mirror of https://github.com/samba-team/samba.git synced 2025-01-24 02:04:21 +03:00

CVE-2016-2115: docs-xml: add "client ipc min protocol" and "client ipc max protocol" options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11796

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher 2016-02-27 03:45:43 +01:00
parent 09a757685d
commit 39282d2ce7
7 changed files with 124 additions and 3 deletions


@ -0,0 +1,29 @@
<samba:parameter name="client ipc max protocol"
context="G"
type="enum"
function="_client_ipc_max_protocol"
enumlist="enum_protocol"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>The value of the parameter (a string) is the highest
protocol level that will be supported for IPC$ connections as DCERPC transport.</para>
<para>Normally this option should not be set as the automatic
negotiation phase in the SMB protocol takes care of choosing
the appropriate protocol.</para>
<para>The value <constant>default</constant> refers to the latest
supported protocol, currently <constant>SMB3_11</constant>.</para>
<para>See <smbconfoption name="client max protocol"/> for a full list
of available protocols. The values CORE, COREPLUS, LANMAN1, LANMAN2
are silently upgraded to NT1.</para>
</description>
<related>client ipc min protocol</related>
<related>client min protocol</related>
<related>client max protocol</related>
<value type="default">default</value>
<value type="example">SMB2_10</value>
</samba:parameter>


@ -0,0 +1,29 @@
<samba:parameter name="client ipc min protocol"
context="G"
type="enum"
function="_client_ipc_min_protocol"
enumlist="enum_protocol"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This setting controls the minimum protocol version that the
will be attempted to use for IPC$ connections as DCERPC transport.</para>
<para>Normally this option should not be set as the automatic
negotiation phase in the SMB protocol takes care of choosing
the appropriate protocol.</para>
<para>The value <constant>default</constant> refers to the higher value
of <constant>NT1</constant> and the effective value of
<smbconfoption name="client min protocol"/>.</para>
<para>See <smbconfoption name="client max protocol"/> for a full list
of available protocols. The values CORE, COREPLUS, LANMAN1, LANMAN2
are silently upgraded to NT1.</para>
</description>
<related>client ipc max protocol</related>
<related>client min protocol</related>
<related>client max protocol</related>
<value type="default">default</value>
<value type="example">SMB3_11</value>
</samba:parameter>


@ -79,13 +79,16 @@
negotiation phase in the SMB protocol takes care of choosing
the appropriate protocol.</para>
<para>The value <constant>default</constant> refers to the default protocol in each
part of the code, currently <constant>NT1</constant> in the client tools and
<constant>SMB3_02</constant> in winbindd.</para>
<para>The value <constant>default</constant> refers to <constant>NT1</constant>.</para>
<para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
<smbconfoption name="client ipc max protocol"/> option.</para>
</description>
<related>server max protocol</related>
<related>client min protocol</related>
<related>client ipc min protocol</related>
<related>client ipc max protocol</related>
<value type="default">default</value>
<value type="example">LANMAN1</value>


@ -13,10 +13,16 @@
<para>See <related>client max protocol</related> for a full list
of available protocols.</para>
<para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
<smbconfoption name="client ipc min protocol"/> option.</para>
</description>
<related>client max protocol</related>
<related>server min protocol</related>
<related>client ipc min protocol</related>
<related>client ipc max protocol</related>
<value type="default">CORE</value>
<value type="example">NT1</value>
</samba:parameter>


@ -2614,6 +2614,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "server max protocol", "SMB3");
lpcfg_do_global_parameter(lp_ctx, "client min protocol", "CORE");
lpcfg_do_global_parameter(lp_ctx, "client max protocol", "default");
lpcfg_do_global_parameter(lp_ctx, "client ipc min protocol", "default");
lpcfg_do_global_parameter(lp_ctx, "client ipc max protocol", "default");
lpcfg_do_global_parameter(lp_ctx, "security", "AUTO");
lpcfg_do_global_parameter(lp_ctx, "EncryptPasswords", "True");
lpcfg_do_global_parameter(lp_ctx, "ReadRaw", "True");
@ -3319,6 +3321,30 @@ int lpcfg_client_max_protocol(struct loadparm_context *lp_ctx)
return client_max_protocol;
}
int lpcfg_client_ipc_min_protocol(struct loadparm_context *lp_ctx)
{
int client_ipc_min_protocol = lpcfg__client_ipc_min_protocol(lp_ctx);
if (client_ipc_min_protocol == PROTOCOL_DEFAULT) {
client_ipc_min_protocol = lpcfg_client_min_protocol(lp_ctx);
}
if (client_ipc_min_protocol < PROTOCOL_NT1) {
return PROTOCOL_NT1;
}
return client_ipc_min_protocol;
}
int lpcfg_client_ipc_max_protocol(struct loadparm_context *lp_ctx)
{
int client_ipc_max_protocol = lpcfg__client_ipc_max_protocol(lp_ctx);
if (client_ipc_max_protocol == PROTOCOL_DEFAULT) {
return PROTOCOL_LATEST;
}
if (client_ipc_max_protocol < PROTOCOL_NT1) {
return PROTOCOL_NT1;
}
return client_ipc_max_protocol;
}
bool lpcfg_server_signing_allowed(struct loadparm_context *lp_ctx, bool *mandatory)
{
bool allowed = true;
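Review bot: `lpcfg_client_ipc_min_protocol()` and `lpcfg_client_ipc_max_protocol()` are each clamped on their own, so nothing in the second hunk keeps the effective minimum at or below the effective maximum. Because a `default` minimum inherits `client min protocol`, a configuration such as `client min protocol = SMB2_10` with `client ipc max protocol = NT1` would return min > max; how callers react to that is not visible on this page. I would state the contract above the two helpers, e.g. `/* min and max are resolved independently; callers must cope with min > max */`, or reconcile the two values in one place. The later hunk that adds `lp_client_ipc_min_protocol()` / `lp_client_ipc_max_protocol()` has the same property.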


@ -904,6 +904,8 @@ const char *lp_idmap_default_backend (void);
int lp_security(void);
int lp_client_max_protocol(void);
int lp_winbindd_max_protocol(void);
int lp_client_ipc_min_protocol(void);
int lp_client_ipc_max_protocol(void);
int lp_smb2_max_credits(void);
int lp_cups_encrypt(void);
bool lp_widelinks(int );


@ -639,6 +639,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.server_min_protocol = PROTOCOL_LANMAN1;
Globals._client_max_protocol = PROTOCOL_DEFAULT;
Globals.client_min_protocol = PROTOCOL_CORE;
Globals._client_ipc_max_protocol = PROTOCOL_DEFAULT;
Globals._client_ipc_min_protocol = PROTOCOL_DEFAULT;
Globals._security = SEC_AUTO;
Globals.encrypt_passwords = true;
Globals.client_schannel = Auto;
@ -4445,6 +4447,30 @@ int lp_winbindd_max_protocol(void)
return client_max_protocol;
}
int lp_client_ipc_min_protocol(void)
{
int client_ipc_min_protocol = lp__client_ipc_min_protocol();
if (client_ipc_min_protocol == PROTOCOL_DEFAULT) {
client_ipc_min_protocol = lp_client_min_protocol();
}
if (client_ipc_min_protocol < PROTOCOL_NT1) {
return PROTOCOL_NT1;
}
return client_ipc_min_protocol;
}
int lp_client_ipc_max_protocol(void)
{
int client_ipc_max_protocol = lp__client_ipc_max_protocol();
if (client_ipc_max_protocol == PROTOCOL_DEFAULT) {
return PROTOCOL_LATEST;
}
if (client_ipc_max_protocol < PROTOCOL_NT1) {
return PROTOCOL_NT1;
}
return client_ipc_max_protocol;
}
struct loadparm_global * get_globals(void)
{
return &Globals;
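Review bot: The `PROTOCOL_NT1` floor in `lp_client_ipc_min_protocol()` and `lp_client_ipc_max_protocol()` carries no comment, and a lower configured value is raised without any log message. The documentation added in this commit says CORE, COREPLUS, LANMAN1 and LANMAN2 are silently upgraded to NT1, so the code should say so where it happens, e.g. `/* IPC$ as DCERPC transport: values below NT1 are raised to NT1 */`. That comment should also note that the `default` minimum still resolves to NT1 unless `client min protocol` is higher, so these two options alone do not exclude SMB1 for IPC$; whatever else the CVE-2016-2115 series changes is not visible here. The trailing context (`get_globals`) continues outside the hunk.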