authorAndrew Bartlett <abartlet@samba.org>2017-07-03 14:11:47 +1200
committerAndrew Bartlett <abartlet@samba.org>2017-07-04 06:57:20 +0200
commitd0d266bbf79fac956ca5de0b48dfac08b6f18628 (patch)
treefa89526c2830abc2e2fc3aede769466bfc1dafde /source3/param
parent8b398a4d72a53b57e622afb4aeefa026b96c3d2a (diff)
param: Disable LanMan authentication unless NTLMv1 is also enabled
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
Diffstat (limited to 'source3/param')
-rw-r--r--source3/param/loadparm.c18
1 files changed, 17 insertions, 1 deletions
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index ba3763e97d1..d5b1c56e21e 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -693,7 +693,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.restrict_anonymous = 0;
Globals.client_lanman_auth = false; /* Do NOT use the LanMan hash if it is available */
Globals.client_plaintext_auth = false; /* Do NOT use a plaintext password even if is requested by the server */
- Globals.lanman_auth = false; /* Do NOT use the LanMan hash, even if it is supplied */
+ Globals._lanman_auth = false; /* Do NOT use the LanMan hash, even if it is supplied */
Globals.ntlm_auth = NTLM_AUTH_NTLMV2_ONLY; /* Do NOT use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
Globals.raw_ntlmv2_auth = false; /* Reject NTLMv2 without NTLMSSP */
Globals.client_ntlmv2_auth = true; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
@@ -4592,6 +4592,22 @@ int lp_rpc_high_port(void)
return Globals.rpc_high_port;
}
+/*
+ * Do not allow LanMan auth if unless NTLMv1 is also allowed
+ *
+ * This also ensures it is disabled if NTLM is totally disabled
+ */
+bool lp_lanman_auth(void)
+{
+ enum ntlm_auth_level ntlm_auth_level = lp_ntlm_auth();
+
+ if (ntlm_auth_level == NTLM_AUTH_ON) {
+ return lp__lanman_auth();
+ } else {
+ return false;
+ }
+}
+
struct loadparm_global * get_globals(void)
{
return &Globals;
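Review bot: The comment above `lp_lanman_auth()` reads "if unless" and never says that `lp__lanman_auth()` still returns the raw, ungated setting, so a later caller that uses the underscore accessor for an authentication decision would skip the NTLMv1 check without any hint that it is wrong. I would reword it to `/* LanMan auth is honoured only when "ntlm auth" is NTLM_AUTH_ON; use this wrapper, never lp__lanman_auth(), for auth decisions. */`. The equality test fails closed for every other level, including the `NTLM_AUTH_NTLMV2_ONLY` default set in the first hunk, and that is worth stating in the comment too. The diffstat here is limited to source3/param, so it is not visible whether the loadparm-context accessor in lib/param gets the same gate; that should be confirmed before relying on this as the only enforcement point. As a minor style point the body could be `return ntlm_auth_level == NTLM_AUTH_ON && lp__lanman_auth();`.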