[SCM] Samba Shared Repository - branch v4-15-test updated

Jule Anger janger at samba.org
Fri Sep 10 14:55:01 UTC 2021


The branch, v4-15-test has been updated
       via  a7b9904c90b docs: Avoid duplicate information on USER and PASSWD, reference the common section
       via  4ad10cf8e82 docs: Document all the other ways to send a password to smbclient et al
       via  8416bcce6a7 docs: Ensure to rebuild manpages if samba.entities or samba.version changes
       via  33f06d10a03 docs-xml: use upper case for "{client,server} smb3 {signing,encryption} algorithms" values
      from  2baaa891bb3 VERSION: Bump version up to Samba 4.15.0rc7...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test


- Log -----------------------------------------------------------------
commit a7b9904c90bd82475ffa328f763e7df00446e9fb
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 10 09:20:45 2021 +1200

    docs: Avoid duplicate information on USER and PASSWD, reference the common section
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14791
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Thu Sep  9 00:52:09 UTC 2021 on sn-devel-184
    
    (cherry picked from commit 18e08c709002506fe217ca6a7a098fcdc00f8c29)
    
    Autobuild-User(v4-15-test): Jule Anger <janger at samba.org>
    Autobuild-Date(v4-15-test): Fri Sep 10 14:54:25 UTC 2021 on sn-devel-184

commit 4ad10cf8e82d6c69f9918db154f588fc27c13842
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 10 09:14:08 2021 +1200

    docs: Document all the other ways to send a password to smbclient et al
    
    This was previously hidden knowledge not easily available to
    administrators and end users.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14791
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 9b50d2e52e6c85bc3ab991cd8a4b870aff397bda)

commit 8416bcce6a7ba088a97e7883496c3dc51c149187
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 10 09:13:15 2021 +1200

    docs: Ensure to rebuild manpages if samba.entities or samba.version changes
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14791
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit a363742635c54a6cb19363f4be9d2be2b731a5e6)

commit 33f06d10a03a3e51fe0774491f73a392471f4f81
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Sep 8 15:10:14 2021 +0200

    docs-xml: use upper case for "{client,server} smb3 {signing,encryption} algorithms" values
    
    This matches what smbstatus prints out. Note there's also the removal of
    a '-' in "hmac-sha-256" => "HMAC-SHA256".
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14825
    RN: "{client,server} smb3 {signing,encryption} algorithms" should use the same strings as smbstatus output
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Wed Sep  8 16:37:07 UTC 2021 on sn-devel-184
    
    (cherry picked from commit 867c6ff9f3f28ab4bfa0cb1660889f3f5be0d111)

-----------------------------------------------------------------------

Summary of changes:
 buildtools/wafsamba/wafsamba.py                    |  6 ++-
 docs-xml/build/DTD/samba.entities                  | 52 +++++++++++++++++-----
 docs-xml/manpages/smbclient.1.xml                  | 14 ++----
 .../security/clientsmbencryptionalgos.xml          |  8 ++--
 .../smbdotconf/security/clientsmbsigningalgos.xml  | 10 ++---
 .../security/serversmbencryptionalgos.xml          |  8 ++--
 .../smbdotconf/security/serversmbsigningalgos.xml  | 10 ++---
 lib/param/loadparm.h                               |  4 +-
 libcli/smb/util.c                                  | 14 +++---
 9 files changed, 77 insertions(+), 49 deletions(-)


Changeset truncated at 500 lines:

diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py
index 4fe9daf160e..0427c90ca80 100644
--- a/buildtools/wafsamba/wafsamba.py
+++ b/buildtools/wafsamba/wafsamba.py
@@ -946,9 +946,13 @@ def SAMBAMANPAGES(bld, manpages, extra_source=None):
     bld.env.SAMBA_CATALOGS = 'file:///etc/xml/catalog file:///usr/local/share/xml/catalog file://' + bld.env.SAMBA_CATALOG
 
     for m in manpages.split():
-        source = m + '.xml'
+        source = [m + '.xml']
         if extra_source is not None:
             source = [source, extra_source]
+        # ${SRC[1]} and ${SRC[2]} are not referenced in the
+        # SAMBA_GENERATOR but trigger the dependency calculation so
+        # ensures that manpages are rebuilt when these change.
+        source += ['build/DTD/samba.entities', 'build/DTD/samba.build.version']
         bld.SAMBA_GENERATOR(m,
                             source=source,
                             target=m,
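Review bot: With `source` now initialised as a list, the unchanged context line `source = [source, extra_source]` builds a nested list (`[[m + '.xml'], extra_source]`) whenever `extra_source` is passed, so the source list is no longer flat. If `extra_source` is a single path, `source.append(extra_source)` keeps it flat. How SAMBA_GENERATOR handles a nested entry is outside the hunk, so this may be tolerated today. In that case the inputs also no longer sit at the `${SRC[1]}` and `${SRC[2]}` positions the new comment names, so the comment should say that the indices depend on `extra_source`. The body of SAMBAMANPAGES continues past the end of the hunk.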
diff --git a/docs-xml/build/DTD/samba.entities b/docs-xml/build/DTD/samba.entities
index 80e051e7684..beff3cb1f6e 100644
--- a/docs-xml/build/DTD/samba.entities
+++ b/docs-xml/build/DTD/samba.entities
@@ -595,13 +595,16 @@
 		</para>
 
 		<para>
-			If &pct;password is not specified, the user will be
+			If &pct;PASSWORD is not specified, the user will be
 			prompted. The client will first check the
-			<envar>USER</envar> environment variable, then the
-			<envar>LOGNAME</envar> variable and if either exists,
-			the string is uppercased. If these environmental
+			<envar>USER</envar> environment variable
+			(which is also permitted to also contain the
+			password seperated by a &pct;), then the
+			<envar>LOGNAME</envar> variable (which is not
+			permitted to contain a password) and if either exists,
+			the value is used. If these environmental
 			variables are not found, the username
-			<constant>GUEST</constant> is used.
+			found in a Kerberos Credentials cache may be used.
 		</para>
 
 		<para>
@@ -616,9 +619,15 @@
 		</para>
 
 		<para>
-			Be cautious about including passwords in scripts. For
-			security it is better to let the client ask for the
-			password if needed.
+			Be cautious about including passwords in scripts
+			or passing user-supplied values onto the command line. For
+			security it is better to let the Samba client tool ask for the
+			password if needed, or obtain the password once with <command>kinit</command>.
+		</para>
+		<para>
+			While Samba will attempt to scrub the password
+			from the process title (as seen in ps), this
+			is after startup and so is subject to a race.
 		</para>
 	</listitem>
 </varlistentry>
@@ -659,10 +668,31 @@
 			Specify the password on the commandline.
 		</para>
 
+		<para> Be cautious about including passwords in
+			scripts or passing user-supplied values onto
+			the command line. For security it is better to
+			let the Samba client tool ask for the password
+			if needed, or obtain the password once with
+			<command>kinit</command>.
+		</para>
+
+		<para> If --password is not specified,
+		       the tool will check the <envar>PASSWD</envar>
+		       environment variable, followed by <envar>PASSWD_FD</envar>
+		       which is expected to contain an open
+		       file descriptor (FD) number.
+		</para>
+		<para>
+		       Finally it will check <envar>PASSWD_FILE</envar> (containing
+		       a file path to be opened). The file should only
+		       contain the password. Make certain that the
+		       permissions on the file restrict
+		       access from unwanted users!
+		</para>
 		<para>
-			Be cautious about including passwords in scripts. For
-			security it is better to let the client ask for the
-			password if needed.
+			While Samba will attempt to scrub the password
+			from the process title (as seen in ps), this
+			is after startup and so is subject to a race.
 		</para>
 	</listitem>
 </varlistentry>
diff --git a/docs-xml/manpages/smbclient.1.xml b/docs-xml/manpages/smbclient.1.xml
index 0de5b8a0e00..48ba59525d6 100644
--- a/docs-xml/manpages/smbclient.1.xml
+++ b/docs-xml/manpages/smbclient.1.xml
@@ -1193,16 +1193,10 @@
 <refsect1>
 	<title>ENVIRONMENT VARIABLES</title>
 
-	<para>The variable <envar>USER</envar> may contain the
-	username of the person	using the client. This information is
-	used only if the protocol  level is high enough to support
-	session-level passwords.</para>
-
-
-	<para>The variable <envar>PASSWD</envar> may contain
-	the password of the person using the client.  This information is
-	used only if the protocol level is high enough to support
-	session-level passwords. </para>
+	<para>See the <command>--user</command> and
+	<command>--password</command> options for details on ways to
+	specify a username and password via an environment variable.
+	</para>
 </refsect1>
 
 
diff --git a/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml b/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml
index 27da51ad625..78df3f909e9 100644
--- a/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml
+++ b/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml
@@ -9,13 +9,13 @@
 	<para>It is also possible to remove individual algorithms from the default list,
 	by prefixing them with '-'. This can avoid having to specify a hardcoded list.
 	</para>
-	<para>Note: that the removal of aes-128-ccm from the list will result
+	<para>Note: that the removal of AES-128-CCM from the list will result
 	in SMB3_00 and SMB3_02 being unavailable, as it is the default and only
 	available algorithm for these dialects.
 	</para>
 </description>
 
-<value type="default">aes-128-gcm, aes-128-ccm, aes-256-gcm, aes-256-ccm</value>
-<value type="example">aes-256-gcm</value>
-<value type="example">-aes-128-gcm -aes-128-ccm</value>
+<value type="default">AES-128-GCM, AES-128-CCM, AES-256-GCM, AES-256-CCM</value>
+<value type="example">AES-256-GCM</value>
+<value type="example">-AES-128-GCM -AES-128-CCM</value>
 </samba:parameter>
diff --git a/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml b/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml
index 1ad6c09626f..f7c61f3e661 100644
--- a/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml
+++ b/docs-xml/smbdotconf/security/clientsmbsigningalgos.xml
@@ -9,14 +9,14 @@
 	<para>It is also possible to remove individual algorithms from the default list,
 	by prefixing them with '-'. This can avoid having to specify a hardcoded list.
 	</para>
-	<para>Note: that the removal of aes-128-cmac from the list will result
-	in SMB3_00 and SMB3_02 being unavailable, and the removal od hmac-sha-256
+	<para>Note: that the removal of AES-128-CMAC from the list will result
+	in SMB3_00 and SMB3_02 being unavailable, and the removal of HMAC-SHA256
 	will result in SMB2_02 and SMB2_10 being unavailable, as these are the default and only
 	available algorithms for these dialects.
 	</para>
 </description>
 
-<value type="default">aes-128-gmac, aes-128-cmac, hmac-sha-256</value>
-<value type="example">aes-128-cmac, hmac-sha-256</value>
-<value type="example">-aes-128-cmac</value>
+<value type="default">AES-128-GMAC, AES-128-CMAC, HMAC-SHA256</value>
+<value type="example">AES-128-CMAC, HMAC-SHA256</value>
+<value type="example">-AES-128-CMAC</value>
 </samba:parameter>
diff --git a/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml b/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml
index 3217970d4e7..2dd2db98cc5 100644
--- a/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml
+++ b/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml
@@ -9,13 +9,13 @@
 	<para>It is also possible to remove individual algorithms from the default list,
 	by prefixing them with '-'. This can avoid having to specify a hardcoded list.
 	</para>
-	<para>Note: that the removal of aes-128-ccm from the list will result
+	<para>Note: that the removal of AES-128-CCM from the list will result
 	in SMB3_00 and SMB3_02 being unavailable, as it is the default and only
 	available algorithm for these dialects.
 	</para>
 </description>
 
-<value type="default">aes-128-gcm, aes-128-ccm, aes-256-gcm, aes-256-ccm</value>
-<value type="example">aes-256-gcm</value>
-<value type="example">-aes-128-gcm -aes-128-ccm</value>
+<value type="default">AES-128-GCM, AES-128-CCM, AES-256-GCM, AES-256-CCM</value>
+<value type="example">AES-256-GCM</value>
+<value type="example">-AES-128-GCM -AES-128-CCM</value>
 </samba:parameter>
diff --git a/docs-xml/smbdotconf/security/serversmbsigningalgos.xml b/docs-xml/smbdotconf/security/serversmbsigningalgos.xml
index e73d4f04242..7884e603b5b 100644
--- a/docs-xml/smbdotconf/security/serversmbsigningalgos.xml
+++ b/docs-xml/smbdotconf/security/serversmbsigningalgos.xml
@@ -9,14 +9,14 @@
 	<para>It is also possible to remove individual algorithms from the default list,
 	by prefixing them with '-'. This can avoid having to specify a hardcoded list.
 	</para>
-	<para>Note: that the removal of aes-128-cmac from the list will result
-	in SMB3_00 and SMB3_02 being unavailable, and the removal od hmac-sha-256
+	<para>Note: that the removal of AES-128-CMAC from the list will result
+	in SMB3_00 and SMB3_02 being unavailable, and the removal of HMAC-SHA256
 	will result in SMB2_02 and SMB2_10 being unavailable, as these are the default and only
 	available algorithms for these dialects.
 	</para>
 </description>
 
-<value type="default">aes-128-gmac, aes-128-cmac, hmac-sha-256</value>
-<value type="example">aes-128-cmac, hmac-sha-256</value>
-<value type="example">-aes-128-cmac</value>
+<value type="default">AES-128-GMAC, AES-128-CMAC, HMAC-SHA256</value>
+<value type="example">AES-128-CMAC, HMAC-SHA256</value>
+<value type="example">-AES-128-CMAC</value>
 </samba:parameter>
diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
index a942eaf9472..a3331436229 100644
--- a/lib/param/loadparm.h
+++ b/lib/param/loadparm.h
@@ -285,8 +285,8 @@ enum samba_weak_crypto {
 #define DEFAULT_SMB2_MAX_TRANSACT (8*1024*1024)
 #define DEFAULT_SMB2_MAX_CREDITS 8192
 
-#define DEFAULT_SMB3_SIGNING_ALGORITHMS "aes-128-gmac aes-128-cmac hmac-sha-256"
-#define DEFAULT_SMB3_ENCRYPTION_ALGORITHMS "aes-128-gcm aes-128-ccm aes-256-gcm aes-256-ccm"
+#define DEFAULT_SMB3_SIGNING_ALGORITHMS "AES-128-GMAC AES-128-CMAC HMAC-SHA256"
+#define DEFAULT_SMB3_ENCRYPTION_ALGORITHMS "AES-128-GCM AES-128-CCM AES-256-GCM AES-256-CCM"
 
 #define LOADPARM_EXTRA_LOCALS						\
 	int usershare;							\
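Review bot: The signing default drops a hyphen as well as changing case (`hmac-sha-256` becomes `HMAC-SHA256`), so a configuration written with the earlier spelling, including a removal such as `-hmac-sha-256`, cannot match by case folding alone; the same rename is made in `enum_smb3_signing_algorithms` in libcli/smb/util.c. Whether an unmatched name is rejected or silently ignored is decided by parsing code outside these hunks, and for a parameter that selects signing algorithms that outcome should be explicit. Consider keeping the old spelling as an alias after the canonical entry, `{SMB2_SIGNING_HMAC_SHA256, "hmac-sha-256"},`, provided the value-to-name lookup returns the first match. A comment above the two defines, such as `/* Names must match enum_smb3_{signing,encryption}_algorithms in libcli/smb/util.c */`, would also record that these strings are duplicated by hand.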
diff --git a/libcli/smb/util.c b/libcli/smb/util.c
index 061f478c92d..e1c0f124236 100644
--- a/libcli/smb/util.c
+++ b/libcli/smb/util.c
@@ -466,9 +466,9 @@ enum smb_encryption_setting smb_encryption_setting_translate(const char *str)
 }
 
 static const struct enum_list enum_smb3_signing_algorithms[] = {
-	{SMB2_SIGNING_AES128_GMAC, "aes-128-gmac"},
-	{SMB2_SIGNING_AES128_CMAC, "aes-128-cmac"},
-	{SMB2_SIGNING_HMAC_SHA256, "hmac-sha-256"},
+	{SMB2_SIGNING_AES128_GMAC, "AES-128-GMAC"},
+	{SMB2_SIGNING_AES128_CMAC, "AES-128-CMAC"},
+	{SMB2_SIGNING_HMAC_SHA256, "HMAC-SHA256"},
 	{-1, NULL}
 };
 
@@ -488,10 +488,10 @@ const char *smb3_signing_algorithm_name(uint16_t algo)
 }
 
 static const struct enum_list enum_smb3_encryption_algorithms[] = {
-	{SMB2_ENCRYPTION_AES128_GCM, "aes-128-gcm"},
-	{SMB2_ENCRYPTION_AES128_CCM, "aes-128-ccm"},
-	{SMB2_ENCRYPTION_AES256_GCM, "aes-256-gcm"},
-	{SMB2_ENCRYPTION_AES256_CCM, "aes-256-ccm"},
+	{SMB2_ENCRYPTION_AES128_GCM, "AES-128-GCM"},
+	{SMB2_ENCRYPTION_AES128_CCM, "AES-128-CCM"},
+	{SMB2_ENCRYPTION_AES256_GCM, "AES-256-GCM"},
+	{SMB2_ENCRYPTION_AES256_CCM, "AES-256-CCM"},
 	{-1, NULL}
 };
 


-- 
Samba Shared Repository


