_response);
764	return NT_STATUS_UNSUCCESSFUL;
765	}
766
767	if (reply) {
768	*reply = data_blob(wb_response.extra_data.data,
769	wb_response.data.ccache_ntlm_auth.auth_blob_len);
770	if (wb_response.data.ccache_ntlm_auth.auth_blob_len > 0 &&
771	reply->data == NULL) {
772	winbindd_free_response(&wb_response);
773	return NT_STATUS_NO_MEMORY;
774	}
775	}
776
777	winbindd_free_response(&wb_response);
778	return NT_STATUS_MORE_PROCESSING_REQUIRED;
779	}
780
781	static void manage_squid_ntlmssp_request(struct ntlm_auth_state *state,
782	char *buf, int length)
783	{
784	DATA_BLOB request, reply;
785	NTSTATUS nt_status;
786
787	if (strlen(buf) < 2) {
788	DEBUG(1, ("NTLMSSP query [%s] invalid", buf));
789	x_fprintf(x_stdout, "BH NTLMSSP query invalid\n");
790	return;
791	}
792
793	if (strlen(buf) > 3) {
794	if(strncmp(buf, "SF ", 3) == 0){
795	DEBUG(10, ("Setting flags to negotioate\n"));
796	TALLOC_FREE(state->want_feature_list);
797	state->want_feature_list = talloc_strdup(state->mem_ctx,
798	buf+3);
799	x_fprintf(x_stdout, "OK\n");
800	return;
801	}
802	request = base64_decode_data_blob(buf + 3);
803	} else {
804	request = data_blob_null;
805	}
806
807	if ((strncmp(buf, "PW ", 3) == 0)) {
808	/* The calling application wants us to use a local password
809	* (rather than winbindd) */
810
811	opt_password = SMB_STRNDUP((const char *)request.data,
812	request.length);
813
814	if (opt_password == NULL) {
815	DEBUG(1, ("Out of memory\n"));
816	x_fprintf(x_stdout, "BH Out of memory\n");
817	data_blob_free(&request);
818	return;
819	}
820
821	x_fprintf(x_stdout, "OK\n");
822	data_blob_free(&request);
823	return;
824	}
825
826	if (strncmp(buf, "YR", 2) == 0) {
827	if (state->ntlmssp_state)
828	ntlmssp_end(&state->ntlmssp_state);
829	state->svr_state = SERVER_INITIAL;
830	} else if (strncmp(buf, "KK", 2) == 0) {
831	/* No special preprocessing required */
832	} else if (strncmp(buf, "GF", 2) == 0) {
833	DEBUG(10, ("Requested negotiated NTLMSSP flags\n"));
834
835	if (state->svr_state == SERVER_FINISHED) {
836	x_fprintf(x_stdout, "GF 0x%08x\n", state->neg_flags);
837	}
838	else {
839	x_fprintf(x_stdout, "BH\n");
840	}
841	data_blob_free(&request);
842	return;
843	} else if (strncmp(buf, "GK", 2) == 0) {
844	DEBUG(10, ("Requested NTLMSSP session key\n"));
845	if(state->have_session_key) {
846	char *key64 = base64_encode_data_blob(state->mem_ctx,
847	state->session_key);
848	x_fprintf(x_stdout, "GK %s\n", key64?key64:"<NULL>");
849	TALLOC_FREE(key64);
850	} else {
851	x_fprintf(x_stdout, "BH\n");
852	}
853
854	data_blob_free(&request);
855	return;
856	} else {
857	DEBUG(1, ("NTLMSSP query [%s] invalid", buf));
858	x_fprintf(x_stdout, "BH NTLMSSP query invalid\n");
859	return;
860	}
861
862	if (!state->ntlmssp_state) {
863	nt_status = ntlm_auth_start_ntlmssp_server(
864	&state->ntlmssp_state);
865	if (!NT_STATUS_IS_OK(nt_status)) {
866	x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status));
867	return;
868	}
869	ntlmssp_want_feature_list(state->ntlmssp_state,
870	state->want_feature_list);
871	}
872
873	DEBUG(10, ("got NTLMSSP packet:\n"));
874	dump_data(10, request.data, request.length);
875
876	nt_status = ntlmssp_update(state->ntlmssp_state, request, &reply);
877
878	if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
879	char *reply_base64 = base64_encode_data_blob(state->mem_ctx,
880	reply);
881	x_fprintf(x_stdout, "TT %s\n", reply_base64);
882	TALLOC_FREE(reply_base64);
883	data_blob_free(&reply);
884	state->svr_state = SERVER_CHALLENGE;
885	DEBUG(10, ("NTLMSSP challenge\n"));
886	} else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED)) {
887	x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status));
888	DEBUG(0, ("NTLMSSP BH: %s\n", nt_errstr(nt_status)));
889
890	ntlmssp_end(&state->ntlmssp_state);
891	} else if (!NT_STATUS_IS_OK(nt_status)) {
892	x_fprintf(x_stdout, "NA %s\n", nt_errstr(nt_status));
893	DEBUG(10, ("NTLMSSP %s\n", nt_errstr(nt_status)));
894	} else {
895	x_fprintf(x_stdout, "AF %s\n",
896	(char *)state->ntlmssp_state->auth_context);
897	DEBUG(10, ("NTLMSSP OK!\n"));
898
899	if(state->have_session_key)
900	data_blob_free(&state->session_key);
901	state->session_key = data_blob(
902	state->ntlmssp_state->session_key.data,
903	state->ntlmssp_state->session_key.length);
904	state->neg_flags = state->ntlmssp_state->neg_flags;
905	state->have_session_key = true;
906	state->svr_state = SERVER_FINISHED;
907	}
908
909	data_blob_free(&request);
910	}
911
912	static void manage_client_ntlmssp_request(struct ntlm_auth_state *state,
913	char *buf, int length)
914	{
915	DATA_BLOB request, reply;
916	NTSTATUS nt_status;
917
918	if (!opt_username \|\| !*opt_username) {
919	x_fprintf(x_stderr, "username must be specified!\n\n");
920	exit(1);
921	}
922
923	if (strlen(buf) < 2) {
924	DEBUG(1, ("NTLMSSP query [%s] invalid", buf));
925	x_fprintf(x_stdout, "BH NTLMSSP query invalid\n");
926	return;
927	}
928
929	if (strlen(buf) > 3) {
930	if(strncmp(buf, "SF ", 3) == 0) {
931	DEBUG(10, ("Looking for flags to negotiate\n"));
932	talloc_free(state->want_feature_list);
933	state->want_feature_list = talloc_strdup(state->mem_ctx,
934	buf+3);
935	x_fprintf(x_stdout, "OK\n");
936	return;
937	}
938	request = base64_decode_data_blob(buf + 3);
939	} else {
940	request = data_blob_null;
941	}
942
943	if (strncmp(buf, "PW ", 3) == 0) {
944	/* We asked for a password and obviously got it :-) */
945
946	opt_password = SMB_STRNDUP((const char *)request.data,
947	request.length);
948
949	if (opt_password == NULL) {
950	DEBUG(1, ("Out of memory\n"));
951	x_fprintf(x_stdout, "BH Out of memory\n");
952	data_blob_free(&request);
953	return;
954	}
955
956	x_fprintf(x_stdout, "OK\n");
957	data_blob_free(&request);
958	return;
959	}
960
961	if (!state->ntlmssp_state && use_cached_creds) {
962	/* check whether cached credentials are usable. */
963	DATA_BLOB empty_blob = data_blob_null;
964
965	nt_status = do_ccache_ntlm_auth(empty_blob, empty_blob, NULL);
966	if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
967	/* failed to use cached creds */
968	use_cached_creds = False;
969	}
970	}
971
972	if (opt_password == NULL && !use_cached_creds) {
973	/* Request a password from the calling process. After
974	sending it, the calling process should retry asking for the
975	negotiate. */
976
977	DEBUG(10, ("Requesting password\n"));
978	x_fprintf(x_stdout, "PW\n");
979	return;
980	}
981
982	if (strncmp(buf, "YR", 2) == 0) {
983	if (state->ntlmssp_state)
984	ntlmssp_end(&state->ntlmssp_state);
985	state->cli_state = CLIENT_INITIAL;
986	} else if (strncmp(buf, "TT", 2) == 0) {
987	/* No special preprocessing required */
988	} else if (strncmp(buf, "GF", 2) == 0) {
989	DEBUG(10, ("Requested negotiated NTLMSSP flags\n"));
990
991	if(state->cli_state == CLIENT_FINISHED) {
992	x_fprintf(x_stdout, "GF 0x%08x\n", state->neg_flags);
993	}
