From 0bfc10011bd5cacecda8b59c36e80f676e5c7fa3 Mon Sep 17 00:00:00 2001
From: Gerald Carter
Date: Fri, 9 Mar 2001 18:59:16 +0000
Subject: merge of 'lanman auth' and 'min protocol' from 2.2

(This used to be commit 1d84da779a0fe3219d77686a493d2b2fa1f8072a)
---
 source3/include/proto.h | 2 ++
 source3/param/loadparm.c | 9 +++++++++
 source3/smbd/negprot.c | 3 ++-
 source3/smbd/reply.c | 33 ++++++++++++++++++++++-----------
 4 files changed, 35 insertions(+), 12 deletions(-)

diff --git a/source3/include/proto.h b/source3/include/proto.h
index a119390d0d..442354abed 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1636,6 +1636,7 @@ BOOL lp_nt_acl_support(void);
 BOOL lp_stat_cache(void);
 BOOL lp_allow_trusted_domains(void);
 BOOL lp_restrict_anonymous(void);
+BOOL lp_lanman_auth(void);
 BOOL lp_host_msdfs(void);
 BOOL lp_kernel_oplocks(void);
 int lp_os_level(void);
@@ -1651,6 +1652,7 @@ int lp_usernamelevel(void);
 int lp_readsize(void);
 int lp_deadtime(void);
 int lp_maxprotocol(void);
+int lp_minprotocol(void);
 int lp_security(void);
 int lp_maxdisksize(void);
 int lp_lpqcachetime(void);
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index b4cf4930cd..0593d2d190 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -186,6 +186,7 @@ typedef struct
 int unamelevel;
 int deadtime;
 int maxprotocol;
+ int minprotocol;
 int security;
 int maxdisksize;
 int lpqcachetime;
@@ -261,6 +262,7 @@ typedef struct
 BOOL bKernelOplocks;
 BOOL bAllowTrustedDomains;
 BOOL bRestrictAnonymous;
+ BOOL bLanmanAuth;
 BOOL bDebugHiresTimestamp;
 BOOL bDebugPid;
 BOOL bDebugUid;
@@ -687,6 +689,7 @@ static struct parm_struct parm_table[] = { {"username level", P_INTEGER, P_GLOBAL, &Globals.unamelevel, NULL, NULL, 0}, {"unix password sync", P_BOOL, P_GLOBAL, &Globals.bUnixPasswdSync, NULL, NULL, 0}, {"restrict anonymous", P_BOOL, P_GLOBAL, &Globals.bRestrictAnonymous, NULL, NULL, 0}, + {"lanman auth", P_BOOL, P_GLOBAL, &Globals.bLanmanAuth, NULL, NULL, 0}, {"use rhosts", P_BOOL, P_GLOBAL, &Globals.bUseRhosts, NULL, NULL, 0}, {"username", P_STRING, P_LOCAL, &sDefault.szUsername, NULL, NULL, FLAG_GLOBAL | FLAG_SHARE}, @@ -770,6 +773,8 @@ static struct parm_struct parm_table[] = { {"Protocol Options", P_SEP, P_SEPARATOR}, {"protocol", P_ENUM, P_GLOBAL, &Globals.maxprotocol, NULL, enum_protocol, 0}, + {"max protocol", P_ENUM, P_GLOBAL, &Globals.maxprotocol, NULL, enum_protocol, 0}, + {"min protocol", P_ENUM, P_GLOBAL, &Globals.minprotocol, NULL, enum_protocol, 0}, {"read bmpx", P_BOOL, P_GLOBAL, &Globals.bReadbmpx, NULL, NULL, 0}, {"read raw", P_BOOL, P_GLOBAL, &Globals.bReadRaw, NULL, NULL, 0}, {"write raw", P_BOOL, P_GLOBAL, &Globals.bWriteRaw, NULL, NULL, 0}, @@ -1206,6 +1211,7 @@ static void init_globals(void) Globals.max_log_size = 5000; Globals.max_open_files = MAX_OPEN_FILES; Globals.maxprotocol = PROTOCOL_NT1; + Globals.minprotocol = PROTOCOL_CORE; Globals.security = SEC_USER; Globals.bEncryptPasswords = False; Globals.bUpdateEncrypt = False; @@ -1250,6 +1256,7 @@ static void init_globals(void) Globals.bNTAclSupport = True; /* Use NT ACLs by default. */ Globals.bStatCache = True; /* use stat cache by default */ Globals.bRestrictAnonymous = False; + Globals.bLanmanAuth = True; /* Do use the LanMan hash if it is available */ Globals.map_to_guest = 0; /* By Default, "Never" */ Globals.min_passwd_length = MINPASSWDLENGTH; /* By Default, 5. */ Globals.oplock_break_wait_time = 0; /* By Default, 0 msecs. */ 
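Review bot: Nothing in loadparm.c checks that the new `Globals.minprotocol` is not greater than `Globals.maxprotocol` once smb.conf has been parsed, so a configuration with the minimum set above the maximum makes every dialect fail the range test in reply_negprot and refuses all clients without any log line pointing at the cause. A one-line sanity check after the file is loaded (outside these hunks), e.g. `if (Globals.minprotocol > Globals.maxprotocol) DEBUG(0,("min protocol is higher than max protocol, no dialect can be negotiated\n"));`, would surface the misconfiguration where it is made. `Globals.bLanmanAuth = True` in init_globals keeps the weaker LanMan response accepted on every server that does not explicitly set `lanman auth = no`; that may be intended for 2.2 compatibility, but the default and its effect should be stated next to the parameter so administrators know there is something to turn off. The `protocol` and `max protocol` table entries both point at `&Globals.maxprotocol`, and a short comment saying the old name is kept as a synonym would keep someone from removing one as an apparent duplicate.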
@@ -1506,6 +1513,7 @@ FN_GLOBAL_BOOL(lp_nt_acl_support, &Globals.bNTAclSupport)
 FN_GLOBAL_BOOL(lp_stat_cache, &Globals.bStatCache)
 FN_GLOBAL_BOOL(lp_allow_trusted_domains, &Globals.bAllowTrustedDomains)
 FN_GLOBAL_BOOL(lp_restrict_anonymous, &Globals.bRestrictAnonymous)
+FN_GLOBAL_BOOL(lp_lanman_auth, &Globals.bLanmanAuth)
 FN_GLOBAL_BOOL(lp_host_msdfs, &Globals.bHostMSDfs)
 FN_GLOBAL_BOOL(lp_kernel_oplocks, &Globals.bKernelOplocks)
 FN_GLOBAL_INTEGER(lp_os_level, &Globals.os_level)
@@ -1521,6 +1529,7 @@ FN_GLOBAL_INTEGER(lp_usernamelevel, &Globals.unamelevel)
 FN_GLOBAL_INTEGER(lp_readsize, &Globals.ReadSize)
 FN_GLOBAL_INTEGER(lp_deadtime, &Globals.deadtime)
 FN_GLOBAL_INTEGER(lp_maxprotocol, &Globals.maxprotocol)
+FN_GLOBAL_INTEGER(lp_minprotocol, &Globals.minprotocol)
 FN_GLOBAL_INTEGER(lp_security, &Globals.security)
 FN_GLOBAL_INTEGER(lp_maxdisksize, &Globals.maxdisksize)
 FN_GLOBAL_INTEGER(lp_lpqcachetime, &Globals.lpqcachetime)
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index 41e95b816d..74d8eb3983 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -411,7 +411,8 @@ int reply_negprot(connection_struct *conn,
 {
 p = smb_buf(inbuf)+1;
 Index = 0;
- if (lp_maxprotocol() >= supported_protocols[protocol].protocol_level)
+ if ((supported_protocols[protocol].protocol_level <= lp_maxprotocol()) &&
+ (supported_protocols[protocol].protocol_level >= lp_minprotocol()))
 while (p < (smb_buf(inbuf) + bcc))
 {
 if (strequal(p,supported_protocols[protocol].proto_name))
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 402f9db754..4e87782a48 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -700,6 +700,7 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,int
 int smb_ntpasslen = 0;
 pstring smb_ntpasswd;
 BOOL valid_nt_password = False;
+ BOOL valid_lm_password = False;
 pstring user;
 pstring orig_user;
 BOOL guest=False;
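Review bot: The rewritten `if` in reply_negprot now spans two lines yet still controls the following `while` loop without braces, so the loop is easy to misread as unconditional; wrapping the loop in `{ ... }` would make the scope of the min/max range test explicit. When every entry of supported_protocols falls outside `[lp_minprotocol(), lp_maxprotocol()]`, or the client offers only dialects below the configured minimum, the loop body never runs and control reaches whatever the function does after the loop, which is outside this hunk; a `DEBUG(2,("no client dialect within the configured min/max protocol range\n"));` at that point would give an administrator something to look for when clients are refused after tightening `min protocol`. reply_negprot continues past both ends of the hunk.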
@@ -935,15 +936,11 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,int * security=domain. */ - if (!guest && - !check_server_security(orig_user, domain, user, - smb_apasswd, smb_apasslen, - smb_ntpasswd, smb_ntpasslen) && - !check_domain_security(orig_user, domain, user, - smb_apasswd, smb_apasslen, - smb_ntpasswd, smb_ntpasslen) && - !check_hosts_equiv(user) - ) + if (!guest && !check_server_security(orig_user, domain, user, + smb_apasswd, smb_apasslen, smb_ntpasswd, smb_ntpasslen) && + !check_domain_security(orig_user, domain, user, smb_apasswd, + smb_apasslen, smb_ntpasswd, smb_ntpasslen) && + !check_hosts_equiv(user)) { /* @@ -959,12 +956,26 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,int if(smb_ntpasslen) { if(!password_ok(user, smb_ntpasswd,smb_ntpasslen,NULL)) - DEBUG(2,("NT Password did not match for user '%s' ! Defaulting to Lanman\n", user)); + DEBUG(2,("NT Password did not match for user '%s'!\n", user)); else valid_nt_password = True; } + + + /* check the LanMan password only if necessary and if allowed + by lp_lanman_auth() */ + if (!valid_nt_password && lp_lanman_auth()) + { + DEBUG(2,("Defaulting to Lanman password for %s\n", user)); + valid_lm_password = password_ok(user, smb_apasswd,smb_apasslen,NULL); + } + - if (!valid_nt_password && !password_ok(user, smb_apasswd,smb_apasslen,NULL)) + /* The true branch will be executed if + (1) the NT password failed (or was not tried), and + (2) LanMan authentication failed (or was disabled) + */ + if (!valid_nt_password && !valid_lm_password) { if (lp_security() >= SEC_USER) { -- cgit
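Review bot: When `lp_lanman_auth()` is off, a session setup whose NT response failed or that carries only a LanMan response now drops straight into the `!valid_nt_password && !valid_lm_password` branch with no log line saying why, because the only new message is the `Defaulting to Lanman password` DEBUG inside the enabled case, whereas the removed message at least recorded that a fallback was happening. Adding `else if (!valid_nt_password) DEBUG(2,("LanMan authentication disabled, not trying LM response for user '%s'\n", user));` after the new block would let an administrator distinguish a policy rejection from a bad password when clients stop authenticating after `lanman auth = no` is set. The two blank lines inserted before the new comment and the blank line left after the new block are stray whitespace that could be dropped. reply_sesssetup_and_X extends beyond both ends of this hunk.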