From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 7 Dec 2017 12:22:22 +0000 (+0100)
Subject: docs-xml: deprecate "server schannel" and change the default to "yes"
X-Git-Tag: talloc-2.1.11~15
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0341e83d40dc42fbb1f1e467626418a9e4dedf40;p=thirdparty%2Fsamba.git

docs-xml: deprecate "server schannel" and change the default to "yes"

No client should use the old protocol without DCERPC level integrity/privacy,
but Maybe there're some lagacy OEM file servers, which require this.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---

diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
index a2dca1bbdb4..489492d79b1 100644
--- a/docs-xml/smbdotconf/security/serverschannel.xml
+++ b/docs-xml/smbdotconf/security/serverschannel.xml
@@ -2,8 +2,17 @@
                  context="G"
                  type="enum"
                  enumlist="enum_bool_auto"
+                 deprecated="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
+
+    <para>
+	This option is deprecated with Samba 4.8 and will be removed in future.
+	At the same time the default changed to yes, which will be the
+	hardcoded behavior in future. If you have the need for the behavior of "auto"
+	to be kept, please file a bug at https://bugzilla.samba.org.
+    </para>
+
     <para>
 	This controls whether the server offers or even demands the use of the netlogon schannel.
 	<smbconfoption name="server schannel">no</smbconfoption> does not offer the schannel, <smbconfoption
@@ -18,6 +27,6 @@
 	</para>
 </description>
 
-<value type="default">auto</value>
-<value type="example">yes</value>
+<value type="default">yes</value>
+<value type="example">auto</value>
 </samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index f6ee112c127..a18407d9c07 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2784,7 +2784,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
 	lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template");
 
-	lpcfg_do_global_parameter(lp_ctx, "server schannel", "Auto");
+	lpcfg_do_global_parameter(lp_ctx, "server schannel", "True");
 
 	lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True");
 
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 9f79f132def..582c8756ffa 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -654,7 +654,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 	Globals.client_schannel = true;
 	Globals.winbind_sealed_pipes = true;
 	Globals.require_strong_key = true;
-	Globals.server_schannel = Auto;
+	Globals.server_schannel = true;
 	Globals.read_raw = true;
 	Globals.write_raw = true;
 	Globals.null_passwords = false;