Attachment 12789 Details for Bug 12252 – patch halfway-to-v2

[patch] patch halfway-to-v2

0001-ntlm_check-Allow-NTLMv1-if-MSV1_0_ALLOW_MSVCHAPV2-is.patch (text/plain), 5.50 KB, created by Mantas Mikulėnas (grawity) on 2017-01-03 08:40:39 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Mantas Mikulėnas (grawity)

Created: 2017-01-03 08:40:39 UTC

Size: 5.50 KB

patch

obsolete

>From 7961cd05b93870ce937ecd6ed612c17be73e3daf Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?Mantas=20Mikul=C4=97nas?= <mantas@utenos-kolegija.lt>
>Date: Tue, 3 Jan 2017 09:15:25 +0200
>Subject: [PATCH] ntlm_check: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given
>MIME-Version: 1.0
>Content-Type: text/plain; charset=UTF-8
>Content-Transfer-Encoding: 8bit
>
>Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth")
>added the --allow-mschapv2 option, but didn't implement checking for it
>server-side. This implements such checking.
>
>Additionally, Samba now disables NTLMv1 authentication by default for
>security reasons. To avoid having to re-enable it globally, 'ntlm auth'
>becomes an enum and a new setting is added to allow only MSCHAPv2.
>
>Signed-off-by: Mantas MikulÄnas <mantas@utenos-kolegija.lt>
>---
> docs-xml/smbdotconf/security/ntlmauth.xml | 21 ++++++++++++++++++++-
> lib/param/param_table.c                   | 10 ++++++++++
> libcli/auth/ntlm_check.c                  |  5 +++--
> libcli/auth/ntlm_check.h                  | 11 ++++++++++-
> 4 files changed, 43 insertions(+), 4 deletions(-)
>
>diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml
>index 884ee9dbf1a0..026236c17989 100644
>--- a/docs-xml/smbdotconf/security/ntlmauth.xml
>+++ b/docs-xml/smbdotconf/security/ntlmauth.xml
>@@ -1,6 +1,7 @@
> <samba:parameter name="ntlm auth"
>                  context="G"
>-                 type="boolean"
>+                 type="enum"
>+                 enumlist="enum_ntlm_auth"
>                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> <description>
>     <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
>@@ -16,6 +17,24 @@
> 
>     <para>The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.</para>
> 
>+    <para>The available settings are:</para>
>+
>+    <itemizedlist>
>+        <listitem>
>+            <para><constant>yes</constant> - Allow NTLMv1 for all clients.</para>
>+        </listitem>
>+
>+        <listitem>
>+            <para><constant>no</constant> - Do not allow NTLMv1 to be used.</para>
>+        </listitem>
>+
>+        <listitem>
>+            <para><constant>mschapv2 only</constant> - Only allow NTLMv1 when the
>+            client promises that it is providing MSCHAPv2 authentication (such as
>+            the <command moreinfo="none">ntlm_auth</command> tool).</para>
>+        </listitem>
>+    </itemizedlist>
>+
>     <para>The default changed from "yes" to "no" with Samba 4.5.</para>
> </description>
> 
>diff --git a/lib/param/param_table.c b/lib/param/param_table.c
>index 4b5234a7c9e4..205a8e1886b2 100644
>--- a/lib/param/param_table.c
>+++ b/lib/param/param_table.c
>@@ -31,6 +31,7 @@
> #include "lib/param/param.h"
> #include "lib/param/loadparm.h"
> #include "lib/param/param_global.h"
>+#include "libcli/auth/ntlm_check.h"
> #include "libcli/smb/smb_constants.h"
> #include "libds/common/roles.h"
> #include "source4/lib/tls/tls.h"
>@@ -315,6 +316,15 @@ static const struct enum_list enum_inherit_owner_vals[] = {
>     {INHERIT_OWNER_UNIX_ONLY, "unix only"},
>     {-1, NULL}};
> 
>+static const struct enum_list enum_ntlm_auth[] = {
>+	{NTLM_AUTH_ALLOW_NEVER, "no"},
>+	{NTLM_AUTH_ALLOW_NEVER, "false"},
>+	{NTLM_AUTH_ALLOW_ALWAYS, "yes"},
>+	{NTLM_AUTH_ALLOW_ALWAYS, "true"},
>+	{NTLM_AUTH_ALLOW_MSCHAPV2, "mschapv2 only"},
>+	{-1, NULL}
>+};
>+
> /* Note: We do not initialise the defaults union - it is not allowed in ANSI C
>  *
>  * NOTE: Handling of duplicated (synonym) parameters:
>diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
>index 7f91b52a5fd7..d83d0c0940cd 100644
>--- a/libcli/auth/ntlm_check.c
>+++ b/libcli/auth/ntlm_check.c
>@@ -280,7 +280,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
> 
> NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
> 			     bool lanman_auth,
>-			     bool ntlm_auth,
>+			     enum ntlm_auth_level ntlm_auth,
> 			     uint32_t logon_parameters,
> 			     const DATA_BLOB *challenge,
> 			     const DATA_BLOB *lm_response,
>@@ -398,7 +398,8 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
> 			DEBUG(3,("ntlm_password_check: NTLMv2 password check failed\n"));
> 		}
> 	} else if (nt_response->length == 24 && stored_nt) {
>-		if (ntlm_auth) {		
>+		if (ntlm_auth == NTLM_AUTH_ALLOW_ALWAYS
>+		    || (ntlm_auth == NTLM_AUTH_ALLOW_MSCHAPV2 && (logon_parameters & MSV1_0_ALLOW_MSVCHAPV2))) {
> 			/* We have the NT MD4 hash challenge available - see if we can
> 			   use it (ie. does it exist in the smbpasswd file).
> 			*/
>diff --git a/libcli/auth/ntlm_check.h b/libcli/auth/ntlm_check.h
>index df11f7d7a265..c98077a8f49e 100644
>--- a/libcli/auth/ntlm_check.h
>+++ b/libcli/auth/ntlm_check.h
>@@ -18,7 +18,14 @@
>    You should have received a copy of the GNU General Public License
>    along with this program.  If not, see <http://www.gnu.org/licenses/>.
> */
>+#ifndef __LIBCLI_AUTH_NTLM_CHECK_H__
>+#define __LIBCLI_AUTH_NTLM_CHECK_H__
> 
>+enum ntlm_auth_level {
>+	NTLM_AUTH_ALLOW_NEVER,
>+	NTLM_AUTH_ALLOW_ALWAYS,
>+	NTLM_AUTH_ALLOW_MSCHAPV2
>+};
> 
> /**
>  * Compare password hashes against those from the SAM
>@@ -62,7 +69,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
> 
> NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
> 				 bool lanman_auth,
>-				 bool ntlm_auth,
>+				 enum ntlm_auth_level ntlm_auth,
> 			     uint32_t logon_parameters,
> 			     const DATA_BLOB *challenge,
> 			     const DATA_BLOB *lm_response,
>@@ -74,3 +81,5 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
> 			     const struct samr_Password *stored_nt, 
> 			     DATA_BLOB *user_sess_key, 
> 			     DATA_BLOB *lm_sess_key);
>+
>+#endif /* __LIBCLI_AUTH_NTLM_CHECK_H__ */
>-- 
>2.11.0
>

Actions: View

Attachments on bug 12252: 12456 | 12789