Attachment 16604 Details for Bug 14697 – Set ADS_AUTH_ALLOW_NTLMSSP for net ads commands

Set ADS_AUTH_ALLOW_NTLMSSP for net ads commands

use_ntlmssp.txt (text/plain), 2.91 KB, created by Shilpa Krishnareddy on 2021-05-03 06:52:32 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Shilpa Krishnareddy

Created: 2021-05-03 06:52:32 UTC

Size: 2.91 KB

patch

obsolete

>diff --git a/docs-xml/smbdotconf/security/sasl_bind_allow_ntlmssp.xml b/docs-xml/smbdotconf/security/sasl_bind_allow_ntlmssp.xml
>new file mode 100644
>index 0000000000..713cf2bb87
>--- /dev/null
>+++ b/docs-xml/smbdotconf/security/sasl_bind_allow_ntlmssp.xml
>@@ -0,0 +1,11 @@
>+<samba:parameter name="sasl bind allow ntlmssp"
>+                 context="G"
>+                type="boolean"
>+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
>+<description>
>+    <para>This parameter determines whether or not sasl bind will
>+    fallback to NTLMSSP if kerberos authentication fails.</para>
>+</description>
>+
>+<value type="default">yes</value>
>+</samba:parameter>
>diff --git a/lib/param/param_table.c b/lib/param/param_table.c
>index 2da5d66da6..a8c9525b38 100644
>--- a/lib/param/param_table.c
>+++ b/lib/param/param_table.c
>@@ -4899,6 +4899,14 @@ struct parm_struct parm_table[] = {
>                .special        = NULL,
>                .enum_list      = NULL,
>        },
>+       {
>+               .label          = "sasl bind allow ntlmssp",
>+               .type           = P_BOOL,
>+               .p_class        = P_GLOBAL,
>+               .offset         = GLOBAL_VAR(sasl_bind_allow_ntlmssp),
>+               .special        = NULL,
>+               .enum_list      = NULL,
>+       },
>
>        {NULL,  P_BOOL,  P_NONE,  0,  NULL,  NULL,  0}
> };
>diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
>index 103120d8ec..1f6d52f5f0 100644
>--- a/source3/libnet/libnet_join.c
>+++ b/source3/libnet/libnet_join.c
>@@ -152,6 +152,10 @@ static ADS_STATUS libnet_connect_ads(const char *ad_domain_name,
>                my_ads->auth.password = SMB_STRDUP(password);
>        }
>
>+       if(lp_sasl_bind_allow_ntlmssp() && password) {
>+               my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
>+       }
>+
>        status = ads_connect_user_creds(my_ads);
>        if (!ADS_ERR_OK(status)) {
>                ads_destroy(&my_ads);
>diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
>index d543fc28fc..9115cdbae8 100644
>--- a/source3/param/loadparm.c
>+++ b/source3/param/loadparm.c
>@@ -1065,6 +1065,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
>        Globals.ignore_local_unix_groups = true;
>
>        Globals.enable_preferred_dc = true;
>+       Globals.sasl_bind_allow_ntlmssp = true;
>
>        /* Now put back the settings that were set with lp_set_cmdline() */
>        apply_lp_set_cmdline();
>diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
>index 23ab0f9133..e5a4b6fd6a 100644
>--- a/source3/utils/net_ads.c
>+++ b/source3/utils/net_ads.c
>@@ -297,6 +297,10 @@ retry:
>                }
>        }
>
>+       if(lp_sasl_bind_allow_ntlmssp() && (ads->auth.password != NULL)) {
>+               ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
>+       }
>+
>        status = ads_connect(ads);
>
>        if (!ADS_ERR_OK(status)) {

Actions: View

Attachments on bug 14697: 16604