[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Tue Mar 29 03:33:02 UTC 2022


The branch, master has been updated
       via  d7a91a855c7 s4-auth: Remove last traces of LanMan authentiation support in the AD DC.
       via  86f7e4e6905 s4-auth: Only build auth_developer module in developer mode
       via  360bb864e9a s4-auth: Do not trigger RODC replication unless missing all passwords
       via  1884bc11f01 s4-auth: Remove unused acct_flags parameter
      from  14e7112734b waf: Document the confusing --nonshared-binary, --builtin-libraries, --private-libraries and --bundled-libraries

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d7a91a855c7edfb0e09c93cbe4c56df0437fa467
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Mar 25 12:18:01 2022 +1300

    s4-auth: Remove last traces of LanMan authentiation support in the AD DC.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Tue Mar 29 03:32:57 UTC 2022 on sn-devel-184

commit 86f7e4e69059e77c35f451919365685d909024af
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Mar 23 15:10:23 2022 +1300

    s4-auth: Only build auth_developer module in developer mode
    
    This is a silly module for provoking NTSTATUS replies for testing and
    was useful many moons ago for determining the NTSTATUS -> DOS table that
    windows uses.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 360bb864e9a958c395f841bdc8caf866f8dcb0e0
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Mar 16 16:27:54 2022 +1300

    s4-auth: Do not trigger RODC replication unless missing all passwords
    
    With the NT hash becoming optional we cannot make blind assumptions that
    a missing value means we are on an RODC needing the password replicated.
    
    Instead, check for supplementalCredentials as well.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 1884bc11f0115078113253d48be684c32cb3c5f9
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Mar 16 15:19:54 2022 +1300

    s4-auth: Remove unused acct_flags parameter
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                |  5 +++++
 docs-xml/smbdotconf/security/lanmanauth.xml |  4 ++++
 source4/auth/ntlm/auth_sam.c                | 15 +++++++--------
 source4/auth/ntlm/wscript_build             |  3 ++-
 4 files changed, 18 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index d23bede2da2..1bdf3a01cfb 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -66,6 +66,11 @@ server used as a front.
 REMOVED FEATURES
 ================
 
+LanMan Authentication and password storage removed from the AD DC
+-----------------------------------------------------------------
+
+The storage and authentication with LanMan passwords has been entirely
+removed from the Samba AD DC, even when "lanman auth = yes" is set.
 
 smb.conf changes
 ================
diff --git a/docs-xml/smbdotconf/security/lanmanauth.xml b/docs-xml/smbdotconf/security/lanmanauth.xml
index 842c12d9b64..045e89d94d6 100644
--- a/docs-xml/smbdotconf/security/lanmanauth.xml
+++ b/docs-xml/smbdotconf/security/lanmanauth.xml
@@ -45,6 +45,10 @@
     then only NTLMv2 logins will be permitted and no LM hash will be
     stored.  All modern clients support NTLMv2, and but some older
     clients require special configuration to use it.</para>
+
+    <para><emphasis>This parameter has no impact on the Samba AD DC,
+    LM authentication is always disabled and no LM password is ever
+    stored.</emphasis></para>
 </description>
 
 <value type="default">no</value>
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 60795c40723..14b6c707aa5 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -52,7 +52,6 @@ extern const char *domain_ref_attrs[];
 ****************************************************************************/
 static NTSTATUS authsam_password_ok(struct auth4_context *auth_context,
 				    TALLOC_CTX *mem_ctx,
-				    uint16_t acct_flags,
 				    const struct samr_Password *nt_pwd,
 				    const struct auth_usersupplied_info *user_info, 
 				    DATA_BLOB *user_sess_key, 
@@ -79,8 +78,8 @@ static NTSTATUS authsam_password_ok(struct auth4_context *auth_context,
 		*lm_sess_key = data_blob(NULL, 0);
 		*user_sess_key = data_blob(NULL, 0);
 		status = hash_password_check(mem_ctx, 
-					     lpcfg_lanman_auth(auth_context->lp_ctx),
-					     user_info->password.hash.lanman,
+					     false,
+					     NULL,
 					     user_info->password.hash.nt,
 					     user_info->mapped.account_name,
 					     NULL, nt_pwd);
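Review bot: The `false, NULL` pair now handed to hash_password_check is unexplained at the call site, so a later reader cannot tell from the code whether LanMan checking was switched off deliberately or by a lost lookup. A one-line comment above the call would settle it, e.g. `/* LanMan responses are never accepted on the AD DC, regardless of the "lanman auth" setting. */`. The `****` header comment that ends just above the first hunk would also be the place to state that the lanman hash in user_info is ignored by this function; that comment block and the body of authsam_password_ok both continue outside this hunk.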
@@ -207,7 +206,6 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
 						  TALLOC_CTX *mem_ctx,
 						  struct ldb_dn *domain_dn,
 						  struct ldb_message *msg,
-						  uint16_t acct_flags,
 						  const struct auth_usersupplied_info *user_info,
 						  DATA_BLOB *user_sess_key,
 						  DATA_BLOB *lm_sess_key,
@@ -222,6 +220,7 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
 	const char * const attrs[] = { "pwdHistoryLength", NULL };
 	struct ldb_message *dom_msg;
 	struct samr_Password *nt_pwd;
+	const struct ldb_val *sc_val;
 	bool am_rodc;
 
 	tmp_ctx = talloc_new(mem_ctx);
@@ -244,7 +243,9 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
 		return nt_status;
 	}
 
-	if (nt_pwd == NULL) {
+	sc_val = ldb_msg_find_ldb_val(msg, "supplementalCredentials");
+
+	if (nt_pwd == NULL && sc_val == NULL) {
 		if (samdb_rodc(auth_context->sam_ctx, &am_rodc) == LDB_SUCCESS && am_rodc) {
 			/*
 			 * we don't have passwords for this
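Review bot: The new guard treats any non-NULL `supplementalCredentials` value as proof that the account's secrets are present, but that reasoning lives only in the commit message, not in the code; a comment above the test would help, e.g. `/* An account whose secrets were replicated carries supplementalCredentials even when no NT hash is stored; only the absence of both suggests an RODC still awaiting the password. */`. Whether `sc_val` can ever be non-NULL depends on `supplementalCredentials` being requested by the search that produced `msg` in the caller; that attribute list is outside this hunk, and if it is not requested the check silently degrades to the old behaviour, so it is worth confirming. When `nt_pwd` is NULL but `sc_val` is set, control now falls through to authsam_password_ok with a NULL hash; from this hunk alone it is not visible that hash_password_check tolerates that, so confirm it fails cleanly rather than dereferencing. authsam_password_check_and_record starts and ends outside this hunk.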
@@ -273,7 +274,6 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
 	}
 
 	auth_status = authsam_password_ok(auth_context, tmp_ctx,
-					  acct_flags,
 					  nt_pwd,
 					  user_info,
 					  user_sess_key, lm_sess_key);
@@ -369,7 +369,6 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
 		}
 
 		auth_status = authsam_password_ok(auth_context, tmp_ctx,
-						  acct_flags,
 						  nt_history_pwd,
 						  user_info,
 						  user_sess_key,
@@ -551,7 +550,7 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
 	}
 
 	nt_status = authsam_password_check_and_record(auth_context, tmp_ctx,
-						      domain_dn, msg, acct_flags,
+						      domain_dn, msg,
 						      user_info,
 						      user_sess_key, lm_sess_key,
 						      authoritative);
diff --git a/source4/auth/ntlm/wscript_build b/source4/auth/ntlm/wscript_build
index 43c21ceb67f..f669ca90367 100644
--- a/source4/auth/ntlm/wscript_build
+++ b/source4/auth/ntlm/wscript_build
@@ -28,7 +28,8 @@ bld.SAMBA_MODULE('auth4_developer',
 	source='auth_developer.c',
 	subsystem='auth4',
 	init_function='auth4_developer_init',
-	deps='tevent'
+	deps='tevent',
+        enabled=bld.env.DEVELOPER_MODE
 	)
 
 
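Review bot: The added `enabled=bld.env.DEVELOPER_MODE` line is indented with eight spaces while every other line of the SAMBA_MODULE call uses a tab, so the argument list now mixes indentation styles. Indent it with a single tab, matching the `deps='tevent',` line directly above it. Python accepts either inside the parentheses, so this is a style point only.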