994	else {
995	x_fprintf(x_stdout, "BH\n");
996	}
997
998	data_blob_free(&request);
999	return;
1000	} else if (strncmp(buf, "GK", 2) == 0 ) {
1001	DEBUG(10, ("Requested session key\n"));
1002
1003	if(state->cli_state == CLIENT_FINISHED) {
1004	char *key64 = base64_encode_data_blob(state->mem_ctx,
1005	state->session_key);
1006	x_fprintf(x_stdout, "GK %s\n", key64?key64:"<NULL>");
1007	TALLOC_FREE(key64);
1008	}
1009	else {
1010	x_fprintf(x_stdout, "BH\n");
1011	}
1012
1013	data_blob_free(&request);
1014	return;
1015	} else {
1016	DEBUG(1, ("NTLMSSP query [%s] invalid", buf));
1017	x_fprintf(x_stdout, "BH NTLMSSP query invalid\n");
1018	return;
1019	}
1020
1021	if (!state->ntlmssp_state) {
1022	nt_status = ntlm_auth_start_ntlmssp_client(
1023	&state->ntlmssp_state);
1024	if (!NT_STATUS_IS_OK(nt_status)) {
1025	x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status));
1026	return;
1027	}
1028	ntlmssp_want_feature_list(state->ntlmssp_state,
1029	state->want_feature_list);
1030	state->initial_message = data_blob_null;
1031	}
1032
1033	DEBUG(10, ("got NTLMSSP packet:\n"));
1034	dump_data(10, request.data, request.length);
1035
1036	if (use_cached_creds && !opt_password &&
1037	(state->cli_state == CLIENT_RESPONSE)) {
1038	nt_status = do_ccache_ntlm_auth(state->initial_message, request,
1039	&reply);
1040	} else {
1041	nt_status = ntlmssp_update(state->ntlmssp_state, request,
1042	&reply);
1043	}
1044
1045	if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1046	char *reply_base64 = base64_encode_data_blob(state->mem_ctx,
1047	reply);
1048	if (state->cli_state == CLIENT_INITIAL) {
1049	x_fprintf(x_stdout, "YR %s\n", reply_base64);
1050	state->initial_message = reply;
1051	state->cli_state = CLIENT_RESPONSE;
1052	} else {
1053	x_fprintf(x_stdout, "KK %s\n", reply_base64);
1054	data_blob_free(&reply);
1055	}
1056	TALLOC_FREE(reply_base64);
1057	DEBUG(10, ("NTLMSSP challenge\n"));
1058	} else if (NT_STATUS_IS_OK(nt_status)) {
1059	char *reply_base64 = base64_encode_data_blob(talloc_tos(),
1060	reply);
1061	x_fprintf(x_stdout, "AF %s\n", reply_base64);
1062	TALLOC_FREE(reply_base64);
1063
1064	if(state->have_session_key)
1065	data_blob_free(&state->session_key);
1066
1067	state->session_key = data_blob(
1068	state->ntlmssp_state->session_key.data,
1069	state->ntlmssp_state->session_key.length);
1070	state->neg_flags = state->ntlmssp_state->neg_flags;
1071	state->have_session_key = true;
1072
1073	DEBUG(10, ("NTLMSSP OK!\n"));
1074	state->cli_state = CLIENT_FINISHED;
1075	if (state->ntlmssp_state)
1076	ntlmssp_end(&state->ntlmssp_state);
1077	} else {
1078	x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status));
1079	DEBUG(0, ("NTLMSSP BH: %s\n", nt_errstr(nt_status)));
1080	state->cli_state = CLIENT_ERROR;
1081	if (state->ntlmssp_state)
1082	ntlmssp_end(&state->ntlmssp_state);
1083	}
1084
1085	data_blob_free(&request);
1086	}
1087
1088	static void manage_squid_basic_request(struct ntlm_auth_state *state,
1089	char *buf, int length)
1090	{
1091	char user, pass;
1092	user=buf;
1093
1094	pass=(char *)memchr(buf,' ',length);
1095	if (!pass) {
1096	DEBUG(2, ("Password not found. Denying access\n"));
1097	x_fprintf(x_stdout, "ERR\n");
1098	return;
1099	}
1100	*pass='\0';
1101	pass++;
1102
1103	if (state->helper_mode == SQUID_2_5_BASIC) {
1104	rfc1738_unescape(user);
1105	rfc1738_unescape(pass);
1106	}
1107
1108	if (check_plaintext_auth(user, pass, False)) {
1109	x_fprintf(x_stdout, "OK\n");
1110	} else {
1111	x_fprintf(x_stdout, "ERR\n");
1112	}
1113	}
1114
1115	static void offer_gss_spnego_mechs(void) {
1116
1117	DATA_BLOB token;
1118	struct spnego_data spnego;
1119	ssize_t len;
1120	char *reply_base64;
1121	TALLOC_CTX *ctx = talloc_tos();
1122	char *principal;
1123	char *myname_lower;
1124
1125	ZERO_STRUCT(spnego);
1126
1127	myname_lower = talloc_strdup(ctx, global_myname());
1128	if (!myname_lower) {
1129	return;
1130	}
1131	strlower_m(myname_lower);
1132
1133	principal = talloc_asprintf(ctx, "%s$@%s", myname_lower, lp_realm());
1134	if (!principal) {
1135	return;
1136	}
1137
1138	/* Server negTokenInit (mech offerings) */
1139	spnego.type = SPNEGO_NEG_TOKEN_INIT;
1140	spnego.negTokenInit.mechTypes = talloc_array(ctx, const char *, 2);
1141	#ifdef HAVE_KRB5
1142	spnego.negTokenInit.mechTypes[0] = talloc_strdup(ctx, OID_KERBEROS5_OLD);
1143	spnego.negTokenInit.mechTypes[1] = talloc_strdup(ctx, OID_NTLMSSP);
1144	spnego.negTokenInit.mechTypes[2] = NULL;
1145	#else
1146	spnego.negTokenInit.mechTypes[0] = talloc_strdup(ctx, OID_NTLMSSP);
1147	spnego.negTokenInit.mechTypes[1] = NULL;
1148	#endif
1149
1150
1151	spnego.negTokenInit.mechListMIC = data_blob_talloc(ctx, principal,
1152	strlen(principal));
1153
1154	len = spnego_write_data(ctx, &token, &spnego);
1155	spnego_free_data(&spnego);
1156
1157	if (len == -1) {
1158	DEBUG(1, ("Could not write SPNEGO data blob\n"));
1159	x_fprintf(x_stdout, "BH Could not write SPNEGO data blob\n");
1160	return;
1161	}
1162
1163	reply_base64 = base64_encode_data_blob(talloc_tos(), token);
1164	x_fprintf(x_stdout, "TT %s *\n", reply_base64);
1165
1166	TALLOC_FREE(reply_base64);
1167	data_blob_free(&token);
1168	DEBUG(10, ("sent SPNEGO negTokenInit\n"));
1169	return;
1170	}
1171
1172	static void manage_gss_spnego_request(struct ntlm_auth_state *state,
1173	char *buf, int length)
1174	{
1175	static NTLMSSP_STATE *ntlmssp_state = NULL;
1176	struct spnego_data request, response;
1177	DATA_BLOB token;
1178	NTSTATUS status;
1179	ssize_t len;
1180	TALLOC_CTX *ctx = talloc_tos();
1181
1182	char *user = NULL;
1183	char *domain = NULL;
1184
1185	const char *reply_code;
1186	char *reply_base64;
1187	char *reply_argument = NULL;
1188
1189	if (strlen(buf) < 2) {
1190	DEBUG(1, ("SPENGO query [%s] invalid", buf));
1191	x_fprintf(x_stdout, "BH SPENGO query invalid\n");
1192	return;
1193	}
1194
1195	if (strncmp(buf, "YR", 2) == 0) {
1196	if (ntlmssp_state)
1197	ntlmssp_end(&ntlmssp_state);
1198	} else if (strncmp(buf, "KK", 2) == 0) {
1199	;
1200	} else {
1201	DEBUG(1, ("SPENGO query [%s] invalid", buf));
1202	x_fprintf(x_stdout, "BH SPENGO query invalid\n");
1203	return;
1204	}
1205
1206	if ( (strlen(buf) == 2)) {
1207
1208	/* no client data, get the negTokenInit offering
1209	mechanisms */
1210
1211	offer_gss_spnego_mechs();
1212	return;
1213	}
1214
1215	/* All subsequent requests have a blob. This might be negTokenInit or negTokenTarg */
1216
1217	if (strlen(buf) <= 3) {
1218	DEBUG(1, ("GSS-SPNEGO query [%s] invalid\n", buf));
1219	x_fprintf(x_stdout, "BH GSS-SPNEGO query invalid\n");
1220	return;
1221	}
1222
1223	token = base64_decode_data_blob(buf + 3);
1224	len = spnego_read_data(ctx, token, &request);
1225	data_blob_free(&token);
1226
1227	if (len == -1) {
1228	DEBUG(1, ("GSS-SPNEGO query [%s] invalid", buf));
1229	x_fprintf(x_stdout, "BH GSS-SPNEGO query invalid\n");
1230	return;
1231	}
