From 7961cd05b93870ce937ecd6ed612c17be73e3daf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mantas=20Mikul=C4=97nas?=
Date: Tue, 3 Jan 2017 09:15:25 +0200
Subject: [PATCH] ntlm_check: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth") added the --allow-mschapv2 option, but didn't implement checking for it server-side. This implements such checking.

Additionally, Samba now disables NTLMv1 authentication by default for security reasons. To avoid having to re-enable it globally, 'ntlm auth' becomes an enum and a new setting is added to allow only MSCHAPv2.

Signed-off-by: Mantas Mikulėnas
---
 docs-xml/smbdotconf/security/ntlmauth.xml | 21 ++++++++++++++++++++-
 lib/param/param_table.c | 10 ++++++++++
 libcli/auth/ntlm_check.c | 5 +++--
 libcli/auth/ntlm_check.h | 11 ++++++++++-
 4 files changed, 43 insertions(+), 4 deletions(-)

diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml
index 884ee9dbf1a0..026236c17989 100644
--- a/docs-xml/smbdotconf/security/ntlmauth.xml
+++ b/docs-xml/smbdotconf/security/ntlmauth.xml
@@ -1,6 +1,7 @@ This parameter determines whether or not smbd
@@ -16,6 +17,24 @@ The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x. + The available settings are: + + + + yes - Allow NTLMv1 for all clients. + + + + no - Do not allow NTLMv1 to be used. + + + + mschapv2 only - Only allow NTLMv1 when the + client promises that it is providing MSCHAPv2 authentication (such as + the ntlm_auth tool). + + + The default changed from "yes" to "no" with Samba 4.5.
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 4b5234a7c9e4..205a8e1886b2 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -31,6 +31,7 @@
 #include "lib/param/param.h"
 #include "lib/param/loadparm.h"
 #include "lib/param/param_global.h"
+#include "libcli/auth/ntlm_check.h"
 #include "libcli/smb/smb_constants.h"
 #include "libds/common/roles.h"
 #include "source4/lib/tls/tls.h"
@@ -315,6 +316,15 @@ static const struct enum_list enum_inherit_owner_vals[] = {
 {INHERIT_OWNER_UNIX_ONLY, "unix only"},
 {-1, NULL}};
 
+static const struct enum_list enum_ntlm_auth[] = {
+ {NTLM_AUTH_ALLOW_NEVER, "no"},
+ {NTLM_AUTH_ALLOW_NEVER, "false"},
+ {NTLM_AUTH_ALLOW_ALWAYS, "yes"},
+ {NTLM_AUTH_ALLOW_ALWAYS, "true"},
+ {NTLM_AUTH_ALLOW_MSCHAPV2, "mschapv2 only"},
+ {-1, NULL}
+};
+
 /* Note: We do not initialise the defaults union - it is not allowed in ANSI C
 *
 * NOTE: Handling of duplicated (synonym) parameters:
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index 7f91b52a5fd7..d83d0c0940cd 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -280,7 +280,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
 
 NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 bool lanman_auth,
- bool ntlm_auth,
+ enum ntlm_auth_level ntlm_auth,
 uint32_t logon_parameters,
 const DATA_BLOB *challenge,
 const DATA_BLOB *lm_response,
@@ -398,7 +398,8 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 DEBUG(3,("ntlm_password_check: NTLMv2 password check failed\n"));
 }
 } else if (nt_response->length == 24 && stored_nt) {
- if (ntlm_auth) {
+ if (ntlm_auth == NTLM_AUTH_ALLOW_ALWAYS
+ || (ntlm_auth == NTLM_AUTH_ALLOW_MSCHAPV2 && (logon_parameters & MSV1_0_ALLOW_MSVCHAPV2))) {
 /* We have the NT MD4 hash challenge available - see if we can
 use it (ie. does it exist in the smbpasswd file).
 */
diff --git a/libcli/auth/ntlm_check.h b/libcli/auth/ntlm_check.h
index df11f7d7a265..c98077a8f49e 100644
--- a/libcli/auth/ntlm_check.h
+++ b/libcli/auth/ntlm_check.h
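Review bot: `enum_ntlm_auth` is defined here but no line in this hunk attaches it to the `ntlm auth` parameter, and the diffstat's 10 insertions for param_table.c are fully accounted for by the include and these nine lines, so the wiring must come from the XML hunk (whose markup did not survive extraction) or it is missing; if it is missing, `"mschapv2 only"` is rejected as a non-boolean value and this `static const` table draws an unused-variable warning. Please confirm the parameter's type and enum-list attribute are switched in the same series. The `"no"`/`"false"` and `"yes"`/`"true"` duplicates are deliberate compatibility aliases for the old boolean syntax, and that is worth recording above the table: `/* "yes"/"no" (and "true"/"false") keep existing boolean smb.conf values valid */`.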
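Review bot: The new `NTLM_AUTH_ALLOW_MSCHAPV2` arm of the condition grants NTLMv1 on a bit the caller places in `logon_parameters`; nothing in this hunk verifies that MSCHAPv2 is actually in use, so the setting limits exposure for well-behaved callers but cannot stop a caller that simply sets `MSV1_0_ALLOW_MSVCHAPV2`, and the code should say so where the decision is made. When the condition fails, the refusal path lies outside this hunk, so an operator who set `mschapv2 only` cannot tell from the logs whether NTLMv1 was refused by policy or because the flag was absent. Splitting the decision into a named local lets the MSCHAPv2 case carry its own comment and log line, as sketched below; `ntlm_password_check` begins and ends outside this hunk.
```c
	} else if (nt_response->length == 24 && stored_nt) {
		bool allow_ntlmv1 = (ntlm_auth == NTLM_AUTH_ALLOW_ALWAYS);

		if (ntlm_auth == NTLM_AUTH_ALLOW_MSCHAPV2) {
			/* Caller-asserted (e.g. ntlm_auth --allow-mschapv2); not verified here. */
			allow_ntlmv1 = (logon_parameters & MSV1_0_ALLOW_MSVCHAPV2) != 0;
			if (!allow_ntlmv1) {
				DEBUG(3, ("ntlm_password_check: NTLMv1 refused: "
					  "MSV1_0_ALLOW_MSVCHAPV2 not set by caller\n"));
			}
		}
		if (allow_ntlmv1) {
			/* … unchanged: NTLMv1 hash comparison … */
```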
@@ -18,7 +18,14 @@ You should have received a copy of the GNU General Public License along with this program. If not, see . */
+#ifndef __LIBCLI_AUTH_NTLM_CHECK_H__
+#define __LIBCLI_AUTH_NTLM_CHECK_H__
+enum ntlm_auth_level {
+ NTLM_AUTH_ALLOW_NEVER,
+ NTLM_AUTH_ALLOW_ALWAYS,
+ NTLM_AUTH_ALLOW_MSCHAPV2
+};
 /**
 * Compare password hashes against those from the SAM
@@ -62,7 +69,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
 
 NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 bool lanman_auth,
- bool ntlm_auth,
+ enum ntlm_auth_level ntlm_auth,
 uint32_t logon_parameters,
 const DATA_BLOB *challenge,
 const DATA_BLOB *lm_response,
@@ -74,3 +81,5 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 const struct samr_Password *stored_nt,
 DATA_BLOB *user_sess_key,
 DATA_BLOB *lm_sess_key);
+
+#endif /* __LIBCLI_AUTH_NTLM_CHECK_H__ */
-- 
2.11.0
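Review bot: `enum ntlm_auth_level` leaves its values implicit while the prototype change below switches `ntlm_password_check`'s `ntlm_auth` from `bool` to the enum, and the diffstat lists no caller; any call site still passing a `bool` (or a boolean config accessor) compiles only because C converts the int silently and `NTLM_AUTH_ALLOW_NEVER`/`NTLM_AUTH_ALLOW_ALWAYS` happen to land on 0 and 1. Pin the ordering so a future reorder cannot turn `true` into "never": `NTLM_AUTH_ALLOW_NEVER = 0,` and `NTLM_AUTH_ALLOW_ALWAYS = 1,` with `/* 0/1 must stay compatible with callers that still pass the old bool */`. A doc comment on the enum should also state the contract this header is the only home for: `NTLM_AUTH_ALLOW_MSCHAPV2` permits NTLMv1 solely when the caller sets `MSV1_0_ALLOW_MSVCHAPV2` in `logon_parameters`, a flag that is asserted by the caller rather than verified.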