From b0c0ffeed40f9e20d3a2ef197854d6ea11cdabb1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 15 Mar 2016 21:02:34 +0100
Subject: [PATCH] CVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to
 "yes"
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: GÃ¼nther Deschner <gd@samba.org>
---
 .../smbdotconf/security/rawntlmv2auth.xml     | 20 +++++++++++++++++++
 lib/param/loadparm.c                          |  1 +
 source3/param/loadparm.c                      |  1 +
 3 files changed, 22 insertions(+)
 create mode 100644 docs-xml/smbdotconf/security/rawntlmv2auth.xml
diff --git a/docs-xml/smbdotconf/security/rawntlmv2auth.xml b/docs-xml/smbdotconf/security/rawntlmv2auth.xml
new file mode 100644
index 00000000000..ef262977a0c
--- /dev/null
+++ b/docs-xml/smbdotconf/security/rawntlmv2auth.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="raw NTLMv2 auth"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> will allow SMB1 clients without
+    extended security (without SPNEGO) to use NTLMv2 authentication.</para>
+
+    <para>If this option, <command moreinfo="none">lanman auth</command>
+    and <command moreinfo="none">ntlm auth</command> are all disabled,
+    then only clients with SPNEGO support will be permitted.
+    That means NTLMv2 is only supported within NTLMSSP.</para>
+
+    <para>Note that the default will change to "no" with Samba 4.5.</para>
+</description>
+
+<value type="default">yes</value>
+<value type="example">no</value>
+</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 0de9793b6ab..21410ac9e1c 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2509,6 +2509,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter(lp_ctx, "ClientNTLMv2Auth", "True");
 	lpcfg_do_global_parameter(lp_ctx, "LanmanAuth", "False");
 	lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "True");
+	lpcfg_do_global_parameter(lp_ctx, "RawNTLMv2Auth", "True");
 	lpcfg_do_global_parameter(lp_ctx, "client use spnego principal", "False");
 
 	lpcfg_do_global_parameter(lp_ctx, "UnixExtensions", "True");
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 360d997bb90..5819a0efa23 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -660,6 +660,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 	Globals.client_plaintext_auth = false;	/* Do NOT use a plaintext password even if is requested by the server */
 	Globals.lanman_auth = false;	/* Do NOT use the LanMan hash, even if it is supplied */
 	Globals.ntlm_auth = true;	/* Do use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
+	Globals.raw_ntlmv2_auth = true;	/* Allow NTLMv2 without NTLMSSP */
 	Globals.client_ntlmv2_auth = true; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
 	/* Note, that we will also use NTLM2 session security (which is different), if it is available */
 
-- 
2.47.2

