author | Andrew Bartlett <abartlet@samba.org> | 2017-07-03 14:39:09 +1200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2017-07-04 06:57:21 +0200 |
commit | fca8536a827bff142290bf736d3294116fefebb1 (patch) | |
tree | a51046fdd270e8c1dbe085bd57a52ef4e7b21233 | |
parent | 831861ecf910504eecab30a7e132f0fa210ed212 (diff) | |
download | samba-fca8536a827bff142290bf736d3294116fefebb1.tar.gz |
samr: Disable NTLM-based password changes on the server if NTLM is disabled
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
-rw-r--r-- | docs-xml/smbdotconf/security/ntlmauth.xml | 3 | ||||
-rw-r--r-- | source3/rpc_server/samr/srv_samr_chgpasswd.c | 8 | ||||
-rw-r--r-- | source4/rpc_server/samr/samr_password.c | 9 |
3 files changed, 19 insertions, 1 deletions
diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml
index 88105e69ed5..f0969bf9ed2 100644
--- a/docs-xml/smbdotconf/security/ntlmauth.xml
+++ b/docs-xml/smbdotconf/security/ntlmauth.xml
@@ -42,7 +42,8 @@
 <listitem>
 <para><constant>disabled</constant> - Do not allow NTLM (or
- LanMan) authentication of any level as a server.</para>
+ LanMan) authentication of any level as a server, nor permit
+ NTLM password changes.</para>
 </listitem>
 </itemizedlist>
diff --git a/source3/rpc_server/samr/srv_samr_chgpasswd.c b/source3/rpc_server/samr/srv_samr_chgpasswd.c
index ab9e92ace78..87a3f32ff13 100644
--- a/source3/rpc_server/samr/srv_samr_chgpasswd.c
+++ b/source3/rpc_server/samr/srv_samr_chgpasswd.c
@@ -683,6 +683,14 @@ static NTSTATUS check_oem_password(const char *user,
 bool nt_pass_set = (password_encrypted_with_nt_hash && old_nt_hash_encrypted);
 bool lm_pass_set = (password_encrypted_with_lm_hash && old_lm_hash_encrypted);
+ enum ntlm_auth_level ntlm_auth_level = lp_ntlm_auth();
+
+ /* this call should be disabled without NTLM auth */
+ if (ntlm_auth_level == NTLM_AUTH_DISABLED) {
+ DBG_WARNING("NTLM password changes not"
+ "permitted by configuration.\n");
+ return NT_STATUS_NTLM_BLOCKED;
+ }
 acct_ctrl = pdb_get_acct_ctrl(sampass);
 #if 0
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index 785633ddc25..22f456f090b 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
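Review bot: The two adjacent string literals passed to DBG_WARNING in check_oem_password concatenate to "NTLM password changes notpermitted by configuration." because the first literal has no trailing space; the identical message in the dcesrv_samr_ChangePasswordUser3 hunk of source4/rpc_server/samr/samr_password.c has the same defect. Change the first literal in both places to `DBG_WARNING("NTLM password changes not "` (with a trailing space). This is the line an operator will search the logs for when password changes start failing after setting ntlm auth = disabled, so it is worth having it match the text exactly. The hunk gates only check_oem_password; whether every SAMR password-change entry point in this file reaches that function is not visible here and is worth confirming so the new policy cannot be bypassed by a different call. check_oem_password's body continues outside the hunk.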
@@ -307,10 +307,19 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
 struct samr_Password nt_verifier, lm_verifier;
 const char *user_samAccountName = NULL;
 struct dom_sid *user_objectSid = NULL;
+ enum ntlm_auth_level ntlm_auth_level
+ = lpcfg_ntlm_auth(dce_call->conn->dce_ctx->lp_ctx);
 *r->out.dominfo = NULL;
 *r->out.reject = NULL;
+ /* this call should be disabled without NTLM auth */
+ if (ntlm_auth_level == NTLM_AUTH_DISABLED) {
+ DBG_WARNING("NTLM password changes not"
+ "permitted by configuration.\n");
+ return NT_STATUS_NTLM_BLOCKED;
+ }
+
 if (r->in.nt_password == NULL || r->in.nt_verifier == NULL) {
 return NT_STATUS_INVALID_PARAMETER; |