samr: Disable NTLM-based password changes on the server if NTLM is disabled

Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
author: Andrew Bartlett <abartlet@samba.org> 2017-07-03 14:39:09 +1200
committer: Andrew Bartlett <abartlet@samba.org> 2017-07-04 06:57:21 +0200
commit: fca8536a827bff142290bf736d3294116fefebb1 (patch)
tree: a51046fdd270e8c1dbe085bd57a52ef4e7b21233 /source3/rpc_server
parent: 831861ecf910504eecab30a7e132f0fa210ed212 (diff)
download: samba-fca8536a827bff142290bf736d3294116fefebb1.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/source3/rpc_server/samr/srv_samr_chgpasswd.c b/source3/rpc_server/samr/srv_samr_chgpasswd.c
index ab9e92ace78..87a3f32ff13 100644
--- a/source3/rpc_server/samr/srv_samr_chgpasswd.c
+++ b/source3/rpc_server/samr/srv_samr_chgpasswd.c
@@ -683,6 +683,14 @@ static NTSTATUS check_oem_password(const char *user,
 
 	bool nt_pass_set = (password_encrypted_with_nt_hash && old_nt_hash_encrypted);
 	bool lm_pass_set = (password_encrypted_with_lm_hash && old_lm_hash_encrypted);
+	enum ntlm_auth_level ntlm_auth_level = lp_ntlm_auth();
+
+	/* this call should be disabled without NTLM auth */
+	if (ntlm_auth_level == NTLM_AUTH_DISABLED) {
+		DBG_WARNING("NTLM password changes not"
+			    "permitted by configuration.\n");
+		return NT_STATUS_NTLM_BLOCKED;
+	}
 
 	acct_ctrl = pdb_get_acct_ctrl(sampass);
 #if 0
author	Andrew Bartlett <abartlet@samba.org>	2017-07-03 14:39:09 +1200
committer	Andrew Bartlett <abartlet@samba.org>	2017-07-04 06:57:21 +0200
commit	fca8536a827bff142290bf736d3294116fefebb1 (patch)
tree	a51046fdd270e8c1dbe085bd57a52ef4e7b21233 /source3/rpc_server
parent	831861ecf910504eecab30a7e132f0fa210ed212 (diff)
download	samba-fca8536a827bff142290bf736d3294116fefebb1.tar.gz