From d2a473a7b7471937d1098a11258b875134ad702a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 31 Jan 2022 14:08:13 +1300 Subject: dsdb: Allow password history and password changes without an NT hash We now allow this to be via the ENCTYPE_AES256_CTS_HMAC_SHA1_96 hash instead which allows us to decouple Samba from the unsalted NT hash for organisations that are willing to take this step (for user accounts). (History checking is limited to the last three passwords only, as ntPwdHistory is limited to NT hash values, and the PrimaryKerberosCtr4 package only stores three sets of keys.) Since we don't store a salt per-key, but only a single salt, the check will fail for a previous password if the account was renamed prior to a newer password being set. Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Andrew Bartlett Signed-off-by: Stefan Metzmacher Reviewed-by: Stefan Metzmacher --- source3/param/loadparm.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/param') diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 2b6e0bb248c..43838575f3b 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -705,6 +705,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.client_plaintext_auth = false; /* Do NOT use a plaintext password even if is requested by the server */ Globals._lanman_auth = false; /* Do NOT use the LanMan hash, even if it is supplied */ Globals.ntlm_auth = NTLM_AUTH_NTLMV2_ONLY; /* Do NOT use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */ + Globals.nt_hash_store = NT_HASH_STORE_ALWAYS; /* Fill in NT hash when setting password */ Globals.raw_ntlmv2_auth = false; /* Reject NTLMv2 without NTLMSSP */ Globals.client_ntlmv2_auth = true; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */ /* Note, that we will also use NTLM2 session security (which is different), if it is available */ -- cgit v1.2.1