From: skids Date: Tue, 10 Nov 2015 16:28:42 +0000 (-0500) Subject: Pass on MSCHAP errors from ntlm_auth, too X-Git-Tag: release_3_0_11~166^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=db5cc20197bd395b0e1dba7424641c644ba1fd57;p=thirdparty%2Ffreeradius-server.git Pass on MSCHAP errors from ntlm_auth, too Not that supplicants do anything helpful with them, but locked and disabled account error codes can be gleaned from ntlm_auth. Previously only SMB-Account-Cntrl could cause them to send. --- diff --git a/src/modules/rlm_mschap/rlm_mschap.c b/src/modules/rlm_mschap/rlm_mschap.c index 3b17240735b..3dcb8457c44 100644 --- a/src/modules/rlm_mschap/rlm_mschap.c +++ b/src/modules/rlm_mschap/rlm_mschap.c @@ -1163,6 +1163,18 @@ static int CC_HINT(nonnull (1, 2, 4, 5 ,6)) do_mschap(rlm_mschap_t *inst, REQUES return -648; } + if (strcasestr(buffer, "Account locked out") || + strcasestr(buffer, "0xC0000234")) { + REDEBUG2("%s", buffer); + return -647; + } + + if (strcasestr(buffer, "Account disabled") || + strcasestr(buffer, "0xC0000072")) { + REDEBUG2("%s", buffer); + return -691; + } + RDEBUG2("External script failed"); p = strchr(buffer, '\n'); if (p) *p = '\0'; @@ -1392,29 +1404,25 @@ static rlm_rcode_t mschap_error(rlm_mschap_t *inst, REQUEST *request, unsigned c char new_challenge[33], buffer[128]; char *p; - if ((smb_ctrl && ((smb_ctrl->vp_integer & ACB_PW_EXPIRED) != 0)) || (mschap_result == -648)) { + if ((mschap_result == -648) || + (smb_ctrl && ((smb_ctrl->vp_integer & ACB_PW_EXPIRED) != 0))) { REDEBUG("Password has expired. User should retry authentication"); error = 648; retry = inst->allow_retry ? 1 : 0; message = "Password expired"; rcode = RLM_MODULE_REJECT; - - } else if (mschap_result < 0) { - REDEBUG("MS-CHAP2-Response is incorrect"); - error = 691; - retry = inst->allow_retry ? 1 : 0; - message = "Authentication failed"; - rcode = RLM_MODULE_REJECT; /* * Account is disabled. * * They're found, but they don't exist, so we * return 'not found'. */ - } else if (smb_ctrl && (((smb_ctrl->vp_integer & ACB_DISABLED) != 0) || - ((smb_ctrl->vp_integer & (ACB_NORMAL|ACB_WSTRUST)) == 0))) { - REDEBUG("SMB-Account-Ctrl says that the account is disabled, or is not a normal " - "or workstation trust account"); + } else if ((mschap_result == -691) || + (smb_ctrl && (((smb_ctrl->vp_integer & ACB_DISABLED) != 0) || + ((smb_ctrl->vp_integer & (ACB_NORMAL|ACB_WSTRUST)) == 0)))) { + REDEBUG("SMB-Account-Ctrl (or ntlm_auth) " + "says that the account is disabled, " + "or is not a normal or workstation trust account"); error = 691; retry = 1; message = "Account disabled"; @@ -1422,12 +1430,20 @@ static rlm_rcode_t mschap_error(rlm_mschap_t *inst, REQUEST *request, unsigned c /* * User is locked out. */ - } else if (smb_ctrl && ((smb_ctrl->vp_integer & ACB_AUTOLOCK) != 0)) { - REDEBUG("SMB-Account-Ctrl says that the account is locked out"); + } else if ((mschap_result == -647) || + (smb_ctrl && ((smb_ctrl->vp_integer & ACB_AUTOLOCK) != 0))) { + REDEBUG("SMB-Account-Ctrl (or ntlm_auth) " + "says that the account is locked out"); error = 647; retry = 0; message = "Account locked out"; rcode = RLM_MODULE_USERLOCK; + } else if (mschap_result < 0) { + REDEBUG("MS-CHAP2-Response is incorrect"); + error = 691; + retry = inst->allow_retry ? 1 : 0; + message = "Authentication failed"; + rcode = RLM_MODULE_REJECT; } if (rcode == RLM_MODULE_OK) return RLM_MODULE_OK;