[Patches] change "client/server schannel" to yes and deprecate the options
Stefan Metzmacher
metze at samba.org
Tue Jan 9 14:34:59 UTC 2018
Hi,
here's an updated patchset that passed a private autobuild.
This is again based on the removal of 'use spnego' and 'winbind trusted
domains only' patchset.
Please review and push:-)
Thanks!
metze
It's based on top of the just posted 'u
Am 07.12.2017 um 16:15 schrieb Stefan Metzmacher via samba-technical:
> Am 07.12.2017 um 14:49 schrieb Stefan Metzmacher via samba-technical:
>> Hi,
>>
>> it's 2017 and we should really get rid of the "client schannel" and
>> "server schannel" options...
>>
>> This is based on the removal of 'use spnego' and 'winbind trusted
>> domains only' patchset.
>>
>> Please review and push:-)
>
> It seems some tests rely on the "auto" behavior,
> I'll post a new patchset that passes a private autobuild...
>
> metze
>
>
From f84fc36d0661b7d0c229c6f54444407f50f7ba27 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 7 Dec 2017 13:22:22 +0100
Subject: [PATCH 1/4] docs-xml: deprecate "client schannel" and change the
default to "yes"
This is already the default, because "require strong key = yes" is
the default.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
docs-xml/smbdotconf/security/clientschannel.xml | 11 +++++++++--
lib/param/loadparm.c | 2 +-
source3/param/loadparm.c | 2 +-
3 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml
index 6ab3558..5b07da9 100644
--- a/docs-xml/smbdotconf/security/clientschannel.xml
+++ b/docs-xml/smbdotconf/security/clientschannel.xml
@@ -2,10 +2,17 @@
context="G"
type="enum"
enumlist="enum_bool_auto"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
+ This option is deprecated with Samba 4.8 and will be removed in future.
+ At the same time the default changed to yes, which will be the
+ hardcoded behavior in future.
+ </para>
+
+ <para>
This controls whether the client offers or even demands the use of the netlogon schannel.
<smbconfoption name="client schannel">no</smbconfoption> does not offer the schannel,
<smbconfoption name="client schannel">auto</smbconfoption> offers the schannel but does not
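Review bot: the new deprecation paragraph ("This option is deprecated with Samba 4.8 ...") tells an admin the option goes away but not what to do if they depend on "auto"; the matching paragraph added to serverschannel.xml in patch 3 ends with "If you have the need for the behavior of "auto" to be kept, please file a bug at https://bugzilla.samba.org." Add the same sentence here so the two deprecations read consistently, and prefer "will be removed in a future release" over "will be removed in future".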
@@ -18,6 +25,6 @@
<para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para>
</description>
-<value type="default">auto</value>
-<value type="example">yes</value>
+<value type="default">yes</value>
+<value type="example">auto</value>
</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 3a4a41a..f6ee112 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2838,7 +2838,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "guest account", GUEST_ACCOUNT);
- lpcfg_do_global_parameter(lp_ctx, "client schannel", "auto");
+ lpcfg_do_global_parameter(lp_ctx, "client schannel", "True");
lpcfg_do_global_parameter(lp_ctx, "smb encrypt", "default");
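Review bot: the same default is now set in two places, here as the string "True" and in source3/param/loadparm.c as the C value `true` (next hunk); nothing ties the two together, so a small selftest that loads an empty smb.conf through both parameter backends and checks the generated "client schannel" accessor reports "yes" would catch the two defaults drifting apart later. Minor: the existing "server schannel" line in this file spells the old default "Auto" while this line used "auto"; the enum parser accepts both, but one spelling is easier to grep for.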
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index f8f76a6..9f79f13 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -651,7 +651,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals._client_ipc_min_protocol = PROTOCOL_DEFAULT;
Globals._security = SEC_AUTO;
Globals.encrypt_passwords = true;
- Globals.client_schannel = Auto;
+ Globals.client_schannel = true;
Globals.winbind_sealed_pipes = true;
Globals.require_strong_key = true;
Globals.server_schannel = Auto;
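Review bot: client_schannel is an enum_bool_auto tri-state (its neighbour server_schannel two lines below is still assigned `Auto`), so writing the C boolean `true` into it relies on the enum's "yes" value being numerically equal to `true`. That is how the surrounding code already treats these fields, but a short comment on the line ("yes; auto is deprecated") would make the intent obvious to whoever later removes the option and the `Auto` value.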
--
1.9.1
From 1b0c10a5b67f176b136d1969e3699e6f82d28a0d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 13 Dec 2017 13:09:47 +0100
Subject: [PATCH 2/4] selftest: explicitly configure some dcs with 'server
schannel = auto'
This is required for some tests.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
selftest/target/Samba3.pm | 1 +
selftest/target/Samba4.pm | 2 ++
2 files changed, 3 insertions(+)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index f5e64725..851460c 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -216,6 +216,7 @@ sub setup_nt4_dc($$)
lanman auth = yes
ntlm auth = yes
raw NTLMv2 auth = yes
+ server schannel = auto
rpc_server:epmapper = external
rpc_server:spoolss = external
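Review bot: the commit message only says "This is required for some tests"; name the tests, or the behaviour they exercise (netlogon calls that are not schannel-protected), either in the message or in a comment next to this line. This line re-enables the weaker pre-patch behaviour on the nt4_dc target, and without that note a later cleanup cannot tell whether the exemption can be dropped once those tests are fixed.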
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 8c17d77..e6bc3bb 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1466,6 +1466,7 @@ sub provision_ad_dc_ntvfs($$)
lsa over netlogon = yes
rpc server port = 1027
auth event notification = true
+ server schannel = auto
";
my $ret = $self->provision($prefix,
"domain controller",
@@ -1833,6 +1834,7 @@ sub provision_ad_dc($$$$$$)
lpq cache time = 0
print notify backchannel = yes
+ server schannel = auto
auth event notification = true
$smbconf_args
";
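Review bot: ad_dc is the environment most of the test suite runs against, so with `server schannel = auto` set here the new hardened default ("yes") is exercised by very few tests. Consider keeping the default on ad_dc and moving only the tests that need unprotected netlogon to a dedicated environment, or at least adding a test that confirms a DC running with the default rejects a netlogon call made without schannel, so the security-relevant part of this series has coverage. Minor: the line is inserted before "auth event notification = true" here but after it in provision_ad_dc_ntvfs; keeping the same position in both makes the exemption easier to find and remove.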
--
1.9.1
From 71ce8eaa41549394df486f3d8e4aadd498c14170 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 7 Dec 2017 13:22:22 +0100
Subject: [PATCH 3/4] docs-xml: deprecate "server schannel" and change the
default to "yes"
No client should use the old protocol without DCERPC level integrity/privacy,
but maybe there are some legacy OEM file servers, which require this.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
docs-xml/smbdotconf/security/serverschannel.xml | 13 +++++++++++--
lib/param/loadparm.c | 2 +-
source3/param/loadparm.c | 2 +-
3 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
index a2dca1b..489492d 100644
--- a/docs-xml/smbdotconf/security/serverschannel.xml
+++ b/docs-xml/smbdotconf/security/serverschannel.xml
@@ -2,8 +2,17 @@
context="G"
type="enum"
enumlist="enum_bool_auto"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
+
+ <para>
+ This option is deprecated with Samba 4.8 and will be removed in future.
+ At the same time the default changed to yes, which will be the
+ hardcoded behavior in future. If you have the need for the behavior of "auto"
+ to be kept, please file a bug at https://bugzilla.samba.org.
+ </para>
+
<para>
This controls whether the server offers or even demands the use of the netlogon schannel.
<smbconfoption name="server schannel">no</smbconfoption> does not offer the schannel, <smbconfoption
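Review bot: the new paragraph asks users who need "auto" to file a bug, but does not say what changes for them: with the default "yes" the DC now refuses netlogon calls that are not schannel-protected, and per the commit message the clients affected are legacy OEM file servers that still use the old protocol. Stating that in the description (one sentence, e.g. that "yes" rejects unprotected netlogon requests from such clients) lets an admin decide whether they need "auto" before they hit the failure after an upgrade. Also prefer "will be removed in a future release" over "will be removed in future".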
@@ -18,6 +27,6 @@
</para>
</description>
-<value type="default">auto</value>
-<value type="example">yes</value>
+<value type="default">yes</value>
+<value type="example">auto</value>
</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index f6ee112..a18407d 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2784,7 +2784,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template");
- lpcfg_do_global_parameter(lp_ctx, "server schannel", "Auto");
+ lpcfg_do_global_parameter(lp_ctx, "server schannel", "True");
lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True");
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 9f79f13..582c875 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -654,7 +654,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.client_schannel = true;
Globals.winbind_sealed_pipes = true;
Globals.require_strong_key = true;
- Globals.server_schannel = Auto;
+ Globals.server_schannel = true;
Globals.read_raw = true;
Globals.write_raw = true;
Globals.null_passwords = false;
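Review bot: this is the line that actually flips the DC to requiring schannel by default, so it deserves a mention of the observable failure mode in the commit message (which currently only says legacy OEM file servers may need the old protocol): what the server logs or returns when it rejects a non-schannel netlogon request, so admins can recognise it and decide between fixing the client and setting `server schannel = auto`. Same tri-state remark as for client_schannel applies: `true` is written into an enum_bool_auto field whose other value, `Auto`, is still in use in the selftest configs.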
--
1.9.1
From e33bb96a128f3d532e7b1f3db7ecbc3efeb3e1ba Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 7 Dec 2017 13:42:06 +0100
Subject: [PATCH 4/4] WHATSNEW: document the changes/deprecation of 'client
schannel' and 'server schannel'
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
WHATSNEW.txt | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 1eecc5c..94278b3 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -92,6 +92,8 @@ smb.conf changes
-------------- ----------- -------
auth methods Removed
binddns dir New
+ client schannel Default changed/ yes
+ Deprecated
gpo update command New
map untrusted to domain Removed
oplock contention limit Removed
@@ -100,6 +102,8 @@ smb.conf changes
fruit:time machine Added false
profile acls Removed
use spnego Removed
+ server schannel Default changed/ yes
+ Deprecated
winbind trusted domains only Removed
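Review bot: the two new rows ("client schannel" and "server schannel", both "Default changed/ Deprecated yes") fit the table format, but the table cannot say why the change matters; the other removals in this section are paired with prose elsewhere in WHATSNEW, and this one should be too: a short paragraph that a DC now requires netlogon schannel by default, that only clients still using the old unprotected protocol are affected, and that `server schannel = auto` restores the previous behaviour until those clients are fixed. Also check that "Default changed/" and the continuation "Deprecated" line up under the "Action" column as the other entries do.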
--
1.9.1