Late security improvements and my work queue

Andrew Bartlett abartlet at samba.org
Mon Jul 3 04:40:11 UTC 2017


On Fri, 2017-06-30 at 23:11 +1200, Andrew Bartlett via samba-technical
wrote:
> Just a heads-up, that if I ever get free of ldb locking, I want to
> try
> and:
>  - enforce a setting of restrict anonymous = 2 on the AD DC
>    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12775

I've not managed this one yet, and it can still be set manually.

>  - disable the s3 netlogon server when we are not a DC
>  - add a way to disable NTLM entirely
>    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923

Attached are patches (without tests yet) for this.  Please comment. 

It should be compatible with FreeIPA's use case; it only changes the
default, and the FreeIPA server still appears to be a PDC for the
schannel case.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba



-------------- next part --------------
From f82e51424f073ccd9a6a04fc8084393569823a4c Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Mon, 3 Jul 2017 11:28:06 +1200
Subject: [PATCH 1/6] s3-rpc_server: Disable the NETLOGON server by default

The NETLOGON server is only needed when the classic/NT4 DC is enabled
and has been the source of security issues in the past.  Therefore
reduce the attack surface.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12870
---
 source3/rpc_server/rpc_config.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/source3/rpc_server/rpc_config.c b/source3/rpc_server/rpc_config.c
index 23c6f88eac4..01e338e1a89 100644
--- a/source3/rpc_server/rpc_config.c
+++ b/source3/rpc_server/rpc_config.c
@@ -96,6 +96,7 @@ struct rpc_daemon_defaults {
 	const char *def_type;
 } rpc_daemon_defaults[] = {
 	{ "epmd", "disabled" },
+	{ "netlogon", "disabled" },
 	/* { "spoolssd", "embedded" }, */
 	/* { "lsasd", "embedded" }, */
 	{ "fssd", "disabled" },
@@ -109,7 +110,8 @@ enum rpc_daemon_type_e rpc_daemon_type(const char *name)
 	enum rpc_daemon_type_e type;
 	const char *def;
 	int i;
-
+	enum server_role server_role = lp_server_role();
+	
 	def = "embedded";
 	for (i = 0; rpc_daemon_defaults[i].name; i++) {
 		if (strcasecmp_m(name, rpc_daemon_defaults[i].name) == 0) {
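Review bot: the line added directly after the new `server_role` declaration contains only a tab where the removed line was empty; drop the trailing whitespace so the blank line stays blank (git am will otherwise flag it).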
@@ -117,6 +119,16 @@ enum rpc_daemon_type_e rpc_daemon_type(const char *name)
 		}
 	}
 
+	/*
+	 * Only enable the netlogon server by default if we are a
+	 * classic/NT4 domain controller
+	 */
+	if ((strcasecmp_m(name, "netlogon") == 0) &&
+	    (server_role == ROLE_DOMAIN_BDC ||
+	     server_role == ROLE_DOMAIN_PDC)) {
+		def = "embedded";
+	}
+
 	rpcsrv_type = lp_parm_const_string(GLOBAL_SECTION_SNUM,
 					   "rpc_daemon", name, def);
 
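Review bot: the override re-enables the embedded netlogon server only for ROLE_DOMAIN_BDC and ROLE_DOMAIN_PDC, so an AD DC keeps the table default of "disabled" for the source3 netlogon server; say in the comment that this is intentional (the AD DC serves NETLOGON from the source4 RPC server) so a later reader does not widen the check. It is also worth a sentence that an explicit `rpc_daemon:netlogon` setting still wins, since `lp_parm_const_string()` only uses `def` as the fallback, so the change alters the default rather than removing administrator control.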
-- 
2.11.0


From 159769929107f25bb23491bcc4154d151ff16006 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Mon, 3 Jul 2017 13:10:35 +1200
Subject: [PATCH 2/6] auth: Disable SChannel authentication if we are not a DC

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12870
---
 auth/gensec/schannel.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
index 41f635182cf..c018ec608de 100644
--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
@@ -34,6 +34,7 @@
 #include "param/param.h"
 #include "auth/gensec/gensec_toplevel_proto.h"
 #include "lib/crypto/crypto.h"
+#include "libds/common/roles.h"
 
 struct schannel_state {
 	struct gensec_security *gensec;
@@ -723,9 +724,23 @@ static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
 	return NT_STATUS_OK;
 }
 
+/* 
+ * Reduce the attack surface by ensuring schannel is not availble when
+ * we are not a DC 
+ */
 static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
 {
-	return NT_STATUS_OK;
+	enum server_role server_role
+		= lpcfg_server_role(gensec_security->settings->lp_ctx);
+
+	switch (server_role) {
+	case ROLE_DOMAIN_BDC:
+	case ROLE_DOMAIN_PDC:
+	case ROLE_ACTIVE_DIRECTORY_DC:
+		return NT_STATUS_OK;
+	default:
+		return NT_STATUS_NOT_IMPLEMENTED;
+	}
 }
 
 static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
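Review bot: the added comment has a typo ("availble" should be "available") and trailing whitespace on the `/* ` and `we are not a DC ` lines. Consider also logging at DBG_NOTICE or similar before returning NT_STATUS_NOT_IMPLEMENTED, so that a member server that unexpectedly receives schannel binds after this change leaves a trace of why they now fail; the silent status code alone will be hard for administrators to diagnose.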
-- 
2.11.0


From 0ef28e97398ba2beefc63f399b34b2c311dd8058 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Mon, 3 Jul 2017 12:11:51 +1200
Subject: [PATCH 3/6] auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and
 re-factor 'ntlm auth ='
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The ntlm auth parameter is expanded to more clearly describe the
role of each option, and to allow the new mode that permits MSCHAPv2
(as declared by the client over the NETLOGON protocol) while
still banning NTLMv1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252
Signed-off-by: Andrew Bartlett <abartlet at samba.org>

Based on a patch by Mantas Mikulėnas <mantas at utenos-kolegija.lt>:

Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth")
added the --allow-mschapv2 option, but didn't implement checking for it
server-side. This implements such checking.

Additionally, Samba now disables NTLMv1 authentication by default for
security reasons. To avoid having to re-enable it globally, 'ntlm auth'
becomes an enum and a new setting is added to allow only MSCHAPv2.

Signed-off-by: Mantas Mikulėnas <mantas at utenos-kolegija.lt>
---
 docs-xml/smbdotconf/security/ntlmauth.xml | 43 ++++++++++++++++++++++++++-----
 lib/param/loadparm.c                      |  2 +-
 lib/param/param_table.c                   | 14 ++++++++++
 libcli/auth/ntlm_check.c                  |  5 ++--
 libcli/auth/ntlm_check.h                  | 12 ++++++++-
 source3/param/loadparm.c                  |  2 +-
 6 files changed, 66 insertions(+), 12 deletions(-)

diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml
index 884ee9dbf1a..b935bb0a37e 100644
--- a/docs-xml/smbdotconf/security/ntlmauth.xml
+++ b/docs-xml/smbdotconf/security/ntlmauth.xml
@@ -1,6 +1,7 @@
 <samba:parameter name="ntlm auth"
                  context="G"
-                 type="boolean"
+                 type="enum"
+                 enumlist="enum_ntlm_auth"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
@@ -9,17 +10,45 @@
     If disabled, either the lanman password hash or an NTLMv2 response
     will need to be sent by the client.</para>
 
-    <para>If this option, and <command moreinfo="none">lanman
-    auth</command> are both disabled, then only NTLMv2 logins will be
-    permited.  Not all clients support NTLMv2, and most will require
-    special configuration to use it.</para>
+    <para>By default with <command moreinfo="none">lanman 
+    auth</command> set to <constant>no</constant> and
+    <command moreinfo="none">ntlm auth</command> set to
+    <constant>ntlmv2-only</constant> only NTLMv2 logins will be
+    permited.  Most clients support NTLMv2 by default, but some older
+    clients will require special configuration to use it.</para>
 
     <para>The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.</para>
 
-    <para>The default changed from "yes" to "no" with Samba 4.5.</para>
+    <para>The available settings are:</para>
+
+    <itemizedlist>
+        <listitem>
+          <para><constant>ntlmv1-permitted</constant> 
+	  (alias <constant>yes</constant>) - Allow NTLMv1 and above for all clients.</para>
+	  
+        </listitem>
+
+        <listitem>
+          <para><constant>ntlmv2-only</constant> 
+	  (alias <constant>no</constant>) - Do not allow NTLMv1 to be used, 
+	  but permit NTLMv2.</para>
+        </listitem>
+
+        <listitem>
+            <para><constant>mschapv2-and-ntlmv2-only</constant> - Only 
+            allow NTLMv1 when the client promises that it is providing 
+            MSCHAPv2 authentication (such as the <command
+            moreinfo="none">ntlm_auth</command> tool).</para>
+        </listitem>
+	
+    </itemizedlist>
+
+    <para>The default changed from <constant>yes</constant> to
+    <constant>no</constant> with Samba 4.5. The default with Samba 4.7 is
+    <constant>ntlmv2-only</constant>with the same behvaiour.</para>
 </description>
 
 <related>lanman auth</related>
 <related>raw NTLMv2 auth</related>
-<value type="default">no</value>
+<value type="default">ntlmv2-only</value>
 </samba:parameter>
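Review bot: several typos in the added documentation text: "permited" (carried over from the removed paragraph) should be "permitted", "behvaiour" should be "behaviour", and `<constant>ntlmv2-only</constant>with` is missing a space before "with". Several of the added lines (the `lanman ` line, the two `<constant>` list-item lines and the line before `</itemizedlist>`) also carry trailing whitespace.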
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 3ceea50b279..544e57b98df 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2709,7 +2709,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter(lp_ctx, "ClientLanManAuth", "False");
 	lpcfg_do_global_parameter(lp_ctx, "ClientNTLMv2Auth", "True");
 	lpcfg_do_global_parameter(lp_ctx, "LanmanAuth", "False");
-	lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "False");
+	lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "ntlmv2-only");
 	lpcfg_do_global_parameter(lp_ctx, "RawNTLMv2Auth", "False");
 	lpcfg_do_global_parameter(lp_ctx, "client use spnego principal", "False");
 
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 21cac107647..4e9910dd083 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -31,6 +31,7 @@
 #include "lib/param/param.h"
 #include "lib/param/loadparm.h"
 #include "lib/param/param_global.h"
+#include "libcli/auth/ntlm_check.h"
 #include "libcli/smb/smb_constants.h"
 #include "libds/common/roles.h"
 #include "source4/lib/tls/tls.h"
@@ -330,6 +331,19 @@ static const struct enum_list enum_mangled_names[] = {
 	{-1, NULL}
 };
 
+static const struct enum_list enum_ntlm_auth[] = {
+	{NTLM_AUTH_NTLMV2_ONLY, "ntlmv2-only"},
+	{NTLM_AUTH_NTLMV2_ONLY, "no"},
+	{NTLM_AUTH_NTLMV2_ONLY, "false"},
+	{NTLM_AUTH_NTLMV2_ONLY, "0"},
+	{NTLM_AUTH_ON, "ntlmv1-permitted"},
+	{NTLM_AUTH_ON, "yes"},
+	{NTLM_AUTH_ON, "true"},
+	{NTLM_AUTH_ON, "1"},
+	{NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY, "mschapv2-and-ntlmv2-only"},
+	{-1, NULL}
+};
+
 /* Note: We do not initialise the defaults union - it is not allowed in ANSI C
  *
  * NOTE: Handling of duplicated (synonym) parameters:
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index d7fba34cdba..8e8d100075a 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -280,7 +280,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
 
 NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 			     bool lanman_auth,
-			     bool ntlm_auth,
+			     enum ntlm_auth_level ntlm_auth,
 			     uint32_t logon_parameters,
 			     const DATA_BLOB *challenge,
 			     const DATA_BLOB *lm_response,
@@ -397,7 +397,8 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 			DEBUG(3,("ntlm_password_check: NTLMv2 password check failed\n"));
 		}
 	} else if (nt_response->length == 24 && stored_nt) {
-		if (ntlm_auth) {		
+		if (ntlm_auth == NTLM_AUTH_ON
+		    || (ntlm_auth == NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY && (logon_parameters & MSV1_0_ALLOW_MSVCHAPV2))) {
 			/* We have the NT MD4 hash challenge available - see if we can
 			   use it (ie. does it exist in the smbpasswd file).
 			*/
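Review bot: the new condition line runs well past 80 columns; split it so each alternative sits on its own line, for example
`if (ntlm_auth == NTLM_AUTH_ON ||`
`    (ntlm_auth == NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY &&`
`     (logon_parameters & MSV1_0_ALLOW_MSVCHAPV2))) {`
which also makes the two ways NTLMv1 can be accepted easy to audit at a glance.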
diff --git a/libcli/auth/ntlm_check.h b/libcli/auth/ntlm_check.h
index df11f7d7a26..f1dc54a4847 100644
--- a/libcli/auth/ntlm_check.h
+++ b/libcli/auth/ntlm_check.h
@@ -18,7 +18,15 @@
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
+#ifndef __LIBCLI_AUTH_NTLM_CHECK_H__
+#define __LIBCLI_AUTH_NTLM_CHECK_H__
 
+/* mangled names options */
+enum ntlm_auth_level {NTLM_AUTH_ON,
+		      NTLM_AUTH_NTLMV2_ONLY,
+		      NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY};
+
+struct samr_Password;
 
 /**
  * Compare password hashes against those from the SAM
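Review bot: the comment `/* mangled names options */` above the new enum is a copy-paste leftover from `enum_mangled_names` in param_table.c; replace it with a comment describing the 'ntlm auth' levels (which responses each value accepts), since this header is where callers of ntlm_password_check() will look up the meaning of each enumerator.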
@@ -62,7 +70,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
 
 NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 				 bool lanman_auth,
-				 bool ntlm_auth,
+				 enum ntlm_auth_level ntlm_auth,
 			     uint32_t logon_parameters,
 			     const DATA_BLOB *challenge,
 			     const DATA_BLOB *lm_response,
@@ -74,3 +82,5 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 			     const struct samr_Password *stored_nt, 
 			     DATA_BLOB *user_sess_key, 
 			     DATA_BLOB *lm_sess_key);
+
+#endif /* __LIBCLI_AUTH_NTLM_CHECK_H__ */
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 8f0cf5e6e03..9182ae3bb77 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -693,7 +693,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 	Globals.client_lanman_auth = false;	/* Do NOT use the LanMan hash if it is available */
 	Globals.client_plaintext_auth = false;	/* Do NOT use a plaintext password even if is requested by the server */
 	Globals.lanman_auth = false;	/* Do NOT use the LanMan hash, even if it is supplied */
-	Globals.ntlm_auth = false;	/* Do NOT use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
+	Globals.ntlm_auth = NTLM_AUTH_NTLMV2_ONLY;	/* Do NOT use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
 	Globals.raw_ntlmv2_auth = false; /* Reject NTLMv2 without NTLMSSP */
 	Globals.client_ntlmv2_auth = true; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
 	/* Note, that we will also use NTLM2 session security (which is different), if it is available */
-- 
2.11.0


From 515a04f526c63add1a8ea59bd8e05f06a73b83ce Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Mon, 3 Jul 2017 14:11:47 +1200
Subject: [PATCH 4/6] param: Disable LanMan authentication unless NTLMv1 is
 also enabled

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
---
 docs-xml/smbdotconf/security/lanmanauth.xml |  1 +
 docs-xml/smbdotconf/security/ntlmauth.xml   |  3 +--
 lib/param/loadparm.c                        | 18 ++++++++++++++++++
 source3/include/proto.h                     |  1 +
 source3/param/loadparm.c                    | 19 ++++++++++++++++++-
 5 files changed, 39 insertions(+), 3 deletions(-)

diff --git a/docs-xml/smbdotconf/security/lanmanauth.xml b/docs-xml/smbdotconf/security/lanmanauth.xml
index 138a24f9f28..a9e4f88b89f 100644
--- a/docs-xml/smbdotconf/security/lanmanauth.xml
+++ b/docs-xml/smbdotconf/security/lanmanauth.xml
@@ -1,6 +1,7 @@
 <samba:parameter name="lanman auth"
                  context="G"
                  type="boolean"
+		 function="_lanman_auth"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml
index b935bb0a37e..ef809c22e9e 100644
--- a/docs-xml/smbdotconf/security/ntlmauth.xml
+++ b/docs-xml/smbdotconf/security/ntlmauth.xml
@@ -7,8 +7,7 @@
     <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
     <manvolnum>8</manvolnum></citerefentry> will attempt to
     authenticate users using the NTLM encrypted password response.
-    If disabled, either the lanman password hash or an NTLMv2 response
-    will need to be sent by the client.</para>
+    If disabled, NTLM and LanMan authencication is disabled server-wide.</para>
 
     <para>By default with <command moreinfo="none">lanman 
     auth</command> set to <constant>no</constant> and
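Review bot: "authencication" should be "authentication". Also, "If disabled" now refers to a value that does not exist at this point in the series; the "disabled" enumerator is only introduced in patch 5/6, so after this patch alone the manpage describes a setting the parser rejects. Either move this wording to patch 5 or reorder the two patches.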
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 544e57b98df..7864856315e 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -70,6 +70,7 @@
 #include "librpc/gen_ndr/nbt.h"
 #include "libds/common/roles.h"
 #include "lib/util/samba_util.h"
+#include "libcli/auth/ntlm_check.h"
 
 #ifdef HAVE_HTTPCONNECTENCRYPT
 #include <cups/http.h>
@@ -3510,3 +3511,20 @@ int lpcfg_tdb_flags(struct loadparm_context *lp_ctx, int tdb_flags)
 	}
 	return tdb_flags;
 }
+
+/*
+ * Do not allow LanMan auth if unless NTLMv1 is also allowed
+ *
+ * This also ensures it is disabled if NTLM is totally disabled
+ */
+bool lpcfg_lanman_auth(struct loadparm_context *lp_ctx)
+{
+	enum ntlm_auth_level ntlm_auth_level = lpcfg_ntlm_auth(lp_ctx);
+
+	if (ntlm_auth_level == NTLM_AUTH_ON) {
+		return lpcfg__lanman_auth(lp_ctx);
+	} else {
+		return false;
+	}
+}
+
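Review bot: "if unless" in the added comment should be just "unless". The final added `+` line is an empty line at end of file, which git reports as a whitespace error; drop it. Since the docs now declare `function="_lanman_auth"`, the generated accessor is `lpcfg__lanman_auth()` and the wrapper `lpcfg_lanman_auth()` added here is hand-written; the diffstat only touches source3/include/proto.h, so please confirm source4 callers get a prototype for the wrapper, otherwise they will compile against an implicit declaration.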
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 45841dca8ad..c8f6c282b68 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -879,6 +879,7 @@ int lp_cups_encrypt(void);
 bool lp_widelinks(int );
 int lp_rpc_low_port(void);
 int lp_rpc_high_port(void);
+bool lp_lanman_auth(void);
 
 int lp_wi_scan_global_parametrics(
 	const char *regex, size_t max_matches,
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 9182ae3bb77..d5b1c56e21e 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -71,6 +71,7 @@
 #include "../lib/util/bitmap.h"
 #include "librpc/gen_ndr/nbt.h"
 #include "source4/lib/tls/tls.h"
+#include "libcli/auth/ntlm_check.h"
 
 #ifdef HAVE_SYS_SYSCTL_H
 #include <sys/sysctl.h>
@@ -692,7 +693,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 	Globals.restrict_anonymous = 0;
 	Globals.client_lanman_auth = false;	/* Do NOT use the LanMan hash if it is available */
 	Globals.client_plaintext_auth = false;	/* Do NOT use a plaintext password even if is requested by the server */
-	Globals.lanman_auth = false;	/* Do NOT use the LanMan hash, even if it is supplied */
+	Globals._lanman_auth = false;	/* Do NOT use the LanMan hash, even if it is supplied */
 	Globals.ntlm_auth = NTLM_AUTH_NTLMV2_ONLY;	/* Do NOT use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
 	Globals.raw_ntlmv2_auth = false; /* Reject NTLMv2 without NTLMSSP */
 	Globals.client_ntlmv2_auth = true; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
@@ -4591,6 +4592,22 @@ int lp_rpc_high_port(void)
 	return Globals.rpc_high_port;
 }
 
+/*
+ * Do not allow LanMan auth if unless NTLMv1 is also allowed
+ *
+ * This also ensures it is disabled if NTLM is totally disabled
+ */
+bool lp_lanman_auth(void)
+{
+	enum ntlm_auth_level ntlm_auth_level = lp_ntlm_auth();
+
+	if (ntlm_auth_level == NTLM_AUTH_ON) {
+		return lp__lanman_auth();
+	} else {
+		return false;
+	}
+}
+
 struct loadparm_global * get_globals(void)
 {
 	return &Globals;
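Review bot: the same "if unless" typo appears in this copy of the comment. This function duplicates `lpcfg_lanman_auth()` from lib/param/loadparm.c with only the accessor names changed; a comment pointing at the other copy would help keep the two in sync if the policy (LanMan only when NTLMv1 is permitted) is ever adjusted.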
-- 
2.11.0


From 4f86199d85c01675ac4c9b40a0662ee975ce3c8a Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Mon, 3 Jul 2017 14:16:50 +1200
Subject: [PATCH 5/6] param: Add new "disabled" value to "ntlm auth" to disable
 NTLM totally

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
---
 docs-xml/smbdotconf/security/ntlmauth.xml | 5 +++++
 lib/param/param_table.c                   | 1 +
 libcli/auth/ntlm_check.c                  | 6 ++++++
 libcli/auth/ntlm_check.h                  | 2 +-
 4 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml
index ef809c22e9e..631c675250f 100644
--- a/docs-xml/smbdotconf/security/ntlmauth.xml
+++ b/docs-xml/smbdotconf/security/ntlmauth.xml
@@ -40,6 +40,11 @@
             moreinfo="none">ntlm_auth</command> tool).</para>
         </listitem>
 	
+        <listitem>
+          <para><constant>disabled</constant> - Do not allow NTLM (or
+          LanMan) authentication of any level as a server.</para>
+        </listitem>
+
     </itemizedlist>
 
     <para>The default changed from <constant>yes</constant> to
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 4e9910dd083..f9052304bda 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -332,6 +332,7 @@ static const struct enum_list enum_mangled_names[] = {
 };
 
 static const struct enum_list enum_ntlm_auth[] = {
+	{NTLM_AUTH_DISABLED, "disabled"},
 	{NTLM_AUTH_NTLMV2_ONLY, "ntlmv2-only"},
 	{NTLM_AUTH_NTLMV2_ONLY, "no"},
 	{NTLM_AUTH_NTLMV2_ONLY, "false"},
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index 8e8d100075a..e6ff49b8bf5 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -296,6 +296,12 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 	DATA_BLOB tmp_sess_key;
 	const char *upper_client_domain = NULL;
 
+	if (ntlm_auth == NTLM_AUTH_DISABLED) {
+		DBG_WARNING("ntlm_password_check: NTLM authentication not "
+			    "permitted by configuration.\n");
+		return NT_STATUS_NTLM_BLOCKED;
+	}
+	
 	if (client_domain != NULL) {
 		upper_client_domain = talloc_strdup_upper(mem_ctx, client_domain);
 		if (upper_client_domain == NULL) {
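Review bot: the line after the new `if` block contains only a tab; make it empty. The early return before any hash comparison is the right place for the check. Including `client_domain` (already in scope, it is used just below) in the DBG_WARNING would let operators identify which clients still attempt NTLM once the setting is rolled out.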
diff --git a/libcli/auth/ntlm_check.h b/libcli/auth/ntlm_check.h
index f1dc54a4847..86cab9b2d13 100644
--- a/libcli/auth/ntlm_check.h
+++ b/libcli/auth/ntlm_check.h
@@ -22,7 +22,7 @@
 #define __LIBCLI_AUTH_NTLM_CHECK_H__
 
 /* mangled names options */
-enum ntlm_auth_level {NTLM_AUTH_ON,
+enum ntlm_auth_level {NTLM_AUTH_DISABLED, NTLM_AUTH_ON,
 		      NTLM_AUTH_NTLMV2_ONLY,
 		      NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY};
 
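Review bot: placing NTLM_AUTH_DISABLED first makes it the zero value of the enum, so a zero-initialised setting fails closed; that is a sensible choice and safe here because the enum is new in this series, but worth a short comment so nobody later reorders the enumerators. The stale `/* mangled names options */` comment is in the context lines of this hunk and could be corrected here as well.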
-- 
2.11.0


From 33ccab139db9215a131a6a8b5798180d62c82eea Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Mon, 3 Jul 2017 14:39:09 +1200
Subject: [PATCH 6/6] samr: Disable NTLM-based password changes on the server
 if NTLM is disabled

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
---
 docs-xml/smbdotconf/security/ntlmauth.xml    |  5 +++--
 source3/rpc_server/samr/srv_samr_chgpasswd.c |  8 ++++++++
 source4/rpc_server/samr/samr_password.c      | 11 ++++++++++-
 3 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml
index 631c675250f..21775f81734 100644
--- a/docs-xml/smbdotconf/security/ntlmauth.xml
+++ b/docs-xml/smbdotconf/security/ntlmauth.xml
@@ -41,8 +41,9 @@
         </listitem>
 	
         <listitem>
-          <para><constant>disabled</constant> - Do not allow NTLM (or
-          LanMan) authentication of any level as a server.</para>
+          <para><constant>disabled</constant> - Do not allow NTLM (or 
+          LanMan) authentication of any level as a server, nor permit 
+          NTLM password changes.</para>
         </listitem>
 
     </itemizedlist>
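Review bot: the two rewritten `<para>` lines ("Do not allow NTLM (or " and "LanMan) authentication of any level as a server, nor permit ") carry trailing whitespace; trim it.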
diff --git a/source3/rpc_server/samr/srv_samr_chgpasswd.c b/source3/rpc_server/samr/srv_samr_chgpasswd.c
index ab9e92ace78..9d1deba764e 100644
--- a/source3/rpc_server/samr/srv_samr_chgpasswd.c
+++ b/source3/rpc_server/samr/srv_samr_chgpasswd.c
@@ -683,6 +683,14 @@ static NTSTATUS check_oem_password(const char *user,
 
 	bool nt_pass_set = (password_encrypted_with_nt_hash && old_nt_hash_encrypted);
 	bool lm_pass_set = (password_encrypted_with_lm_hash && old_lm_hash_encrypted);
+	enum ntlm_auth_level ntlm_auth_level = lp_ntlm_auth();
+	
+	/* this call should be disabled without NTLM auth */
+	if (ntlm_auth_level == NTLM_AUTH_DISABLED) {
+		DBG_WARNING("NTLM password changes not"
+			    "permitted by configuration.\n");
+		return NT_STATUS_NTLM_BLOCKED;
+	}
 
 	acct_ctrl = pdb_get_acct_ctrl(sampass);
 #if 0
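Review bot: the two adjacent string literals `"NTLM password changes not"` and `"permitted by configuration.\n"` concatenate to "notpermitted"; add a trailing space to the first literal. The line after the `lp_ntlm_auth()` declaration contains only a tab and should be empty.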
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index 785633ddc25..446613cbef4 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -307,10 +307,19 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
 	struct samr_Password nt_verifier, lm_verifier;
 	const char *user_samAccountName = NULL;
 	struct dom_sid *user_objectSid = NULL;
-
+	enum ntlm_auth_level ntlm_auth_level
+		= lpcfg_ntlm_auth(dce_call->conn->dce_ctx->lp_ctx);
+	
 	*r->out.dominfo = NULL;
 	*r->out.reject = NULL;
 
+	/* this call should be disabled without NTLM auth */
+	if (ntlm_auth_level == NTLM_AUTH_DISABLED) {
+		DBG_WARNING("NTLM password changes not"
+			    "permitted by configuration.\n");
+		return NT_STATUS_NTLM_BLOCKED;
+	}
+
 	if (r->in.nt_password == NULL ||
 	    r->in.nt_verifier == NULL) {
 		return NT_STATUS_INVALID_PARAMETER;
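Review bot: same missing space between `"NTLM password changes not"` and `"permitted by configuration.\n"` as in the source3 copy, and the line after the `ntlm_auth_level` declaration is a lone tab. Only dcesrv_samr_ChangePasswordUser3() is guarded in this file; please confirm the other SAMR password-change entry points in the same file reach this check (or receive their own), otherwise "disabled" will not block NTLM password changes as the updated manpage promises.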
-- 
2.11.0


