<listitem>
<para><constant>disabled</constant> - Do not allow NTLM (or
- LanMan) authentication of any level as a server.</para>
+ LanMan) authentication of any level as a server, nor permit
+ NTLM password changes.</para>
</listitem>
</itemizedlist>
bool nt_pass_set = (password_encrypted_with_nt_hash && old_nt_hash_encrypted);
bool lm_pass_set = (password_encrypted_with_lm_hash && old_lm_hash_encrypted);
+ enum ntlm_auth_level ntlm_auth_level = lp_ntlm_auth();
+
+ /* this call should be disabled without NTLM auth */
+ if (ntlm_auth_level == NTLM_AUTH_DISABLED) {
+ DBG_WARNING("NTLM password changes not"
+ "permitted by configuration.\n");
+ return NT_STATUS_NTLM_BLOCKED;
+ }
acct_ctrl = pdb_get_acct_ctrl(sampass);
#if 0
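Review bot: The two adjacent string literals in the added `DBG_WARNING` call are concatenated without a separating space, so the message is logged as "NTLM password changes notpermitted by configuration."; the same text is repeated in the second C hunk, which checks `lpcfg_ntlm_auth()`. The first literal should end with a space, `DBG_WARNING("NTLM password changes not "`, so that log searches and alert rules matching "not permitted" find these events. The enclosing function starts and ends outside the hunk.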
struct samr_Password nt_verifier, lm_verifier;
const char *user_samAccountName = NULL;
struct dom_sid *user_objectSid = NULL;
+ enum ntlm_auth_level ntlm_auth_level
+ = lpcfg_ntlm_auth(dce_call->conn->dce_ctx->lp_ctx);
*r->out.dominfo = NULL;
*r->out.reject = NULL;
+ /* this call should be disabled without NTLM auth */
+ if (ntlm_auth_level == NTLM_AUTH_DISABLED) {
+ DBG_WARNING("NTLM password changes not"
+ "permitted by configuration.\n");
+ return NT_STATUS_NTLM_BLOCKED;
+ }
+
if (r->in.nt_password == NULL ||
r->in.nt_verifier == NULL) {
return NT_STATUS_INVALID_PARAMETER;
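Review bot: The warning logged before `return NT_STATUS_NTLM_BLOCKED;` does not say which account or client attempted the change, so a blocked NTLM password change is hard to attribute when the logs are reviewed. In the visible lines the check runs while `user_samAccountName` is still NULL, so any name would have to come from the request itself. If one is available at this point, it could be added to the message, for example `"NTLM password changes not permitted by configuration (account %s).\n"` with the requested name as the argument. That name is client-supplied and should be treated as untrusted text in the log. The function starts and ends outside the hunk.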