auth: Return status code if configuration prohibits NTLM

Currently, we rely on ‘stored_nt’ being NULL to give an NT_STATUS_WRONG_PASSWORD error. Signed-off-by: Joseph Sutton <[email protected]> Reviewed-by: Andrew Bartlett <[email protected]>
tgl1986 · May 16, 2023 · 2a8db07 · 2a8db07
1 parent 23a67d5
commit 2a8db07
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 0 deletions.
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
@@ -259,12 +259,19 @@ static bool smb_sess_key_ntlmv2(TALLOC_CTX *mem_ctx,
 
 NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
 			     bool lanman_auth,
+			     enum ntlm_auth_level ntlm_auth,
 			     const struct samr_Password *client_lanman,
 			     const struct samr_Password *client_nt,
 			     const char *username, 
 			     const struct samr_Password *stored_lanman, 
 			     const struct samr_Password *stored_nt)
 {
+	if (ntlm_auth == NTLM_AUTH_DISABLED) {
+		DBG_WARNING("hash_password_check: NTLM authentication not "
+			    "permitted by configuration.\n");
+		return NT_STATUS_NTLM_BLOCKED;
+	}
+
 	if (stored_nt == NULL) {
 		DEBUG(3,("hash_password_check: NO NT password stored for user %s.\n",
 			 username));
@@ -387,6 +394,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
 		}
 		return hash_password_check(mem_ctx, 
 					   lanman_auth,
+					   ntlm_auth,
 					   lm_ok ? &client_lm : NULL, 
 					   nt_response->length ? &client_nt : NULL, 
 					   username,  

diff --git a/libcli/auth/ntlm_check.h b/libcli/auth/ntlm_check.h
@@ -45,6 +45,7 @@ struct samr_Password;
 
 NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
 				 bool lanman_auth,
+			     enum ntlm_auth_level ntlm_auth,
 			     const struct samr_Password *client_lanman,
 			     const struct samr_Password *client_nt,
 			     const char *username, 

diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c
@@ -73,6 +73,7 @@ static NTSTATUS sam_password_ok(TALLOC_CTX *mem_ctx,
 	switch (user_info->password_state) {
 	case AUTH_PASSWORD_HASH:
 		status = hash_password_check(mem_ctx, lp_lanman_auth(),
+					     lp_ntlm_auth(),
 					     user_info->password.hash.lanman,
 					     user_info->password.hash.nt,
 					     username,

diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
@@ -125,6 +125,7 @@ static NTSTATUS authsam_password_ok(struct auth4_context *auth_context,
 		*user_sess_key = data_blob(NULL, 0);
 		status = hash_password_check(mem_ctx, 
 					     false,
+					     lpcfg_ntlm_auth(auth_context->lp_ctx),
 					     NULL,
 					     user_info->password.hash.nt,
 					     user_info->mapped.account_name,