allow users to disable the NetWkstaUserLogon call in server level

security by changing a setting in local.h or adding it to their
Makefile. See comment in local.h
(This used to be commit cc10fdf7583ec644850445ad96afd8b22b71e86f)

diff --git a/source3/include/local.h b/source3/include/local.h
index 9a31032ee68ae73f969ad292112398280bd8e4fa..ca8d231dcd99ce71dda15b5d77cdb289cf639a2e 100644 (file)
--- a/source3/include/local.h
+++ b/source3/include/local.h
@@ -25,6 +25,16 @@
 */
 #define PRINTCAP_NAME "/etc/printcap"
 
+/* this affects server level security. With this set (recommended)
+   samba will do a full NetWkstaUserLogon to confirm that the client
+   really should have login rights. This can cause problems with
+   machines in trust relationships in which case you can disable it
+   here, but be warned, we have heard that some NT machines will then
+   allow anyone in with any password! Make sure you test it. */
+#ifndef USE_NETWKSTAUSERLOGON
+#define USE_NETWKSTAUSERLOGON 1
+#endif
+
 /* define what facility to use for syslog */
 #ifndef SYSLOG_FACILITY
 #define SYSLOG_FACILITY LOG_DAEMON

diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index 2176d5dafaa250384163b3d83ac6401cc3c22655..1c72f0cfa6e202a6da02d0abe58349443098b2bb 100644 (file)
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -1589,6 +1589,7 @@ BOOL server_validate(char *user, char *domain,
        }
 
 
+#if USE_NETWKSTAUSERLOGON
        if (!cli_NetWkstaUserLogon(&cli,user,local_machine)) {
                DEBUG(1,("password server %s failed NetWkstaUserLogon\n", cli.desthost));
                cli_tdis(&cli);
@@ -1608,6 +1609,7 @@ BOOL server_validate(char *user, char *domain,
                cli_tdis(&cli);
                return False;
        }
+#endif
 
        DEBUG(3,("password server %s accepted the password\n", cli.desthost));