mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

lib:param: Add 'client protection' config option

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider 2020-08-20 10:18:08 +02:00 committed by Andrew Bartlett
parent 5a751ea55e
commit 4c4353705f
5 changed files with 72 additions and 0 deletions


@ -61,6 +61,13 @@ enum credentials_use_kerberos {
CRED_USE_KERBEROS_REQUIRED,
};
enum credentials_client_protection {
CRED_CLIENT_PROTECTION_DEFAULT = -1,
CRED_CLIENT_PROTECTION_PLAIN = 0,
CRED_CLIENT_PROTECTION_SIGN,
CRED_CLIENT_PROTECTION_ENCRYPT,
};
enum credentials_krb_forwardable {
CRED_AUTO_KRB_FORWARDABLE = 0, /* Default, follow library defaults */
CRED_NO_KRB_FORWARDABLE, /* not forwardable */
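Review bot: `CRED_CLIENT_PROTECTION_DEFAULT = -1` sorts below `CRED_CLIENT_PROTECTION_PLAIN`, so a later caller that compares levels with `<` or `>=` would treat an unresolved DEFAULT as weaker than plaintext unless it maps DEFAULT to a concrete level first. The new enum also has no per-value comments, unlike `credentials_krb_forwardable` directly below it. I would document the contract on the values, e.g. `CRED_CLIENT_PROTECTION_DEFAULT = -1, /* defer to 'client signing' / 'client smb encrypt' */`, and add a line above the enum saying PLAIN < SIGN < ENCRYPT is a strength order that holds only after DEFAULT has been resolved. No consumer of the enum is visible in this commit, so this is about what later callers may assume.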


@ -0,0 +1,51 @@
<samba:parameter name="client protection"
context="G"
type="enum"
enumlist="enum_client_protection_vals"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
This parameter defines which protection Samba client
tools should use by default.
</para>
<para>Possible client settings are:</para>
<itemizedlist>
<listitem>
<para>
<emphasis>default</emphasis> - Use the individual
default values of the options:
<itemizedlist>
<listitem><para><parameter>client signing</parameter></para></listitem>
<listitem><para><parameter>client smb encrypt</parameter></para></listitem>
</itemizedlist>
</para>
</listitem>
<listitem>
<para>
<emphasis>plain</emphasis> - This will send
everything just as plaintext, signing or
encryption are turned off.
</para>
</listitem>
<listitem>
<para>
<emphasis>sign</emphasis> - This will enable
integrity checking.
</para>
</listitem>
<listitem>
<para>
<emphasis>encrypt</emphasis> - This will enable
integrity checks and force encryption for
privacy.
</para>
</listitem>
</itemizedlist>
</description>
<value type="default">default</value>
</samba:parameter>
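Review bot: The description never states which setting wins when `client protection` is non-default and `client signing` or `client smb encrypt` is also set; the `default` item only covers the case where the individual options apply. Because `plain` turns off both signing and encryption, an administrator needs to know whether it overrides a stricter per-option value, so the precedence should be spelled out in the first `<para>`. The `plain` item would also benefit from saying what is lost, e.g. `Without signing, traffic can be read and modified in transit without detection.` Wording nit in the same item: "signing or encryption are turned off" reads better as "signing and encryption are turned off".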


@ -2952,6 +2952,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
"client use kerberos",
"desired");
lpcfg_do_global_parameter(lp_ctx,
"client protection",
"default");
for (i = 0; parm_table[i].label; i++) {
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
lp_ctx->flags[i] |= FLAG_DEFAULT;


@ -173,6 +173,14 @@ static const struct enum_list enum_use_kerberos_vals[] = {
{-1, NULL}
};
static const struct enum_list enum_client_protection_vals[] = {
{CRED_CLIENT_PROTECTION_DEFAULT, "default"},
{CRED_CLIENT_PROTECTION_PLAIN, "plain"},
{CRED_CLIENT_PROTECTION_SIGN, "sign"},
{CRED_CLIENT_PROTECTION_ENCRYPT, "encrypt"},
{-1, NULL}
};
static const struct enum_list enum_mdns_name_values[] = {
{MDNS_NAME_NETBIOS, "netbios"},
{MDNS_NAME_MDNS, "mdns"},
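Review bot: The first entry of `enum_client_protection_vals` has the value -1 (`CRED_CLIENT_PROTECTION_DEFAULT`, per the enum added in this commit), which is the same value as the `{-1, NULL}` terminator. That is only safe if every walker of an `enum_list` stops on `name == NULL` and not on `value == -1`; the lookup code is outside this hunk, so I cannot confirm it from here. If a walker did stop on the value, "default" would never match and the setting could be rejected or silently left at whatever was stored before. A one-line comment above the table would record the dependency: `/* DEFAULT shares the value -1 with the terminator; list walkers must stop on a NULL name */`.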


@ -959,6 +959,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals._client_use_kerberos = CRED_USE_KERBEROS_DESIRED;
Globals.client_protection = CRED_CLIENT_PROTECTION_DEFAULT;
/* Now put back the settings that were set with lp_set_cmdline() */
apply_lp_set_cmdline();
}