samba.git/libcli/auth, branch v4-7-stable Unnamed repository; edit this file 'description' to name the repository. CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth". 2018-08-11T19:56:43+00:00 Günther Deschner gd@samba.org 2018-03-13T15:56:20+00:00 9ff1d906d0945c644b964f2e577547927387ac6e This fixes a regression that came in via 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0. Found by Vivek Das <vdas@redhat.com> (Red Hat QE). In order to demonstrate simply run: smbclient //server/share -U user%password -mNT1 -c quit \ --option="client ntlmv2 auth"=no \ --option="client use spnego"=no against a server that uses "ntlm auth = ntlmv2-only" (our default setting). BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 CVE-2018-1139: Weak authentication protocol allowed. Guenther Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
This fixes a regression that came in via 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0.

Found by Vivek Das <vdas@redhat.com> (Red Hat QE).

In order to demonstrate simply run:

smbclient //server/share -U user%password -mNT1 -c quit \
--option="client ntlmv2 auth"=no \
--option="client use spnego"=no

against a server that uses "ntlm auth = ntlmv2-only" (our default
setting).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360

CVE-2018-1139: Weak authentication protocol allowed.

Guenther

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
CVE-2018-1139 libcli/auth: fix debug messages in hash_password_check() 2018-08-11T19:56:42+00:00 Günther Deschner gd@samba.org 2018-03-14T14:36:05+00:00 29f2fe7d072d37644592e1cf6bc069de60c5f607 BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 CVE-2018-1139: Weak authentication protocol allowed. Guenther Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360

CVE-2018-1139: Weak authentication protocol allowed.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
CVE-2018-1139 libcli/auth: Add initial tests for ntlm_password_check() 2018-08-11T19:56:42+00:00 Andrew Bartlett abartlet@samba.org 2018-07-26T20:44:24+00:00 a5fe27c10e776ad59288762330ab513439efbfb2 BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 Signed-off-by: Andrew Bartlett <abartlet@samba.org> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
lib: auth: Store the netlogon_creds_cli_global_db pointer on the NULL context. 2017-08-17T08:38:22+00:00 Jeremy Allison jra@samba.org 2017-07-24T23:14:00+00:00 dbc050b7e888373dd43b56d1c42756d73047b98c Now we shutdown correctly it doesn't need the talloc_autofree_context(). Last use of talloc_autofree_context() ourside the talloc test code ! Please don't add it ever again :-). BUG: https://bugzilla.samba.org/show_bug.cgi?id=12932 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Thu Jul 27 01:34:12 CEST 2017 on sn-devel-144 (cherry picked from commit e74081ce5d0f81024f7384816c589e5bc28baf80) 
Now we shutdown correctly it doesn't need the talloc_autofree_context().

Last use of talloc_autofree_context() ourside the talloc test code !

Please don't add it ever again :-).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12932

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jul 27 01:34:12 CEST 2017 on sn-devel-144

(cherry picked from commit e74081ce5d0f81024f7384816c589e5bc28baf80)
lib: auth: Add a shutdown function for netlogon_creds_cli_global_db. 2017-08-17T08:38:22+00:00 Jeremy Allison jra@samba.org 2017-07-24T21:49:47+00:00 301044e10640aa6ce4867c28fc61aed889fbb611 Will allow us to move off the talloc_autofree_context(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=12932 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 4cc104d015bdfeb631c7c8f5252fc31727a128ca) 
Will allow us to move off the talloc_autofree_context().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12932

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4cc104d015bdfeb631c7c8f5252fc31727a128ca)
lib: cli: fname is a local variable already freed in the function scope, doesn't need to be on talloc_autofree_context() 2017-08-17T08:38:21+00:00 Jeremy Allison jra@samba.org 2017-07-24T19:56:15+00:00 a4a0478b00b48ae4900c8a711fa1596fed79b7ba BUG: https://bugzilla.samba.org/show_bug.cgi?id=12932 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 5c8a98c2dae92c71873798eb37f506093700a14c) 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12932

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5c8a98c2dae92c71873798eb37f506093700a14c)
param: Add new "disabled" value to "ntlm auth" to disable NTLM totally 2017-07-04T04:57:20+00:00 Andrew Bartlett abartlet@samba.org 2017-07-03T02:16:50+00:00 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0 Signed-off-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923 Reviewed-by: Garming Sam <garming@catalyst.net.nz> 
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and re-factor 'ntlm auth =' 2017-07-04T04:57:20+00:00 Andrew Bartlett abartlet@samba.org 2017-07-03T00:11:51+00:00 d139d77ae3dbc490525ac94f46276d790bc2d879 The ntlm auth parameter is expanded to more clearly describe the role of each option, and to allow the new mode that permits MSCHAPv2 (as declared by the client over the NETLOGON protocol) while still banning NTLMv1. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Based on a patch by Mantas Mikulėnas <mantas@utenos-kolegija.lt>: Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth") added the --allow-mschapv2 option, but didn't implement checking for it server-side. This implements such checking. Additionally, Samba now disables NTLMv1 authentication by default for security reasons. To avoid having to re-enable it globally, 'ntlm auth' becomes an enum and a new setting is added to allow only MSCHAPv2. Signed-off-by: Mantas Mikulėnas <mantas@utenos-kolegija.lt> Reviewed-by: Garming Sam <garming@catalyst.net.nz> 
The ntlm auth parameter is expanded to more clearly describe the
role of each option, and to allow the new mode that permits MSCHAPv2
(as declared by the client over the NETLOGON protocol) while
still banning NTLMv1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Based on a patch by Mantas Mikulėnas <mantas@utenos-kolegija.lt>:

Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth")
added the --allow-mschapv2 option, but didn't implement checking for it
server-side. This implements such checking.

Additionally, Samba now disables NTLMv1 authentication by default for
security reasons. To avoid having to re-enable it globally, 'ntlm auth'
becomes an enum and a new setting is added to allow only MSCHAPv2.

Signed-off-by: Mantas Mikulėnas <mantas@utenos-kolegija.lt>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
libcli/auth: pass the cleartext blob to netlogon_creds_cli_ServerPasswordSet*() 2017-06-27T14:57:46+00:00 Stefan Metzmacher metze@samba.org 2017-06-13T09:18:37+00:00 0f5945a06df4bef501ca5085c621294057007225 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
libcli/auth: add const to set_pw_in_buffer() 2017-06-27T14:57:46+00:00 Stefan Metzmacher metze@samba.org 2017-06-13T09:17:03+00:00 1b48c8515ed8fd29204c82cc47f958f4636cd494 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>