[Patches] change "client/server schannel" to yes and deprecate the options

Stefan Metzmacher metze at samba.org
Thu Dec 7 13:49:05 UTC 2017


Hi,

it's 2017 and we should really get rid of the "client schannel" and
"server schannel" options...

This is based on the patchset removing 'use spnego' and 'winbind trusted
domains only'.

Please review and push :-)

Thanks!
metze
-------------- next part --------------
From 71eed02002ee9790e20e5ba749293ba0a359972c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 7 Dec 2017 13:22:22 +0100
Subject: [PATCH 1/3] docs-xml: deprecate "client schannel" and change the
 default to "yes"

This is already the default, because "require strong key = yes" is
the default.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 docs-xml/smbdotconf/security/clientschannel.xml | 11 +++++++++--
 lib/param/loadparm.c                            |  2 +-
 source3/param/loadparm.c                        |  2 +-
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml
index 6ab3558..5b07da9 100644
--- a/docs-xml/smbdotconf/security/clientschannel.xml
+++ b/docs-xml/smbdotconf/security/clientschannel.xml
@@ -2,10 +2,17 @@
                  context="G"
                  type="enum"
                  enumlist="enum_bool_auto"
+                 deprecated="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
 
     <para>
+	This option is deprecated with Samba 4.8 and will be removed in future.
+	At the same time the default changed to yes, which will be the
+	hardcoded behavior in future.
+    </para>
+
+    <para>
     This controls whether the client offers or even demands the use of the netlogon schannel.
     <smbconfoption name="client schannel">no</smbconfoption> does not offer the schannel, 
     <smbconfoption name="client schannel">auto</smbconfoption> offers the schannel but does not
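Review bot: the new deprecation paragraph should state why flipping the default from "auto" to "yes" changes nothing for a default configuration, which is the justification given in the commit message but not in the text an admin will actually read. The existing sentence further down in this file already says this option yields precedence to "require strong key", and "require strong key = yes" is the default, so schannel was already demanded. Suggest appending one sentence to the new <para>, e.g. "As require strong key = yes is the default, this has already been the effective behavior." Otherwise the notice reads as if 4.8 tightens the netlogon client behaviour, and people will go looking for a regression that isn't there.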
@@ -18,6 +25,6 @@
 
     <para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para>
 </description>
-<value type="default">auto</value>
-<value type="example">yes</value>
+<value type="default">yes</value>
+<value type="example">auto</value>
 </samba:parameter>
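Review bot: making "auto" the documented example puts the weaker, now-deprecated behaviour (offer schannel but do not demand it) directly under a paragraph saying "yes" will be hard-coded. If an example is wanted at all, it should be the value an admin might legitimately still set, with a hint that it only exists for the legacy case; showing the deprecated relaxation as the canonical example invites people to copy it into smb.conf. Consider dropping the <value type="example"> element entirely now that the option has a single recommended value.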
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index d01ea66..00e2a26 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2836,7 +2836,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
 	lpcfg_do_global_parameter(lp_ctx, "guest account", GUEST_ACCOUNT);
 
-	lpcfg_do_global_parameter(lp_ctx, "client schannel", "auto");
+	lpcfg_do_global_parameter(lp_ctx, "client schannel", "True");
 
 	lpcfg_do_global_parameter(lp_ctx, "smb encrypt", "default");
 
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 8f91547..20fe830 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -651,7 +651,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 	Globals._client_ipc_min_protocol = PROTOCOL_DEFAULT;
 	Globals._security = SEC_AUTO;
 	Globals.encrypt_passwords = true;
-	Globals.client_schannel = Auto;
+	Globals.client_schannel = true;
 	Globals.winbind_sealed_pipes = true;
 	Globals.require_strong_key = true;
 	Globals.server_schannel = Auto;
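Review bot: this hunk only flips the default; nothing in the series shows where the runtime deprecation warning for "client schannel" comes from, so the deprecation could end up docs-only. Please confirm before pushing (e.g. run testparm against an smb.conf that still sets "client schannel = auto") that the deprecated="1" attribute added in clientschannel.xml is what drives the generated parameter table flag and produces the usual "deprecated" warning on load. The same check applies to "server schannel" in the next patch. Also note that after this patch client_schannel is true while server_schannel is still Auto; that is fine for bisecting, but the WHATSNEW entry for the client default lands only in patch 3, so the tree between patch 1 and patch 3 has an undocumented default change.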
-- 
1.9.1


From 4c84ab848ec995c2023c5b5a1b84dcd652b7519b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 7 Dec 2017 13:22:22 +0100
Subject: [PATCH 2/3] docs-xml: deprecate "server schannel" and change the
 default to "yes"

No client should use the old protocol without DCERPC level integrity/privacy,
but maybe there are some legacy OEM file servers which require this.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 docs-xml/smbdotconf/security/serverschannel.xml | 13 +++++++++++--
 lib/param/loadparm.c                            |  2 +-
 source3/param/loadparm.c                        |  2 +-
 3 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
index a2dca1b..489492d 100644
--- a/docs-xml/smbdotconf/security/serverschannel.xml
+++ b/docs-xml/smbdotconf/security/serverschannel.xml
@@ -2,8 +2,17 @@
                  context="G"
                  type="enum"
                  enumlist="enum_bool_auto"
+                 deprecated="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
+
+    <para>
+	This option is deprecated with Samba 4.8 and will be removed in future.
+	At the same time the default changed to yes, which will be the
+	hardcoded behavior in future. If you have the need for the behavior of "auto"
+	to be kept, please file a bug at https://bugzilla.samba.org.
+    </para>
+
     <para>
 	This controls whether the server offers or even demands the use of the netlogon schannel.
 	<smbconfoption name="server schannel">no</smbconfoption> does not offer the schannel, <smbconfoption
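Review bot: the "please file a bug at https://bugzilla.samba.org" sentence appears only here and not in the otherwise identical paragraph added to clientschannel.xml in patch 1; the two notices should match. Since the commit message itself anticipates legacy OEM file servers that may still need "auto", this server-side notice is also the place to say what "auto" keeps working (netlogon clients that do not use schannel at all), so an admin hitting a failure after the upgrade knows which setting to try before filing the bug. Wording: "If you have the need for the behavior of "auto" to be kept" reads awkwardly; suggest "If you still need the behavior of "auto", please file a bug at https://bugzilla.samba.org."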
@@ -18,6 +27,6 @@
 	</para>
 </description>
 
-<value type="default">auto</value>
-<value type="example">yes</value>
+<value type="default">yes</value>
+<value type="example">auto</value>
 </samba:parameter>
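Review bot: same point as for clientschannel.xml: documenting "auto" as the example advertises the deprecated, weaker setting (schannel offered but not demanded from netlogon clients) right below the text that says "yes" will be the only behaviour. Either drop the example value or keep "yes" and move "auto" into the prose as the explicitly legacy-only override.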
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 00e2a26..fe5277f 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2782,7 +2782,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
 	lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template");
 
-	lpcfg_do_global_parameter(lp_ctx, "server schannel", "Auto");
+	lpcfg_do_global_parameter(lp_ctx, "server schannel", "True");
 
 	lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True");
 
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 20fe830..82a903b 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -654,7 +654,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 	Globals.client_schannel = true;
 	Globals.winbind_sealed_pipes = true;
 	Globals.require_strong_key = true;
-	Globals.server_schannel = Auto;
+	Globals.server_schannel = true;
 	Globals.read_raw = true;
 	Globals.write_raw = true;
 	Globals.null_passwords = false;
-- 
1.9.1


From 84a30bc20c79832eb02afc6a58eaf4f9d1fa0779 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 7 Dec 2017 13:42:06 +0100
Subject: [PATCH 3/3] WHATSNEW: document the changes/deprecation of 'client
 schannel' and 'server schannel'

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 WHATSNEW.txt | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index b37c2c1..4ab8725 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -36,12 +36,16 @@ smb.conf changes
   --------------                     -----------             -------
   auth methods                       Removed
   binddns dir                        New
+  client schannel                    Default changed/        yes
+                                     Deprecated
   gpo update command                 New
   map untrusted to domain            Removed
   oplock contention limit            Removed
   prefork children                   New                     1
   profile acls                       Removed
   use spnego                         Removed
+  server schannel                    Default changed/        yes
+                                     Deprecated
   winbind trusted domains only       Removed
 
 
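Review bot: the "server schannel" row is inserted out of order; the table is sorted alphabetically (prefork children, profile acls, use spnego, winbind trusted domains only), so the new row belongs between "profile acls" and "use spnego", not after "use spnego". The "client schannel" row is placed correctly. While touching it, consider adding the old value to the Default column or the text ("auto" -> "yes") so readers of WHATSNEW can tell what changed without opening the man page; the other "Default changed" entries in this file should follow whatever convention is chosen.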
-- 
1.9.1
