diff options
author | Stefan Metzmacher <metze@samba.org> | 2016-03-10 17:03:59 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2016-04-12 19:25:27 +0200 |
commit | 06b038c017234f1eae35f4c316a0d105cc4d1061 (patch) | |
tree | 4f7a4d969bbddbb383fb2acef03a13dec7b2c1ee | |
parent | 9085300e90fd06242ca03e426c09b01ed610c45a (diff) | |
download | samba-06b038c017234f1eae35f4c316a0d105cc4d1061.tar.gz |
CVE-2016-2118: docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
We sadly need to allow this for now by default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
-rw-r--r-- | docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml | 29 | ||||
-rw-r--r-- | lib/param/loadparm.c | 2 | ||||
-rw-r--r-- | source3/param/loadparm.c | 2 |
3 files changed, 33 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml new file mode 100644 index 00000000000..27a9733475e --- /dev/null +++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml @@ -0,0 +1,29 @@ +<samba:parameter name="allow dcerpc auth level connect" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This option controls whether DCERPC services are allowed to + be used with DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, + but no per message integrity nor privacy protection.</para> + + <para>Some interfaces like samr, lsarpc and netlogon have a hard-coded default of + <constant>no</constant> and epmapper, mgmt and rpcecho have a hard-coded default of + <constant>yes</constant>. + </para> + + <para>The behavior can be overwritten per interface name (e.g. lsarpc, netlogon, samr, srvsvc, + winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = yes' as option.</para> + + <para>This option yields precedence to the implementation specific restrictions. + E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY. + The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY. + </para> + + <para>Note the default will very likely change to <constant>no</constant> for Samba 4.5.</para> +</description> + +<value type="default">yes</value> +<value type="example">no</value> + +</samba:parameter> diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index f6a7cfefdff..c47759d94c7 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2634,6 +2634,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "RawNTLMv2Auth", "False"); lpcfg_do_global_parameter(lp_ctx, "client use spnego principal", "False"); + lpcfg_do_global_parameter(lp_ctx, "allow dcerpc auth level connect", "True"); + lpcfg_do_global_parameter(lp_ctx, "UnixExtensions", "True"); lpcfg_do_global_parameter(lp_ctx, "PreferredMaster", "Auto"); diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 47d2a929834..2af0f310ee9 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -697,6 +697,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.client_ntlmv2_auth = true; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */ /* Note, that we will also use NTLM2 session security (which is different), if it is available */ + Globals.allow_dcerpc_auth_level_connect = true; /* we need to allow this for now by default */ + Globals.map_to_guest = 0; /* By Default, "Never" */ Globals.oplock_break_wait_time = 0; /* By Default, 0 msecs. */ Globals.enhanced_browsing = true; |