[SCM] Samba Shared Repository - branch v4-1-stable updated

Karolin Seeger kseeger at samba.org
Tue Sep 1 06:53:00 UTC 2015


The branch, v4-1-stable has been updated
       via  74be972 VERSION: Disable git snapshots for the 4.1.20 release.
       via  ec3ff76 WHATSNEW: Add release notes for Samba 4.1.20.
       via  487c3b3 s3: winbindd: Fix TALLOC_FREE of uninitialized groups variable.
       via  711131e s3-util: Compare the maximum allowed length of a NetBIOS name
       via  0c640d0 s3-net: use talloc array in share allowedusers
       via  49e39b0 s3-passdb: Respect LOOKUP_NAME_GROUP flag in sid lookup.
       via  516f518 lib: replace: Add strsep function (missing on Solaris).
       via  e889ea3 s3-auth: Fix a possible null pointer dereference
       via  28ee83d s3-smbd: Leave sys_disk_free() if dfree command is used
       via  d7d60d8 s3-smbd: reset protocol in smbXsrv_connection_init_tables failure paths.
       via  7127c60 s3:libsmb: Fix a bug in conversion of ea list to ea array.
       via  5f029fc smbd:trans2: treat new SMB_SIGNING_DESIRED in case
       via  a55bed3 docs:smb.conf: explain effect of new setting 'desired' of smb encrypt
       via  aae0423 smbd:smb2: use encryption_desired in send_break
       via  57c879a smbd:smb2: only enable encryption in tcon if desired
       via  2cad86c smbd:smb2: only enable encryption in session if desired
       via  3ed2fbe smbd:smb2: separate between encryption required and enc desired
       via  2c19c6f smbXsrv: add bools encryption_desired to session and tcon
       via  b615fb6 Introduce setting "desired" for 'smb encrypt' and 'client/server signing'
       via  0b97972 smbd: Make SMB3 clients use encryption with "smb encrypt = auto"
       via  15b323d s4:selftest: also run rpc.winreg with kerberos and all possible auth options
       via  d8df89f s4:selftest: run rpc.echo tests also with krb5 krb5,sign krb5,seal
       via  6d6799a s4:rpc_server: fix padding caclucation in dcesrv_auth_response()
       via  62966eb s4:rpc_server: let dcesrv_auth_response() handle sig_size == 0 with auth_info as error
       via  496d7f9 s4:rpc_server: let dcesrv_reply() use a sig_size for a padded payload
       via  e22adb8 s4:rpc_server: let dcesrv_reply() use DCERPC_AUTH_PAD_ALIGNMENT define
       via  e661c30 s4:librpc/rpc: fix padding caclucation in ncacn_push_request_sign()
       via  3336fb7 s4:librpc/rpc: let ncacn_push_request_sign() handle sig_size == 0 with auth_info as internal error
       via  18342a7 s4:librpc/rpc: let dcerpc_ship_next_request() use a sig_size for a padded payload
       via  ad94101 s4:librpc/rpc: let dcerpc_ship_next_request() use DCERPC_AUTH_PAD_ALIGNMENT define
       via  9ab5872 s3:rpc_server: remove pad handling from api_pipe_alter_context()
       via  c17dd15 s3:librpc/rpc: fix padding calculation in dcerpc_guess_sizes()
       via  843c953 s3:librpc/rpc: allow up to DCERPC_AUTH_PAD_ALIGNMENT padding bytes in dcerpc_add_auth_footer()
       via  213b98b librpc/rpc: add DCERPC_AUTH_PAD_LENGTH(stub_length) helper macro
       via  c0432c2 dcerpc.idl: add DCERPC_AUTH_PAD_ALIGNMENT (=16)
       via  5570954 auth/gensec: make sure gensec_start_mech_by_authtype() resets SIGN/SEAL before starting
       via  54b9c1c auth/gensec: gensec_[un]seal_packet() should only work with GENSEC_FEATURE_DCE_STYLE
       via  b6a59bb winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC.
       via  7e05f60 kerberos auth info3 should contain resource group ids available from pac_logon
       via  8ddab98 s3: auth: Fix winbindd_pam_auth_pac_send() to create a new info3 and merge in resource groups from a trusted PAC.
       via  4bdfb15 s3: auth: Change auth3_generate_session_info_pac() to use a copy of the info3 struct from the struct PAC_LOGON_INFO.
       via  02bda07 s3: auth: Add create_info3_from_pac_logon_info() to create a new info3 and merge resource group SIDs into it.
       via  a3d6a15 s3: auth: Change make_server_info_info3() to take a const struct netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO.
       via  2ff1428 s3: auth: Add some const to the struct netr_SamInfo3 * arguments of copy_netr_SamInfo3() and make_server_info_info3()
       via  7434e77 docs: overhaul the description of "smb encrypt" to include SMB3 encryption.
       via  972a97b docs: Change smb encrypt default in docs to match s3 and lib/param
       via  290c1ae s3: smbd: Codenomicon crash in do_smb_load_module().
       via  81dde5e s3:winbindd: make sure we pass a valid server to rpccli_netlogon_sam_network_logon*()
       via  e700e9d s3: smbd: Use separate flag to track become_root()/unbecome_root() state.
       via  af4617a s3:param/loadparm fix testparm --show-all-parameters
       via  9a67af3 VERSION: Bump version up to 4.1.20...
      from  f14dcca VERSION: Disable git snapshots for the 4.1.19 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-1-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION                                     |   2 +-
 WHATSNEW.txt                                |  92 +++++++++-
 auth/gensec/gensec.c                        |  14 ++
 auth/gensec/gensec_start.c                  |   6 +
 docs-xml/smbdotconf/security/smbencrypt.xml | 262 ++++++++++++++++++++++++----
 lib/param/param_table.c                     |   1 +
 lib/replace/replace.c                       |  20 +++
 lib/replace/replace.h                       |   5 +
 lib/replace/wscript                         |   4 +-
 lib/util/modules.c                          |   5 +
 libcli/smb/smbXcli_base.c                   |   6 +
 libcli/smb/smb_constants.h                  |   1 +
 librpc/idl/dcerpc.idl                       |   1 +
 librpc/rpc/rpc_common.h                     |   6 +
 source3/auth/auth_generic.c                 |  11 +-
 source3/auth/auth_ntlmssp.c                 |   4 +-
 source3/auth/auth_util.c                    |   2 +-
 source3/auth/proto.h                        |   9 +-
 source3/auth/server_info.c                  |  79 ++++++++-
 source3/auth/user_krb5.c                    |   8 +-
 source3/lib/util.c                          |   2 +-
 source3/librpc/idl/smbXsrv.idl              |   2 +
 source3/librpc/rpc/dcerpc.h                 |   2 +-
 source3/librpc/rpc/dcerpc_helpers.c         |  26 ++-
 source3/libsmb/cli_smb2_fnum.c              |   2 +-
 source3/param/loadparm.c                    |   2 +-
 source3/passdb/lookup_sid.c                 |   4 +-
 source3/passdb/lookup_sid.h                 |   2 +-
 source3/rpc_client/cli_pipe.c               |   1 -
 source3/rpc_server/srv_pipe.c               |  28 +--
 source3/smbd/dfree.c                        |  29 ++-
 source3/smbd/globals.h                      |   3 +
 source3/smbd/process.c                      |   7 +-
 source3/smbd/smb2_server.c                  |  22 ++-
 source3/smbd/smb2_sesssetup.c               |   8 +-
 source3/smbd/smb2_tcon.c                    |  10 +-
 source3/smbd/trans2.c                       |   9 +-
 source3/utils/net_rpc.c                     |  24 ++-
 source3/winbindd/winbindd_dual_srv.c        |   2 +-
 source3/winbindd/winbindd_pam.c             |  45 ++++-
 source4/librpc/rpc/dcerpc.c                 |  16 +-
 source4/rpc_server/common/reply.c           |   9 +-
 source4/rpc_server/dcesrv_auth.c            |   8 +-
 source4/selftest/tests.py                   |   9 +-
 source4/smb_server/smb2/negprot.c           |   1 +
 45 files changed, 661 insertions(+), 150 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 610c2c8..bfe6225 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=1
-SAMBA_VERSION_RELEASE=19
+SAMBA_VERSION_RELEASE=20
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index f7b50ab..642653b 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,92 @@
                    ==============================
+                   Release Notes for Samba 4.1.20
+                          September 1, 2015
+                   ==============================
+
+
+This is the latest stable release of Samba 4.1.
+
+
+Changes since 4.1.19:
+---------------------
+
+o   Michael Adam <obnox at samba.org>
+    * BUG 11366: docs: Overhaul the description of "smb encrypt" to include SMB3
+      encryption.
+    * BUG 11372: smbd: Fix SMB3 functionality of "smb encrypt".
+
+
+o   Jeremy Allison <jra at samba.org>
+    * BUG 10823: s3: winbindd: Fix TALLOC_FREE of uninitialized groups variable.
+    * BUG 11328: Use resource group sids obtained from pac logon_info.
+    * BUG 11339: s3: smbd: Use separate flag to track
+      become_root()/unbecome_root() state.
+    * BUG 11342: s3: smbd: Codenomicon crash in do_smb_load_module().
+    * BUG 11359: lib: replace: Add strsep function (missing on Solaris).
+
+
+o   Christian Ambach <ambi at samba.org>
+    * BUG 11170: s3:param/loadparm fix 'testparm --show-all-parameters'.
+
+
+o   Ralph Boehme <slow at samba.org>
+    * BUG 11426: s3-net: Use talloc array in share allowedusers.
+
+
+o   G√ľnther Deschner <gd at samba.org>
+    * BUG 11373: s3-smbd: Reset protocol in smbXsrv_connection_init_tables
+      failure paths.
+
+
+o   Justin Maggard <jmaggard at netgear.com>
+    * BUG 11320: s3-passdb: Respect LOOKUP_NAME_GROUP flag in sid lookup.
+
+
+o   Stefan Metzmacher <metze at samba.org>
+    * BUG 11061: Fix logon via MS Remote Desktop.
+    * BUG 11081: s3:winbindd: make sure we pass a valid server to
+      rpccli_netlogon_sam_network_logon*().
+
+
+o   Anubhav Rakshit <anubhav.rakshit at gmail.com>
+    * BUG 11361: s3:libsmb: Fix a bug in conversion of ea list to ea array.
+
+
+o   Andreas Schneider <asn at samba.org>
+    * BUG 11403: s3-smbd: Leave sys_disk_free() if dfree command is used.
+    * BUG 11404: s3-auth: Fix a possible null pointer dereference.
+
+
+o   Roel van Meer <roel at 1afa.com>
+    * BUG 11427: s3-util: Compare the maximum allowed length of a NetBIOS name.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+======================================================================
+
+                   ==============================
                    Release Notes for Samba 4.1.19
                             June 23, 2015
                    ==============================
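Review bot: The Michael Adam entries under "Changes since 4.1.19" describe BUG 11372 only as "Fix SMB3 functionality of "smb encrypt"", which does not tell an administrator that this release adds a new accepted value, desired, and redefines what enabled/auto means for SMB3 connections (see the smbencrypt.xml hunk in the same changeset). A short paragraph above the per-author list that names the new value and the changed semantics would let readers spot the configuration impact without opening the bug.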
@@ -74,10 +162,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
 
-======================================================================
 
                    ==============================
                    Release Notes for Samba 4.1.18
diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index ea62861..01c4ac6 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -39,9 +39,15 @@ _PUBLIC_ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
 	if (!gensec_security->ops->unseal_packet) {
 		return NT_STATUS_NOT_IMPLEMENTED;
 	}
+	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
 	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
 		return NT_STATUS_INVALID_PARAMETER;
 	}
+	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
 
 	return gensec_security->ops->unseal_packet(gensec_security,
 						   data, length,
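Review bot: The three feature checks in gensec_unseal_packet() all return NT_STATUS_INVALID_PARAMETER with no log message, so a caller hitting the new SIGN or DCE_STYLE check cannot tell which precondition failed. Consider a DEBUG line per branch, and a one-line comment on the GENSEC_FEATURE_DCE_STYLE check explaining why sealing is restricted to DCE-style contexts, since the code alone does not say.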
@@ -79,6 +85,9 @@ _PUBLIC_ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
 	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
 		return NT_STATUS_INVALID_PARAMETER;
 	}
+	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
 
 	return gensec_security->ops->seal_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
 }
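Review bot: The GENSEC_FEATURE_DCE_STYLE check added to gensec_seal_packet() repeats the one added to gensec_unseal_packet() in the previous hunk. A small static helper that validates the required features for the seal path would keep the two functions in step if the precondition changes again, and gives one place for the explanatory comment.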
@@ -107,6 +116,11 @@ _PUBLIC_ size_t gensec_sig_size(struct gensec_security *gensec_security, size_t
 	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
 		return 0;
 	}
+	if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
+		if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) {
+			return 0;
+		}
+	}
 
 	return gensec_security->ops->sig_size(gensec_security, data_size);
 }
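Review bot: Returning 0 from gensec_sig_size() when SEAL is set without DCE_STYLE reuses the value that the check just above already returns when signing is not negotiated, so callers cannot distinguish an unsupported feature combination from an unsigned connection. Please add a comment stating that callers must treat a zero size together with auth info as an error, and consider folding the nested if into a single condition (SEAL && !DCE_STYLE) for readability.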
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index e46f0ee..8b649e5 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -701,6 +701,12 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_s
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 	gensec_security->dcerpc_auth_level = auth_level;
+	/*
+	 * We need to reset sign/seal in order to reset it.
+	 * We may got some default features inherited by the credentials
+	 */
+	gensec_security->want_features &= ~GENSEC_FEATURE_SIGN;
+	gensec_security->want_features &= ~GENSEC_FEATURE_SEAL;
 	gensec_want_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE);
 	gensec_want_feature(gensec_security, GENSEC_FEATURE_ASYNC_REPLIES);
 	if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
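Review bot: The new comment in gensec_start_mech_by_authtype() is circular ("We need to reset sign/seal in order to reset it") and does not state the actual reason. Something like "Clear SIGN/SEAL first: defaults inherited from the credentials must not leak into the features derived from auth_level below" would document the intent. The two &= lines can also be one statement clearing (GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL).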
diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml b/docs-xml/smbdotconf/security/smbencrypt.xml
index 51079ae..284fe9e 100644
--- a/docs-xml/smbdotconf/security/smbencrypt.xml
+++ b/docs-xml/smbdotconf/security/smbencrypt.xml
@@ -4,41 +4,235 @@
                  basic="1"
 		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
+	<para>
+	This parameter controls whether a remote client is allowed or required
+	to use SMB encryption. It has different effects depending on whether
+	the connection uses SMB1 or SMB2 and newer:
+	</para>
 
-    <para>This is a new feature introduced with Samba 3.2 and above. It is an
-    extension to the SMB/CIFS protocol negotiated as part of the UNIX extensions.
-    SMB encryption uses the GSSAPI (SSPI on Windows) ability to encrypt
-    and sign every request/response in a SMB protocol stream. When
-    enabled it provides a secure method of SMB/CIFS communication,
-    similar to an ssh protected session, but using SMB/CIFS authentication
-    to negotiate encryption and signing keys. Currently this is only
-    supported by Samba 3.2 smbclient, and hopefully soon Linux CIFSFS
-    and MacOS/X clients. Windows clients do not support this feature.
-    </para>
-
-    <para>This controls whether the remote client is allowed or required to use SMB encryption. Possible values 
-    are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis> 
-    and <emphasis>disabled</emphasis>. This may be set on a per-share
-    basis, but clients may chose to encrypt the entire session, not
-    just traffic to a specific share. If this is set to mandatory
-    then all traffic to a share <emphasis>must</emphasis>
-    be encrypted once the connection has been made to the share.
-    The server would return "access denied" to all non-encrypted
-    requests on such a share. Selecting encrypted traffic reduces
-    throughput as smaller packet sizes must be used (no huge UNIX
-    style read/writes allowed) as well as the overhead of encrypting
-    and signing all the data.
-    </para>
-
-    <para>If SMB encryption is selected, Windows style SMB signing (see
-    the <smbconfoption name="server signing"/> option) is no longer necessary,
-    as the GSSAPI flags use select both signing and sealing of the data.
-    </para>
-
-    <para>When set to auto, SMB encryption is offered, but not enforced. 
-    When set to mandatory, SMB encryption is required and if set 
-    to disabled, SMB encryption can not be negotiated.</para>
+	<itemizedlist>
+	<listitem>
+		<para>
+		If the connection uses SMB1, then this option controls the use
+		of a Samba-specific extension to the SMB protocol introduced in
+		Samba 3.2 that makes use of the Unix extensions.
+		</para>
+	</listitem>
+
+	<listitem>
+		<para>
+		If the connection uses SMB2 or newer, then this option controls
+		the use of the SMB-level encryption that is supported in SMB
+		version 3.0 and above and available in Windows 8 and newer.
+		</para>
+	</listitem>
+	</itemizedlist>
+
+	<para>
+		This parameter can be set globally and on a per-share bases.
+		Possible values are
+		<emphasis>off</emphasis> (or <emphasis>disabled</emphasis>),
+		<emphasis>enabled</emphasis> (or <emphasis>auto</emphasis>, or
+		<emphasis>if_required</emphasis>),
+		<emphasis>desired</emphasis>,
+		and
+		<emphasis>required</emphasis>
+		(or <emphasis>mandatory</emphasis>).
+		A special value is <emphasis>default</emphasis> which is
+		the implicit default setting of <emphasis>enabled</emphasis>.
+	</para>
+
+	<variablelist>
+		<varlistentry>
+		<term><emphasis>Effects for SMB1</emphasis></term>
+		<listitem>
+		<para>
+		The Samba-specific encryption of SMB1 connections is an
+		extension to the SMB protocol negotiated as part of the UNIX
+		extensions.  SMB encryption uses the GSSAPI (SSPI on Windows)
+		ability to encrypt and sign every request/response in a SMB
+		protocol stream. When enabled it provides a secure method of
+		SMB/CIFS communication, similar to an ssh protected session, but
+		using SMB/CIFS authentication to negotiate encryption and
+		signing keys. Currently this is only supported smbclient of by
+		Samba 3.2 and newer, and hopefully soon Linux CIFSFS and MacOS/X
+		clients. Windows clients do not support this feature.
+		</para>
+
+		<para>This may be set on a per-share
+		basis, but clients may chose to encrypt the entire session, not
+		just traffic to a specific share. If this is set to mandatory
+		then all traffic to a share <emphasis>must</emphasis>
+		be encrypted once the connection has been made to the share.
+		The server would return "access denied" to all non-encrypted
+		requests on such a share. Selecting encrypted traffic reduces
+		throughput as smaller packet sizes must be used (no huge UNIX
+		style read/writes allowed) as well as the overhead of encrypting
+		and signing all the data.
+		</para>
+
+		<para>
+		If SMB encryption is selected, Windows style SMB signing (see
+		the <smbconfoption name="server signing"/> option) is no longer
+		necessary, as the GSSAPI flags use select both signing and
+		sealing of the data.
+		</para>
+
+		<para>
+		When set to auto or default, SMB encryption is offered, but not
+		enforced.  When set to mandatory, SMB encryption is required and
+		if set to disabled, SMB encryption can not be negotiated.
+		</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term><emphasis>Effects for SMB2</emphasis></term>
+		<listitem>
+		<para>
+		Native SMB transport encryption is available in SMB version 3.0
+		or newer. It is only offered by Samba if
+		<emphasis>server max protocol</emphasis> is set to
+		<emphasis>SMB3</emphasis> or newer.
+		Clients supporting this type of encryption include
+		Windows 8 and newer,
+		Windows server 2012 and newer,
+		and smbclient of Samba 4.1 and newer.
+		</para>
+
+		<para>
+		The protocol implementation offers various options:
+		</para>
+
+		<itemizedlist>
+			<listitem>
+			<para>
+			The capability to perform SMB encryption can be
+			negotiated during protocol negotiation.
+			</para>
+			</listitem>
+
+			<listitem>
+			<para>
+			Data encryption can be enabled globally. In that case,
+			an encryption-capable connection will have all traffic
+			in all its sessions encrypted. In particular all share
+			connections will be encrypted.
+			</para>
+			</listitem>
+
+			<listitem>
+			<para>
+			Data encryption can also be enabled per share if not
+			enabled globally. For an encryption-capable connection,
+			all connections to an encryption-enabled share will be
+			encrypted.
+			</para>
+			</listitem>
+
+			<listitem>
+			<para>
+			Encryption can be enforced. This means that session
+			setups will be denied on non-encryption-capable
+			connections if data encryption has been enabled
+			globally. And tree connections will be denied for
+			non-encryption capable connections to shares with data
+			encryption enabled.
+			</para>
+			</listitem>
+		</itemizedlist>
+
+		<para>
+		These features can be crontrolled with settings of
+		<emphasis>smb encrypt</emphasis> as follows:
+		</para>
+
+		<itemizedlist>
+			<listitem>
+			<para>
+			Leaving it as default, explicitly setting
+			<emphasis>default</emphasis>, or setting it to
+			<emphasis>enabled</emphasis> globally will enable
+			negotiation of encryption but will not turn on
+			data encryption globally or per share.
+			</para>
+			</listitem>
+
+			<listitem>
+			<para>
+			Setting it to <emphasis>desired</emphasis> globally
+			will enable negotiation and will turn on data encryption
+			on sessions and share connections for those clients
+			that support it.
+			</para>
+			</listitem>
+
+			<listitem>
+			<para>
+			Setting it to <emphasis>required</emphasis> globally
+			will enable negotiation and turn on data encryption
+			on sessions and share connections. Clients that do
+			not support encryption will be denied access to the
+			server.
+			</para>
+			</listitem>
+
+			<listitem>
+			<para>
+			Setting it to <emphasis>off</emphasis> globally will
+			completely disable the encryption feature.
+			</para>
+			</listitem>
+
+			<listitem>
+			<para>
+			Setting it to <emphasis>desired</emphasis> on a share
+			will turn on data encryption for this share for clients
+			that support encryption if negotiation has been
+			enabled globally.
+			</para>
+			</listitem>
+
+			<listitem>
+			<para>
+			Setting it to <emphasis>required</emphasis> on a share
+			will enforce data encryption for this share if
+			negotiation has been enabled globally. I.e. clients that
+			do not support encryption will be denied access to the
+			share.
+			</para>
+			<para>
+			Note that this allows per-share enforcing to be
+			controlled in Samba differently from Windows:
+			In Windows, <emphasis>RejectUnencryptedAccess</emphasis>
+			is a global setting, and if it is set, all shares with
+			data encryption turned on
+			are automatically enforcing encryption. In order to
+			achieve the same effect in Samba, one
+			has to globally set <emphasis>smb encrypt</emphasis> to
+			<emphasis>enabled</emphasis>, and then set all shares
+			that should be encrypted to
+			<emphasis>required</emphasis>.
+			Additionally, it is possible in Samba to have some
+			shares with encryption <emphasis>required</emphasis>
+			and some other shares with encryption only
+			<emphasis>desired</emphasis>, which is not possible in
+			Windows.
+			</para>
+			</listitem>
+
+			<listitem>
+			<para>
+			Setting it to <emphasis>off</emphasis> or
+			<emphasis>enabled</emphasis> for a share has
+			no effect.
+			</para>
+			</listitem>
+		</itemizedlist>
+		</listitem>
+		</varlistentry>
+	</variablelist>
 </description>
 
-<value type="default">auto</value>
+<value type="default">default</value>
 </samba:parameter>
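Review bot: The new description text has several typos that will end up in the smb.conf manpage: "per-share bases" (basis), "crontrolled" (controlled), "only supported smbclient of by Samba 3.2 and newer" (word order), and "may chose" (choose). Two content points as well: the term "Effects for SMB2" heads a section whose first sentence says the feature exists only in SMB version 3.0 or newer, so "Effects for SMB2 and newer" or "SMB3" would be less confusing; and the desired bullets should say explicitly that clients without encryption support still connect unencrypted, since that is the difference from required that an administrator needs to weigh.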
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index d590bd1..aa16969 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -101,6 +101,7 @@ static const struct enum_list enum_smb_signing_vals[] = {
 	{SMB_SIGNING_IF_REQUIRED, "On"},
 	{SMB_SIGNING_IF_REQUIRED, "enabled"},
 	{SMB_SIGNING_IF_REQUIRED, "auto"},
+	{SMB_SIGNING_DESIRED, "desired"},
 	{SMB_SIGNING_REQUIRED, "required"},
 	{SMB_SIGNING_REQUIRED, "mandatory"},
 	{SMB_SIGNING_REQUIRED, "force"},
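Review bot: Adding "desired" to enum_smb_signing_vals makes the value acceptable for every parameter that uses this table, not only smb encrypt, and the visible part of this changeset documents it only in smbencrypt.xml. Please confirm the signing parameter documentation describes what desired means there, and that every consumer of these enum values handles SMB_SIGNING_DESIRED explicitly rather than falling through to a default branch.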
diff --git a/lib/replace/replace.c b/lib/replace/replace.c
index 37edb31..488da0a 100644
--- a/lib/replace/replace.c
+++ b/lib/replace/replace.c
@@ -467,6 +467,26 @@ char *rep_strcasestr(const char *haystack, const char *needle)
 }
 #endif
 
+#ifndef HAVE_STRSEP
+char *rep_strsep(char **pps, const char *delim)
+{
+	char *ret = *pps;
+	char *p = *pps;
+
+	if (p == NULL) {
+		return NULL;
+	}
+	p += strcspn(p, delim);
+	if (*p == '\0') {
+		*pps = NULL;
+	} else {
+		*p = '\0';
+		*pps = p + 1;
+	}
+	return ret;
+}
+#endif
+
 #ifndef HAVE_STRTOK_R
 /* based on GLIBC version, copyright Free Software Foundation */
 char *rep_strtok_r(char *s, const char *delim, char **save_ptr)
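Review bot: rep_strsep() has no comment describing its contract, unlike rep_strtok_r() directly below, which at least notes its origin. It would help to state that the function writes a NUL into the caller's buffer, sets *pps to NULL after the last token, and returns empty strings for adjacent delimiters (which differs from strtok_r), so callers on platforms that get this replacement know what to expect. A small test in the libreplace test suite covering the empty-token and final-token cases would guard that behaviour.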
diff --git a/lib/replace/replace.h b/lib/replace/replace.h
index cd0c25e..57163a9 100644


-- 
Samba Shared Repository


