authorAndrew Bartlett <abartlet@samba.org>2017-07-03 14:39:09 +1200
committerAndrew Bartlett <abartlet@samba.org>2017-07-04 06:57:21 +0200
commitfca8536a827bff142290bf736d3294116fefebb1 (patch)
treea51046fdd270e8c1dbe085bd57a52ef4e7b21233
parent831861ecf910504eecab30a7e132f0fa210ed212 (diff)
samr: Disable NTLM-based password changes on the server if NTLM is disabled
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
-rw-r--r--docs-xml/smbdotconf/security/ntlmauth.xml3
-rw-r--r--source3/rpc_server/samr/srv_samr_chgpasswd.c8
-rw-r--r--source4/rpc_server/samr/samr_password.c9
3 files changed, 19 insertions, 1 deletions
diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml
index 88105e69ed5..f0969bf9ed2 100644
--- a/docs-xml/smbdotconf/security/ntlmauth.xml
+++ b/docs-xml/smbdotconf/security/ntlmauth.xml
@@ -42,7 +42,8 @@
<listitem>
<para><constant>disabled</constant> - Do not allow NTLM (or
- LanMan) authentication of any level as a server.</para>
+ LanMan) authentication of any level as a server, nor permit
+ NTLM password changes.</para>
</listitem>
</itemizedlist>
diff --git a/source3/rpc_server/samr/srv_samr_chgpasswd.c b/source3/rpc_server/samr/srv_samr_chgpasswd.c
index ab9e92ace78..87a3f32ff13 100644
--- a/source3/rpc_server/samr/srv_samr_chgpasswd.c
+++ b/source3/rpc_server/samr/srv_samr_chgpasswd.c
@@ -683,6 +683,14 @@ static NTSTATUS check_oem_password(const char *user,
bool nt_pass_set = (password_encrypted_with_nt_hash && old_nt_hash_encrypted);
bool lm_pass_set = (password_encrypted_with_lm_hash && old_lm_hash_encrypted);
+ enum ntlm_auth_level ntlm_auth_level = lp_ntlm_auth();
+
+ /* this call should be disabled without NTLM auth */
+ if (ntlm_auth_level == NTLM_AUTH_DISABLED) {
+ DBG_WARNING("NTLM password changes not"
+ "permitted by configuration.\n");
+ return NT_STATUS_NTLM_BLOCKED;
+ }
acct_ctrl = pdb_get_acct_ctrl(sampass);
#if 0
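Review bot: The two adjacent string literals in the new DBG_WARNING are joined without a separating space, so the emitted message reads "NTLM password changes notpermitted by configuration." — the first line should be `DBG_WARNING("NTLM password changes not "`. The same missing space appears in the source4 hunk of samr_password.c, which should get the identical one-character fix. Since this is a policy rejection that operators will want to attribute, consider including the `user` parameter that check_oem_password already receives, e.g. `DBG_WARNING("NTLM password change for %s not permitted by configuration.\n", user);`, so a refused change is traceable in the log without correlating other entries. check_oem_password starts and ends outside this hunk.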
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index 785633ddc25..22f456f090b 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -307,10 +307,19 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
struct samr_Password nt_verifier, lm_verifier;
const char *user_samAccountName = NULL;
struct dom_sid *user_objectSid = NULL;
+ enum ntlm_auth_level ntlm_auth_level
+ = lpcfg_ntlm_auth(dce_call->conn->dce_ctx->lp_ctx);
*r->out.dominfo = NULL;
*r->out.reject = NULL;
+ /* this call should be disabled without NTLM auth */
+ if (ntlm_auth_level == NTLM_AUTH_DISABLED) {
+ DBG_WARNING("NTLM password changes not"
+ "permitted by configuration.\n");
+ return NT_STATUS_NTLM_BLOCKED;
+ }
+
if (r->in.nt_password == NULL ||
r->in.nt_verifier == NULL) {
return NT_STATUS_INVALID_PARAMETER;