author | Andrew Tridgell <tridge@samba.org> | 1997-12-03 03:43:05 +0000 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 1997-12-03 03:43:05 +0000 |
commit | 69460b470f44c82b677a41d65ab4e172fc7b284b (patch) | |
tree | a6c333146ab485986db8982976843b5de418cee5 | |
parent | 11d7f4a2aa01d5bd010fd18934c2516f39a41e3c (diff) | |
allow users to disable the NetWkstaUserLogon call in server level
security by changing a setting in local.h or adding it to their
Makefile. See comment in local.h
(This used to be commit cc10fdf7583ec644850445ad96afd8b22b71e86f)
-rw-r--r-- | source3/include/local.h | 10 | ||||
-rw-r--r-- | source3/smbd/password.c | 2 |
2 files changed, 12 insertions, 0 deletions
diff --git a/source3/include/local.h b/source3/include/local.h
index 9a31032ee6..ca8d231dcd 100644
--- a/source3/include/local.h
+++ b/source3/include/local.h
@@ -25,6 +25,16 @@
 */
 #define PRINTCAP_NAME "/etc/printcap"
+/* this affects server level security. With this set (recommended)
+ samba will do a full NetWkstaUserLogon to confirm that the client
+ really should have login rights. This can cause problems with
+ machines in trust relationships in which case you can disable it
+ here, but be warned, we have heard that some NT machines will then
+ allow anyone in with any password! Make sure you test it. */
+#ifndef USE_NETWKSTAUSERLOGON
+#define USE_NETWKSTAUSERLOGON 1
+#endif
+
 /* define what facility to use for syslog */
 #ifndef SYSLOG_FACILITY
 #define SYSLOG_FACILITY LOG_DAEMON
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index 2176d5dafa..1c72f0cfa6 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -1589,6 +1589,7 @@ BOOL server_validate(char *user, char *domain,
 }
+#if USE_NETWKSTAUSERLOGON
 if (!cli_NetWkstaUserLogon(&cli,user,local_machine)) {
 DEBUG(1,("password server %s failed NetWkstaUserLogon\n", cli.desthost));
 cli_tdis(&cli);
@@ -1608,6 +1609,7 @@ BOOL server_validate(char *user, char *domain,
 cli_tdis(&cli);
 return False;
 }
+#endif
 DEBUG(3,("password server %s accepted the password\n", cli.desthost));
|
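Review bot: The new comment in local.h says the check can be disabled "here" but not which value does that. Because the `#ifndef` guard turns an undefined macro back into 1 and password.c tests it with `#if`, only an explicit zero switches the check off. I would end the comment with `Set to 0 (e.g. -DUSE_NETWKSTAUSERLOGON=0 in the Makefile) to disable.` so nobody tries a bare `#undef` or an empty define. It is also worth saying in the comment that the setting is build-wide, so it applies to every password server this binary is pointed at.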
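Review bot: With the block between `#if USE_NETWKSTAUSERLOGON` and the `#endif` in the following hunk compiled out, server_validate goes straight to the DEBUG(3) "accepted the password" line, and nothing in the log shows that the logon confirmation was skipped. Given the warning in local.h that some NT password servers then accept any password, I would add an `#else` branch before the `#endif` that logs at a level operators actually see, e.g. `DEBUG(1,("password server %s: NetWkstaUserLogon check disabled at build time\n", cli.desthost));`. The rest of server_validate and the lines between the two hunks are outside what is shown, so whether another check remains on this path cannot be confirmed from here.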