diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2017-07-03 12:11:51 +1200 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2017-07-04 06:57:20 +0200 |
| commit | d139d77ae3dbc490525ac94f46276d790bc2d879 (patch) | |
| tree | ce71e9a10795feaa8df7e66002a52f8ad529124b /source3/param | |
| parent | 353de79af2888afedaf54aa3c16bc2f1c470271a (diff) | |
| download | samba-d139d77ae3dbc490525ac94f46276d790bc2d879.tar.gz | |
auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and re-factor 'ntlm auth ='
The ntlm auth parameter is expanded to more clearly describe the
role of each option, and to allow the new mode that permits MSCHAPv2
(as declared by the client over the NETLOGON protocol) while
still banning NTLMv1.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Based on a patch by Mantas Mikulėnas <mantas@utenos-kolegija.lt>:
Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth")
added the --allow-mschapv2 option, but didn't implement checking for it
server-side. This implements such checking.
Additionally, Samba now disables NTLMv1 authentication by default for
security reasons. To avoid having to re-enable it globally, 'ntlm auth'
becomes an enum and a new setting is added to allow only MSCHAPv2.
Signed-off-by: Mantas Mikulėnas <mantas@utenos-kolegija.lt>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Diffstat (limited to 'source3/param')
| -rw-r--r-- | source3/param/loadparm.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 8f0cf5e6e03..ba3763e97d1 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -71,6 +71,7 @@ #include "../lib/util/bitmap.h" #include "librpc/gen_ndr/nbt.h" #include "source4/lib/tls/tls.h" +#include "libcli/auth/ntlm_check.h" #ifdef HAVE_SYS_SYSCTL_H #include <sys/sysctl.h> @@ -693,7 +694,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.client_lanman_auth = false; /* Do NOT use the LanMan hash if it is available */ Globals.client_plaintext_auth = false; /* Do NOT use a plaintext password even if is requested by the server */ Globals.lanman_auth = false; /* Do NOT use the LanMan hash, even if it is supplied */ - Globals.ntlm_auth = false; /* Do NOT use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */ + Globals.ntlm_auth = NTLM_AUTH_NTLMV2_ONLY; /* Do NOT use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */ Globals.raw_ntlmv2_auth = false; /* Reject NTLMv2 without NTLMSSP */ Globals.client_ntlmv2_auth = true; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */ /* Note, that we will also use NTLM2 session security (which is different), if it is available */ |