auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and re-factor 'ntlm auth ='
authorAndrew Bartlett <abartlet@samba.org>
Mon, 3 Jul 2017 00:11:51 +0000 (12:11 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 4 Jul 2017 04:57:20 +0000 (06:57 +0200)
commitd139d77ae3dbc490525ac94f46276d790bc2d879
treece71e9a10795feaa8df7e66002a52f8ad529124b
parent353de79af2888afedaf54aa3c16bc2f1c470271a
auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and re-factor 'ntlm auth ='

The ntlm auth parameter is expanded to more clearly describe the
role of each option, and to allow the new mode that permits MSCHAPv2
(as declared by the client over the NETLOGON protocol) while
still banning NTLMv1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Based on a patch by Mantas Mikul─Śnas <mantas@utenos-kolegija.lt>:

Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth")
added the --allow-mschapv2 option, but didn't implement checking for it
server-side. This implements such checking.

Additionally, Samba now disables NTLMv1 authentication by default for
security reasons. To avoid having to re-enable it globally, 'ntlm auth'
becomes an enum and a new setting is added to allow only MSCHAPv2.

Signed-off-by: Mantas Mikul─Śnas <mantas@utenos-kolegija.lt>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
docs-xml/smbdotconf/security/ntlmauth.xml
lib/param/loadparm.c
lib/param/param_table.c
libcli/auth/ntlm_check.c
libcli/auth/ntlm_check.h
source3/param/loadparm.c