CVE-2016-2118: docs-xml: default "allow dcerpc auth level connect" to "no"

author Stefan Metzmacher <metze@samba.org>

Thu, 10 Mar 2016 16:03:59 +0000 (17:03 +0100)

committer Stefan Metzmacher <metze@samba.org>

Wed, 30 Mar 2016 02:08:52 +0000 (04:08 +0200)
author Stefan Metzmacher <metze@samba.org>
Thu, 10 Mar 2016 16:03:59 +0000 (17:03 +0100)
committer Stefan Metzmacher <metze@samba.org>
Wed, 30 Mar 2016 02:08:52 +0000 (04:08 +0200)
diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml

index 27a9733475e0cfad3edc16b600405d184dd0a268..03531adbfb368d73a8137dcf9820f373bce27a84 100644 (file)
--- a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
+++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
@@ -19,11 +19,9 @@
         E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
         The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
         </para>
-
-       <para>Note the default will very likely change to <constant>no</constant> for Samba 4.5.</para>
  </description>
  
-<value type="default">yes</value>
-<value type="example">no</value>
+<value type="default">no</value>
+<value type="example">yes</value>
  
  </samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c

index fca1fe86a28aeb4395dce41972c1795f069e4666..4857c199cc5de98feb072dfd1b660f01fcf927a3 100644 (file)
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2514,7 +2514,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
         lpcfg_do_global_parameter(lp_ctx, "RawNTLMv2Auth", "False");
         lpcfg_do_global_parameter(lp_ctx, "client use spnego principal", "False");
  
-       lpcfg_do_global_parameter(lp_ctx, "allow dcerpc auth level connect", "True");
+       lpcfg_do_global_parameter(lp_ctx, "allow dcerpc auth level connect", "False");
  
         lpcfg_do_global_parameter(lp_ctx, "UnixExtensions", "True");
  
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c

index 0ec8c971b7b3351a7ef5a4b31f2c9191e8ac05cd..c975f1b6492de0bba47f40c08354aff4da9eb3d7 100644 (file)
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -667,7 +667,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
         Globals.client_ntlmv2_auth = true; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
         /* Note, that we will also use NTLM2 session security (which is different), if it is available */
  
-       Globals.allow_dcerpc_auth_level_connect = true; /* we need to allow this for now by default */
+       Globals.allow_dcerpc_auth_level_connect = false; /* we don't allow this by default */
  
         Globals.map_to_guest = 0;       /* By Default, "Never" */
         Globals.oplock_break_wait_time = 0;     /* By Default, 0 msecs. */
author	Stefan Metzmacher <metze@samba.org>
	Thu, 10 Mar 2016 16:03:59 +0000 (17:03 +0100)
committer	Stefan Metzmacher <metze@samba.org>
	Wed, 30 Mar 2016 02:08:52 +0000 (04:08 +0200)
docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml		patch \| blob \| blame \| history
lib/param/loadparm.c		patch \| blob \| blame \| history
source3/param/loadparm.c		patch \| blob \| blame \| history