From: Andreas Schneider
Date: Thu, 20 Aug 2020 08:18:08 +0000 (+0200)
Subject: lib:param: Add 'client protection' config option
X-Git-Tag: tevent-0.11.0~986
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4c4353705f3303c91abe97766000ece18f724388;p=thirdparty%2Fsamba.git
lib:param: Add 'client protection' config option
Signed-off-by: Andreas Schneider
Reviewed-by: Andrew Bartlett
---
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index bcbe012ec12..540e4cfb6b6 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -61,6 +61,13 @@ enum credentials_use_kerberos {
 CRED_USE_KERBEROS_REQUIRED,
 };
+enum credentials_client_protection {
+ CRED_CLIENT_PROTECTION_DEFAULT = -1,
+ CRED_CLIENT_PROTECTION_PLAIN = 0,
+ CRED_CLIENT_PROTECTION_SIGN,
+ CRED_CLIENT_PROTECTION_ENCRYPT,
+};
+
 enum credentials_krb_forwardable {
 CRED_AUTO_KRB_FORWARDABLE = 0, /* Default, follow library defaults */
 CRED_NO_KRB_FORWARDABLE, /* not forwardable */
diff --git a/docs-xml/smbdotconf/security/clientprotection.xml b/docs-xml/smbdotconf/security/clientprotection.xml
new file mode 100644
index 00000000000..347b0043be3
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientprotection.xml
@@ -0,0 +1,51 @@
+
+
+
+ This parameter defines which protection Samba client
+ tools should use by default.
+
+
+ Possible client settings are:
+
+
+
+ default - Use the individual
+ default values of the options:
+
+ client signing
+ client smb encrypt
+
+
+
+
+
+
+ plain - This will send
+ everything just as plaintext, signing or
+ encryption are turned off.
+
+
+
+
+
+ sign - This will enable
+ integrity checking.
+
+
+
+
+
+ encrypt - This will enable
+ integrity checks and force encryption for
+ privacy.
+
+
+
+
+
+default
+
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 7b0f652c069..adfba67652e 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
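Review bot: The new `enum credentials_client_protection` in auth/credentials/credentials.h carries no comments, unlike `enum credentials_krb_forwardable` directly below it, and its numeric order is security-relevant for any caller that compares levels. `CRED_CLIENT_PROTECTION_DEFAULT` is -1 and therefore sorts below `CRED_CLIENT_PROTECTION_PLAIN`, so a check written as `>= CRED_CLIENT_PROTECTION_SIGN` would treat an unresolved DEFAULT as weaker than plaintext. I would add a comment above the enum such as `/* Ordered by strength; DEFAULT defers to 'client signing' / 'client smb encrypt' and must be resolved before comparing */`, plus a per-value comment like `/* no signing, no encryption */` on PLAIN.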
@@ -2952,6 +2952,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 "client use kerberos",
 "desired");
+ lpcfg_do_global_parameter(lp_ctx,
+ "client protection",
+ "default");
+
 for (i = 0; parm_table[i].label; i++) {
 if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
 lp_ctx->flags[i] |= FLAG_DEFAULT;
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index b26f0738f09..a67e8549294 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -173,6 +173,14 @@ static const struct enum_list enum_use_kerberos_vals[] = {
 {-1, NULL}
 };
+static const struct enum_list enum_client_protection_vals[] = {
+ {CRED_CLIENT_PROTECTION_DEFAULT, "default"},
+ {CRED_CLIENT_PROTECTION_PLAIN, "plain"},
+ {CRED_CLIENT_PROTECTION_SIGN, "sign"},
+ {CRED_CLIENT_PROTECTION_ENCRYPT, "encrypt"},
+ {-1, NULL}
+};
+
 static const struct enum_list enum_mdns_name_values[] = {
 {MDNS_NAME_NETBIOS, "netbios"},
 {MDNS_NAME_MDNS, "mdns"},
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 4f4912c70e4..55184e9b798 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -959,6 +959,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 Globals._client_use_kerberos = CRED_USE_KERBEROS_DESIRED;
+ Globals.client_protection = CRED_CLIENT_PROTECTION_DEFAULT;
+
 /* Now put back the settings that were set with lp_set_cmdline() */
 apply_lp_set_cmdline();
 }
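Review bot: In `enum_client_protection_vals` (lib/param/param_table.c) the first entry `{CRED_CLIENT_PROTECTION_DEFAULT, "default"}` has the same integer value, -1, as the `{-1, NULL}` terminator. That is safe only if every walker of an `enum_list` stops on a NULL name rather than on the value; the lookup code is not part of this diff, so this should be confirmed for both the name-to-value and value-to-name directions. A comment on the last entry such as `/* end marker is the NULL name; -1 is also a valid value in this list */` would record the assumption.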
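Review bot: Nothing in this diff reads `Globals.client_protection`, which is set here in `init_globals` and seeded with `"default"` in `loadparm_init` in lib/param/loadparm.c, while the new smb.conf documentation says `encrypt` will force encryption. If the consumers land in a later commit, a user who sets `client protection = encrypt` on this revision alone would presumably still get whatever `client signing` and `client smb encrypt` select. I would say so in the commit message, or add a comment next to the assignment such as `/* parsed only in this commit; no client code consumes it yet */` if that is indeed the case. `init_globals` begins outside the hunk, so any consumer elsewhere in that function is not visible here.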