1232
1233	if (request.type == SPNEGO_NEG_TOKEN_INIT) {
1234
1235	/* Second request from Client. This is where the
1236	client offers its mechanism to use. */
1237
1238	if ( (request.negTokenInit.mechTypes == NULL) \|\|
1239	(request.negTokenInit.mechTypes[0] == NULL) ) {
1240	DEBUG(1, ("Client did not offer any mechanism"));
1241	x_fprintf(x_stdout, "BH Client did not offer any "
1242	"mechanism\n");
1243	return;
1244	}
1245
1246	status = NT_STATUS_UNSUCCESSFUL;
1247	if (strcmp(request.negTokenInit.mechTypes[0], OID_NTLMSSP) == 0) {
1248
1249	if ( request.negTokenInit.mechToken.data == NULL ) {
1250	DEBUG(1, ("Client did not provide NTLMSSP data\n"));
1251	x_fprintf(x_stdout, "BH Client did not provide "
1252	"NTLMSSP data\n");
1253	return;
1254	}
1255
1256	if ( ntlmssp_state != NULL ) {
1257	DEBUG(1, ("Client wants a new NTLMSSP challenge, but "
1258	"already got one\n"));
1259	x_fprintf(x_stdout, "BH Client wants a new "
1260	"NTLMSSP challenge, but "
1261	"already got one\n");
1262	ntlmssp_end(&ntlmssp_state);
1263	return;
1264	}
1265
1266	if (!NT_STATUS_IS_OK(status = ntlm_auth_start_ntlmssp_server(&ntlmssp_state))) {
1267	x_fprintf(x_stdout, "BH %s\n", nt_errstr(status));
1268	return;
1269	}
1270
1271	DEBUG(10, ("got NTLMSSP packet:\n"));
1272	dump_data(10, request.negTokenInit.mechToken.data,
1273	request.negTokenInit.mechToken.length);
1274
1275	response.type = SPNEGO_NEG_TOKEN_TARG;
1276	response.negTokenTarg.supportedMech = talloc_strdup(ctx, OID_NTLMSSP);
1277	response.negTokenTarg.mechListMIC = data_blob_talloc(ctx, NULL, 0);
1278
1279	status = ntlmssp_update(ntlmssp_state,
1280	request.negTokenInit.mechToken,
1281	&response.negTokenTarg.responseToken);
1282	}
1283
1284	#ifdef HAVE_KRB5
1285	if (strcmp(request.negTokenInit.mechTypes[0], OID_KERBEROS5_OLD) == 0) {
1286
1287	TALLOC_CTX *mem_ctx = talloc_init("manage_gss_spnego_request");
1288	char *principal;
1289	DATA_BLOB ap_rep;
1290	DATA_BLOB session_key;
1291	struct PAC_DATA *pac_data = NULL;
1292
1293	if ( request.negTokenInit.mechToken.data == NULL ) {
1294	DEBUG(1, ("Client did not provide Kerberos data\n"));
1295	x_fprintf(x_stdout, "BH Client did not provide "
1296	"Kerberos data\n");
1297	return;
1298	}
1299
1300	response.type = SPNEGO_NEG_TOKEN_TARG;
1301	response.negTokenTarg.supportedMech = talloc_strdup(ctx, OID_KERBEROS5_OLD);
1302	response.negTokenTarg.mechListMIC = data_blob_talloc(ctx, NULL, 0);
1303	response.negTokenTarg.responseToken = data_blob_talloc(ctx, NULL, 0);
1304
1305	status = ads_verify_ticket(mem_ctx, lp_realm(), 0,
1306	&request.negTokenInit.mechToken,
1307	&principal, &pac_data, &ap_rep,
1308	&session_key, True);
1309
1310	/* Now in "principal" we have the name we are
1311	authenticated as. */
1312
1313	if (NT_STATUS_IS_OK(status)) {
1314
1315	domain = strchr_m(principal, '@');
1316
1317	if (domain == NULL) {
1318	DEBUG(1, ("Did not get a valid principal "
1319	"from ads_verify_ticket\n"));
1320	x_fprintf(x_stdout, "BH Did not get a "
1321	"valid principal from "
1322	"ads_verify_ticket\n");
1323	return;
1324	}
1325
1326	*domain++ = '\0';
1327	domain = SMB_STRDUP(domain);
1328	user = SMB_STRDUP(principal);
1329
1330	data_blob_free(&ap_rep);
1331	}
1332
1333	TALLOC_FREE(mem_ctx);
1334	}
1335	#endif
1336
1337	} else {
1338
1339	if ( (request.negTokenTarg.supportedMech == NULL) \|\|
1340	( strcmp(request.negTokenTarg.supportedMech, OID_NTLMSSP) != 0 ) ) {
1341	/* Kerberos should never send a negTokenTarg, OID_NTLMSSP
1342	is the only one we support that sends this stuff */
1343	DEBUG(1, ("Got a negTokenTarg for something non-NTLMSSP: %s\n",
1344	request.negTokenTarg.supportedMech));
1345	x_fprintf(x_stdout, "BH Got a negTokenTarg for "
1346	"something non-NTLMSSP\n");
1347	return;
1348	}
1349
1350	if (request.negTokenTarg.responseToken.data == NULL) {
1351	DEBUG(1, ("Got a negTokenTarg without a responseToken!\n"));
1352	x_fprintf(x_stdout, "BH Got a negTokenTarg without a "
1353	"responseToken!\n");
1354	return;
1355	}
1356
1357	status = ntlmssp_update(ntlmssp_state,
1358	request.negTokenTarg.responseToken,
1359	&response.negTokenTarg.responseToken);
1360
1361	response.type = SPNEGO_NEG_TOKEN_TARG;
1362	response.negTokenTarg.supportedMech = talloc_strdup(ctx, OID_NTLMSSP);
1363	response.negTokenTarg.mechListMIC = data_blob_talloc(ctx, NULL, 0);
1364
1365	if (NT_STATUS_IS_OK(status)) {
1366	user = SMB_STRDUP(ntlmssp_state->user);
1367	domain = SMB_STRDUP(ntlmssp_state->domain);
1368	ntlmssp_end(&ntlmssp_state);
1369	}
1370	}
1371
1372	spnego_free_data(&request);
1373
1374	if (NT_STATUS_IS_OK(status)) {
1375	response.negTokenTarg.negResult = SPNEGO_ACCEPT_COMPLETED;
1376	reply_code = "AF";
1377	reply_argument = talloc_asprintf(ctx, "%s\\%s", domain, user);
1378	} else if (NT_STATUS_EQUAL(status,
1379	NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1380	response.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE;
1381	reply_code = "TT";
1382	reply_argument = talloc_strdup(ctx, "*");
1383	} else {
1384	response.negTokenTarg.negResult = SPNEGO_REJECT;
1385	reply_code = "NA";
1386	reply_argument = talloc_strdup(ctx, nt_errstr(status));
1387	}
1388
1389	if (!reply_argument) {
1390	DEBUG(1, ("Could not write SPNEGO data blob\n"));
1391	x_fprintf(x_stdout, "BH Could not write SPNEGO data blob\n");
1392	return;
1393	}
1394
1395	SAFE_FREE(user);
1396	SAFE_FREE(domain);
1397
1398	len = spnego_write_data(ctx, &token, &response);
1399	spnego_free_data(&response);
1400
1401	if (len == -1) {
1402	DEBUG(1, ("Could not write SPNEGO data blob\n"));
1403	x_fprintf(x_stdout, "BH Could not write SPNEGO data blob\n");
1404	return;
1405	}
1406
1407	reply_base64 = base64_encode_data_blob(talloc_tos(), token);
1408
1409	x_fprintf(x_stdout, "%s %s %s\n",
1410	reply_code, reply_base64, reply_argument);
1411
1412	TALLOC_FREE(reply_base64);
1413	data_blob_free(&token);
1414
1415	return;
1416	}
1417
1418	static NTLMSSP_STATE *client_ntlmssp_state = NULL;
1419
1420	static bool manage_client_ntlmssp_init(struct spnego_data spnego)
1421	{
1422	NTSTATUS status;
1423	DATA_BLOB null_blob = data_blob_null;
1424	DATA_BLOB to_server;
1425	char *to_server_base64;
1426	const char *my_mechs[] = {OID_NTLMSSP, NULL};
1427	TALLOC_CTX *ctx = talloc_tos();
1428
1429	DEBUG(10, ("Got spnego negTokenInit with NTLMSSP\n"));
1430
1431	if (client_ntlmssp_state != NULL) {
1432	DEBUG(1, ("Request for initial SPNEGO request where "
1433	"we already have a state\n"));
1434	return False;
1435	}
1436
1437	if (!client_ntlmssp_state) {
1438	if (!NT_STATUS_IS_OK(status = ntlm_auth_start_ntlmssp_client(&client_ntlmssp_state))) {
1439	x_fprintf(x_stdout, "BH %s\n", nt_errstr(status));
1440	return False;
1441	}
1442	}
1443
1444
1445	if (opt_password == NULL) {
1446
1447	/* Request a password from the calling process. After
1448	sending it, the calling process should retry with
