diff options
author | Stefan Metzmacher <metze@samba.org> | 2016-02-27 03:43:58 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2016-04-12 19:25:26 +0200 |
commit | f65f618e9634d75f0074b2031f856f0ed605d705 (patch) | |
tree | f24c4d2a41372fb875709fff8957db8b2a35fac0 /docs-xml | |
parent | 8ff6a955f51ccb64cc6679bb457064659f030ab8 (diff) | |
download | samba-f65f618e9634d75f0074b2031f856f0ed605d705.tar.gz |
CVE-2016-2115: docs-xml: add "client ipc signing" option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Diffstat (limited to 'docs-xml')
-rw-r--r-- | docs-xml/smbdotconf/security/clientipcsigning.xml | 35 | ||||
-rw-r--r-- | docs-xml/smbdotconf/security/clientsigning.xml | 12 |
2 files changed, 42 insertions, 5 deletions
diff --git a/docs-xml/smbdotconf/security/clientipcsigning.xml b/docs-xml/smbdotconf/security/clientipcsigning.xml new file mode 100644 index 00000000000..d976f2dc00e --- /dev/null +++ b/docs-xml/smbdotconf/security/clientipcsigning.xml @@ -0,0 +1,35 @@ +<samba:parameter name="client ipc signing" + context="G" + type="enum" + function="_client_ipc_signing" + enumlist="enum_smb_signing_vals" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This controls whether the client is allowed or required to use SMB signing for IPC$ + connections as DCERPC transport. Possible values + are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis> + and <emphasis>disabled</emphasis>. + </para> + + <para>The default value is the same as the effective value of + <smbconfoption name="client signing"/> if the effective value of + <smbconfoption name="client ipc min protocol"/> is + <constant>NT1</constant>. In any other case the default value is + <constant>mandatory</constant>.</para> + + <para>Note that the default value will be changed to <constant>mandatory</constant> + in all cases for Samba 4.5</para> + + <para>When the effective value of this option is <constant>mandatory</constant>, SMB signing is required.</para> + + <para>When set to auto, SMB signing is offered, but not enforced and if set + to disabled, SMB signing is not offered either.</para> + + <para>Connections from winbindd to Active Directory Domain Controllers + always enforce signing.</para> +</description> + +<related>client signing</related> + +<value type="default">default</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/clientsigning.xml b/docs-xml/smbdotconf/security/clientsigning.xml index 2af5ada63e8..8addf8a3834 100644 --- a/docs-xml/smbdotconf/security/clientsigning.xml +++ b/docs-xml/smbdotconf/security/clientsigning.xml @@ -9,14 +9,16 @@ and <emphasis>disabled</emphasis>. </para> - <para>When set to auto or default, SMB signing is offered, but not - enforced, except in winbindd, where it is enforced to Active - Directory Domain Controllers. </para> + <para>When set to auto or default, SMB signing is offered, but not enforced.</para> <para>When set to mandatory, SMB signing is required and if set - to disabled, SMB signing is not offered either. -</para> + to disabled, SMB signing is not offered either.</para> + + <para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the + <smbconfoption name="client ipc signing"/> option.</para> </description> +<related>client ipc signing</related> + <value type="default">default</value> </samba:parameter> |