lib:param: Add 'client protection' config option
authorAndreas Schneider <asn@samba.org>
Thu, 20 Aug 2020 08:18:08 +0000 (10:18 +0200)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 28 Apr 2021 03:43:34 +0000 (03:43 +0000)
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth/credentials/credentials.h
docs-xml/smbdotconf/security/clientprotection.xml [new file with mode: 0644]
lib/param/loadparm.c
lib/param/param_table.c
source3/param/loadparm.c

index bcbe012ec12a0c1df3f39976d2a512f6bea2b5a2..540e4cfb6b65ea1f783b38de00b9dcb170229816 100644 (file)
@@ -61,6 +61,13 @@ enum credentials_use_kerberos {
        CRED_USE_KERBEROS_REQUIRED,
 };
 
+enum credentials_client_protection {
+       CRED_CLIENT_PROTECTION_DEFAULT = -1,
+       CRED_CLIENT_PROTECTION_PLAIN = 0,
+       CRED_CLIENT_PROTECTION_SIGN,
+       CRED_CLIENT_PROTECTION_ENCRYPT,
+};
+
 enum credentials_krb_forwardable {
        CRED_AUTO_KRB_FORWARDABLE = 0, /* Default, follow library defaults */
        CRED_NO_KRB_FORWARDABLE,       /* not forwardable */
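Review bot: The new `credentials_client_protection` enum has no comments, although `credentials_krb_forwardable` directly below documents each value, and its numeric layout is easy to misread. `CRED_CLIENT_PROTECTION_DEFAULT = -1` sorts below `CRED_CLIENT_PROTECTION_PLAIN`, so an ordinal check such as `>= CRED_CLIENT_PROTECTION_SIGN` would treat an unset option as weaker than plaintext instead of deferring to the per-option settings. I would add `/* Defer to 'client signing' and 'client smb encrypt'; resolve before comparing levels */` on the DEFAULT line and `/* No signing, no encryption */` on the PLAIN line. The code that consumes this value is outside the visible diff, so I could not check whether any caller compares the levels ordinally.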
diff --git a/docs-xml/smbdotconf/security/clientprotection.xml b/docs-xml/smbdotconf/security/clientprotection.xml
new file mode 100644 (file)
index 0000000..347b004
--- /dev/null
@@ -0,0 +1,51 @@
+<samba:parameter name="client protection"
+                 context="G"
+                 type="enum"
+                 enumlist="enum_client_protection_vals"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+       <para>
+               This parameter defines which protection Samba client
+               tools should use by default.
+       </para>
+
+       <para>Possible client settings are:</para>
+       <itemizedlist>
+               <listitem>
+                       <para>
+                               <emphasis>default</emphasis> - Use the individual
+                               default values of the options:
+                               <itemizedlist>
+                                       <listitem><para><parameter>client signing</parameter></para></listitem>
+                                       <listitem><para><parameter>client smb encrypt</parameter></para></listitem>
+                               </itemizedlist>
+                       </para>
+               </listitem>
+
+               <listitem>
+                       <para>
+                               <emphasis>plain</emphasis> - This will send
+                               everything just as plaintext, signing or
+                               encryption are turned off.
+                       </para>
+               </listitem>
+
+               <listitem>
+                       <para>
+                               <emphasis>sign</emphasis> - This will enable
+                               integrity checking.
+                       </para>
+               </listitem>
+
+               <listitem>
+                       <para>
+                               <emphasis>encrypt</emphasis> - This will enable
+                               integrity checks and force encryption for
+                               privacy.
+                       </para>
+               </listitem>
+       </itemizedlist>
+</description>
+
+<value type="default">default</value>
+</samba:parameter>
index 7b0f652c0694060b8bee6d0ac904af9a35d296c7..adfba67652e43230baf0ce31d9cbff2149a4590f 100644 (file)
@@ -2952,6 +2952,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
                                  "client use kerberos",
                                  "desired");
 
+       lpcfg_do_global_parameter(lp_ctx,
+                                 "client protection",
+                                 "default");
+
        for (i = 0; parm_table[i].label; i++) {
                if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
                        lp_ctx->flags[i] |= FLAG_DEFAULT;
index b26f0738f09397ea68ed18428a11a8d2745fcd9f..a67e8549294ce9ea903b8c54918eda95a559afe2 100644 (file)
@@ -173,6 +173,14 @@ static const struct enum_list enum_use_kerberos_vals[] = {
        {-1, NULL}
 };
 
+static const struct enum_list enum_client_protection_vals[] = {
+       {CRED_CLIENT_PROTECTION_DEFAULT,  "default"},
+       {CRED_CLIENT_PROTECTION_PLAIN,    "plain"},
+       {CRED_CLIENT_PROTECTION_SIGN,     "sign"},
+       {CRED_CLIENT_PROTECTION_ENCRYPT,  "encrypt"},
+       {-1, NULL}
+};
+
 static const struct enum_list enum_mdns_name_values[] = {
        {MDNS_NAME_NETBIOS, "netbios"},
        {MDNS_NAME_MDNS, "mdns"},
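Review bot: `CRED_CLIENT_PROTECTION_DEFAULT` is -1, so the first row of `enum_client_protection_vals` carries the same value as the `{-1, NULL}` terminator. That is safe only if every walker of an `enum_list` stops on the NULL name rather than on the value; the lookup code is outside this hunk and presumably does so. A one-line comment on the last row, such as `/* terminator: matched on the NULL name, not on -1 */`, would keep a later reader from treating the duplicate as a mistake.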
index 4f4912c70e40d903aad63b026d1eb51b81d9bb15..55184e9b7981c76033bc49ffb022c2746a2015d1 100644 (file)
@@ -959,6 +959,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 
        Globals._client_use_kerberos = CRED_USE_KERBEROS_DESIRED;
 
+       Globals.client_protection = CRED_CLIENT_PROTECTION_DEFAULT;
+
        /* Now put back the settings that were set with lp_set_cmdline() */
        apply_lp_set_cmdline();
 }