1449	the negTokenInit. */
1450
1451	DEBUG(10, ("Requesting password\n"));
1452	x_fprintf(x_stdout, "PW\n");
1453	return True;
1454	}
1455
1456	spnego.type = SPNEGO_NEG_TOKEN_INIT;
1457	spnego.negTokenInit.mechTypes = my_mechs;
1458	spnego.negTokenInit.reqFlags = data_blob_null;
1459	spnego.negTokenInit.reqFlagsPadding = 0;
1460	spnego.negTokenInit.mechListMIC = null_blob;
1461
1462	status = ntlmssp_update(client_ntlmssp_state, null_blob,
1463	&spnego.negTokenInit.mechToken);
1464
1465	if ( !(NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) \|\|
1466	NT_STATUS_IS_OK(status)) ) {
1467	DEBUG(1, ("Expected OK or MORE_PROCESSING_REQUIRED, got: %s\n",
1468	nt_errstr(status)));
1469	ntlmssp_end(&client_ntlmssp_state);
1470	return False;
1471	}
1472
1473	spnego_write_data(ctx, &to_server, &spnego);
1474	data_blob_free(&spnego.negTokenInit.mechToken);
1475
1476	to_server_base64 = base64_encode_data_blob(talloc_tos(), to_server);
1477	data_blob_free(&to_server);
1478	x_fprintf(x_stdout, "KK %s\n", to_server_base64);
1479	TALLOC_FREE(to_server_base64);
1480	return True;
1481	}
1482
1483	static void manage_client_ntlmssp_targ(struct spnego_data spnego)
1484	{
1485	NTSTATUS status;
1486	DATA_BLOB null_blob = data_blob_null;
1487	DATA_BLOB request;
1488	DATA_BLOB to_server;
1489	char *to_server_base64;
1490	TALLOC_CTX *ctx = talloc_tos();
1491
1492	DEBUG(10, ("Got spnego negTokenTarg with NTLMSSP\n"));
1493
1494	if (client_ntlmssp_state == NULL) {
1495	DEBUG(1, ("Got NTLMSSP tArg without a client state\n"));
1496	x_fprintf(x_stdout, "BH Got NTLMSSP tArg without a client state\n");
1497	return;
1498	}
1499
1500	if (spnego.negTokenTarg.negResult == SPNEGO_REJECT) {
1501	x_fprintf(x_stdout, "NA\n");
1502	ntlmssp_end(&client_ntlmssp_state);
1503	return;
1504	}
1505
1506	if (spnego.negTokenTarg.negResult == SPNEGO_ACCEPT_COMPLETED) {
1507	x_fprintf(x_stdout, "AF\n");
1508	ntlmssp_end(&client_ntlmssp_state);
1509	return;
1510	}
1511
1512	status = ntlmssp_update(client_ntlmssp_state,
1513	spnego.negTokenTarg.responseToken,
1514	&request);
1515
1516	if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1517	DEBUG(1, ("Expected MORE_PROCESSING_REQUIRED from "
1518	"ntlmssp_client_update, got: %s\n",
1519	nt_errstr(status)));
1520	x_fprintf(x_stdout, "BH Expected MORE_PROCESSING_REQUIRED from "
1521	"ntlmssp_client_update\n");
1522	data_blob_free(&request);
1523	ntlmssp_end(&client_ntlmssp_state);
1524	return;
1525	}
1526
1527	spnego.type = SPNEGO_NEG_TOKEN_TARG;
1528	spnego.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE;
1529	spnego.negTokenTarg.supportedMech = (char *)OID_NTLMSSP;
1530	spnego.negTokenTarg.responseToken = request;
1531	spnego.negTokenTarg.mechListMIC = null_blob;
1532
1533	spnego_write_data(ctx, &to_server, &spnego);
1534	data_blob_free(&request);
1535
1536	to_server_base64 = base64_encode_data_blob(talloc_tos(), to_server);
1537	data_blob_free(&to_server);
1538	x_fprintf(x_stdout, "KK %s\n", to_server_base64);
1539	TALLOC_FREE(to_server_base64);
1540	return;
1541	}
1542
1543	#ifdef HAVE_KRB5
1544
1545	static bool manage_client_krb5_init(struct spnego_data spnego)
1546	{
1547	char *principal;
1548	DATA_BLOB tkt, to_server;
1549	DATA_BLOB session_key_krb5 = data_blob_null;
1550	struct spnego_data reply;
1551	char *reply_base64;
1552	int retval;
1553
1554	const char *my_mechs[] = {OID_KERBEROS5_OLD, NULL};
1555	ssize_t len;
1556	TALLOC_CTX *ctx = talloc_tos();
1557
1558	if ( (spnego.negTokenInit.mechListMIC.data == NULL) \|\|
1559	(spnego.negTokenInit.mechListMIC.length == 0) ) {
1560	DEBUG(1, ("Did not get a principal for krb5\n"));
1561	return False;
1562	}
1563
1564	principal = (char *)SMB_MALLOC(
1565	spnego.negTokenInit.mechListMIC.length+1);
1566
1567	if (principal == NULL) {
1568	DEBUG(1, ("Could not malloc principal\n"));
1569	return False;
1570	}
1571
1572	memcpy(principal, spnego.negTokenInit.mechListMIC.data,
1573	spnego.negTokenInit.mechListMIC.length);
1574	principal[spnego.negTokenInit.mechListMIC.length] = '\0';
1575
1576	retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL, NULL, NULL);
1577
1578	if (retval) {
1579	char *user = NULL;
1580
1581	/* Let's try to first get the TGT, for that we need a
1582	password. */
1583
1584	if (opt_password == NULL) {
1585	DEBUG(10, ("Requesting password\n"));
1586	x_fprintf(x_stdout, "PW\n");
1587	return True;
1588	}
1589
1590	user = talloc_asprintf(talloc_tos(), "%s@%s", opt_username, opt_domain);
1591	if (!user) {
1592	return false;
1593	}
1594
1595	if ((retval = kerberos_kinit_password(user, opt_password, 0, NULL))) {
1596	DEBUG(10, ("Requesting TGT failed: %s\n", error_message(retval)));
1597	return False;
1598	}
1599
1600	retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL, NULL, NULL);
1601
1602	if (retval) {
1603	DEBUG(10, ("Kinit suceeded, but getting a ticket failed: %s\n", error_message(retval)));
1604	return False;
1605	}
1606	}
1607
1608	data_blob_free(&session_key_krb5);
1609
1610	ZERO_STRUCT(reply);
1611
1612	reply.type = SPNEGO_NEG_TOKEN_INIT;
1613	reply.negTokenInit.mechTypes = my_mechs;
1614	reply.negTokenInit.reqFlags = data_blob_null;
1615	reply.negTokenInit.reqFlagsPadding = 0;
1616	reply.negTokenInit.mechToken = tkt;
1617	reply.negTokenInit.mechListMIC = data_blob_null;
1618
1619	len = spnego_write_data(ctx, &to_server, &reply);
1620	data_blob_free(&tkt);
1621
1622	if (len == -1) {
1623	DEBUG(1, ("Could not write SPNEGO data blob\n"));
1624	return False;
1625	}
1626
1627	reply_base64 = base64_encode_data_blob(talloc_tos(), to_server);
1628	x_fprintf(x_stdout, "KK %s *\n", reply_base64);
1629
1630	TALLOC_FREE(reply_base64);
1631	data_blob_free(&to_server);
1632	DEBUG(10, ("sent GSS-SPNEGO KERBEROS5 negTokenInit\n"));
1633	return True;
1634	}
1635
1636	static void manage_client_krb5_targ(struct spnego_data spnego)
1637	{
1638	switch (spnego.negTokenTarg.negResult) {
1639	case SPNEGO_ACCEPT_INCOMPLETE:
1640	DEBUG(1, ("Got a Kerberos negTokenTarg with ACCEPT_INCOMPLETE\n"));
1641	x_fprintf(x_stdout, "BH Got a Kerberos negTokenTarg with "
1642	"ACCEPT_INCOMPLETE\n");
1643	break;
1644	case SPNEGO_ACCEPT_COMPLETED:
1645	DEBUG(10, ("Accept completed\n"));
1646	x_fprintf(x_stdout, "AF\n");
1647	break;
1648	case SPNEGO_REJECT:
1649	DEBUG(10, ("Rejected\n"));
1650	x_fprintf(x_stdout, "NA\n");
1651	break;
1652	default:
1653	DEBUG(1, ("Got an invalid negTokenTarg\n"));
1654	x_fprintf(x_stdout, "AF\n");
1655	}
1656	}
1657
1658	#endif
1659
1660	static void manage_gss_spnego_client_request(struct ntlm_auth_state *state,
1661	char *buf, int length)
1662	{
1663	DATA_BLOB request;
1664	struct spnego_data spnego;
1665	ssize_t len;
1666	TALLOC_CTX *ctx = talloc_tos();
1667
1668	if (!opt_username \|\| !*opt_username) {
1669	x_fprintf(x_stderr, "username must be specified!\n\n");
1670	exit(1);
1671	}
1672
1673	if (strlen(buf) <= 3) {
