Disable "ntlm auth" by default

Stefan Metzmacher metze at samba.org
Fri Jul 22 08:15:52 UTC 2016


Hi,

here're patches which change the default of the "ntlm auth"
option from yes to no.

Please review and push:-)

Thanks!
metze
-------------- next part --------------
From 0b2eaf747777753606a06474b8d42f1a0731b260 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 11 May 2016 23:09:53 +0200
Subject: [PATCH 1/7] s3:ntlm_auth: call fault_setup() in order to get useful
 backtraces

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/utils/ntlm_auth.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index ed6b2f4..05916d6 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -2308,6 +2308,7 @@ enum {
 	smb_init_locale();
 
 	setup_logging("ntlm_auth", DEBUG_STDERR);
+	fault_setup();
 
 	/* Parse options */
 
-- 
1.9.1


From d84b79248ffbd592fa37b657858809115c4f4bea Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 21 Jul 2016 19:41:57 +0200
Subject: [PATCH 2/7] s3:tests: add 'as user' to the test names in
 test_smbclient_auth.sh

We already have 'as anon'; having an indication for each case makes it
easier to mark some as knownfail.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/script/tests/test_smbclient_auth.sh | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/source3/script/tests/test_smbclient_auth.sh b/source3/script/tests/test_smbclient_auth.sh
index 1681772..e5a7984 100755
--- a/source3/script/tests/test_smbclient_auth.sh
+++ b/source3/script/tests/test_smbclient_auth.sh
@@ -27,18 +27,18 @@ echo "${SERVER_IP}" | grep -q ':.*:' && {
 	# we also try
 	# fd00-0000-0000-0000-0000-0000-5357-5f03.ipv6-literal.net
 	IPV6LITERAL=$(echo "${SERVER_IP}.ipv6-literal.net" | sed -e 's!:!-!g' -e 's!%!s!')
-	testit "smbclient //${IPV6LITERAL}/tmpguest" $SMBCLIENT //${IPV6LITERAL}/tmpguest $CONFIGURATION -U$USERNAME%$PASSWORD -c quit $ADDARGS
-	testit "smbclient //${IPV6LITERAL}./tmpguest" $SMBCLIENT //${IPV6LITERAL}./tmpguest $CONFIGURATION -U$USERNAME%$PASSWORD -c quit $ADDARGS
+	testit "smbclient //${IPV6LITERAL}/tmpguest as user" $SMBCLIENT //${IPV6LITERAL}/tmpguest $CONFIGURATION -U$USERNAME%$PASSWORD -c quit $ADDARGS
+	testit "smbclient //${IPV6LITERAL}./tmpguest as user" $SMBCLIENT //${IPV6LITERAL}./tmpguest $CONFIGURATION -U$USERNAME%$PASSWORD -c quit $ADDARGS
 }
-testit "smbclient //${SERVER_IP}/tmpguest" $SMBCLIENT //${SERVER_IP}/tmpguest $CONFIGURATION -U$USERNAME%$PASSWORD -p 139 -c quit $ADDARGS
+testit "smbclient //${SERVER_IP}/tmpguest as user" $SMBCLIENT //${SERVER_IP}/tmpguest $CONFIGURATION -U$USERNAME%$PASSWORD -p 139 -c quit $ADDARGS
 
-testit "smbclient //$SERVER/guestonly" $SMBCLIENT //$SERVER/guestonly $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
+testit "smbclient //$SERVER/guestonly as user" $SMBCLIENT //$SERVER/guestonly $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
 testit "smbclient //$SERVER/guestonly as anon" $SMBCLIENT //$SERVER/guestonly $CONFIGURATION -U% -I $SERVER_IP -p 139 -c quit $ADDARGS
-testit "smbclient //$SERVER/tmpguest" $SMBCLIENT //$SERVER/tmpguest $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
+testit "smbclient //$SERVER/tmpguest as user" $SMBCLIENT //$SERVER/tmpguest $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
 testit "smbclient //$SERVER/tmpguest as anon" $SMBCLIENT //$SERVER/tmpguest $CONFIGURATION -U% -I $SERVER_IP -p 139 -c quit $ADDARGS
-testit "smbclient //$SERVER/forceuser" $SMBCLIENT //$SERVER/forceuser $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
+testit "smbclient //$SERVER/forceuser as user" $SMBCLIENT //$SERVER/forceuser $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
 testit "smbclient //$SERVER/forceuser as anon" $SMBCLIENT //$SERVER/forceuser $CONFIGURATION -U% -I $SERVER_IP -p 139 -c quit $ADDARGS
-testit "smbclient //$SERVER/forceuser_unixonly" $SMBCLIENT //$SERVER/forceuser_unixonly $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
-testit "smbclient //$SERVER/forceuser_wkngroup" $SMBCLIENT //$SERVER/forceuser_wkngroup $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
-testit "smbclient //$SERVER/forcegroup" $SMBCLIENT //$SERVER/forcegroup $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
+testit "smbclient //$SERVER/forceuser_unixonly as user" $SMBCLIENT //$SERVER/forceuser_unixonly $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
+testit "smbclient //$SERVER/forceuser_wkngroup as user" $SMBCLIENT //$SERVER/forceuser_wkngroup $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
+testit "smbclient //$SERVER/forcegroup as user" $SMBCLIENT //$SERVER/forcegroup $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
 testit "smbclient //$SERVER/forcegroup as anon" $SMBCLIENT //$SERVER/forcegroup $CONFIGURATION -U% -I $SERVER_IP -p 139 -c quit $ADDARGS
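Review bot: the rename is applied consistently across the hunk (every -U$USERNAME%$PASSWORD invocation gains 'as user', mirroring the existing 'as anon' labels), but since these strings become part of the subunit test names, any existing knownfail or flapping patterns written against the old names (for example one ending right after 'smbclient //$SERVER/tmpguest') would need re-checking; a grep of selftest/knownfail and selftest/flapping for smbclient_auth before pushing would confirm nothing silently stops matching.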
-- 
1.9.1


From 8229fb10c8f8aa0421a8a83a5fcded9b460969d1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 21 Jul 2016 19:45:04 +0200
Subject: [PATCH 3/7] s3:selftest: run smbclient_auth with a few more
 combinations

E.g. we try lanman, ntlmv1 and ntlmv2 authentication.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/selftest/tests.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 7538f12..4736ebc 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -126,7 +126,7 @@ plantestsuite("samba.vfstest.xattr-tdb-1", "nt4_dc:local", [os.path.join(samba3s
 plantestsuite("samba.vfstest.acl", "nt4_dc:local", [os.path.join(samba3srcdir, "script/tests/vfstest-acl/run.sh"), binpath("vfstest"), "$PREFIX", configuration])
 plantestsuite("samba.vfstest.catia", "nt4_dc:local", [os.path.join(samba3srcdir, "script/tests/vfstest-catia/run.sh"), binpath("vfstest"), "$PREFIX", configuration])
 
-for options in ["--option=clientusespnego=no", " --option=clientntlmv2auth=no --option=clientlanmanauth=yes --max-protocol=LANMAN2", "--option=clientntlmv2auth=no --option=clientlanmanauth=yes --option=clientmaxprotocol=NT1", ""]:
+for options in ["", "--option=clientntlmv2auth=no", "--option=clientusespnego=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", "--option=clientntlmv2auth=no --option=clientlanmanauth=yes --max-protocol=LANMAN2", "--option=clientntlmv2auth=no --option=clientlanmanauth=yes --option=clientmaxprotocol=NT1"]:
     env = "nt4_dc"
     plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options])
 
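Review bot: the new list drops the stray leading space of the former second entry and adds two NTLMv1 combinations ('--option=clientntlmv2auth=no' with and without SPNEGO); these now exercise NTLMv1 acceptance against nt4_dc, which keeps passing only because the server default is still 'yes' at this point in the series and 4/7 pins 'ntlm auth = yes' for nt4_dc before 5/7 flips the default. Stating that dependency in the commit message would keep the ordering from being broken by a later rebase.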
@@ -134,9 +134,10 @@ for env in ["nt4_dc", "nt4_member", "ad_member", "ad_dc", "ad_dc_ntvfs", "s4memb
     plantestsuite("samba3.blackbox.smbclient_machine_auth.plain (%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_machine_auth.sh"), '$SERVER', smbclient3, configuration])
     plantestsuite("samba3.blackbox.smbclient_ntlm.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_ntlm.sh"), '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', "never", smbclient3, configuration])
 
-for env in ["nt4_dc", "nt4_member", "ad_member"]:
-    plantestsuite("samba3.blackbox.smbclient_auth.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration])
-    plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) member creds" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$SERVER/$USERNAME', '$PASSWORD', smbclient3, configuration])
+for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", ""]:
+    for env in ["nt4_member", "ad_member"]:
+        plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options])
+        plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s member creds" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$SERVER/$USERNAME', '$PASSWORD', smbclient3, configuration, options])
 
 env="nt4_dc"
 plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) ipv6" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IPV6', '$SERVER/$USERNAME', '$PASSWORD', smbclient3, configuration])
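Review bot: with options == "" the format "%s %s" leaves a trailing space in the suite name ("... (nt4_member) "), same as the existing nt4_dc loop above; harmless for the knownfail regexes because they end in '.*', but a .strip() on the formatted name (or putting the options in parentheses) would keep the names tidy. The member loop also deliberately omits the standalone '--option=clientusespnego=no' case that the nt4_dc loop has; if that is because the member environments do not set 'raw NTLMv2 auth = yes' the way setup_nt4_dc does, a one-line comment would save the next reader the question.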
-- 
1.9.1


From 708bc3bdb0553e82591d9c325820b873c632f30a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 21 Jul 2016 09:26:27 +0200
Subject: [PATCH 4/7] selftest: set "ntlm auth = yes" for now as a lot of tests
 rely on it

In future we should use a mix of environments, some of which support ntlmv1
and some which don't.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 selftest/target/Samba3.pm | 5 +++++
 selftest/target/Samba4.pm | 1 +
 2 files changed, 6 insertions(+)

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index f5f4c0c..46dfc29 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -213,6 +213,7 @@ sub setup_nt4_dc($$)
 	domain master = yes
 	domain logons = yes
 	lanman auth = yes
+	ntlm auth = yes
 	raw NTLMv2 auth = yes
 
 	rpc_server:epmapper = external
@@ -315,6 +316,7 @@ sub setup_nt4_member($$$)
 	my $member_options = "
 	security = domain
 	dbwrap_tdb_mutexes:* = yes
+	ntlm auth = yes
 	${require_mutexes}
 ";
 	my $ret = $self->provision($prefix,
@@ -381,6 +383,7 @@ sub setup_admember($$$$)
         workgroup = $dcvars->{DOMAIN}
         realm = $dcvars->{REALM}
         netbios aliases = foo bar
+	ntlm auth = yes
 ";
 
 	my $ret = $self->provision($prefix,
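Review bot: indentation is inconsistent in this hunk: the surrounding admember options (workgroup, realm, netbios aliases) are indented with spaces while the added 'ntlm auth = yes' uses a tab. smb.conf parsing does not care, but matching the neighbouring lines keeps the generated config readable in the selftest logs.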
@@ -550,6 +553,7 @@ sub setup_simpleserver($$)
 
 	my $simpleserver_options = "
 	lanman auth = yes
+	ntlm auth = yes
 	vfs objects = xattr_tdb streams_depot time_audit full_audit
 	change notify = no
 
@@ -842,6 +846,7 @@ sub setup_maptoguest($$)
 
 	my $options = "
 map to guest = bad user
+ntlm auth = yes
 ";
 
 	my $vars = $self->provision($path,
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index b09bb66..51630fe 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -574,6 +574,7 @@ sub provision_raw_step1($$)
 	log file = $ctx->{logdir}/log.\%m
 	log level = $ctx->{server_loglevel}
 	lanman auth = Yes
+	ntlm auth = Yes
 	rndc command = true
 	dns update command = $ctx->{samba_dnsupdate}
 	spn update command = $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_spnupdate -s $ctx->{smb_conf}
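Review bot: after this hunk every Samba4.pm-provisioned environment (all the ad_dc variants) forces 'ntlm auth = Yes', so once 5/7 lands nothing in the AD DC environments exercises the new default. The commit message already names a mix of environments as the goal; a TODO comment next to this line (and the matching 'lanman auth = Yes' above it) would make the intentional override visible to whoever next edits the provisioning.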
-- 
1.9.1


From c17bd80262c907755361b5e0908781bc5b0a7532 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 15 Mar 2016 21:59:42 +0100
Subject: [PATCH 5/7] docs-xml:smbdotconf: default "ntlm auth" to "no"

https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 docs-xml/smbdotconf/security/ntlmauth.xml | 8 ++++++--
 lib/param/loadparm.c                      | 2 +-
 source3/param/loadparm.c                  | 2 +-
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml
index 6af1908..5dcb569 100644
--- a/docs-xml/smbdotconf/security/ntlmauth.xml
+++ b/docs-xml/smbdotconf/security/ntlmauth.xml
@@ -12,8 +12,12 @@
     <para>If this option, and <command moreinfo="none">lanman
     auth</command> are both disabled, then only NTLMv2 logins will be
     permited.  Not all clients support NTLMv2, and most will require
-	special configuration to use it.</para>
+    special configuration to use it.</para>
+
+    <para>The default changed from "yes" to "no" with Samba 4.5.</para>
 </description>
 
-<value type="default">yes</value>
+<related>lanman auth</related>
+<related>raw NTLMv2 auth</related>
+<value type="default">no</value>
 </samba:parameter>
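Review bot: the pre-existing typo 'permited' in the context line directly above the re-indented line is worth fixing while that paragraph is being touched anyway. More importantly, 'Not all clients support NTLMv2, and most will require special configuration to use it' now sits next to a default that assumes NTLMv2 support; consider rewording it to say that clients lacking NTLMv2 will need 'ntlm auth = yes' set explicitly, so an administrator reading the man page sees the remediation alongside the risk.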
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 515ed05..c25ef5a 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2630,7 +2630,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter(lp_ctx, "ClientLanManAuth", "False");
 	lpcfg_do_global_parameter(lp_ctx, "ClientNTLMv2Auth", "True");
 	lpcfg_do_global_parameter(lp_ctx, "LanmanAuth", "False");
-	lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "True");
+	lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "False");
 	lpcfg_do_global_parameter(lp_ctx, "RawNTLMv2Auth", "False");
 	lpcfg_do_global_parameter(lp_ctx, "client use spnego principal", "False");
 
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index df700bc..474f5a5 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -690,7 +690,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 	Globals.client_lanman_auth = false;	/* Do NOT use the LanMan hash if it is available */
 	Globals.client_plaintext_auth = false;	/* Do NOT use a plaintext password even if is requested by the server */
 	Globals.lanman_auth = false;	/* Do NOT use the LanMan hash, even if it is supplied */
-	Globals.ntlm_auth = true;	/* Do use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
+	Globals.ntlm_auth = false;	/* Do NOT use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
 	Globals.raw_ntlmv2_auth = false; /* Reject NTLMv2 without NTLMSSP */
 	Globals.client_ntlmv2_auth = true; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
 	/* Note, that we will also use NTLM2 session security (which is different), if it is available */
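Review bot: the updated comment '/* Do NOT use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */' carries over the parenthetical from the old 'true' case, where it meant 'fall back to NTLMv2'. With the default now false there is no fallback: an NTLMv1 response is rejected. Suggest '/* Reject NTLMv1 responses; only NTLMv2 is accepted by default */' so the comment matches the behaviour. Both default tables (lib/param and source3/param) now agree on False, which is the part that matters.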
-- 
1.9.1


From 2afcbcd8be01b3107297a112410c4fa9817bcd61 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 21 Jul 2016 19:50:36 +0200
Subject: [PATCH 6/7] selftest: don't allow ntlmv1 for 'nt4_member' and
 'ad_member'

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 selftest/knownfail        | 3 ++-
 selftest/target/Samba3.pm | 2 --
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/selftest/knownfail b/selftest/knownfail
index 1a92a5d..397e53c 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -282,6 +282,7 @@
 # ad_dc requires signing
 #
 ^samba4.smb.signing.*disabled.*signing=off.*\(ad_dc\)
-
 # fl2000dc doesn't support AES
 ^samba4.krb5.kdc.*as-req-aes.*fl2000dc
+# nt4_member and ad_member don't support ntlmv1
+^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.member.creds.*as.user
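Review bot: the removal of the blank line before '# fl2000dc doesn't support AES' is unrelated whitespace churn and should be dropped from this commit. On the new pattern: it lists only the 'member.creds' runs with clientntlmv2auth=no; a comment explaining why the DC-credential runs from the same loop are expected to keep passing (the member server forwards those to a DC that still has 'ntlm auth = yes' per 4/7) would record the expectation instead of leaving a future reader to rediscover it. The unescaped '.' in 'as.user' and 'member.creds' follows the existing entries, so that is fine.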
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 46dfc29..eada999 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -316,7 +316,6 @@ sub setup_nt4_member($$$)
 	my $member_options = "
 	security = domain
 	dbwrap_tdb_mutexes:* = yes
-	ntlm auth = yes
 	${require_mutexes}
 ";
 	my $ret = $self->provision($prefix,
@@ -383,7 +382,6 @@ sub setup_admember($$$$)
         workgroup = $dcvars->{DOMAIN}
         realm = $dcvars->{REALM}
         netbios aliases = foo bar
-	ntlm auth = yes
 ";
 
 	my $ret = $self->provision($prefix,
-- 
1.9.1


From 9a7dd069c270c221d2e12c324c7ed412e82b68c2 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 21 Jul 2016 20:04:10 +0200
Subject: [PATCH 7/7] WHATSNEW: the default for "ntlm auth" is "no"

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 WHATSNEW.txt | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 6c86795..8eb16ba 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -12,7 +12,17 @@ Samba 4.5 will be the next version of the Samba suite.
 UPGRADING
 =========
 
-Nothing special.
+NTLMv1 authentication disabled by default
+-----------------------------------------
+
+In order to improve security we have changed
+the default value for the "ntlm auth" option from
+"yes" to "no". This may have impact on very old
+client which doesn't support NTLMv2 yet.
+
+By default Samba will only allow NTLMv2 via NTLMSSP now,
+as we have the following default "lanman auth = no",
+"ntlm auth = no" and "raw NTLMv2 auth = no".
 
 
 NEW FEATURES/CHANGES
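Review bot: the new UPGRADING text needs a grammar pass: 'This may have impact on very old client which doesn't support NTLMv2 yet' should read 'This may impact very old clients that do not support NTLMv2 yet', and 'as we have the following default "lanman auth = no", "ntlm auth = no" and "raw NTLMv2 auth = no"' reads better as 'as the defaults are now "lanman auth = no", "ntlm auth = no" and "raw NTLMv2 auth = no"'. It would also help administrators to state the remediation explicitly: set 'ntlm auth = yes' in the [global] section to restore the previous behaviour, and only as a stopgap for clients that cannot be updated to NTLMv2.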
@@ -141,6 +151,7 @@ smb.conf changes
 
   Parameter Name		Description		Default
   --------------		-----------		-------
+  ntlm auth			Changed default 	no
   only user			Removed
   username			Removed
   kccsrv:samba_kcc		Changed default		true
-- 
1.9.1
