The branch, master has been updated via d7a91a855c7 s4-auth: Remove last traces of LanMan authentiation support in the AD DC. via 86f7e4e6905 s4-auth: Only build auth_developer module in developer mode via 360bb864e9a s4-auth: Do not trigger RODC replication unless missing all passwords via 1884bc11f01 s4-auth: Remove unused acct_flags parameter from 14e7112734b waf: Document the confusing --nonshared-binary, --builtin-libraries, --private-libraries and --bundled-libraries
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit d7a91a855c7edfb0e09c93cbe4c56df0437fa467 Author: Andrew Bartlett <abart...@samba.org> Date: Fri Mar 25 12:18:01 2022 +1300 s4-auth: Remove last traces of LanMan authentiation support in the AD DC. Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Tue Mar 29 03:32:57 UTC 2022 on sn-devel-184 commit 86f7e4e69059e77c35f451919365685d909024af Author: Andrew Bartlett <abart...@samba.org> Date: Wed Mar 23 15:10:23 2022 +1300 s4-auth: Only build auth_developer module in developer mode This is a silly module for provoking NTSTATUS replies for testing and was useful many moons ago for determining the NTSTATUS -> DOS table that windows uses. Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 360bb864e9a958c395f841bdc8caf866f8dcb0e0 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Mar 16 16:27:54 2022 +1300 s4-auth: Do not trigger RODC replication unless missing all passwords With the NT hash becoming optional we cannot make blind assumptions that a missing value means we are on an RODC needing the password replicated. Instead, check for supplementalCredentials as well. Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 1884bc11f0115078113253d48be684c32cb3c5f9 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Mar 16 15:19:54 2022 +1300 s4-auth: Remove unused acct_flags parameter 
Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> ----------------------------------------------------------------------- Summary of changes: WHATSNEW.txt | 5 +++++ docs-xml/smbdotconf/security/lanmanauth.xml | 4 ++++ source4/auth/ntlm/auth_sam.c | 15 +++++++-------- source4/auth/ntlm/wscript_build | 3 ++- 4 files changed, 18 insertions(+), 9 deletions(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index d23bede2da2..1bdf3a01cfb 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -66,6 +66,11 @@ server used as a front. REMOVED FEATURES ================ +LanMan Authentication and password storage removed from the AD DC +----------------------------------------------------------------- + +The storage and authentication with LanMan passwords has been entirely +removed from the Samba AD DC, even when "lanman auth = yes" is set. smb.conf changes ================ diff --git a/docs-xml/smbdotconf/security/lanmanauth.xml b/docs-xml/smbdotconf/security/lanmanauth.xml index 842c12d9b64..045e89d94d6 100644 --- a/docs-xml/smbdotconf/security/lanmanauth.xml +++ b/docs-xml/smbdotconf/security/lanmanauth.xml @@ -45,6 +45,10 @@ then only NTLMv2 logins will be permitted and no LM hash will be stored. All modern clients support NTLMv2, and but some older clients require special configuration to use it.</para> + + <para><emphasis>This parameter has no impact on the Samba AD DC, + LM authentication is always disabled and no LM password is ever + stored.</emphasis></para> </description> <value type="default">no</value> diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index 60795c40723..14b6c707aa5 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c 
@@ -52,7 +52,6 @@ extern const char *domain_ref_attrs[]; ****************************************************************************/ static NTSTATUS authsam_password_ok(struct auth4_context *auth_context, TALLOC_CTX *mem_ctx, - uint16_t acct_flags, const struct samr_Password *nt_pwd, const struct auth_usersupplied_info *user_info, DATA_BLOB *user_sess_key, @@ -79,8 +78,8 @@ static NTSTATUS authsam_password_ok(struct auth4_context *auth_context, *lm_sess_key = data_blob(NULL, 0); *user_sess_key = data_blob(NULL, 0); status = hash_password_check(mem_ctx, - lpcfg_lanman_auth(auth_context->lp_ctx), - user_info->password.hash.lanman, + false, + NULL, user_info->password.hash.nt, user_info->mapped.account_name, NULL, nt_pwd); @@ -207,7 +206,6 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con TALLOC_CTX *mem_ctx, struct ldb_dn *domain_dn, struct ldb_message *msg, - uint16_t acct_flags, const struct auth_usersupplied_info *user_info, DATA_BLOB *user_sess_key, DATA_BLOB *lm_sess_key, @@ -222,6 +220,7 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con const char * const attrs[] = { "pwdHistoryLength", NULL }; struct ldb_message *dom_msg; struct samr_Password *nt_pwd; + const struct ldb_val *sc_val; bool am_rodc; tmp_ctx = talloc_new(mem_ctx); @@ -244,7 +243,9 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con return nt_status; } - if (nt_pwd == NULL) { + sc_val = ldb_msg_find_ldb_val(msg, "supplementalCredentials"); + + if (nt_pwd == NULL && sc_val == NULL) { if (samdb_rodc(auth_context->sam_ctx, &am_rodc) == LDB_SUCCESS && am_rodc) { /* * we don't have passwords for this @@ -273,7 +274,6 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con } auth_status = authsam_password_ok(auth_context, tmp_ctx, - acct_flags, nt_pwd, user_info, user_sess_key, lm_sess_key); 
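Review bot: The two literal arguments `false, NULL` handed to `hash_password_check` in authsam_password_ok (hunk at -79) have no explanation at the call site, so a later reader cannot tell whether LM support was removed deliberately or left half-done. A comment before the call such as `/* The AD DC never stores an LM hash and never accepts LM authentication, whatever "lanman auth" says: no LM hash, LM checking off. */` would tie the call to the smb.conf wording this commit adds. The hunk also still zeroes and returns `lm_sess_key` although no LM path can populate it now; if nothing downstream reads it, the out-parameter is a candidate for removal in a follow-up. authsam_password_ok's body continues outside the hunk.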
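Review bot: With the guard relaxed to `if (nt_pwd == NULL && sc_val == NULL)` (hunk at -244), an account that carries supplementalCredentials but no NT hash now bypasses the RODC branch and, per the call shown in the -273 hunk, reaches `authsam_password_ok(auth_context, tmp_ctx, nt_pwd, ...)` with nt_pwd == NULL; nothing visible shows that path ending in a clean NT_STATUS_WRONG_PASSWORD rather than relying on hash_password_check to tolerate a NULL stored hash. Unless hash_password_check is known to handle that, an explicit early return is simpler to audit: `if (nt_pwd == NULL) { return NT_STATUS_WRONG_PASSWORD; }` placed before the hash comparison in authsam_password_ok, which also covers the history loop in the later hunk that passes nt_history_pwd the same way. The new condition also treats the mere presence of supplementalCredentials as proof that a usable secret is held; a short comment stating that assumption (and a TODO to confirm it against what an RODC actually receives) would help the next person who touches the RODC trigger. authsam_password_check_and_record's body continues outside the hunk.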
@@ -369,7 +369,6 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con } auth_status = authsam_password_ok(auth_context, tmp_ctx, - acct_flags, nt_history_pwd, user_info, user_sess_key, @@ -551,7 +550,7 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context, } nt_status = authsam_password_check_and_record(auth_context, tmp_ctx, - domain_dn, msg, acct_flags, + domain_dn, msg, user_info, user_sess_key, lm_sess_key, authoritative); diff --git a/source4/auth/ntlm/wscript_build b/source4/auth/ntlm/wscript_build index 43c21ceb67f..f669ca90367 100644 --- a/source4/auth/ntlm/wscript_build +++ b/source4/auth/ntlm/wscript_build @@ -28,7 +28,8 @@ bld.SAMBA_MODULE('auth4_developer', source='auth_developer.c', subsystem='auth4', init_function='auth4_developer_init', - deps='tevent' + deps='tevent', + enabled=bld.env.DEVELOPER_MODE ) -- Samba Shared Repository
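Review bot: Dropping `acct_flags` from the authsam_password_check_and_record call (hunk at -551) removes one use of the `acct_flags` local in authsam_authenticate; if that was its last remaining use the variable is now dead and will trip -Wunused-variable (and -Werror in developer builds), so its other reads, if any, should be confirmed since authsam_authenticate's body lies outside the hunk. If it is still needed elsewhere, no change is required here.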
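Review bot: `enabled=bld.env.DEVELOPER_MODE` gates only the build of auth4_developer; nothing in the hunk records why, and the module's purpose (returning caller-chosen NTSTATUS codes) is exactly the kind of thing that must never reach a release build, so a comment above the entry, `# test-only module: returns caller-chosen NTSTATUS codes, built in developer mode only`, would make the gate self-explanatory. If any selftest environment lists this module in its `auth methods`, that environment will now fail to load it on non-developer builds, which the change does not address and is worth checking. The module declaration begins before the hunk.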