--- /dev/null
+<samba:parameter name="client use krb5 netlogon"
+ context="G"
+ type="enum"
+ enumlist="enum_bool_auto_default"
+ function="_client_use_krb5_netlogon"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para><emphasis>This option is experimental for now!</emphasis>
+ </para>
+
+ <para>This option controls whether winbindd (and other client tools)
+ try to use ServerAuthenticateKerberos for the netlogon secure channel.</para>
+
+ <para>The behavior can be controlled per netbios domain
+ by using 'client use krb5 netlogon:NETBIOSDOMAIN = yes|no' as option.</para>
+
+ <para>This option is over-ridden by the <smbconfoption name="reject aes netlogon servers"/> option (if it is effectively on)
+ and lets <smbconfoption name="client use krb5 netlogon"/> be yes as well.</para>
+
+ <para>
+ The 'default' currently maps to 'no'.
+ </para>
+
+ <para>
+ A meaning of 'auto' depends on the used kerberos library
+ and the trust/domain type.
+ </para>
+
+ <para>
+ If samba was compiled using '--without-ads' or
+ '--with-system-heimdalkrb5' it is not possible to
+ activate the ServerAuthenticateKerberos feature,
+ as the krb5_init_creds_step() function is not available.
+ This forces 'auto' to behave as 'no'.
+ </para>
+
+ <para>
+ The value of 'auto' maps to 'yes' if the domain
+ is detected as active directory domain, e.g.
+ with 'SECURITY = ADS' or on an active directory domain controller.
+ </para>
+</description>
+
+<value type="default">default</value>
+<value type="example">no</value>
+<value type="example">auto</value>
+<value type="example">yes</value>
+</samba:parameter>
by using 'reject aes netlogon servers:NETBIOSDOMAIN = no' as option.</para>
<para>This option overrides the <smbconfoption name="reject md5 servers"/> option.</para>
+ <para>This option overrides the <smbconfoption name="client use krb5 netlogon"/> option (if it is effectively off).</para>
</description>
<value type="default">no</value>
lpcfg_do_global_parameter(lp_ctx, "client schannel", "True");
+ lpcfg_do_global_parameter(lp_ctx, "client use krb5 netlogon", "default");
+
lpcfg_do_global_parameter(lp_ctx, "smb encrypt", "default");
lpcfg_do_global_parameter(lp_ctx, "max log size", "5000");
return allowed;
}
+int lpcfg_client_use_krb5_netlogon(struct loadparm_context *lp_ctx)
+{
+ int val = lpcfg__client_use_krb5_netlogon(lp_ctx);
+
+ if (val == LP_ENUM_Default) {
+ val = false;
+ }
+
+ return val;
+}
+
int lpcfg_tdb_hash_size(struct loadparm_context *lp_ctx, const char *name)
{
const char *base;
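Review bot: lpcfg_client_use_krb5_netlogon() maps only LP_ENUM_Default to false and passes Auto (2) through unchanged, so any caller that tests the return value as a boolean will treat 'auto' as 'yes', which contradicts the option's own documentation that 'auto' can resolve to 'no' (for example when krb5_init_creds_step() is unavailable). Either the callers resolve Auto themselves, which this hunk cannot show, or the mapping belongs in this wrapper; in either case the contract should be stated on the function, e.g. `/* Returns false, true or Auto (2); callers must resolve Auto against the krb5 library and the domain type. */`. If the per-domain 'client use krb5 netlogon:DOMAIN' override and the 'reject aes netlogon servers' precedence described in the docs are also left to callers, say so in the same comment; that is inferred from the option text rather than from this hunk, so confirm against the call sites first.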
struct smbsrv_connection;
#define Auto (2)
+#define LP_ENUM_Default (-2)
struct loadparm_context;
struct loadparm_service;
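Review bot: `#define LP_ENUM_Default (-2)` is added with no explanation of why it is -2 rather than the more obvious -1; the enum_list tables in this series end with a `{-1, NULL}` terminator, so -1 would collide with the sentinel, and the value also has to stay clear of `Auto (2)` and the 0/1 bool values. A one-line comment would stop the next reader from "normalising" it: `#define LP_ENUM_Default (-2) /* 'default' marker; -1 is the enum_list terminator, 2 is Auto */`.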
{-1, NULL}
};
+static const struct enum_list enum_bool_auto_default[] = {
+ {false, "No"},
+ {false, "False"},
+ {false, "0"},
+ {true, "Yes"},
+ {true, "True"},
+ {true, "1"},
+ {Auto, "Auto"},
+ {LP_ENUM_Default, "default"},
+ {-1, NULL}
+};
+
static const struct enum_list enum_csc_policy[] = {
{CSC_POLICY_MANUAL, "manual"},
{CSC_POLICY_DOCUMENTS, "documents"},
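Review bot: In enum_bool_auto_default the new row is spelled `{LP_ENUM_Default, "default"}` while every sibling row uses a capitalised display form ("No", "Yes", "Auto"). Presumably enum matching is case-insensitive, given the existing Yes/True/1 handling, so this is not a functional problem, but `{LP_ENUM_Default, "Default"}` would keep the table self-consistent and give a consistent spelling wherever the table string is echoed back to users. Confirm the matching rule before relying on either spelling in documentation examples.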
Globals.winbind_sealed_pipes = true;
Globals.require_strong_key = true;
Globals.reject_md5_servers = true;
+ Globals._client_use_krb5_netlogon = LP_ENUM_Default;
Globals.server_schannel = true;
Globals.server_schannel_require_seal = true;
Globals.reject_md5_clients = true;