samr: Disable NTLM-based password changes on the server if NTLM is disabled
authorAndrew Bartlett <abartlet@samba.org>
Mon, 3 Jul 2017 02:39:09 +0000 (14:39 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 4 Jul 2017 04:57:21 +0000 (06:57 +0200)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
docs-xml/smbdotconf/security/ntlmauth.xml
source3/rpc_server/samr/srv_samr_chgpasswd.c
source4/rpc_server/samr/samr_password.c

index 88105e69ed5b096b7c97c010eef6e39f6e6a061c..f0969bf9ed2f74910f30d6a27d8dd42123d58c83 100644 (file)
@@ -42,7 +42,8 @@
 
         <listitem>
           <para><constant>disabled</constant> - Do not allow NTLM (or
-          LanMan) authentication of any level as a server.</para>
+          LanMan) authentication of any level as a server, nor permit
+          NTLM password changes.</para>
         </listitem>
 
     </itemizedlist>
index ab9e92ace78da7d735245ab062ff2045fc2f5798..87a3f32ff134db7f5cf812c24d32223e8638e972 100644 (file)
@@ -683,6 +683,14 @@ static NTSTATUS check_oem_password(const char *user,
 
        bool nt_pass_set = (password_encrypted_with_nt_hash && old_nt_hash_encrypted);
        bool lm_pass_set = (password_encrypted_with_lm_hash && old_lm_hash_encrypted);
+       enum ntlm_auth_level ntlm_auth_level = lp_ntlm_auth();
+
+       /* this call should be disabled without NTLM auth */
+       if (ntlm_auth_level == NTLM_AUTH_DISABLED) {
+               DBG_WARNING("NTLM password changes not"
+                           "permitted by configuration.\n");
+               return NT_STATUS_NTLM_BLOCKED;
+       }
 
        acct_ctrl = pdb_get_acct_ctrl(sampass);
 #if 0
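Review bot: The two adjacent string literals in the added DBG_WARNING concatenate without a separating space, so the logged message reads "NTLM password changes notpermitted by configuration."; the first literal should end with a space, `DBG_WARNING("NTLM password changes not "` followed by `"permitted by configuration.\n");`. The same split literal appears in the matching hunk of source4/rpc_server/samr/samr_password.c and needs the same one-character fix, since operators grepping logs for "not permitted" will otherwise miss these events. The check itself reads as fail-closed: it rejects with NT_STATUS_NTLM_BLOCKED before any of the supplied NT/LM material is examined. check_oem_password's body begins before and continues past this hunk.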
index 785633ddc259c987bab30a14937e7361a2d87b46..22f456f090b39f5fc345acb87b028e34805aed61 100644 (file)
@@ -307,10 +307,19 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
        struct samr_Password nt_verifier, lm_verifier;
        const char *user_samAccountName = NULL;
        struct dom_sid *user_objectSid = NULL;
+       enum ntlm_auth_level ntlm_auth_level
+               = lpcfg_ntlm_auth(dce_call->conn->dce_ctx->lp_ctx);
 
        *r->out.dominfo = NULL;
        *r->out.reject = NULL;
 
+       /* this call should be disabled without NTLM auth */
+       if (ntlm_auth_level == NTLM_AUTH_DISABLED) {
+               DBG_WARNING("NTLM password changes not"
+                           "permitted by configuration.\n");
+               return NT_STATUS_NTLM_BLOCKED;
+       }
+
        if (r->in.nt_password == NULL ||
            r->in.nt_verifier == NULL) {
                return NT_STATUS_INVALID_PARAMETER;