author | Andrew Bartlett <abartlet@samba.org> | 2017-07-03 12:11:51 +1200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2017-07-04 06:57:20 +0200 |
commit | d139d77ae3dbc490525ac94f46276d790bc2d879 (patch) | |
tree | ce71e9a10795feaa8df7e66002a52f8ad529124b /lib/param | |
parent | 353de79af2888afedaf54aa3c16bc2f1c470271a (diff) | |
auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and re-factor 'ntlm auth ='
The ntlm auth parameter is expanded to more clearly describe the
role of each option, and to allow the new mode that permits MSCHAPv2
(as declared by the client over the NETLOGON protocol) while
still banning NTLMv1.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Based on a patch by Mantas Mikulėnas <mantas@utenos-kolegija.lt>:
Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth")
added the --allow-mschapv2 option, but didn't implement checking for it
server-side. This implements such checking.
Additionally, Samba now disables NTLMv1 authentication by default for
security reasons. To avoid having to re-enable it globally, 'ntlm auth'
becomes an enum and a new setting is added to allow only MSCHAPv2.
Signed-off-by: Mantas Mikulėnas <mantas@utenos-kolegija.lt>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Diffstat (limited to 'lib/param')
-rw-r--r-- | lib/param/loadparm.c | 3 | ||||
-rw-r--r-- | lib/param/param_table.c | 14 |
2 files changed, 16 insertions, 1 deletions
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 3ceea50b279..9c93277c35e 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -70,6 +70,7 @@
 #include "librpc/gen_ndr/nbt.h"
 #include "libds/common/roles.h"
 #include "lib/util/samba_util.h"
+#include "libcli/auth/ntlm_check.h"
 #ifdef HAVE_HTTPCONNECTENCRYPT
 #include <cups/http.h>
@@ -2709,7 +2710,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter(lp_ctx, "ClientLanManAuth", "False");
 	lpcfg_do_global_parameter(lp_ctx, "ClientNTLMv2Auth", "True");
 	lpcfg_do_global_parameter(lp_ctx, "LanmanAuth", "False");
-	lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "False");
+	lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "ntlmv2-only");
 	lpcfg_do_global_parameter(lp_ctx, "RawNTLMv2Auth", "False");
 	lpcfg_do_global_parameter(lp_ctx, "client use spnego principal", "False");
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 21cac107647..4e9910dd083 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -31,6 +31,7 @@
 #include "lib/param/param.h"
 #include "lib/param/loadparm.h"
 #include "lib/param/param_global.h"
+#include "libcli/auth/ntlm_check.h"
 #include "libcli/smb/smb_constants.h"
 #include "libds/common/roles.h"
 #include "source4/lib/tls/tls.h"
@@ -330,6 +331,19 @@ static const struct enum_list enum_mangled_names[] = {
 	{-1, NULL}
 };
+static const struct enum_list enum_ntlm_auth[] = {
+	{NTLM_AUTH_NTLMV2_ONLY, "ntlmv2-only"},
+	{NTLM_AUTH_NTLMV2_ONLY, "no"},
+	{NTLM_AUTH_NTLMV2_ONLY, "false"},
+	{NTLM_AUTH_NTLMV2_ONLY, "0"},
+	{NTLM_AUTH_ON, "ntlmv1-permitted"},
+	{NTLM_AUTH_ON, "yes"},
+	{NTLM_AUTH_ON, "true"},
+	{NTLM_AUTH_ON, "1"},
+	{NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY, "mschapv2-and-ntlmv2-only"},
+	{-1, NULL}
+};
 /* Note: We do not initialise the defaults union - it is not allowed in ANSI C
  *
  * NOTE: Handling of duplicated (synonym) parameters: |
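Review bot: The new default `"ntlmv2-only"` on the NTLMAuth line is a free-form string that presumably has to match a name in `enum_ntlm_auth` (lib/param/param_table.c) exactly, while every neighbouring default is a plain boolean, so a later rename of that enum entry would silently leave the built-in default unparsable. A one-line comment on the changed line would make the coupling visible: `/* NTLMv1 stays disabled by default; "ntlmv2-only" is the enum spelling of the former "False" */`. The body of loadparm_init starts and ends outside this hunk.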
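Review bot: enum_ntlm_auth carries no comment explaining why three groups of spellings map to the same value, so a reader cannot tell that `no`/`false`/`0` and `yes`/`true`/`1` are compatibility aliases for the parameter's former boolean form rather than distinct modes. If, as I believe, the enum-to-string lookup used when dumping the configuration returns the first entry with a matching value, then listing the descriptive names first is what makes the dump print `ntlmv1-permitted` instead of `yes`, and that ordering dependency should be stated so a future reordering does not regress it. Suggest a header comment above the table: `/* Order matters: the first name for each value is what a config dump prints. The boolean spellings keep existing smb.conf files parsing; NTLM_AUTH_ON re-enables NTLMv1 and is opt-in only. */`. The table also assumes that none of the NTLM_AUTH_* enumerators equals the -1 terminator, which ntlm_check.h (not part of this diff) should guarantee.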