auth: Return status code if configuration prohibits NTLM

Currently, we rely on ‘stored_nt’ being NULL to give an
NT_STATUS_WRONG_PASSWORD error.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

2 files changed, 9 insertions, 0 deletions

diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index cb4be7f6507..3927dfa7836 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -259,12 +259,19 @@ static bool smb_sess_key_ntlmv2(TALLOC_CTX *mem_ctx,
 
 NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
 			     bool lanman_auth,
+			     enum ntlm_auth_level ntlm_auth,
 			     const struct samr_Password *client_lanman,
 			     const struct samr_Password *client_nt,
 			     const char *username, 
 			     const struct samr_Password *stored_lanman, 
 			     const struct samr_Password *stored_nt)
 {
+	if (ntlm_auth == NTLM_AUTH_DISABLED) {
+		DBG_WARNING("hash_password_check: NTLM authentication not "
+			    "permitted by configuration.\n");
+		return NT_STATUS_NTLM_BLOCKED;
+	}
+
 	if (stored_nt == NULL) {
 		DEBUG(3,("hash_password_check: NO NT password stored for user %s.\n",
 			 username));
@@ -387,6 +394,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 		}
 		return hash_password_check(mem_ctx, 
 					   lanman_auth,
+					   ntlm_auth,
 					   lm_ok ? &client_lm : NULL, 
 					   nt_response->length ? &client_nt : NULL, 
 					   username,  
diff --git a/libcli/auth/ntlm_check.h b/libcli/auth/ntlm_check.h
index 86cab9b2d13..3fcd1f4ccbb 100644
--- a/libcli/auth/ntlm_check.h
+++ b/libcli/auth/ntlm_check.h
@@ -45,6 +45,7 @@ struct samr_Password;
 
 NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
 				 bool lanman_auth,
+			     enum ntlm_auth_level ntlm_auth,
 			     const struct samr_Password *client_lanman,
 			     const struct samr_Password *client_nt,
 			     const char *username,