From: Stefan Metzmacher
Date: Tue, 15 Mar 2016 20:59:42 +0000 (+0100)
Subject: CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"
X-Git-Tag: samba-4.2.10~166
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=531c5aac2e55b3e765bb9b691b4c0c702eae274f;p=thirdparty%2Fsamba.git
CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Signed-off-by: Stefan Metzmacher
Reviewed-by: Alexander Bokovoy
---
diff --git a/docs-xml/smbdotconf/security/rawntlmv2auth.xml b/docs-xml/smbdotconf/security/rawntlmv2auth.xml
index ef262977a0c..30e7280bc5d 100644
--- a/docs-xml/smbdotconf/security/rawntlmv2auth.xml
+++ b/docs-xml/smbdotconf/security/rawntlmv2auth.xml
@@ -11,10 +11,9 @@ and ntlm auth are all disabled, then only clients with SPNEGO support will be permitted. That means NTLMv2 is only supported within NTLMSSP. - - Note that the default will change to "no" with Samba 4.5. -yes -no +lanman auth +ntlm auth +no
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 21410ac9e1c..ce745c49fbb 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2509,7 +2509,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 lpcfg_do_global_parameter(lp_ctx, "ClientNTLMv2Auth", "True");
 lpcfg_do_global_parameter(lp_ctx, "LanmanAuth", "False");
 lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "True");
- lpcfg_do_global_parameter(lp_ctx, "RawNTLMv2Auth", "True");
+ lpcfg_do_global_parameter(lp_ctx, "RawNTLMv2Auth", "False");
 lpcfg_do_global_parameter(lp_ctx, "client use spnego principal", "False");
 lpcfg_do_global_parameter(lp_ctx, "UnixExtensions", "True");
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 5819a0efa23..32adb43c3ef 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
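Review bot: In the lib/param/loadparm.c hunk, `RawNTLMv2Auth` is now "False" while `NTLMAuth` directly above it stays "True", and the parameter documentation touched by this same patch says non-SPNEGO clients are refused only when raw NTLMv2, lanman and ntlm auth are all disabled. That suggests a client outside NTLMSSP may still be accepted with the weaker NTLMv1 response under the new defaults; whether that is intended for this release is not visible here. I would record it at the setting, e.g. `/* CVE-2016-2111: raw NTLMv2 is off by default; review NTLMAuth, which still permits NTLMv1 */`. The same pairing (`Globals.ntlm_auth = true` above `Globals.raw_ntlmv2_auth = false`) appears in the source3/param/loadparm.c hunk, and loadparm_init() starts and ends outside the hunk.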
@@ -660,7 +660,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 Globals.client_plaintext_auth = false; /* Do NOT use a plaintext password even if is requested by the server */
 Globals.lanman_auth = false; /* Do NOT use the LanMan hash, even if it is supplied */
 Globals.ntlm_auth = true; /* Do use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
- Globals.raw_ntlmv2_auth = true; /* Allow NTLMv2 without NTLMSSP */
+ Globals.raw_ntlmv2_auth = false; /* Reject NTLMv2 without NTLMSSP */
 Globals.client_ntlmv2_auth = true; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
 /* Note, that we will also use NTLM2 session security (which is different), if it is available */
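Review bot: The replacement comment `/* Reject NTLMv2 without NTLMSSP */` records what the default does but not why, and the same default is set a second time in loadparm_init() in lib/param/loadparm.c with nothing linking the two. I would write `/* Reject NTLMv2 without NTLMSSP (CVE-2016-2111); keep in sync with loadparm_init() in lib/param/loadparm.c */` so a later edit does not re-enable it in one place only. Sites with clients that cannot do NTLMSSP will presumably see logons fail after upgrading, so the release notes should name `raw NTLMv2 auth = yes` as the explicit opt-in. init_globals() continues outside the hunk.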