--- /dev/null
+<samba:parameter name="client smb3 signing algorithms"
+ context="G"
+ type="list"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter specifies the availability and order of
+ signing algorithms which are available for negotiation in the SMB3_11 dialect.
+ </para>
+ <para>It is also possible to remove individual algorithms from the default list,
+ by prefixing them with '-'. This can avoid having to specify a hardcoded list.
+ </para>
+ <para>Note: that the removal of aes-128-cmac from the list will result
+ in SMB3_00 and SMB3_02 being unavailable, and the removal od hmac-sha-256
+ will result in SMB2_02 and SMB2_10 being unavailable, as these are the default and only
+ available algorithms for these dialects.
+ </para>
+</description>
+
+<value type="default">aes-128-cmac, hmac-sha-256</value>
+<value type="example">aes-128-cmac</value>
+<value type="example">-aes-128-cmac</value>
+</samba:parameter>
--- /dev/null
+<samba:parameter name="server smb3 signing algorithms"
+ context="G"
+ type="list"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter specifies the availability and order of
+ signing algorithms which are available for negotiation in the SMB3_11 dialect.
+ </para>
+ <para>It is also possible to remove individual algorithms from the default list,
+ by prefixing them with '-'. This can avoid having to specify a hardcoded list.
+ </para>
+ <para>Note: that the removal of aes-128-cmac from the list will result
+ in SMB3_00 and SMB3_02 being unavailable, and the removal od hmac-sha-256
+ will result in SMB2_02 and SMB2_10 being unavailable, as these are the default and only
+ available algorithms for these dialects.
+ </para>
+</description>
+
+<value type="default">aes-128-cmac, hmac-sha-256</value>
+<value type="example">aes-128-cmac</value>
+<value type="example">-aes-128-cmac</value>
+</samba:parameter>
"winbind use krb5 enterprise principals",
"yes");
+ lpcfg_do_global_parameter(lp_ctx,
+ "client smb3 signing algorithms",
+ DEFAULT_SMB3_SIGNING_ALGORITHMS);
+ lpcfg_do_global_parameter(lp_ctx,
+ "server smb3 signing algorithms",
+ DEFAULT_SMB3_SIGNING_ALGORITHMS);
+
lpcfg_do_global_parameter(lp_ctx,
"client smb3 encryption algorithms",
DEFAULT_SMB3_ENCRYPTION_ALGORITHMS);
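Review bot: Nothing visible in this commit states what happens when the configured value leaves the signing list empty (for example both defaults removed with the '-' prefix) or names an algorithm that is not recognised; the two new `lpcfg_do_global_parameter` calls here only register the defaults. Because this list decides which integrity algorithm can be negotiated, the code that consumes it should reject such a configuration or fail the negotiation rather than continue with no usable algorithm. That consumer is not in this hunk, so this is a question to confirm, not a demonstrated defect. A comment above the calls would record the expectation: `/* An empty or unrecognised signing list must fail negotiation, not silently weaken signing */`. The enclosing function starts and ends outside the hunk.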
#define DEFAULT_SMB2_MAX_TRANSACT (8*1024*1024)
#define DEFAULT_SMB2_MAX_CREDITS 8192
+#define DEFAULT_SMB3_SIGNING_ALGORITHMS "aes-128-cmac hmac-sha-256"
#define DEFAULT_SMB3_ENCRYPTION_ALGORITHMS "aes-128-gcm aes-128-ccm aes-256-gcm aes-256-ccm"
#define LOADPARM_EXTRA_LOCALS \
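Review bot: `DEFAULT_SMB3_SIGNING_ALGORITHMS` carries no comment saying that the order of the string is the negotiation preference and that each entry also gates older dialects, although the manpage text added in this commit says both. I would add above the define: `/* Preference order. aes-128-cmac is required for SMB3_00/SMB3_02, hmac-sha-256 for SMB2_02/SMB2_10 */`. That keeps a later edit of the default from dropping or reordering an entry without noticing which dialects it disables.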
Globals.winbind_use_krb5_enterprise_principals = true;
+ Globals.client_smb3_signing_algorithms =
+ str_list_make_v3_const(NULL, DEFAULT_SMB3_SIGNING_ALGORITHMS, NULL);
+ Globals.server_smb3_signing_algorithms =
+ str_list_make_v3_const(NULL, DEFAULT_SMB3_SIGNING_ALGORITHMS, NULL);
+
Globals.client_smb3_encryption_algorithms =
str_list_make_v3_const(NULL, DEFAULT_SMB3_ENCRYPTION_ALGORITHMS, NULL);
Globals.server_smb3_encryption_algorithms =