1674	DEBUG(1, ("SPNEGO query [%s] too short\n", buf));
1675	x_fprintf(x_stdout, "BH SPNEGO query too short\n");
1676	return;
1677	}
1678
1679	request = base64_decode_data_blob(buf+3);
1680
1681	if (strncmp(buf, "PW ", 3) == 0) {
1682
1683	/* We asked for a password and obviously got it :-) */
1684
1685	opt_password = SMB_STRNDUP((const char *)request.data, request.length);
1686
1687	if (opt_password == NULL) {
1688	DEBUG(1, ("Out of memory\n"));
1689	x_fprintf(x_stdout, "BH Out of memory\n");
1690	data_blob_free(&request);
1691	return;
1692	}
1693
1694	x_fprintf(x_stdout, "OK\n");
1695	data_blob_free(&request);
1696	return;
1697	}
1698
1699	if ( (strncmp(buf, "TT ", 3) != 0) &&
1700	(strncmp(buf, "AF ", 3) != 0) &&
1701	(strncmp(buf, "NA ", 3) != 0) ) {
1702	DEBUG(1, ("SPNEGO request [%s] invalid\n", buf));
1703	x_fprintf(x_stdout, "BH SPNEGO request invalid\n");
1704	data_blob_free(&request);
1705	return;
1706	}
1707
1708	/* So we got a server challenge to generate a SPNEGO
1709	client-to-server request... */
1710
1711	len = spnego_read_data(ctx, request, &spnego);
1712	data_blob_free(&request);
1713
1714	if (len == -1) {
1715	DEBUG(1, ("Could not read SPNEGO data for [%s]\n", buf));
1716	x_fprintf(x_stdout, "BH Could not read SPNEGO data\n");
1717	return;
1718	}
1719
1720	if (spnego.type == SPNEGO_NEG_TOKEN_INIT) {
1721
1722	/* The server offers a list of mechanisms */
1723
1724	const char mechType = (const char )spnego.negTokenInit.mechTypes;
1725
1726	while (*mechType != NULL) {
1727
1728	#ifdef HAVE_KRB5
1729	if ( (strcmp(*mechType, OID_KERBEROS5_OLD) == 0) \|\|
1730	(strcmp(*mechType, OID_KERBEROS5) == 0) ) {
1731	if (manage_client_krb5_init(spnego))
1732	goto out;
1733	}
1734	#endif
1735
1736	if (strcmp(*mechType, OID_NTLMSSP) == 0) {
1737	if (manage_client_ntlmssp_init(spnego))
1738	goto out;
1739	}
1740
1741	mechType++;
1742	}
1743
1744	DEBUG(1, ("Server offered no compatible mechanism\n"));
1745	x_fprintf(x_stdout, "BH Server offered no compatible mechanism\n");
1746	return;
1747	}
1748
1749	if (spnego.type == SPNEGO_NEG_TOKEN_TARG) {
1750
1751	if (spnego.negTokenTarg.supportedMech == NULL) {
1752	/* On accept/reject Windows does not send the
1753	mechanism anymore. Handle that here and
1754	shut down the mechanisms. */
1755
1756	switch (spnego.negTokenTarg.negResult) {
1757	case SPNEGO_ACCEPT_COMPLETED:
1758	x_fprintf(x_stdout, "AF\n");
1759	break;
1760	case SPNEGO_REJECT:
1761	x_fprintf(x_stdout, "NA\n");
1762	break;
1763	default:
1764	DEBUG(1, ("Got a negTokenTarg with no mech and an "
1765	"unknown negResult: %d\n",
1766	spnego.negTokenTarg.negResult));
1767	x_fprintf(x_stdout, "BH Got a negTokenTarg with"
1768	" no mech and an unknown "
1769	"negResult\n");
1770	}
1771
1772	ntlmssp_end(&client_ntlmssp_state);
1773	goto out;
1774	}
1775
1776	if (strcmp(spnego.negTokenTarg.supportedMech,
1777	OID_NTLMSSP) == 0) {
1778	manage_client_ntlmssp_targ(spnego);
1779	goto out;
1780	}
1781
1782	#if HAVE_KRB5
1783	if (strcmp(spnego.negTokenTarg.supportedMech,
1784	OID_KERBEROS5_OLD) == 0) {
1785	manage_client_krb5_targ(spnego);
1786	goto out;
1787	}
1788	#endif
1789
1790	}
1791
1792	DEBUG(1, ("Got an SPNEGO token I could not handle [%s]!\n", buf));
1793	x_fprintf(x_stdout, "BH Got an SPNEGO token I could not handle\n");
1794	return;
1795
1796	out:
1797	spnego_free_data(&spnego);
1798	return;
1799	}
1800
1801	static void manage_ntlm_server_1_request(struct ntlm_auth_state *state,
1802	char *buf, int length)
1803	{
1804	char request, parameter;
1805	static DATA_BLOB challenge;
1806	static DATA_BLOB lm_response;
1807	static DATA_BLOB nt_response;
1808	static char *full_username;
1809	static char *username;
1810	static char *domain;
1811	static char *plaintext_password;
1812	static bool ntlm_server_1_user_session_key;
1813	static bool ntlm_server_1_lm_session_key;
1814
1815	if (strequal(buf, ".")) {
1816	if (!full_username && !username) {
1817	x_fprintf(x_stdout, "Error: No username supplied!\n");
1818	} else if (plaintext_password) {
1819	/* handle this request as plaintext */
1820	if (!full_username) {
1821	if (asprintf(&full_username, "%s%c%s", domain, winbind_separator(), username) == -1) {
1822	x_fprintf(x_stdout, "Error: Out of memory in asprintf!\n.\n");
1823	return;
1824	}
1825	}
1826	if (check_plaintext_auth(full_username, plaintext_password, False)) {
1827	x_fprintf(x_stdout, "Authenticated: Yes\n");
1828	} else {
1829	x_fprintf(x_stdout, "Authenticated: No\n");
1830	}
1831	} else if (!lm_response.data && !nt_response.data) {
1832	x_fprintf(x_stdout, "Error: No password supplied!\n");
1833	} else if (!challenge.data) {
1834	x_fprintf(x_stdout, "Error: No lanman-challenge supplied!\n");
1835	} else {
1836	char *error_string = NULL;
1837	uchar lm_key[8];
1838	uchar user_session_key[16];
1839	uint32 flags = 0;
1840
1841	if (full_username && !username) {
1842	fstring fstr_user;
1843	fstring fstr_domain;
1844
1845	if (!parse_ntlm_auth_domain_user(full_username, fstr_user, fstr_domain)) {
1846	/* username might be 'tainted', don't print into our new-line deleimianted stream */
1847	x_fprintf(x_stdout, "Error: Could not parse into domain and username\n");
1848	}
1849	SAFE_FREE(username);
1850	SAFE_FREE(domain);
1851	username = smb_xstrdup(fstr_user);
1852	domain = smb_xstrdup(fstr_domain);
1853	}
1854
1855	if (!domain) {
1856	domain = smb_xstrdup(get_winbind_domain());
1857	}
1858
1859	if (ntlm_server_1_lm_session_key)
1860	flags \|= WBFLAG_PAM_LMKEY;
1861
1862	if (ntlm_server_1_user_session_key)
1863	flags \|= WBFLAG_PAM_USER_SESSION_KEY;
1864
1865	if (!NT_STATUS_IS_OK(
1866	contact_winbind_auth_crap(username,
1867	domain,
1868	global_myname(),
1869	&challenge,
1870	&lm_response,
1871	&nt_response,
1872	flags,
1873	lm_key,
1874	user_session_key,
1875	&error_string,
1876	NULL))) {
1877
1878	x_fprintf(x_stdout, "Authenticated: No\n");
1879	x_fprintf(x_stdout, "Authentication-Error: %s\n.\n", error_string);
1880	} else {
1881	static char zeros[16];
1882	char *hex_lm_key;
1883	char *hex_user_session_key;
1884
1885	x_fprintf(x_stdout, "Authenticated: Yes\n");
1886
1887	if (ntlm_server_1_lm_session_key
1888	&& (memcmp(zeros, lm_key,
1889	sizeof(lm_key)) != 0)) {
1890	hex_lm_key = hex_encode_talloc(NULL,
1891	(const unsigned char *)lm_key,
1892	sizeof(lm_key));
1893	x_fprintf(x_stdout, "LANMAN-Session-Key: %s\n", hex_lm_key);
1894	TALLOC_FREE(hex_lm_key);
1895	}
1896
1897	if (ntlm_server_1_user_session_key
1898	&& (memcmp(zeros, user_session_key,
1899	sizeof(user_session_key)) != 0)) {
1900	hex_user_session_key = hex_encode_talloc(NULL,
1901	(const unsigned char *)user_session_key,
1902	sizeof(user_session_key));
1903	x_fprintf(x_stdout, "User-Session-Key: %s\n", hex_user_session_key);
1904	TALLOC_FREE(hex_user_session_key);
1905	}
1906	}
1907	SAFE_FREE(error_string);
1908	}
1909	/* clear out the state */
1910	challenge = data_blob_null;
