[Patches] change "client/server schannel" to yes and deprecate the options

Stefan Metzmacher metze at samba.org
Tue Jan 9 14:34:59 UTC 2018


Hi,

here's an updated patchset that passed a private autobuild.

This is again based on the removal of 'use spnego' and 'winbind trusted
domains only' patchset.

Please review and push:-)

Thanks!
metze

It's based on top of the just posted 'u
On 07.12.2017 at 16:15, Stefan Metzmacher via samba-technical wrote:
> On 07.12.2017 at 14:49, Stefan Metzmacher via samba-technical wrote:
>> Hi,
>>
>> it's 2017 and we should really get rid of the "client schannel" and
>> "server schannel" options...
>>
>> This is based on the removal of 'use spnego' and 'winbind trusted
>> domains only' patchset.
>>
>> Please review and push:-)
> 
> It seems some tests rely on the "auto" behavior,
> I'll post a new patchset that passes a private autobuild...
> 
> metze
> 
> 

-------------- next part --------------
From f84fc36d0661b7d0c229c6f54444407f50f7ba27 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 7 Dec 2017 13:22:22 +0100
Subject: [PATCH 1/4] docs-xml: deprecate "client schannel" and change the
 default to "yes"

This is already the default, because "require strong key = yes" is
the default.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 docs-xml/smbdotconf/security/clientschannel.xml | 11 +++++++++--
 lib/param/loadparm.c                            |  2 +-
 source3/param/loadparm.c                        |  2 +-
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml
index 6ab3558..5b07da9 100644
--- a/docs-xml/smbdotconf/security/clientschannel.xml
+++ b/docs-xml/smbdotconf/security/clientschannel.xml
@@ -2,10 +2,17 @@
                  context="G"
                  type="enum"
                  enumlist="enum_bool_auto"
+                 deprecated="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
 
     <para>
+	This option is deprecated with Samba 4.8 and will be removed in future.
+	At the same time the default changed to yes, which will be the
+	hardcoded behavior in future.
+    </para>
+
+    <para>
     This controls whether the client offers or even demands the use of the netlogon schannel.
     <smbconfoption name="client schannel">no</smbconfoption> does not offer the schannel, 
     <smbconfoption name="client schannel">auto</smbconfoption> offers the schannel but does not
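Review bot: the new deprecation paragraph tells the admin nothing about what to do if they still depend on "auto", while the matching paragraph for "server schannel" in 3/4 asks them to file a bug at https://bugzilla.samba.org; the same sentence belongs here. The commit message also says the change is a no-op because "require strong key = yes" is already the default, which is exactly the reassurance a reader of this paragraph wants; consider stating it here. Minor: "will be removed in future" reads better as "will be removed in a future release".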
@@ -18,6 +25,6 @@
 
     <para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para>
 </description>
-<value type="default">auto</value>
-<value type="example">yes</value>
+<value type="default">yes</value>
+<value type="example">auto</value>
 </samba:parameter>
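Review bot: the example value is swapped to "auto", i.e. the behaviour the paragraph above has just declared deprecated; pointing readers at a setting that is about to disappear is counterproductive. Either drop the example element now or keep it at the value that will remain valid.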
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 3a4a41a..f6ee112 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2838,7 +2838,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
 	lpcfg_do_global_parameter(lp_ctx, "guest account", GUEST_ACCOUNT);
 
-	lpcfg_do_global_parameter(lp_ctx, "client schannel", "auto");
+	lpcfg_do_global_parameter(lp_ctx, "client schannel", "True");
 
 	lpcfg_do_global_parameter(lp_ctx, "smb encrypt", "default");
 
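Review bot: spelling of the default is inconsistent across the series: the XML default in this commit says "yes", this line sets "True", the old value was lower-case "auto" here but "Auto" for the server option in 3/4. If enum_bool_auto accepts all of them this is harmless, but using the documented spelling ("yes") in both loadparm.c files would let docs and code be cross-checked with a plain grep.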
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index f8f76a6..9f79f13 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -651,7 +651,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 	Globals._client_ipc_min_protocol = PROTOCOL_DEFAULT;
 	Globals._security = SEC_AUTO;
 	Globals.encrypt_passwords = true;
-	Globals.client_schannel = Auto;
+	Globals.client_schannel = true;
 	Globals.winbind_sealed_pipes = true;
 	Globals.require_strong_key = true;
 	Globals.server_schannel = Auto;
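Review bot: Globals.client_schannel previously held the enum value Auto and is now assigned the C bool true, relying on true having the integer value of the enum's "yes" entry; that works but a comment or the enum constant would make the intent explicit. Note the trailing context still has server_schannel = Auto, so after this commit alone the client side demands schannel while the server side only offers it; since 2/4 pins "server schannel = auto" in selftest before 3/4 flips the server default, the series stays bisectable, and the commit message should say so.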
-- 
1.9.1


From 1b0c10a5b67f176b136d1969e3699e6f82d28a0d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 13 Dec 2017 13:09:47 +0100
Subject: [PATCH 2/4] selftest: explicitly configure some dcs with 'server
 schannel = auto'

This is required for some tests.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 selftest/target/Samba3.pm | 1 +
 selftest/target/Samba4.pm | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index f5e64725..851460c 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -216,6 +216,7 @@ sub setup_nt4_dc($$)
 	lanman auth = yes
 	ntlm auth = yes
 	raw NTLMv2 auth = yes
+	server schannel = auto
 
 	rpc_server:epmapper = external
 	rpc_server:spoolss = external
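Review bot: the commit message only says this is "required for some tests" without naming them. Please list the tests (or the behaviour they exercise) in the message and put a one-line comment above "server schannel = auto" in the template; otherwise a later cleanup of deprecated options will remove this line and the affected tests will fail for a non-obvious reason.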
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 8c17d77..e6bc3bb 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1466,6 +1466,7 @@ sub provision_ad_dc_ntvfs($$)
 	lsa over netlogon = yes
         rpc server port = 1027
         auth event notification = true
+	server schannel = auto
 	";
 	my $ret = $self->provision($prefix,
 				   "domain controller",
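Review bot: the added line is indented with a tab while its immediate neighbours "rpc server port" and "auth event notification" use spaces. smb.conf parsing does not care, but the heredoc already mixes both styles and adding a third variant makes it worse; match the adjacent lines.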
@@ -1833,6 +1834,7 @@ sub provision_ad_dc($$$$$$)
 	lpq cache time = 0
 	print notify backchannel = yes
 
+	server schannel = auto
         auth event notification = true
         $smbconf_args
 ";
-- 
1.9.1


From 71ce8eaa41549394df486f3d8e4aadd498c14170 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 7 Dec 2017 13:22:22 +0100
Subject: [PATCH 3/4] docs-xml: deprecate "server schannel" and change the
 default to "yes"

No client should use the old protocol without DCERPC level integrity/privacy,
but maybe there are some legacy OEM file servers, which require this.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 docs-xml/smbdotconf/security/serverschannel.xml | 13 +++++++++++--
 lib/param/loadparm.c                            |  2 +-
 source3/param/loadparm.c                        |  2 +-
 3 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
index a2dca1b..489492d 100644
--- a/docs-xml/smbdotconf/security/serverschannel.xml
+++ b/docs-xml/smbdotconf/security/serverschannel.xml
@@ -2,8 +2,17 @@
                  context="G"
                  type="enum"
                  enumlist="enum_bool_auto"
+                 deprecated="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
+
+    <para>
+	This option is deprecated with Samba 4.8 and will be removed in future.
+	At the same time the default changed to yes, which will be the
+	hardcoded behavior in future. If you have the need for the behavior of "auto"
+	to be kept, please file a bug at https://bugzilla.samba.org.
+    </para>
+
     <para>
 	This controls whether the server offers or even demands the use of the netlogon schannel.
 	<smbconfoption name="server schannel">no</smbconfoption> does not offer the schannel, <smbconfoption
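Review bot: the deprecation paragraph says what changed but not what an admin will observe. With the default now "yes" the server demands the netlogon schannel, so clients that do not use it (the legacy OEM file servers the commit message worries about) will be refused; a sentence stating that, and that "server schannel = auto" restores the previous behaviour, would make the request to file a bug actionable. Minor: "in future" should be "in a future release", as in the client option text.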
@@ -18,6 +27,6 @@
 	</para>
 </description>
 
-<value type="default">auto</value>
-<value type="example">yes</value>
+<value type="default">yes</value>
+<value type="example">auto</value>
 </samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index f6ee112..a18407d 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2784,7 +2784,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
 	lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template");
 
-	lpcfg_do_global_parameter(lp_ctx, "server schannel", "Auto");
+	lpcfg_do_global_parameter(lp_ctx, "server schannel", "True");
 
 	lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True");
 
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 9f79f13..582c875 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -654,7 +654,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 	Globals.client_schannel = true;
 	Globals.winbind_sealed_pipes = true;
 	Globals.require_strong_key = true;
-	Globals.server_schannel = Auto;
+	Globals.server_schannel = true;
 	Globals.read_raw = true;
 	Globals.write_raw = true;
 	Globals.null_passwords = false;
-- 
1.9.1


From e33bb96a128f3d532e7b1f3db7ecbc3efeb3e1ba Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 7 Dec 2017 13:42:06 +0100
Subject: [PATCH 4/4] WHATSNEW: document the changes/deprecation of 'client
 schannel' and 'server schannel'

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 WHATSNEW.txt | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 1eecc5c..94278b3 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -92,6 +92,8 @@ smb.conf changes
   --------------                     -----------             -------
   auth methods                       Removed
   binddns dir                        New
+  client schannel                    Default changed/        yes
+                                     Deprecated
   gpo update command                 New
   map untrusted to domain            Removed
   oplock contention limit            Removed
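Review bot: the table records the mechanical change only, but WHATSNEW is where admins look for impact. A short paragraph outside the table explaining that "require strong key = yes" already made yes the effective behaviour for "client schannel", and that "server schannel = yes" will now reject clients not using schannel, would save people reading the option manpages to find out what changed for them.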
@@ -100,6 +102,8 @@ smb.conf changes
   fruit:time machine                 Added                   false
   profile acls                       Removed
   use spnego                         Removed
+  server schannel                    Default changed/        yes
+                                     Deprecated
   winbind trusted domains only       Removed
 
 
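Review bot: this table is kept in alphabetical order and "server schannel" is inserted after "use spnego"; it belongs between "profile acls" and "use spnego".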
-- 
1.9.1
