diff options
author | Gerald Carter <jerry@samba.org> | 2001-03-09 18:59:16 +0000 |
---|---|---|
committer | Gerald Carter <jerry@samba.org> | 2001-03-09 18:59:16 +0000 |
commit | 0bfc10011bd5cacecda8b59c36e80f676e5c7fa3 (patch) | |
tree | c697a708da79caa3291c7844eb2148bccdf869ac | |
parent | 53a331cfb271bd64bb26d0d433439e249adbbe71 (diff) | |
download | samba-0bfc10011bd5cacecda8b59c36e80f676e5c7fa3.tar.gz samba-0bfc10011bd5cacecda8b59c36e80f676e5c7fa3.tar.bz2 samba-0bfc10011bd5cacecda8b59c36e80f676e5c7fa3.zip |
merge of 'lanman auth' and 'min protocol' from 2.2
(This used to be commit 1d84da779a0fe3219d77686a493d2b2fa1f8072a)
-rw-r--r-- | source3/include/proto.h | 2 | ||||
-rw-r--r-- | source3/param/loadparm.c | 9 | ||||
-rw-r--r-- | source3/smbd/negprot.c | 3 | ||||
-rw-r--r-- | source3/smbd/reply.c | 33 |
4 files changed, 35 insertions, 12 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h index a119390d0d..442354abed 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -1636,6 +1636,7 @@ BOOL lp_nt_acl_support(void); BOOL lp_stat_cache(void); BOOL lp_allow_trusted_domains(void); BOOL lp_restrict_anonymous(void); +BOOL lp_lanman_auth(void); BOOL lp_host_msdfs(void); BOOL lp_kernel_oplocks(void); int lp_os_level(void); @@ -1651,6 +1652,7 @@ int lp_usernamelevel(void); int lp_readsize(void); int lp_deadtime(void); int lp_maxprotocol(void); +int lp_minprotocol(void); int lp_security(void); int lp_maxdisksize(void); int lp_lpqcachetime(void); diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index b4cf4930cd..0593d2d190 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -186,6 +186,7 @@ typedef struct int unamelevel; int deadtime; int maxprotocol; + int minprotocol; int security; int maxdisksize; int lpqcachetime; @@ -261,6 +262,7 @@ typedef struct BOOL bKernelOplocks; BOOL bAllowTrustedDomains; BOOL bRestrictAnonymous; + BOOL bLanmanAuth; BOOL bDebugHiresTimestamp; BOOL bDebugPid; BOOL bDebugUid; @@ -687,6 +689,7 @@ static struct parm_struct parm_table[] = { {"username level", P_INTEGER, P_GLOBAL, &Globals.unamelevel, NULL, NULL, 0}, {"unix password sync", P_BOOL, P_GLOBAL, &Globals.bUnixPasswdSync, NULL, NULL, 0}, {"restrict anonymous", P_BOOL, P_GLOBAL, &Globals.bRestrictAnonymous, NULL, NULL, 0}, + {"lanman auth", P_BOOL, P_GLOBAL, &Globals.bLanmanAuth, NULL, NULL, 0}, {"use rhosts", P_BOOL, P_GLOBAL, &Globals.bUseRhosts, NULL, NULL, 0}, {"username", P_STRING, P_LOCAL, &sDefault.szUsername, NULL, NULL, FLAG_GLOBAL | FLAG_SHARE}, @@ -770,6 +773,8 @@ static struct parm_struct parm_table[] = { {"Protocol Options", P_SEP, P_SEPARATOR}, {"protocol", P_ENUM, P_GLOBAL, &Globals.maxprotocol, NULL, enum_protocol, 0}, + {"max protocol", P_ENUM, P_GLOBAL, &Globals.maxprotocol, NULL, enum_protocol, 0}, + {"min protocol", P_ENUM, P_GLOBAL, &Globals.minprotocol, NULL, enum_protocol, 0}, {"read bmpx", P_BOOL, P_GLOBAL, &Globals.bReadbmpx, NULL, NULL, 0}, {"read raw", P_BOOL, P_GLOBAL, &Globals.bReadRaw, NULL, NULL, 0}, {"write raw", P_BOOL, P_GLOBAL, &Globals.bWriteRaw, NULL, NULL, 0}, @@ -1206,6 +1211,7 @@ static void init_globals(void) Globals.max_log_size = 5000; Globals.max_open_files = MAX_OPEN_FILES; Globals.maxprotocol = PROTOCOL_NT1; + Globals.minprotocol = PROTOCOL_CORE; Globals.security = SEC_USER; Globals.bEncryptPasswords = False; Globals.bUpdateEncrypt = False; @@ -1250,6 +1256,7 @@ static void init_globals(void) Globals.bNTAclSupport = True; /* Use NT ACLs by default. */ Globals.bStatCache = True; /* use stat cache by default */ Globals.bRestrictAnonymous = False; + Globals.bLanmanAuth = True; /* Do use the LanMan hash if it is available */ Globals.map_to_guest = 0; /* By Default, "Never" */ Globals.min_passwd_length = MINPASSWDLENGTH; /* By Default, 5. */ Globals.oplock_break_wait_time = 0; /* By Default, 0 msecs. */ @@ -1506,6 +1513,7 @@ FN_GLOBAL_BOOL(lp_nt_acl_support, &Globals.bNTAclSupport) FN_GLOBAL_BOOL(lp_stat_cache, &Globals.bStatCache) FN_GLOBAL_BOOL(lp_allow_trusted_domains, &Globals.bAllowTrustedDomains) FN_GLOBAL_BOOL(lp_restrict_anonymous, &Globals.bRestrictAnonymous) +FN_GLOBAL_BOOL(lp_lanman_auth, &Globals.bLanmanAuth) FN_GLOBAL_BOOL(lp_host_msdfs, &Globals.bHostMSDfs) FN_GLOBAL_BOOL(lp_kernel_oplocks, &Globals.bKernelOplocks) FN_GLOBAL_INTEGER(lp_os_level, &Globals.os_level) @@ -1521,6 +1529,7 @@ FN_GLOBAL_INTEGER(lp_usernamelevel, &Globals.unamelevel) FN_GLOBAL_INTEGER(lp_readsize, &Globals.ReadSize) FN_GLOBAL_INTEGER(lp_deadtime, &Globals.deadtime) FN_GLOBAL_INTEGER(lp_maxprotocol, &Globals.maxprotocol) +FN_GLOBAL_INTEGER(lp_minprotocol, &Globals.minprotocol) FN_GLOBAL_INTEGER(lp_security, &Globals.security) FN_GLOBAL_INTEGER(lp_maxdisksize, &Globals.maxdisksize) FN_GLOBAL_INTEGER(lp_lpqcachetime, &Globals.lpqcachetime) diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c index 41e95b816d..74d8eb3983 100644 --- a/source3/smbd/negprot.c +++ b/source3/smbd/negprot.c @@ -411,7 +411,8 @@ int reply_negprot(connection_struct *conn, { p = smb_buf(inbuf)+1; Index = 0; - if (lp_maxprotocol() >= supported_protocols[protocol].protocol_level) + if ((supported_protocols[protocol].protocol_level <= lp_maxprotocol()) && + (supported_protocols[protocol].protocol_level >= lp_minprotocol())) while (p < (smb_buf(inbuf) + bcc)) { if (strequal(p,supported_protocols[protocol].proto_name)) diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 402f9db754..4e87782a48 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -700,6 +700,7 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,int int smb_ntpasslen = 0; pstring smb_ntpasswd; BOOL valid_nt_password = False; + BOOL valid_lm_password = False; pstring user; pstring orig_user; BOOL guest=False; @@ -935,15 +936,11 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,int * security=domain. */ - if (!guest && - !check_server_security(orig_user, domain, user, - smb_apasswd, smb_apasslen, - smb_ntpasswd, smb_ntpasslen) && - !check_domain_security(orig_user, domain, user, - smb_apasswd, smb_apasslen, - smb_ntpasswd, smb_ntpasslen) && - !check_hosts_equiv(user) - ) + if (!guest && !check_server_security(orig_user, domain, user, + smb_apasswd, smb_apasslen, smb_ntpasswd, smb_ntpasslen) && + !check_domain_security(orig_user, domain, user, smb_apasswd, + smb_apasslen, smb_ntpasswd, smb_ntpasslen) && + !check_hosts_equiv(user)) { /* @@ -959,12 +956,26 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,int if(smb_ntpasslen) { if(!password_ok(user, smb_ntpasswd,smb_ntpasslen,NULL)) - DEBUG(2,("NT Password did not match for user '%s' ! Defaulting to Lanman\n", user)); + DEBUG(2,("NT Password did not match for user '%s'!\n", user)); else valid_nt_password = True; } + + + /* check the LanMan password only if necessary and if allowed + by lp_lanman_auth() */ + if (!valid_nt_password && lp_lanman_auth()) + { + DEBUG(2,("Defaulting to Lanman password for %s\n", user)); + valid_lm_password = password_ok(user, smb_apasswd,smb_apasslen,NULL); + } + - if (!valid_nt_password && !password_ok(user, smb_apasswd,smb_apasslen,NULL)) + /* The true branch will be executed if + (1) the NT password failed (or was not tried), and + (2) LanMan authentication failed (or was disabled) + */ + if (!valid_nt_password && !valid_lm_password) { if (lp_security() >= SEC_USER) { |