-rw-r--r-- | auth/credentials/credentials.h | 7 | ||||
-rw-r--r-- | docs-xml/smbdotconf/security/clientprotection.xml | 51 | ||||
-rw-r--r-- | lib/param/loadparm.c | 4 | ||||
-rw-r--r-- | lib/param/param_table.c | 8 | ||||
-rw-r--r-- | source3/param/loadparm.c | 2 |
5 files changed, 72 insertions, 0 deletions
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h index bcbe012ec12..540e4cfb6b6 100644 --- a/auth/credentials/credentials.h +++ b/auth/credentials/credentials.h @@ -61,6 +61,13 @@ enum credentials_use_kerberos { CRED_USE_KERBEROS_REQUIRED, }; +enum credentials_client_protection { + CRED_CLIENT_PROTECTION_DEFAULT = -1, + CRED_CLIENT_PROTECTION_PLAIN = 0, + CRED_CLIENT_PROTECTION_SIGN, + CRED_CLIENT_PROTECTION_ENCRYPT, +}; + enum credentials_krb_forwardable { CRED_AUTO_KRB_FORWARDABLE = 0, /* Default, follow library defaults */ CRED_NO_KRB_FORWARDABLE, /* not forwardable */ diff --git a/docs-xml/smbdotconf/security/clientprotection.xml b/docs-xml/smbdotconf/security/clientprotection.xml new file mode 100644 index 00000000000..347b0043be3 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientprotection.xml 
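Review bot: In auth/credentials/credentials.h the new `enum credentials_client_protection` makes `CRED_CLIENT_PROTECTION_PLAIN` the zero value, so any zero-initialised holder of this enum would read as "signing and encryption off" rather than "default". The source3/param/loadparm.c hunk does set `Globals.client_protection = CRED_CLIENT_PROTECTION_DEFAULT` explicitly, but other holders are not visible in this commit, so each one should be checked for explicit initialisation. The enum also has no comments, unlike `credentials_krb_forwardable` right after it. I would add per-value comments such as `CRED_CLIENT_PROTECTION_DEFAULT = -1, /* follow "client signing" / "client smb encrypt" */` and `CRED_CLIENT_PROTECTION_PLAIN = 0, /* no signing, no encryption */`.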
@@ -0,0 +1,51 @@ +<samba:parameter name="client protection" + context="G" + type="enum" + enumlist="enum_client_protection_vals" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + This parameter defines which protection Samba client + tools should use by default. + </para> + + <para>Possible client settings are:</para> + <itemizedlist> + <listitem> + <para> + <emphasis>default</emphasis> - Use the individual + default values of the options: + <itemizedlist> + <listitem><para><parameter>client signing</parameter></para></listitem> + <listitem><para><parameter>client smb encrypt</parameter></para></listitem> + </itemizedlist> + </para> + </listitem> + + <listitem> + <para> + <emphasis>plain</emphasis> - This will send + everything just as plaintext, signing or + encryption are turned off. + </para> + </listitem> + + <listitem> + <para> + <emphasis>sign</emphasis> - This will enable + integrity checking. + </para> + </listitem> + + <listitem> + <para> + <emphasis>encrypt</emphasis> - This will enable + integrity checks and force encryption for + privacy. + </para> + </listitem> + </itemizedlist> +</description> + +<value type="default">default</value> +</samba:parameter> diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 7b0f652c069..adfba67652e 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2952,6 +2952,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) "client use kerberos", "desired"); + lpcfg_do_global_parameter(lp_ctx, + "client protection", + "default"); + for (i = 0; parm_table[i].label; i++) { if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) { lp_ctx->flags[i] |= FLAG_DEFAULT; diff --git a/lib/param/param_table.c b/lib/param/param_table.c index b26f0738f09..a67e8549294 100644 --- a/lib/param/param_table.c +++ b/lib/param/param_table.c 
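Review bot: The `lpcfg_do_global_parameter(lp_ctx, "client protection", "default")` call in lib/param/loadparm.c registers a default, but nothing in the five files of this commit reads the option. As far as this commit shows, `client protection = sign` or `encrypt` would be accepted without changing what a client negotiates. If the consumer lands in a later commit, that should be stated, because an accepted-but-ignored protection setting is easy to mistake for an enforced one. It would also help to document whether a non-default value overrides `client signing` and `client smb encrypt`, and in particular whether `plain` can switch off signing that those options require; the visible description does not say. loadparm_init continues outside the hunk.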
@@ -173,6 +173,14 @@ static const struct enum_list enum_use_kerberos_vals[] = { {-1, NULL} }; +static const struct enum_list enum_client_protection_vals[] = { + {CRED_CLIENT_PROTECTION_DEFAULT, "default"}, + {CRED_CLIENT_PROTECTION_PLAIN, "plain"}, + {CRED_CLIENT_PROTECTION_SIGN, "sign"}, + {CRED_CLIENT_PROTECTION_ENCRYPT, "encrypt"}, + {-1, NULL} +}; + static const struct enum_list enum_mdns_name_values[] = { {MDNS_NAME_NETBIOS, "netbios"}, {MDNS_NAME_MDNS, "mdns"}, diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 4f4912c70e4..55184e9b798 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -959,6 +959,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals._client_use_kerberos = CRED_USE_KERBEROS_DESIRED; + Globals.client_protection = CRED_CLIENT_PROTECTION_DEFAULT; + /* Now put back the settings that were set with lp_set_cmdline() */ apply_lp_set_cmdline(); } |
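Review bot: In lib/param/param_table.c the first entry of `enum_client_protection_vals`, `CRED_CLIENT_PROTECTION_DEFAULT`, has the value -1, the same integer used in the `{-1, NULL}` terminator. That is only safe if every lookup over this table stops on the NULL name and never on the value; the lookup code is outside this hunk, so this is worth confirming. A short comment above the table would record the assumption, for example `/* Terminated by name == NULL; -1 is also a valid value (CRED_CLIENT_PROTECTION_DEFAULT). */`.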