From: Andrew Bartlett Date: Thu, 24 Mar 2022 23:18:01 +0000 (+1300) Subject: s4-auth: Remove last traces of LanMan authentication support in the AD DC. X-Git-Tag: tevent-0.12.0~222 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d7a91a855c7edfb0e09c93cbe4c56df0437fa467;p=thirdparty%2Fsamba.git s4-auth: Remove last traces of LanMan authentication support in the AD DC. Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Mar 29 03:32:57 UTC 2022 on sn-devel-184 --- diff --git a/WHATSNEW.txt b/WHATSNEW.txt index d23bede2da2..1bdf3a01cfb 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -66,6 +66,11 @@ server used as a front. REMOVED FEATURES ================ +LanMan Authentication and password storage removed from the AD DC +----------------------------------------------------------------- + +The storage and authentication with LanMan passwords has been entirely +removed from the Samba AD DC, even when "lanman auth = yes" is set. smb.conf changes ================ diff --git a/docs-xml/smbdotconf/security/lanmanauth.xml b/docs-xml/smbdotconf/security/lanmanauth.xml index 842c12d9b64..045e89d94d6 100644 --- a/docs-xml/smbdotconf/security/lanmanauth.xml +++ b/docs-xml/smbdotconf/security/lanmanauth.xml @@ -45,6 +45,10 @@ then only NTLMv2 logins will be permitted and no LM hash will be stored. All modern clients support NTLMv2, and but some older clients require special configuration to use it. + + This parameter has no impact on the Samba AD DC, + LM authentication is always disabled and no LM password is ever + stored. no diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index 5a56076ac5b..14b6c707aa5 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c 
@@ -78,8 +78,8 @@ static NTSTATUS authsam_password_ok(struct auth4_context *auth_context, *lm_sess_key = data_blob(NULL, 0); *user_sess_key = data_blob(NULL, 0); status = hash_password_check(mem_ctx, - lpcfg_lanman_auth(auth_context->lp_ctx), - user_info->password.hash.lanman, + false, + NULL, user_info->password.hash.nt, user_info->mapped.account_name, NULL, nt_pwd);
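Review bot: the new release note in the WHATSNEW.txt hunk has a subject/verb mismatch ("The storage and authentication with LanMan passwords has been"); suggest "Storage of, and authentication with, LanMan passwords have been entirely removed from the Samba AD DC, even when "lanman auth = yes" is set." It would also help administrators if the note said what happens to LM hashes already held for existing accounts (ignored from now on, or cleared on the next password change), since "storage removed" on its own leaves that open.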
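Review bot: the sentence added in the lanmanauth.xml hunk is a comma splice; suggest "This parameter has no impact on the Samba AD DC: LM authentication is always disabled and no LM password is ever stored." As the surrounding paragraph is being edited anyway, the pre-existing "and but some older clients" in the context line just above could be corrected to "but some older clients" in the same change.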
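Review bot: in the auth_sam.c hunk the bare literals `false` and `NULL` that replace `lpcfg_lanman_auth(auth_context->lp_ctx)` and `user_info->password.hash.lanman` deserve a short comment (for example `false, /* lanman_auth: never on the AD DC */`) so the next reader does not mistake them for an oversight. Two things worth confirming in the same pass: that hash_password_check() tolerates a NULL LanMan hash in the case where the NT hash is also absent, and that every caller of authsam_password_ok() is happy with `*lm_sess_key` staying the empty blob set at the top of the visible context now that no LM hash is ever supplied to it.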