1911	nt_response = data_blob_null;
1912	lm_response = data_blob_null;
1913	SAFE_FREE(full_username);
1914	SAFE_FREE(username);
1915	SAFE_FREE(domain);
1916	SAFE_FREE(plaintext_password);
1917	ntlm_server_1_user_session_key = False;
1918	ntlm_server_1_lm_session_key = False;
1919	x_fprintf(x_stdout, ".\n");
1920
1921	return;
1922	}
1923
1924	request = buf;
1925
1926	/* Indicates a base64 encoded structure */
1927	parameter = strstr_m(request, ":: ");
1928	if (!parameter) {
1929	parameter = strstr_m(request, ": ");
1930
1931	if (!parameter) {
1932	DEBUG(0, ("Parameter not found!\n"));
1933	x_fprintf(x_stdout, "Error: Parameter not found!\n.\n");
1934	return;
1935	}
1936
1937	parameter[0] ='\0';
1938	parameter++;
1939	parameter[0] ='\0';
1940	parameter++;
1941
1942	} else {
1943	parameter[0] ='\0';
1944	parameter++;
1945	parameter[0] ='\0';
1946	parameter++;
1947	parameter[0] ='\0';
1948	parameter++;
1949
1950	base64_decode_inplace(parameter);
1951	}
1952
1953	if (strequal(request, "LANMAN-Challenge")) {
1954	challenge = strhex_to_data_blob(NULL, parameter);
1955	if (challenge.length != 8) {
1956	x_fprintf(x_stdout, "Error: hex decode of %s failed! (got %d bytes, expected 8)\n.\n",
1957	parameter,
1958	(int)challenge.length);
1959	challenge = data_blob_null;
1960	}
1961	} else if (strequal(request, "NT-Response")) {
1962	nt_response = strhex_to_data_blob(NULL, parameter);
1963	if (nt_response.length < 24) {
1964	x_fprintf(x_stdout, "Error: hex decode of %s failed! (only got %d bytes, needed at least 24)\n.\n",
1965	parameter,
1966	(int)nt_response.length);
1967	nt_response = data_blob_null;
1968	}
1969	} else if (strequal(request, "LANMAN-Response")) {
1970	lm_response = strhex_to_data_blob(NULL, parameter);
1971	if (lm_response.length != 24) {
1972	x_fprintf(x_stdout, "Error: hex decode of %s failed! (got %d bytes, expected 24)\n.\n",
1973	parameter,
1974	(int)lm_response.length);
1975	lm_response = data_blob_null;
1976	}
1977	} else if (strequal(request, "Password")) {
1978	plaintext_password = smb_xstrdup(parameter);
1979	} else if (strequal(request, "NT-Domain")) {
1980	domain = smb_xstrdup(parameter);
1981	} else if (strequal(request, "Username")) {
1982	username = smb_xstrdup(parameter);
1983	} else if (strequal(request, "Full-Username")) {
1984	full_username = smb_xstrdup(parameter);
1985	} else if (strequal(request, "Request-User-Session-Key")) {
1986	ntlm_server_1_user_session_key = strequal(parameter, "Yes");
1987	} else if (strequal(request, "Request-LanMan-Session-Key")) {
1988	ntlm_server_1_lm_session_key = strequal(parameter, "Yes");
1989	} else {
1990	x_fprintf(x_stdout, "Error: Unknown request %s\n.\n", request);
1991	}
1992	}
1993
1994	static void manage_ntlm_change_password_1_request(struct ntlm_auth_state *state,
1995	char *buf, int length)
1996	{
1997	char request, parameter;
1998	static DATA_BLOB new_nt_pswd;
1999	static DATA_BLOB old_nt_hash_enc;
2000	static DATA_BLOB new_lm_pswd;
2001	static DATA_BLOB old_lm_hash_enc;
2002	static char *full_username = NULL;
2003	static char *username = NULL;
2004	static char *domain = NULL;
2005	static char *newpswd = NULL;
2006	static char *oldpswd = NULL;
2007
2008	if (strequal(buf, ".")) {
2009	if(newpswd && oldpswd) {
2010	uchar old_nt_hash[16];
2011	uchar old_lm_hash[16];
2012	uchar new_nt_hash[16];
2013	uchar new_lm_hash[16];
2014
2015	new_nt_pswd = data_blob(NULL, 516);
2016	old_nt_hash_enc = data_blob(NULL, 16);
2017
2018	/* Calculate the MD4 hash (NT compatible) of the
2019	* password */
2020	E_md4hash(oldpswd, old_nt_hash);
2021	E_md4hash(newpswd, new_nt_hash);
2022
2023	/* E_deshash returns false for 'long'
2024	passwords (> 14 DOS chars).
2025
2026	Therefore, don't send a buffer
2027	encrypted with the truncated hash
2028	(it could allow an even easier
2029	attack on the password)
2030
2031	Likewise, obey the admin's restriction
2032	*/
2033
2034	if (lp_client_lanman_auth() &&
2035	E_deshash(newpswd, new_lm_hash) &&
2036	E_deshash(oldpswd, old_lm_hash)) {
2037	new_lm_pswd = data_blob(NULL, 516);
2038	old_lm_hash_enc = data_blob(NULL, 16);
2039	encode_pw_buffer(new_lm_pswd.data, newpswd,
2040	STR_UNICODE);
2041
2042	arcfour_crypt(new_lm_pswd.data, old_nt_hash, 516);
2043	E_old_pw_hash(new_nt_hash, old_lm_hash,
2044	old_lm_hash_enc.data);
2045	} else {
2046	new_lm_pswd.data = NULL;
2047	new_lm_pswd.length = 0;
2048	old_lm_hash_enc.data = NULL;
2049	old_lm_hash_enc.length = 0;
2050	}
2051
2052	encode_pw_buffer(new_nt_pswd.data, newpswd,
2053	STR_UNICODE);
2054
2055	arcfour_crypt(new_nt_pswd.data, old_nt_hash, 516);
2056	E_old_pw_hash(new_nt_hash, old_nt_hash,
2057	old_nt_hash_enc.data);
2058	}
2059
2060	if (!full_username && !username) {
2061	x_fprintf(x_stdout, "Error: No username supplied!\n");
2062	} else if ((!new_nt_pswd.data \|\| !old_nt_hash_enc.data) &&
2063	(!new_lm_pswd.data \|\| old_lm_hash_enc.data) ) {
2064	x_fprintf(x_stdout, "Error: No NT or LM password "
2065	"blobs supplied!\n");
2066	} else {
2067	char *error_string = NULL;
2068
2069	if (full_username && !username) {
2070	fstring fstr_user;
2071	fstring fstr_domain;
2072
2073	if (!parse_ntlm_auth_domain_user(full_username,
2074	fstr_user,
2075	fstr_domain)) {
2076	/* username might be 'tainted', don't
2077	* print into our new-line
2078	* deleimianted stream */
2079	x_fprintf(x_stdout, "Error: Could not "
2080	"parse into domain and "
2081	"username\n");
2082	SAFE_FREE(username);
2083	username = smb_xstrdup(full_username);
2084	} else {
2085	SAFE_FREE(username);
2086	SAFE_FREE(domain);
2087	username = smb_xstrdup(fstr_user);
2088	domain = smb_xstrdup(fstr_domain);
2089	}
2090
2091	}
2092
2093	if(!NT_STATUS_IS_OK(contact_winbind_change_pswd_auth_crap(
2094	username, domain,
2095	new_nt_pswd,
2096	old_nt_hash_enc,
2097	new_lm_pswd,
2098	old_lm_hash_enc,
2099	&error_string))) {
2100	x_fprintf(x_stdout, "Password-Change: No\n");
2101	x_fprintf(x_stdout, "Password-Change-Error: "
2102	"%s\n.\n", error_string);
2103	} else {
2104	x_fprintf(x_stdout, "Password-Change: Yes\n");
2105	}
2106
2107	SAFE_FREE(error_string);
2108	}
2109	/* clear out the state */
2110	new_nt_pswd = data_blob_null;
2111	old_nt_hash_enc = data_blob_null;
2112	new_lm_pswd = data_blob_null;
2113	old_nt_hash_enc = data_blob_null;
2114	SAFE_FREE(full_username);
2115	SAFE_FREE(username);
2116	SAFE_FREE(domain);
2117	SAFE_FREE(newpswd);
2118	SAFE_FREE(oldpswd);
2119	x_fprintf(x_stdout, ".\n");
2120
2121	return;
2122	}
2123
2124	request = buf;
2125
2126	/* Indicates a base64 encoded structure */
2127	parameter = strstr_m(request, ":: ");
2128	if (!parameter) {
2129	parameter = strstr_m(request, ": ");
2130
2131	if (!parameter) {
2132	DEBUG(0, ("Parameter not found!\n"));
2133	x_fprintf(x_stdout, "Error: Parameter not found!\n.\n");
2134	return;
2135	}
2136
2137	parameter[0] ='\0';
2138	parameter++;
