param: Add new "disabled" value to "ntlm auth" to disable NTLM totally

author Andrew Bartlett <abartlet@samba.org>

Mon, 3 Jul 2017 02:16:50 +0000 (14:16 +1200)

committer Andrew Bartlett <abartlet@samba.org>

Tue, 4 Jul 2017 04:57:20 +0000 (06:57 +0200)
author Andrew Bartlett <abartlet@samba.org>
Mon, 3 Jul 2017 02:16:50 +0000 (14:16 +1200)
committer Andrew Bartlett <abartlet@samba.org>
Tue, 4 Jul 2017 04:57:20 +0000 (06:57 +0200)
diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml

index fbb3d3fec063fd76a3900182c9faa48ff426bd0c..88105e69ed5b096b7c97c010eef6e39f6e6a061c 100644 (file)
--- a/docs-xml/smbdotconf/security/ntlmauth.xml
+++ b/docs-xml/smbdotconf/security/ntlmauth.xml
@@ -40,6 +40,11 @@
              moreinfo="none">ntlm_auth</command> tool).</para>
          </listitem>
  
+        <listitem>
+          <para><constant>disabled</constant> - Do not allow NTLM (or
+          LanMan) authentication of any level as a server.</para>
+        </listitem>
+
      </itemizedlist>
  
      <para>The default changed from <constant>yes</constant> to
diff --git a/lib/param/param_table.c b/lib/param/param_table.c

index 4e9910dd083e49a520d7c22b612b6ce21e42f4af..f9052304bdac15a3329ad2d844bcafb216259ae7 100644 (file)
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -332,6 +332,7 @@ static const struct enum_list enum_mangled_names[] = {
  };
  
  static const struct enum_list enum_ntlm_auth[] = {
+       {NTLM_AUTH_DISABLED, "disabled"},
         {NTLM_AUTH_NTLMV2_ONLY, "ntlmv2-only"},
         {NTLM_AUTH_NTLMV2_ONLY, "no"},
         {NTLM_AUTH_NTLMV2_ONLY, "false"},
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c

index 8e8d100075a60456535a4622596d8c3c83e4de0f..3b02adc1d482a81ce29588ec3f756c1580ed113b 100644 (file)
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -296,6 +296,12 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
         DATA_BLOB tmp_sess_key;
         const char *upper_client_domain = NULL;
  
+       if (ntlm_auth == NTLM_AUTH_DISABLED) {
+               DBG_WARNING("ntlm_password_check: NTLM authentication not "
+                           "permitted by configuration.\n");
+               return NT_STATUS_NTLM_BLOCKED;
+       }
+
         if (client_domain != NULL) {
                 upper_client_domain = talloc_strdup_upper(mem_ctx, client_domain);
                 if (upper_client_domain == NULL) {
diff --git a/libcli/auth/ntlm_check.h b/libcli/auth/ntlm_check.h

index f1dc54a48474887a2673be9ad173a2b1ec708e01..86cab9b2d13a18a0c2088aa395162ea371dbe431 100644 (file)
--- a/libcli/auth/ntlm_check.h
+++ b/libcli/auth/ntlm_check.h
@@ -22,7 +22,7 @@
  #define __LIBCLI_AUTH_NTLM_CHECK_H__
  
  /* mangled names options */
-enum ntlm_auth_level {NTLM_AUTH_ON,
+enum ntlm_auth_level {NTLM_AUTH_DISABLED, NTLM_AUTH_ON,
                       NTLM_AUTH_NTLMV2_ONLY,
                       NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY};
author	Andrew Bartlett <abartlet@samba.org>
	Mon, 3 Jul 2017 02:16:50 +0000 (14:16 +1200)
committer	Andrew Bartlett <abartlet@samba.org>
	Tue, 4 Jul 2017 04:57:20 +0000 (06:57 +0200)
docs-xml/smbdotconf/security/ntlmauth.xml		patch \| blob \| history
lib/param/param_table.c		patch \| blob \| history
libcli/auth/ntlm_check.c		patch \| blob \| history
libcli/auth/ntlm_check.h		patch \| blob \| history