The Samba-Bugzilla: Attachment 12789 details for Bug 12252, [PATCH] "ntlm_auth --allow-mschapv2" is broken
[patch] patch halfway-to-v2
0001-ntlm_check-Allow-NTLMv1-if-MSV1_0_ALLOW_MSVCHAPV2-is.patch (text/plain), 5.50 KB, created by Mantas Mikulėnas (grawity) on 2017-01-03 08:40:39 UTC

Description: patch halfway-to-v2
Filename: 0001-ntlm_check-Allow-NTLMv1-if-MSV1_0_ALLOW_MSVCHAPV2-is.patch
MIME Type: text/plain
Creator: Mantas Mikulėnas (grawity)
Created: 2017-01-03 08:40:39 UTC
Size: 5.50 KB
patch, obsolete
>From 7961cd05b93870ce937ecd6ed612c17be73e3daf Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Mantas=20Mikul=C4=97nas?= <mantas@utenos-kolegija.lt> >Date: Tue, 3 Jan 2017 09:15:25 +0200 >Subject: [PATCH] ntlm_check: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth") >added the --allow-mschapv2 option, but didn't implement checking for it >server-side. This implements such checking. > >Additionally, Samba now disables NTLMv1 authentication by default for >security reasons. To avoid having to re-enable it globally, 'ntlm auth' >becomes an enum and a new setting is added to allow only MSCHAPv2. > >Signed-off-by: Mantas MikulÄnas <mantas@utenos-kolegija.lt> >--- > docs-xml/smbdotconf/security/ntlmauth.xml | 21 ++++++++++++++++++++- > lib/param/param_table.c | 10 ++++++++++ > libcli/auth/ntlm_check.c | 5 +++-- > libcli/auth/ntlm_check.h | 11 ++++++++++- > 4 files changed, 43 insertions(+), 4 deletions(-) > >diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml >index 884ee9dbf1a0..026236c17989 100644 >--- a/docs-xml/smbdotconf/security/ntlmauth.xml >+++ b/docs-xml/smbdotconf/security/ntlmauth.xml >@@ -1,6 +1,7 @@ > <samba:parameter name="ntlm auth" > context="G" >- type="boolean" >+ type="enum" >+ enumlist="enum_ntlm_auth" > xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> > <description> > <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle> 
>@@ -16,6 +17,24 @@ > > <para>The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.</para> > >+ <para>The available settings are:</para> >+ >+ <itemizedlist> >+ <listitem> >+ <para><constant>yes</constant> - Allow NTLMv1 for all clients.</para> >+ </listitem> >+ >+ <listitem> >+ <para><constant>no</constant> - Do not allow NTLMv1 to be used.</para> >+ </listitem> >+ >+ <listitem> >+ <para><constant>mschapv2 only</constant> - Only allow NTLMv1 when the >+ client promises that it is providing MSCHAPv2 authentication (such as >+ the <command moreinfo="none">ntlm_auth</command> tool).</para> >+ </listitem> >+ </itemizedlist> >+ > <para>The default changed from "yes" to "no" with Samba 4.5.</para> > </description> > >diff --git a/lib/param/param_table.c b/lib/param/param_table.c >index 4b5234a7c9e4..205a8e1886b2 100644 >--- a/lib/param/param_table.c >+++ b/lib/param/param_table.c >@@ -31,6 +31,7 @@ > #include "lib/param/param.h" > #include "lib/param/loadparm.h" > #include "lib/param/param_global.h" >+#include "libcli/auth/ntlm_check.h" > #include "libcli/smb/smb_constants.h" > #include "libds/common/roles.h" > #include "source4/lib/tls/tls.h" >@@ -315,6 +316,15 @@ static const struct enum_list enum_inherit_owner_vals[] = { > {INHERIT_OWNER_UNIX_ONLY, "unix only"}, > {-1, NULL}}; > >+static const struct enum_list enum_ntlm_auth[] = { >+ {NTLM_AUTH_ALLOW_NEVER, "no"}, >+ {NTLM_AUTH_ALLOW_NEVER, "false"}, >+ {NTLM_AUTH_ALLOW_ALWAYS, "yes"}, >+ {NTLM_AUTH_ALLOW_ALWAYS, "true"}, >+ {NTLM_AUTH_ALLOW_MSCHAPV2, "mschapv2 only"}, >+ {-1, NULL} >+}; >+ > /* Note: We do not initialise the defaults union - it is not allowed in ANSI C > * > * NOTE: Handling of duplicated (synonym) parameters: >diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c >index 7f91b52a5fd7..d83d0c0940cd 100644 >--- a/libcli/auth/ntlm_check.c >+++ b/libcli/auth/ntlm_check.c 
>@@ -280,7 +280,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx, > > NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, > bool lanman_auth, >- bool ntlm_auth, >+ enum ntlm_auth_level ntlm_auth, > uint32_t logon_parameters, > const DATA_BLOB *challenge, > const DATA_BLOB *lm_response, >@@ -398,7 +398,8 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, > DEBUG(3,("ntlm_password_check: NTLMv2 password check failed\n")); > } > } else if (nt_response->length == 24 && stored_nt) { >- if (ntlm_auth) { >+ if (ntlm_auth == NTLM_AUTH_ALLOW_ALWAYS >+ || (ntlm_auth == NTLM_AUTH_ALLOW_MSCHAPV2 && (logon_parameters & MSV1_0_ALLOW_MSVCHAPV2))) { > /* We have the NT MD4 hash challenge available - see if we can > use it (ie. does it exist in the smbpasswd file). > */ >diff --git a/libcli/auth/ntlm_check.h b/libcli/auth/ntlm_check.h >index df11f7d7a265..c98077a8f49e 100644 >--- a/libcli/auth/ntlm_check.h >+++ b/libcli/auth/ntlm_check.h >@@ -18,7 +18,14 @@ > You should have received a copy of the GNU General Public License > along with this program. If not, see <http://www.gnu.org/licenses/>. > */ >+#ifndef __LIBCLI_AUTH_NTLM_CHECK_H__ >+#define __LIBCLI_AUTH_NTLM_CHECK_H__ > >+enum ntlm_auth_level { >+ NTLM_AUTH_ALLOW_NEVER, >+ NTLM_AUTH_ALLOW_ALWAYS, >+ NTLM_AUTH_ALLOW_MSCHAPV2 >+}; > > /** > * Compare password hashes against those from the SAM >@@ -62,7 +69,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx, > > NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, > bool lanman_auth, >- bool ntlm_auth, >+ enum ntlm_auth_level ntlm_auth, > uint32_t logon_parameters, > const DATA_BLOB *challenge, > const DATA_BLOB *lm_response, >@@ -74,3 +81,5 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, > const struct samr_Password *stored_nt, > DATA_BLOB *user_sess_key, > DATA_BLOB *lm_sess_key); >+ >+#endif /* __LIBCLI_AUTH_NTLM_CHECK_H__ */ >-- >2.11.0 >
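Review bot: in the docs-xml/smbdotconf/security/ntlmauth.xml hunk at @@ -1,6 +1,7 @@, the unchanged description "This parameter determines whether or not ..." still reads as a yes/no switch now that the type is `enum`; reword it to say the parameter controls when NTLMv1 is accepted, so the three-valued setting introduced below it does not surprise the reader.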
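Review bot: in the ntlmauth.xml hunk at @@ -16,6 +17,24 @@, the `mschapv2 only` entry says the client "promises" it is providing MSCHAPv2; state plainly that this promise is an unverified flag supplied by the caller (the `--allow-mschapv2` option of ntlm_auth is the only setter the commit message names) and that the server has no way to check it, so administrators do not read "only" as a cryptographic restriction on who can still use NTLMv1. Naming the logon flag (MSV1_0_ALLOW_MSVCHAPV2) in the text would also help anyone auditing other code paths that can set it.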
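Review bot: in the libcli/auth/ntlm_check.c hunk at @@ -280,7 +280,7 @@, changing `ntlm_auth` from `bool` to `enum ntlm_auth_level` alters the signature of ntlm_password_check, yet the diffstat lists only four files and none of the hunks touches a call site, so callers still pass the old boolean. That compiles only because NTLM_AUTH_ALLOW_NEVER and NTLM_AUTH_ALLOW_ALWAYS happen to be 0 and 1; until the call sites hand over the value parsed from the new enum, NTLM_AUTH_ALLOW_MSCHAPV2 can never reach the check and the new setting is a no-op. Either update the callers in this patch or say in the commit message that a follow-up does (the attachment description "halfway-to-v2" suggests the latter).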
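Review bot: in the libcli/auth/ntlm_check.c hunk at @@ -398,7 +398,8 @@, the new condition `if (ntlm_auth == NTLM_AUTH_ALLOW_ALWAYS || (ntlm_auth == NTLM_AUTH_ALLOW_MSCHAPV2 && (logon_parameters & MSV1_0_ALLOW_MSVCHAPV2))) {` runs well past the 80-column limit in README.Coding; break it across lines or hoist the policy into a small static helper such as `ntlmv1_allowed(ntlm_auth, logon_parameters)` so the decision is readable and unit-testable on its own. A one-line comment at that point explaining that MSV1_0_ALLOW_MSVCHAPV2 is asserted by the caller rather than derived from the response would also save the next reader from assuming the branch verifies anything about the client.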
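Review bot: in the libcli/auth/ntlm_check.h hunk at @@ -18,7 +18,14 @@, the new `enum ntlm_auth_level` needs a comment that NTLM_AUTH_ALLOW_NEVER and NTLM_AUTH_ALLOW_ALWAYS must remain 0 and 1, since this patch leaves callers passing a bool and only that ordering keeps their behaviour unchanged; reordering the enum later would silently flip the policy. Separately, the guard name `__LIBCLI_AUTH_NTLM_CHECK_H__` begins with a double underscore, which C reserves for the implementation; a name without the leading underscores avoids the clash.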