author | Andrew Bartlett <abartlet@samba.org> | 2017-07-03 12:11:51 +1200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2017-07-04 06:57:20 +0200 |
commit | d139d77ae3dbc490525ac94f46276d790bc2d879 (patch) | |
tree | ce71e9a10795feaa8df7e66002a52f8ad529124b /libcli | |
parent | 353de79af2888afedaf54aa3c16bc2f1c470271a (diff) | |
auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and re-factor 'ntlm auth ='
The ntlm auth parameter is expanded to more clearly describe the
role of each option, and to allow the new mode that permits MSCHAPv2
(as declared by the client over the NETLOGON protocol) while
still banning NTLMv1.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Based on a patch by Mantas Mikulėnas <mantas@utenos-kolegija.lt>:
Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth")
added the --allow-mschapv2 option, but didn't implement checking for it
server-side. This implements such checking.
Additionally, Samba now disables NTLMv1 authentication by default for
security reasons. To avoid having to re-enable it globally, 'ntlm auth'
becomes an enum and a new setting is added to allow only MSCHAPv2.
Signed-off-by: Mantas Mikulėnas <mantas@utenos-kolegija.lt>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Diffstat (limited to 'libcli')
-rw-r--r-- | libcli/auth/ntlm_check.c | 5 | ||||
-rw-r--r-- | libcli/auth/ntlm_check.h | 12 |
2 files changed, 14 insertions, 3 deletions
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index d7fba34cdba..8e8d100075a 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -280,7 +280,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
 NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 bool lanman_auth,
- bool ntlm_auth,
+ enum ntlm_auth_level ntlm_auth,
 uint32_t logon_parameters,
 const DATA_BLOB *challenge,
 const DATA_BLOB *lm_response,
@@ -397,7 +397,8 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 DEBUG(3,("ntlm_password_check: NTLMv2 password check failed\n"));
 }
 } else if (nt_response->length == 24 && stored_nt) {
- if (ntlm_auth) {
+ if (ntlm_auth == NTLM_AUTH_ON
+ || (ntlm_auth == NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY && (logon_parameters & MSV1_0_ALLOW_MSVCHAPV2))) {
 /* We have the NT MD4 hash challenge available - see if we can
 use it (ie. does it exist in the smbpasswd file).
 */
diff --git a/libcli/auth/ntlm_check.h b/libcli/auth/ntlm_check.h
index df11f7d7a26..f1dc54a4847 100644
--- a/libcli/auth/ntlm_check.h
+++ b/libcli/auth/ntlm_check.h
@@ -18,7 +18,15 @@
 You should have received a copy of the GNU General Public License
 along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
+#ifndef __LIBCLI_AUTH_NTLM_CHECK_H__
+#define __LIBCLI_AUTH_NTLM_CHECK_H__
+/* mangled names options */
+enum ntlm_auth_level {NTLM_AUTH_ON,
+ NTLM_AUTH_NTLMV2_ONLY,
+ NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY};
+
+struct samr_Password;
 /**
 * Compare password hashes against those from the SAM
@@ -62,7 +70,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
 NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 bool lanman_auth,
- bool ntlm_auth,
+ enum ntlm_auth_level ntlm_auth,
 uint32_t logon_parameters,
 const DATA_BLOB *challenge,
 const DATA_BLOB *lm_response,
@@ -74,3 +82,5 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 const struct samr_Password *stored_nt,
 DATA_BLOB *user_sess_key,
 DATA_BLOB *lm_sess_key);
+
+#endif /* __LIBCLI_AUTH_NTLM_CHECK_H__ */ |
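Review bot: In the second ntlm_check.c hunk the new condition lets a caller-asserted flag decide whether a 24-byte NTLMv1 response is accepted — MSV1_0_ALLOW_MSVCHAPV2 is read from logon_parameters, which the commit message says the client declares over NETLOGON — and nothing in the code says so, so a maintainer could mistake the flag for local policy. I would add above the `if`: `/* NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY accepts an NTLMv1 response only when the NETLOGON caller set MSV1_0_ALLOW_MSVCHAPV2 in logon_parameters; the flag is asserted by the caller, not by local configuration, so this mode is only as strict as the trust placed in that caller. */` The `||` line also runs far past 80 columns; putting the flag test on its own continuation, `|| (ntlm_auth == NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY` followed by `&& (logon_parameters & MSV1_0_ALLOW_MSVCHAPV2))) {`, keeps it readable. The rejecting `else` branch and the rest of ntlm_password_check lie outside the hunk; its debug message presumably still only mentions the ntlm auth setting and may want to name the missing flag too.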
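Review bot: In the first ntlm_check.h hunk the comment above the new enum, `/* mangled names options */`, describes a different smb.conf option and looks copied from another enum; it should say what this one is for, e.g. `/* Values of the 'ntlm auth' option: which NTLM response flavours ntlm_password_check() accepts */`. Each enumerator also deserves a line of its own: NTLM_AUTH_ON accepts NTLMv1 and NTLMv2, NTLM_AUTH_NTLMV2_ONLY rejects NTLMv1 (as far as the ntlm_check.c hunk shows), and NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY accepts NTLMv1 only when the caller set MSV1_0_ALLOW_MSVCHAPV2 in logon_parameters. As a nit, the guard `__LIBCLI_AUTH_NTLM_CHECK_H__` is a double-underscore identifier reserved for the implementation; Samba headers commonly use this form, so it is consistency rather than a defect.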