1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

lib/param: add "require strong key" option, defaulting to true

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Stefan Metzmacher 2013-10-17 18:39:56 +02:00
parent de4f8f0825
commit 6630c68cce
4 changed files with 38 additions and 0 deletions

View File

@ -0,0 +1,27 @@
<samba:parameter name="require strong key"
context="G"
type="boolean"
advanced="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This option controls whether winbindd requires support
for md5 strong key support for the netlogon secure channel.</para>
<para>The following flags will be required NETLOGON_NEG_STRONG_KEYS,
NETLOGON_NEG_ARCFOUR and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
<para>You can set this to no if some domain controllers only support des.
This might allows weak crypto to be negotiated, may via downgrade attacks.</para>
<para>The behavior can be controlled per netbios domain
by using 'require strong key:NETBIOSDOMAIN = no' as option.</para>
<para>Note for active directory domain this option is hardcoded to 'yes'</para>
<para>This option yields precedence to the <smbconfoption name="reject md5 servers"/> option.</para>
<para>This option takes precedence to the <smbconfoption name="client schannel"/> option.</para>
</description>
<value type="default">yes</value>
</samba:parameter>

View File

@ -2184,6 +2184,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "winbind separator", "\\");
lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
lpcfg_do_global_parameter(lp_ctx, "winbindd privileged socket directory", dyn_WINBINDD_PRIVILEGED_SOCKET_DIR);
lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);

View File

@ -205,6 +205,7 @@ FN_GLOBAL_BOOL(passdb_expand_explicit, bPassdbExpandExplicit)
FN_GLOBAL_BOOL(passwd_chat_debug, bPasswdChatDebug)
FN_GLOBAL_BOOL(registry_shares, bRegistryShares)
FN_GLOBAL_BOOL(reject_md5_servers, bRejectMD5Servers)
FN_GLOBAL_BOOL(require_strong_key, bRequireStrongKey)
FN_GLOBAL_BOOL(reset_on_zero_vc, bResetOnZeroVC)
FN_GLOBAL_BOOL(rpc_big_endian, bRpcBigEndian)
FN_GLOBAL_BOOL(stat_cache, bStatCache)

View File

@ -4198,6 +4198,15 @@ static struct parm_struct parm_table[] = {
.enum_list = NULL,
.flags = FLAG_ADVANCED,
},
{
.label = "require strong key",
.type = P_BOOL,
.p_class = P_GLOBAL,
.offset = GLOBAL_VAR(bRequireStrongKey),
.special = NULL,
.enum_list = NULL,
.flags = FLAG_ADVANCED,
},
{N_("DNS options"), P_SEP, P_SEPARATOR},
{