author | Andrew Bartlett <abartlet@samba.org> | 2017-07-03 14:11:47 +1200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2017-07-04 06:57:20 +0200 |
commit | d0d266bbf79fac956ca5de0b48dfac08b6f18628 (patch) | |
tree | fa89526c2830abc2e2fc3aede769466bfc1dafde | |
parent | 8b398a4d72a53b57e622afb4aeefa026b96c3d2a (diff) | |
download | samba-d0d266bbf79fac956ca5de0b48dfac08b6f18628.tar.gz |
param: Disable LanMan authentication unless NTLMv1 is also enabled
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
-rw-r--r-- | docs-xml/smbdotconf/security/lanmanauth.xml | 1 | ||||
-rw-r--r-- | docs-xml/smbdotconf/security/ntlmauth.xml | 3 | ||||
-rw-r--r-- | lib/param/loadparm.c | 16 | ||||
-rw-r--r-- | source3/include/proto.h | 1 | ||||
-rw-r--r-- | source3/param/loadparm.c | 18 |
5 files changed, 36 insertions, 3 deletions
diff --git a/docs-xml/smbdotconf/security/lanmanauth.xml b/docs-xml/smbdotconf/security/lanmanauth.xml
index 138a24f9f28..a9e4f88b89f 100644
--- a/docs-xml/smbdotconf/security/lanmanauth.xml
+++ b/docs-xml/smbdotconf/security/lanmanauth.xml
@@ -1,6 +1,7 @@
 <samba:parameter name="lanman auth" context="G" type="boolean"
+ function="_lanman_auth"
 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml
index 891da280760..fbb3d3fec06 100644
--- a/docs-xml/smbdotconf/security/ntlmauth.xml
+++ b/docs-xml/smbdotconf/security/ntlmauth.xml
@@ -7,8 +7,7 @@
 <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle> <manvolnum>8</manvolnum></citerefentry> will attempt to authenticate users using the NTLM encrypted password response.
- If disabled, either the lanman password hash or an NTLMv2 response
- will need to be sent by the client.</para>
+ If disabled, NTLM and LanMan authencication is disabled server-wide.</para>
 <para>By default with <command moreinfo="none">lanman auth</command> set to <constant>no</constant> and
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 9c93277c35e..a221e879d07 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3511,3 +3511,19 @@ int lpcfg_tdb_flags(struct loadparm_context *lp_ctx, int tdb_flags)
 }
 return tdb_flags;
 }
+
+/*
+ * Do not allow LanMan auth if unless NTLMv1 is also allowed
+ *
+ * This also ensures it is disabled if NTLM is totally disabled
+ */
+bool lpcfg_lanman_auth(struct loadparm_context *lp_ctx)
+{
+ enum ntlm_auth_level ntlm_auth_level = lpcfg_ntlm_auth(lp_ctx);
+
+ if (ntlm_auth_level == NTLM_AUTH_ON) {
+ return lpcfg__lanman_auth(lp_ctx);
+ } else {
+ return false;
+ }
+}
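Review bot: lpcfg_lanman_auth() quietly reports false even when the administrator has set `lanman auth = yes`, whenever `ntlm auth` is anything but `yes`, and nothing in the commit surfaces that to the person who wrote the config — the lanmanauth.xml hunk only adds the `function=` attribute and its description still presents the parameter as standalone. The header comment should state the dependency and drop the `if unless` typo: `Do not allow LanMan auth unless NTLMv1 is also allowed ("ntlm auth = yes"); a configured lanman auth = yes is otherwise ignored.` A one-time warning at config-load time when `lpcfg__lanman_auth(lp_ctx)` is true but this function would return false would make rejected LM-only logins diagnosable; I would not put it in this getter, which presumably runs on every authentication. Stylistically the `else` after the `return` is redundant: `return ntlm_auth_level == NTLM_AUTH_ON && lpcfg__lanman_auth(lp_ctx);`.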
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 45841dca8ad..c8f6c282b68 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -879,6 +879,7 @@ int lp_cups_encrypt(void);
 bool lp_widelinks(int );
 int lp_rpc_low_port(void);
 int lp_rpc_high_port(void);
+bool lp_lanman_auth(void);
 int lp_wi_scan_global_parametrics(
 const char *regex, size_t max_matches,
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index ba3763e97d1..d5b1c56e21e 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -693,7 +693,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 Globals.restrict_anonymous = 0;
 Globals.client_lanman_auth = false; /* Do NOT use the LanMan hash if it is available */
 Globals.client_plaintext_auth = false; /* Do NOT use a plaintext password even if is requested by the server */
-	Globals.lanman_auth = false; /* Do NOT use the LanMan hash, even if it is supplied */
+	Globals._lanman_auth = false; /* Do NOT use the LanMan hash, even if it is supplied */
 Globals.ntlm_auth = NTLM_AUTH_NTLMV2_ONLY; /* Do NOT use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
 Globals.raw_ntlmv2_auth = false; /* Reject NTLMv2 without NTLMSSP */
 Globals.client_ntlmv2_auth = true; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
@@ -4592,6 +4592,22 @@ int lp_rpc_high_port(void)
 return Globals.rpc_high_port;
 }
+
+/*
+ * Do not allow LanMan auth if unless NTLMv1 is also allowed
+ *
+ * This also ensures it is disabled if NTLM is totally disabled
+ */
+bool lp_lanman_auth(void)
+{
+ enum ntlm_auth_level ntlm_auth_level = lp_ntlm_auth();
+
+ if (ntlm_auth_level == NTLM_AUTH_ON) {
+ return lp__lanman_auth();
+ } else {
+ return false;
+ }
+}
+
 struct loadparm_global * get_globals(void)
 {
 return &Globals; |
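Review bot: lp_lanman_auth() is a verbatim copy of lpcfg_lanman_auth() from lib/param/loadparm.c in this same commit, so the two will have to be kept in step by hand whenever `ntlm auth` gains a level; the exact match on NTLM_AUTH_ON is the right, fail-closed direction (any new level leaves LanMan off until someone adds it here), and the comment should say that is intentional, e.g. `Exact match on purpose: any other ntlm auth level must keep LanMan disabled`, replacing the `if unless` wording. Since init_globals() keeps the default at `ntlm auth = ntlmv2-only` (the hunk at line 693), an existing smb.conf with `lanman auth = yes` but no `ntlm auth = yes` loses LanMan logins after this change with no diagnostic; that is the intended hardening, but the diffstat shows no release-note entry, and presumably testparm will keep printing `lanman auth = yes` from the raw `_lanman_auth` field. The `else` after `return` can go: `return ntlm_auth_level == NTLM_AUTH_ON && lp__lanman_auth();`. get_globals() continues past the end of the hunk.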