authorAndrew Bartlett <abartlet@samba.org>2017-07-03 14:16:50 +1200
committerAndrew Bartlett <abartlet@samba.org>2017-07-04 06:57:20 +0200
commit00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0 (patch)
tree4ea7182cd156999dd7c205822adac7d00ee1ac2d
parentc278fa65ebe18063a09bb1f2af5e39459f9f2a7d (diff)
downloadsamba-00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0.tar.gz
param: Add new "disabled" value to "ntlm auth" to disable NTLM totally
Signed-off-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923 Reviewed-by: Garming Sam <garming@catalyst.net.nz>
-rw-r--r--docs-xml/smbdotconf/security/ntlmauth.xml5
-rw-r--r--lib/param/param_table.c1
-rw-r--r--libcli/auth/ntlm_check.c6
-rw-r--r--libcli/auth/ntlm_check.h2
4 files changed, 13 insertions, 1 deletions
diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml
index fbb3d3fec06..88105e69ed5 100644
--- a/docs-xml/smbdotconf/security/ntlmauth.xml
+++ b/docs-xml/smbdotconf/security/ntlmauth.xml
@@ -40,6 +40,11 @@
moreinfo="none">ntlm_auth</command> tool).</para>
</listitem>
+ <listitem>
+ <para><constant>disabled</constant> - Do not allow NTLM (or
+ LanMan) authentication of any level as a server.</para>
+ </listitem>
+
</itemizedlist>
<para>The default changed from <constant>yes</constant> to
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 4e9910dd083..f9052304bda 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -332,6 +332,7 @@ static const struct enum_list enum_mangled_names[] = {
};
static const struct enum_list enum_ntlm_auth[] = {
+ {NTLM_AUTH_DISABLED, "disabled"},
{NTLM_AUTH_NTLMV2_ONLY, "ntlmv2-only"},
{NTLM_AUTH_NTLMV2_ONLY, "no"},
{NTLM_AUTH_NTLMV2_ONLY, "false"},
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index 8e8d100075a..3b02adc1d48 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -296,6 +296,12 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
DATA_BLOB tmp_sess_key;
const char *upper_client_domain = NULL;
+ if (ntlm_auth == NTLM_AUTH_DISABLED) {
+ DBG_WARNING("ntlm_password_check: NTLM authentication not "
+ "permitted by configuration.\n");
+ return NT_STATUS_NTLM_BLOCKED;
+ }
+
if (client_domain != NULL) {
upper_client_domain = talloc_strdup_upper(mem_ctx, client_domain);
if (upper_client_domain == NULL) {
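Review bot: The rejection logged by the added `DBG_WARNING` block carries no identifying detail, so an operator auditing logins after setting `ntlm auth = disabled` cannot tell from this line which client or domain was refused. `client_domain` is already a parameter of this function (it is used a few lines below), so the message could become `DBG_WARNING("ntlm_password_check: NTLM authentication for domain %s not permitted by configuration.\n", client_domain != NULL ? client_domain : "");`, and the account name could be added too if the function receives one. Since this fires once per refused attempt, it is also worth confirming that warning level is the intended verbosity on a busy server rather than a lower level. The body of ntlm_password_check starts before this hunk and continues after it.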
diff --git a/libcli/auth/ntlm_check.h b/libcli/auth/ntlm_check.h
index f1dc54a4847..86cab9b2d13 100644
--- a/libcli/auth/ntlm_check.h
+++ b/libcli/auth/ntlm_check.h
@@ -22,7 +22,7 @@
#define __LIBCLI_AUTH_NTLM_CHECK_H__
/* mangled names options */
-enum ntlm_auth_level {NTLM_AUTH_ON,
+enum ntlm_auth_level {NTLM_AUTH_DISABLED, NTLM_AUTH_ON,
NTLM_AUTH_NTLMV2_ONLY,
NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY};
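Review bot: The comment immediately above the enum, `/* mangled names options */`, describes a different parameter and is left misleading by a change that edits this very declaration; it should read something like `/* levels of the "ntlm auth" smb.conf parameter, checked in ntlm_password_check() */`. Prepending `NTLM_AUTH_DISABLED` also renumbers `NTLM_AUTH_ON` from 0 to 1 and shifts the remaining constants, which has the useful effect that a zero-valued or default-initialized level now denies rather than permits NTLM; if that is deliberate, a one-line comment such as `/* NTLM_AUTH_DISABLED is deliberately first so that a zero value fails closed */` would stop a later contributor from "tidying" the order. Whether any consumer depended on the previous numeric values cannot be judged from this page, but the name table in lib/param/param_table.c is the only producer visible here.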