2139	parameter[0] ='\0';
2140	parameter++;
2141	} else {
2142	parameter[0] ='\0';
2143	parameter++;
2144	parameter[0] ='\0';
2145	parameter++;
2146	parameter[0] ='\0';
2147	parameter++;
2148
2149	base64_decode_inplace(parameter);
2150	}
2151
2152	if (strequal(request, "new-nt-password-blob")) {
2153	new_nt_pswd = strhex_to_data_blob(NULL, parameter);
2154	if (new_nt_pswd.length != 516) {
2155	x_fprintf(x_stdout, "Error: hex decode of %s failed! "
2156	"(got %d bytes, expected 516)\n.\n",
2157	parameter,
2158	(int)new_nt_pswd.length);
2159	new_nt_pswd = data_blob_null;
2160	}
2161	} else if (strequal(request, "old-nt-hash-blob")) {
2162	old_nt_hash_enc = strhex_to_data_blob(NULL, parameter);
2163	if (old_nt_hash_enc.length != 16) {
2164	x_fprintf(x_stdout, "Error: hex decode of %s failed! "
2165	"(got %d bytes, expected 16)\n.\n",
2166	parameter,
2167	(int)old_nt_hash_enc.length);
2168	old_nt_hash_enc = data_blob_null;
2169	}
2170	} else if (strequal(request, "new-lm-password-blob")) {
2171	new_lm_pswd = strhex_to_data_blob(NULL, parameter);
2172	if (new_lm_pswd.length != 516) {
2173	x_fprintf(x_stdout, "Error: hex decode of %s failed! "
2174	"(got %d bytes, expected 516)\n.\n",
2175	parameter,
2176	(int)new_lm_pswd.length);
2177	new_lm_pswd = data_blob_null;
2178	}
2179	}
2180	else if (strequal(request, "old-lm-hash-blob")) {
2181	old_lm_hash_enc = strhex_to_data_blob(NULL, parameter);
2182	if (old_lm_hash_enc.length != 16)
2183	{
2184	x_fprintf(x_stdout, "Error: hex decode of %s failed! "
2185	"(got %d bytes, expected 16)\n.\n",
2186	parameter,
2187	(int)old_lm_hash_enc.length);
2188	old_lm_hash_enc = data_blob_null;
2189	}
2190	} else if (strequal(request, "nt-domain")) {
2191	domain = smb_xstrdup(parameter);
2192	} else if(strequal(request, "username")) {
2193	username = smb_xstrdup(parameter);
2194	} else if(strequal(request, "full-username")) {
2195	username = smb_xstrdup(parameter);
2196	} else if(strequal(request, "new-password")) {
2197	newpswd = smb_xstrdup(parameter);
2198	} else if (strequal(request, "old-password")) {
2199	oldpswd = smb_xstrdup(parameter);
2200	} else {
2201	x_fprintf(x_stdout, "Error: Unknown request %s\n.\n", request);
2202	}
2203	}
2204
2205	static void manage_squid_request(struct ntlm_auth_state *state,
2206	stdio_helper_function fn)
2207	{
2208	char *buf;
2209	char tmp[INITIAL_BUFFER_SIZE+1];
2210	int length, buf_size = 0;
2211	char *c;
2212
2213	buf = talloc_strdup(state->mem_ctx, "");
2214	if (!buf) {
2215	DEBUG(0, ("Failed to allocate input buffer.\n"));
2216	x_fprintf(x_stderr, "ERR\n");
2217	exit(1);
2218	}
2219
2220	do {
2221
2222	/* this is not a typo - x_fgets doesn't work too well under
2223	* squid */
2224	if (fgets(tmp, sizeof(tmp)-1, stdin) == NULL) {
2225	if (ferror(stdin)) {
2226	DEBUG(1, ("fgets() failed! dying..... errno=%d "
2227	"(%s)\n", ferror(stdin),
2228	strerror(ferror(stdin))));
2229
2230	exit(1);
2231	}
2232	exit(0);
2233	}
2234
2235	buf = talloc_strdup_append_buffer(buf, tmp);
2236	buf_size += INITIAL_BUFFER_SIZE;
2237
2238	if (buf_size > MAX_BUFFER_SIZE) {
2239	DEBUG(2, ("Oversized message\n"));
2240	x_fprintf(x_stderr, "ERR\n");
2241	talloc_free(buf);
2242	return;
2243	}
2244
2245	c = strchr(buf, '\n');
2246	} while (c == NULL);
2247
2248	*c = '\0';
2249	length = c-buf;
2250
2251	DEBUG(10, ("Got '%s' from squid (length: %d).\n",buf,length));
2252
2253	if (buf[0] == '\0') {
2254	DEBUG(2, ("Invalid Request\n"));
2255	x_fprintf(x_stderr, "ERR\n");
2256	talloc_free(buf);
2257	return;
2258	}
2259
2260	fn(state, buf, length);
2261	talloc_free(buf);
2262	}
2263
2264
2265	static void squid_stream(enum stdio_helper_mode stdio_mode, stdio_helper_function fn) {
2266	TALLOC_CTX *mem_ctx;
2267	struct ntlm_auth_state *state;
2268
2269	/* initialize FDescs */
2270	x_setbuf(x_stdout, NULL);
2271	x_setbuf(x_stderr, NULL);
2272
2273	mem_ctx = talloc_init("ntlm_auth");
2274	if (!mem_ctx) {
2275	DEBUG(0, ("squid_stream: Failed to create talloc context\n"));
2276	x_fprintf(x_stderr, "ERR\n");
2277	exit(1);
2278	}
2279
2280	state = talloc_zero(mem_ctx, struct ntlm_auth_state);
2281	if (!state) {
2282	DEBUG(0, ("squid_stream: Failed to talloc ntlm_auth_state\n"));
2283	x_fprintf(x_stderr, "ERR\n");
2284	exit(1);
2285	}
2286
2287	state->mem_ctx = mem_ctx;
2288	state->helper_mode = stdio_mode;
2289
2290	while(1) {
2291	manage_squid_request(state, fn);
2292	}
2293	}
2294
2295
2296	/* Authenticate a user with a challenge/response */
2297
2298	static bool check_auth_crap(void)
2299	{
2300	NTSTATUS nt_status;
2301	uint32 flags = 0;
2302	char lm_key[8];
2303	char user_session_key[16];
2304	char *hex_lm_key;
2305	char *hex_user_session_key;
2306	char *error_string;
2307	static uint8 zeros[16];
2308
2309	x_setbuf(x_stdout, NULL);
2310
2311	if (request_lm_key)
2312	flags \|= WBFLAG_PAM_LMKEY;
2313
2314	if (request_user_session_key)
2315	flags \|= WBFLAG_PAM_USER_SESSION_KEY;
2316
2317	flags \|= WBFLAG_PAM_NT_STATUS_SQUASH;
2318
2319	nt_status = contact_winbind_auth_crap(opt_username, opt_domain,
2320	opt_workstation,
2321	&opt_challenge,
2322	&opt_lm_response,
2323	&opt_nt_response,
2324	flags,
2325	(unsigned char *)lm_key,
2326	(unsigned char *)user_session_key,
2327	&error_string, NULL);
2328
2329	if (!NT_STATUS_IS_OK(nt_status)) {
2330	x_fprintf(x_stdout, "%s (0x%x)\n",
2331	error_string,
2332	NT_STATUS_V(nt_status));
2333	SAFE_FREE(error_string);
2334	return False;
2335	}
2336
2337	if (request_lm_key
2338	&& (memcmp(zeros, lm_key,
2339	sizeof(lm_key)) != 0)) {
2340	hex_lm_key = hex_encode_talloc(talloc_tos(), (const unsigned char *)lm_key,
2341	sizeof(lm_key));
2342	x_fprintf(x_stdout, "LM_KEY: %s\n", hex_lm_key);
2343	TALLOC_FREE(hex_lm_key);
2344	}
2345	if (request_user_session_key
2346	&& (memcmp(zeros, user_session_key,
2347	sizeof(user_session_key)) != 0)) {
2348	hex_user_session_key = hex_encode_talloc(talloc_tos(), (const unsigned char *)user_session_key,
2349	sizeof(user_session_key));
2350	x_fprintf(x_stdout, "NT_KEY: %s\n", hex_user_session_key);
2351	TALLOC_FREE(hex_user_session_key);
2352	}
2353
2354	return True;
2355	}
2356
2357	/* Main program */
2358
2359	enum {
2360	OPT_USERNAME = 1000,
2361	OPT_DOMAIN,
2362	OPT_WORKSTATION,
2363	OPT_CHALLENGE,
2364	OPT_RESPONSE,
2365	OPT_LM,
2366	OPT_NT,
2367	OPT_PASSWORD,
2368	OPT_LM_KEY,
2369	OPT_USER_SESSION_KEY,
2370	OPT_DIAGNOSTICS,
2371	OPT_REQUIRE_MEMBERSHIP,
2372	OPT_USE_CACHED_CREDS,
2373	OPT_PAM_WINBIND_CONF
2374	};
2375
2376	int main(int argc, const char **argv)
2377	{
2378	TALLOC_CTX *frame = talloc_stackframe();
2379	int opt;
2380	static const char *helper_protocol;
2381	static int diagnostics;
2382
2383	static const char *hex_challenge;
2384	static const char *hex_lm_response;
2385	static const char *hex_nt_response;
2386
2387	poptContext pc;
2388
2389	/* NOTE: DO NOT change this interface without considering the implications!
