From d0d266bbf79fac956ca5de0b48dfac08b6f18628 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Mon, 3 Jul 2017 14:11:47 +1200
Subject: param: Disable LanMan authentication unless NTLMv1 is also enabled

Signed-off-by: Andrew Bartlett
Reviewed-by: Garming Sam
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
---
docs-xml/smbdotconf/security/lanmanauth.xml | 1 +
docs-xml/smbdotconf/security/ntlmauth.xml | 3 +--
lib/param/loadparm.c | 16 ++++++++++++++++
source3/include/proto.h | 1 +
source3/param/loadparm.c | 18 +++++++++++++++++-
5 files changed, 36 insertions(+), 3 deletions(-)
diff --git a/docs-xml/smbdotconf/security/lanmanauth.xml b/docs-xml/smbdotconf/security/lanmanauth.xml
index 138a24f9f28..a9e4f88b89f 100644
--- a/docs-xml/smbdotconf/security/lanmanauth.xml
+++ b/docs-xml/smbdotconf/security/lanmanauth.xml
@@ -1,6 +1,7 @@ This parameter determines whether or not smbd
diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml
index 891da280760..fbb3d3fec06 100644
--- a/docs-xml/smbdotconf/security/ntlmauth.xml
+++ b/docs-xml/smbdotconf/security/ntlmauth.xml
@@ -7,8 +7,7 @@ This parameter determines whether or not smbd 8 will attempt to authenticate users using the NTLM encrypted password response.
- If disabled, either the lanman password hash or an NTLMv2 response
- will need to be sent by the client.
+ If disabled, NTLM and LanMan authencication is disabled server-wide.
  By default with lanman auth set to no and
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 9c93277c35e..a221e879d07 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3511,3 +3511,19 @@ int lpcfg_tdb_flags(struct loadparm_context *lp_ctx, int tdb_flags)
 	}
 	return tdb_flags;
 }
+
+/*
+ * Do not allow LanMan auth if unless NTLMv1 is also allowed
+ *
+ * This also ensures it is disabled if NTLM is totally disabled
+ */
+bool lpcfg_lanman_auth(struct loadparm_context *lp_ctx)
+{
+	enum ntlm_auth_level ntlm_auth_level = lpcfg_ntlm_auth(lp_ctx);
+
+	if (ntlm_auth_level == NTLM_AUTH_ON) {
+		return lpcfg__lanman_auth(lp_ctx);
+	} else {
+		return false;
+	}
+}
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 45841dca8ad..c8f6c282b68 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -879,6 +879,7 @@ int lp_cups_encrypt(void);
 bool lp_widelinks(int );
 int lp_rpc_low_port(void);
 int lp_rpc_high_port(void);
+bool lp_lanman_auth(void);
 int lp_wi_scan_global_parametrics( const char *regex, size_t max_matches,
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index ba3763e97d1..d5b1c56e21e 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -693,7 +693,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 	Globals.restrict_anonymous = 0;
 	Globals.client_lanman_auth = false; /* Do NOT use the LanMan hash if it is available */
 	Globals.client_plaintext_auth = false; /* Do NOT use a plaintext password even if is requested by the server */
-	Globals.lanman_auth = false; /* Do NOT use the LanMan hash, even if it is supplied */
+	Globals._lanman_auth = false; /* Do NOT use the LanMan hash, even if it is supplied */
 	Globals.ntlm_auth = NTLM_AUTH_NTLMV2_ONLY; /* Do NOT use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
 	Globals.raw_ntlmv2_auth = false; /* Reject NTLMv2 without NTLMSSP */
 	Globals.client_ntlmv2_auth = true; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
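Review bot: The new gate in lpcfg_lanman_auth() only holds if every consumer of the setting reads it through this wrapper; the raw generated accessor lpcfg__lanman_auth(lp_ctx) that the wrapper calls stays callable, and this commit touches no caller, so any remaining direct use of lpcfg__lanman_auth()/lp__lanman_auth() in the auth code would still accept LanMan responses under the default `ntlm auth = ntlmv2-only`. I can only see that init_globals now writes `Globals._lanman_auth`, not the parameter-table change that presumably gives the generated accessor its underscore, so the merge should be checked with a grep for both raw accessors. Two smaller points on the hunk itself: the header comment has a leftover word and should read `Do not allow LanMan auth unless NTLMv1 is also allowed`, and the if/else with two returns is clearer as `return ntlm_auth_level == NTLM_AUTH_ON && lpcfg__lanman_auth(lp_ctx);`. Because the check is applied silently at read time, an explicit `lanman auth = yes` with any other ntlm auth level is now inert without feedback; a one-time DEBUG warning when that combination is loaded would stop administrators from believing LanMan is enabled when it is not.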
@@ -4592,6 +4592,22 @@ int lp_rpc_high_port(void)
 	return Globals.rpc_high_port;
 }
 
+/*
+ * Do not allow LanMan auth if unless NTLMv1 is also allowed
+ *
+ * This also ensures it is disabled if NTLM is totally disabled
+ */
+bool lp_lanman_auth(void)
+{
+	enum ntlm_auth_level ntlm_auth_level = lp_ntlm_auth();
+
+	if (ntlm_auth_level == NTLM_AUTH_ON) {
+		return lp__lanman_auth();
+	} else {
+		return false;
+	}
+}
+
 struct loadparm_global * get_globals(void)
 {
 	return &Globals;
-- 
cgit v1.2.1
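Review bot: lp_lanman_auth() duplicates the policy of the lpcfg_lanman_auth() wrapper added to lib/param/loadparm.c in the same commit, so a later change to which ntlm_auth_level values may permit LanMan has to be made in two places and can drift; if the source3 side cannot delegate for lack of an lp_ctx, at least tie them together in the comment, `/* keep in sync with lpcfg_lanman_auth() in lib/param/loadparm.c */`. The comment's `if unless` should be `unless`, and the body collapses to `return ntlm_auth_level == NTLM_AUTH_ON && lp__lanman_auth();`. It is worth saying in the comment that the comparison is deliberately an equality against NTLM_AUTH_ON, so every other level, including any added later, fails closed and nobody "fixes" it into an inequality against a disabled level.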