From c7acae904301cfc6a281d63f4e7d3cc6f4fff938 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 7 Dec 2017 13:22:22 +0100
Subject: [PATCH] docs-xml: deprecate "client schannel" and change the default
 to "yes"

This is already the default, because "require strong key = yes" is
the default.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
 docs-xml/smbdotconf/security/clientschannel.xml | 11 +++++++++--
 lib/param/loadparm.c                            |  2 +-
 source3/param/loadparm.c                        |  2 +-
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml
index 6ab35588800..5b07da95050 100644
--- a/docs-xml/smbdotconf/security/clientschannel.xml
+++ b/docs-xml/smbdotconf/security/clientschannel.xml
@@ -2,9 +2,16 @@
                  context="G"
                  type="enum"
                  enumlist="enum_bool_auto"
+                 deprecated="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
 
+    <para>
+	This option is deprecated with Samba 4.8 and will be removed in future.
+	At the same time the default changed to yes, which will be the
+	hardcoded behavior in future.
+    </para>
+
     <para>
     This controls whether the client offers or even demands the use of the netlogon schannel.
     <smbconfoption name="client schannel">no</smbconfoption> does not offer the schannel, 
@@ -18,6 +25,6 @@
 
     <para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para>
 </description>
-<value type="default">auto</value>
-<value type="example">yes</value>
+<value type="default">yes</value>
+<value type="example">auto</value>
 </samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 3a4a41ae75c..f6ee112c127 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2838,7 +2838,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
 	lpcfg_do_global_parameter(lp_ctx, "guest account", GUEST_ACCOUNT);
 
-	lpcfg_do_global_parameter(lp_ctx, "client schannel", "auto");
+	lpcfg_do_global_parameter(lp_ctx, "client schannel", "True");
 
 	lpcfg_do_global_parameter(lp_ctx, "smb encrypt", "default");
 
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index f8f76a66ebc..9f79f132def 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -651,7 +651,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 	Globals._client_ipc_min_protocol = PROTOCOL_DEFAULT;
 	Globals._security = SEC_AUTO;
 	Globals.encrypt_passwords = true;
-	Globals.client_schannel = Auto;
+	Globals.client_schannel = true;
 	Globals.winbind_sealed_pipes = true;
 	Globals.require_strong_key = true;
 	Globals.server_schannel = Auto;
-- 
2.47.3