auth: Return status code if configuration prohibits NTLM
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Thu, 19 May 2022 04:45:55 +0000 (16:45 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 16 May 2023 23:29:32 +0000 (23:29 +0000)
Currently, we rely on ‘stored_nt’ being NULL to give an
NT_STATUS_WRONG_PASSWORD error.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/auth/ntlm_check.c
libcli/auth/ntlm_check.h
source3/auth/check_samsec.c
source4/auth/ntlm/auth_sam.c

index cb4be7f6507c76dd7581473c56cce4085db23dd3..3927dfa78366bce7a94f772f1f2783a059fe93cc 100644 (file)
@@ -259,12 +259,19 @@ static bool smb_sess_key_ntlmv2(TALLOC_CTX *mem_ctx,
 
 NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
                             bool lanman_auth,
+                            enum ntlm_auth_level ntlm_auth,
                             const struct samr_Password *client_lanman,
                             const struct samr_Password *client_nt,
                             const char *username, 
                             const struct samr_Password *stored_lanman, 
                             const struct samr_Password *stored_nt)
 {
+       if (ntlm_auth == NTLM_AUTH_DISABLED) {
+               DBG_WARNING("hash_password_check: NTLM authentication not "
+                           "permitted by configuration.\n");
+               return NT_STATUS_NTLM_BLOCKED;
+       }
+
        if (stored_nt == NULL) {
                DEBUG(3,("hash_password_check: NO NT password stored for user %s.\n",
                         username));
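Review bot: The warning added in the `NTLM_AUTH_DISABLED` branch does not name the account that was refused, whereas the `DEBUG(3, ...)` message directly below it logs `username`; anyone auditing blocked NTLM attempts gets no subject from this line. The `DBG_*` macros already prefix the function name, so the literal `hash_password_check: ` is redundant, and `DBG_WARNING("NTLM authentication not permitted by configuration (user %s).\n", username);` would address both. The early return happens before `stored_nt` is examined, which deserves a one-line comment such as `/* Policy check first: stored hashes are not consulted when NTLM is disabled. */`. The body of hash_password_check continues past the end of this hunk.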
@@ -387,6 +394,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
                }
                return hash_password_check(mem_ctx, 
                                           lanman_auth,
+                                          ntlm_auth,
                                           lm_ok ? &client_lm : NULL, 
                                           nt_response->length ? &client_nt : NULL, 
                                           username,  
index 86cab9b2d13a18a0c2088aa395162ea371dbe431..3fcd1f4ccbbe8373bd8de60ffb9946ee19f9d50c 100644 (file)
@@ -45,6 +45,7 @@ struct samr_Password;
 
 NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
                                 bool lanman_auth,
+                            enum ntlm_auth_level ntlm_auth,
                             const struct samr_Password *client_lanman,
                             const struct samr_Password *client_nt,
                             const char *username, 
index 1b346b438706027c1cae6824b5daad704af5a3e5..30125809563c9e09776ab4844970fcb94b52e15f 100644 (file)
@@ -73,6 +73,7 @@ static NTSTATUS sam_password_ok(TALLOC_CTX *mem_ctx,
        switch (user_info->password_state) {
        case AUTH_PASSWORD_HASH:
                status = hash_password_check(mem_ctx, lp_lanman_auth(),
+                                            lp_ntlm_auth(),
                                             user_info->password.hash.lanman,
                                             user_info->password.hash.nt,
                                             username,
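Review bot: Code that keys on `NT_STATUS_WRONG_PASSWORD` will see a different result from this call once NTLM is disabled, because the `AUTH_PASSWORD_HASH` path can now return `NT_STATUS_NTLM_BLOCKED` where, per the commit message, it previously surfaced as a wrong-password error. The code that consumes `status` lies outside this hunk, so it is not visible here whether bad-password accounting or authentication audit logging depends on the old status. Presumably a policy refusal should not be counted as a failed password guess; that is worth confirming and recording at the call, e.g. `/* NT_STATUS_NTLM_BLOCKED is a policy refusal, not a wrong password. */`. The same applies to the `hash_password_check` call in authsam_password_ok in source4/auth/ntlm/auth_sam.c.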
index 3e2cf16b9e4e6517563a491a0d7e67bade7de1c1..b46b1da821397e510a894c8ff66f48c53c09e588 100644 (file)
@@ -125,6 +125,7 @@ static NTSTATUS authsam_password_ok(struct auth4_context *auth_context,
                *user_sess_key = data_blob(NULL, 0);
                status = hash_password_check(mem_ctx, 
                                             false,
+                                            lpcfg_ntlm_auth(auth_context->lp_ctx),
                                             NULL,
                                             user_info->password.hash.nt,
                                             user_info->mapped.account_name,