2390	This is an external interface, which other programs will use to interact
2391	with this helper.
2392	*/
2393
2394	/* We do not use single-letter command abbreviations, because they harm future
2395	interface stability. */
2396
2397	struct poptOption long_options[] = {
2398	POPT_AUTOHELP
2399	{ "helper-protocol", 0, POPT_ARG_STRING, &helper_protocol, OPT_DOMAIN, "operate as a stdio-based helper", "helper protocol to use"},
2400	{ "username", 0, POPT_ARG_STRING, &opt_username, OPT_USERNAME, "username"},
2401	{ "domain", 0, POPT_ARG_STRING, &opt_domain, OPT_DOMAIN, "domain name"},
2402	{ "workstation", 0, POPT_ARG_STRING, &opt_workstation, OPT_WORKSTATION, "workstation"},
2403	{ "challenge", 0, POPT_ARG_STRING, &hex_challenge, OPT_CHALLENGE, "challenge (HEX encoded)"},
2404	{ "lm-response", 0, POPT_ARG_STRING, &hex_lm_response, OPT_LM, "LM Response to the challenge (HEX encoded)"},
2405	{ "nt-response", 0, POPT_ARG_STRING, &hex_nt_response, OPT_NT, "NT or NTLMv2 Response to the challenge (HEX encoded)"},
2406	{ "password", 0, POPT_ARG_STRING, &opt_password, OPT_PASSWORD, "User's plaintext password"},
2407	{ "request-lm-key", 0, POPT_ARG_NONE, &request_lm_key, OPT_LM_KEY, "Retrieve LM session key"},
2408	{ "request-nt-key", 0, POPT_ARG_NONE, &request_user_session_key, OPT_USER_SESSION_KEY, "Retrieve User (NT) session key"},
2409	{ "use-cached-creds", 0, POPT_ARG_NONE, &use_cached_creds, OPT_USE_CACHED_CREDS, "Use cached credentials if no password is given"},
2410	{ "diagnostics", 0, POPT_ARG_NONE, &diagnostics, OPT_DIAGNOSTICS, "Perform diagnostics on the authentictaion chain"},
2411	{ "require-membership-of", 0, POPT_ARG_STRING, &require_membership_of, OPT_REQUIRE_MEMBERSHIP, "Require that a user be a member of this group (either name or SID) for authentication to succeed" },
2412	{ "pam-winbind-conf", 0, POPT_ARG_STRING, &opt_pam_winbind_conf, OPT_PAM_WINBIND_CONF, "Require that request must set WBFLAG_PAM_CONTACT_TRUSTDOM when krb5 auth is required" },
2413	POPT_COMMON_CONFIGFILE
2414	POPT_COMMON_VERSION
2415	POPT_TABLEEND
2416	};
2417
2418	/* Samba client initialisation */
2419	load_case_tables();
2420
2421	dbf = x_stderr;
2422
2423	/* Parse options */
2424
2425	pc = poptGetContext("ntlm_auth", argc, argv, long_options, 0);
2426
2427	/* Parse command line options */
2428
2429	if (argc == 1) {
2430	poptPrintHelp(pc, stderr, 0);
2431	return 1;
2432	}
2433
2434	while((opt = poptGetNextOpt(pc)) != -1) {
2435	/* Get generic config options like --configfile */
2436	}
2437
2438	poptFreeContext(pc);
2439
2440	if (!lp_load(get_dyn_CONFIGFILE(), True, False, False, True)) {
2441	d_fprintf(stderr, "ntlm_auth: error opening config file %s. Error was %s\n",
2442	get_dyn_CONFIGFILE(), strerror(errno));
2443	exit(1);
2444	}
2445
2446	pc = poptGetContext(NULL, argc, (const char **)argv, long_options,
2447	POPT_CONTEXT_KEEP_FIRST);
2448
2449	while((opt = poptGetNextOpt(pc)) != -1) {
2450	switch (opt) {
2451	case OPT_CHALLENGE:
2452	opt_challenge = strhex_to_data_blob(NULL, hex_challenge);
2453	if (opt_challenge.length != 8) {
2454	x_fprintf(x_stderr, "hex decode of %s failed! (only got %d bytes)\n",
2455	hex_challenge,
2456	(int)opt_challenge.length);
2457	exit(1);
2458	}
2459	break;
2460	case OPT_LM:
2461	opt_lm_response = strhex_to_data_blob(NULL, hex_lm_response);
2462	if (opt_lm_response.length != 24) {
2463	x_fprintf(x_stderr, "hex decode of %s failed! (only got %d bytes)\n",
2464	hex_lm_response,
2465	(int)opt_lm_response.length);
2466	exit(1);
2467	}
2468	break;
2469
2470	case OPT_NT:
2471	opt_nt_response = strhex_to_data_blob(NULL, hex_nt_response);
2472	if (opt_nt_response.length < 24) {
2473	x_fprintf(x_stderr, "hex decode of %s failed! (only got %d bytes)\n",
2474	hex_nt_response,
2475	(int)opt_nt_response.length);
2476	exit(1);
2477	}
2478	break;
2479
2480	case OPT_REQUIRE_MEMBERSHIP:
2481	if (StrnCaseCmp("S-", require_membership_of, 2) == 0) {
2482	require_membership_of_sid = require_membership_of;
2483	}
2484	break;
2485	}
2486	}
2487
2488	if (opt_username) {
2489	char *domain = SMB_STRDUP(opt_username);
2490	char p = strchr_m(domain, lp_winbind_separator());
2491	if (p) {
2492	opt_username = p+1;
2493	*p = '\0';
2494	if (opt_domain && !strequal(opt_domain, domain)) {
2495	x_fprintf(x_stderr, "Domain specified in username (%s) "
2496	"doesn't match specified domain (%s)!\n\n",
2497	domain, opt_domain);
2498	poptPrintHelp(pc, stderr, 0);
2499	exit(1);
2500	}
2501	opt_domain = domain;
2502	} else {
2503	SAFE_FREE(domain);
2504	}
2505	}
2506
2507	/* Note: if opt_domain is "" then send no domain */
2508	if (opt_domain == NULL) {
2509	opt_domain = get_winbind_domain();
2510	}
2511
2512	if (opt_workstation == NULL) {
2513	opt_workstation = "";
2514	}
2515
2516	if (helper_protocol) {
2517	int i;
2518	for (i=0; i<NUM_HELPER_MODES; i++) {
2519	if (strcmp(helper_protocol, stdio_helper_protocols[i].name) == 0) {
2520	squid_stream(stdio_helper_protocols[i].mode, stdio_helper_protocols[i].fn);
2521	exit(0);
2522	}
2523	}
2524	x_fprintf(x_stderr, "unknown helper protocol [%s]\n\nValid helper protools:\n\n", helper_protocol);
2525
2526	for (i=0; i<NUM_HELPER_MODES; i++) {
2527	x_fprintf(x_stderr, "%s\n", stdio_helper_protocols[i].name);
2528	}
2529
2530	exit(1);
2531	}
2532
2533	if (!opt_username \|\| !*opt_username) {
2534	x_fprintf(x_stderr, "username must be specified!\n\n");
2535	poptPrintHelp(pc, stderr, 0);
2536	exit(1);
2537	}
2538
2539	if (opt_challenge.length) {
2540	if (!check_auth_crap()) {
2541	exit(1);
2542	}
2543	exit(0);
2544	}
2545
2546	if (!opt_password) {
2547	opt_password = getpass("password: ");
2548	}
2549
2550	if (diagnostics) {
2551	if (!diagnose_ntlm_auth()) {
2552	return 1;
2553	}
2554	} else {
2555	fstring user;
2556
2557	fstr_sprintf(user, "%s%c%s", opt_domain, winbind_separator(), opt_username);
2558	if (!check_plaintext_auth(user, opt_password, True)) {
2559	return 1;
2560	}
2561	}
2562
2563	/* Exit code */
2564
2565	poptFreeContext(pc);
2566	TALLOC_FREE(frame);
2567	return 0;
2568	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: