author | Andreas Schneider <asn@samba.org> | 2020-08-20 16:44:32 +0200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2021-04-28 03:43:34 +0000 |
commit | 7accd9003521f38b03d1073890761f7d8dc8d675 (patch) | |
tree | 1208d229a7f55c0aeaab3b82700a246d4b708cd1 | |
parent | 4c4353705f3303c91abe97766000ece18f724388 (diff) | |
auth:creds: Use 'client protection' option for smb sign and encrypt defaults
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | auth/credentials/credentials.c | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 3975fba693f..f7c7a47bd4e 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -947,6 +947,8 @@ _PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred, { const char *sep = NULL; const char *realm = lpcfg_realm(lp_ctx); + enum credentials_client_protection protection = + lpcfg_client_protection(lp_ctx); cli_credentials_set_username(cred, "", CRED_UNINITIALISED); if (lpcfg_parm_is_cmdline(lp_ctx, "workgroup")) {
@@ -976,6 +978,20 @@ _PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred, if (cred->signing_state_obtained <= CRED_SMB_CONF) { /* Will be set to default for invalid smb.conf values */ cred->signing_state = lpcfg_client_signing(lp_ctx); + if (cred->signing_state == SMB_SIGNING_DEFAULT) { + switch (protection) { + case CRED_CLIENT_PROTECTION_DEFAULT: + break; + case CRED_CLIENT_PROTECTION_PLAIN: + cred->signing_state = SMB_SIGNING_OFF; + break; + case CRED_CLIENT_PROTECTION_SIGN: + case CRED_CLIENT_PROTECTION_ENCRYPT: + cred->signing_state = SMB_SIGNING_REQUIRED; + break; + } + } + cred->signing_state_obtained = CRED_SMB_CONF; }
@@ -988,6 +1004,20 @@ _PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred, if (cred->encryption_state_obtained <= CRED_SMB_CONF) { /* Will be set to default for invalid smb.conf values */ cred->encryption_state = lpcfg_client_smb_encrypt(lp_ctx); + if (cred->encryption_state == SMB_ENCRYPTION_DEFAULT) { + switch (protection) { + case CRED_CLIENT_PROTECTION_DEFAULT: + break; + case CRED_CLIENT_PROTECTION_PLAIN: + case CRED_CLIENT_PROTECTION_SIGN: + cred->encryption_state = SMB_ENCRYPTION_OFF; + break; + case CRED_CLIENT_PROTECTION_ENCRYPT: + cred->encryption_state = SMB_ENCRYPTION_REQUIRED; + break; + } + } + cred->encryption_state_obtained = CRED_SMB_CONF; } |
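Review bot: The new switch in the signing block carries no comment on precedence, and the existing `/* Will be set to default for invalid smb.conf values */` now understates the outcome: an unset or invalid `client signing` ends up at `SMB_SIGNING_DEFAULT` and is then decided by `client protection`, so `CRED_CLIENT_PROTECTION_PLAIN` yields `SMB_SIGNING_OFF`. Because that is an integrity downgrade driven by a different option, I would document it above the `if`, e.g. `/* A non-default 'client signing' wins; otherwise 'client protection' picks the value (plain => signing off) */`. The same comment is missing on the encryption switch in the following hunk. The body of cli_credentials_set_conf starts and ends outside these hunks, so the callers that later read `signing_state` are not visible here.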
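Review bot: In the encryption switch, `CRED_CLIENT_PROTECTION_SIGN` shares the `PLAIN` branch and sets `SMB_ENCRYPTION_OFF`, so asking for signing actively switches encryption off instead of leaving `SMB_ENCRYPTION_DEFAULT` in place. If 'sign' is meant as a minimum protection level, this presumably stops such a client from encrypting even towards a server that offers or requires it; the enum's semantics are not visible in this hunk, so please confirm. If 'sign only, never encrypt' is the intent, say so on the case with a comment such as `/* sign means signing only: encryption is turned off, not left to negotiation */`. Otherwise move `case CRED_CLIENT_PROTECTION_SIGN:` up next to `CRED_CLIENT_PROTECTION_DEFAULT` so it just hits `break;`. The enclosing function continues outside the hunk.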