lib/param: add "require strong key" option, defaulting to true
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
parent
de4f8f0825
commit
6630c68cce
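--- a/docs-xml/smbdotconf/winbind/requirestrongkey.xml
+++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
@@ -0,0 +1,27 @@
+<samba:parameter name="require strong key"
+context="G"
+type="boolean"
+advanced="1"
+xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+<para>This option controls whether winbindd requires support
+for md5 strong key support for the netlogon secure channel.</para>
+
+<para>The following flags will be required NETLOGON_NEG_STRONG_KEYS,
+NETLOGON_NEG_ARCFOUR and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
+
+<para>You can set this to no if some domain controllers only support des.
+This might allows weak crypto to be negotiated, may via downgrade attacks.</para>
+
+<para>The behavior can be controlled per netbios domain
+by using 'require strong key:NETBIOSDOMAIN = no' as option.</para>
+
+<para>Note for active directory domain this option is hardcoded to 'yes'</para>
+
+<para>This option yields precedence to the <smbconfoption name="reject md5 servers"/> option.</para>
+
+<para>This option takes precedence to the <smbconfoption name="client schannel"/> option.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>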
@ -2184,6 +2184,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
|
||||
|
||||
lpcfg_do_global_parameter(lp_ctx, "winbind separator", "\\");
|
||||
lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
|
||||
lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
|
||||
lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
|
||||
lpcfg_do_global_parameter(lp_ctx, "winbindd privileged socket directory", dyn_WINBINDD_PRIVILEGED_SOCKET_DIR);
|
||||
lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
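Review bot: The secure default for "require strong key" is established only by the added `lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");` call in loadparm_init, so any code path that populates its globals without going through this function would presumably see the flag unset, which reads as "no". If such a second initialiser exists (none is visible on this page), it needs the same default, otherwise the DES-capable negotiation the documentation warns about becomes the effective setting there. A short comment above the call, e.g. `/* security default: refuse netlogon secure channels without strong keys */`, would also signal that this line must not be relaxed casually. loadparm_init starts and ends outside the hunk.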
|
||||
|
@ -205,6 +205,7 @@ FN_GLOBAL_BOOL(passdb_expand_explicit, bPassdbExpandExplicit)
|
||||
FN_GLOBAL_BOOL(passwd_chat_debug, bPasswdChatDebug)
|
||||
FN_GLOBAL_BOOL(registry_shares, bRegistryShares)
|
||||
FN_GLOBAL_BOOL(reject_md5_servers, bRejectMD5Servers)
|
||||
FN_GLOBAL_BOOL(require_strong_key, bRequireStrongKey)
|
||||
FN_GLOBAL_BOOL(reset_on_zero_vc, bResetOnZeroVC)
|
||||
FN_GLOBAL_BOOL(rpc_big_endian, bRpcBigEndian)
|
||||
FN_GLOBAL_BOOL(stat_cache, bStatCache)
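Review bot: The accessor generated by `FN_GLOBAL_BOOL(require_strong_key, bRequireStrongKey)` exposes only the global value, while the documentation added in this commit describes further rules: a per-domain override ('require strong key:NETBIOSDOMAIN'), a forced 'yes' for Active Directory domains, yielding to "reject md5 servers", and taking precedence over "client schannel". None of that resolution appears in the visible hunks, so presumably it arrives with the winbindd consumer. It would be safer to compute the effective value in one helper rather than at each call site, so that no caller can skip the AD hard-coding or the precedence order. I would add a comment next to this line such as `/* global default only; per-domain and AD rules are applied by the caller */`.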
|
||||
|
@ -4198,6 +4198,15 @@ static struct parm_struct parm_table[] = {
|
||||
.enum_list = NULL,
|
||||
.flags = FLAG_ADVANCED,
|
||||
},
|
||||
{
|
||||
.label = "require strong key",
|
||||
.type = P_BOOL,
|
||||
.p_class = P_GLOBAL,
|
||||
.offset = GLOBAL_VAR(bRequireStrongKey),
|
||||
.special = NULL,
|
||||
.enum_list = NULL,
|
||||
.flags = FLAG_ADVANCED,
|
||||
},
|
||||
|
||||
{N_("DNS options"), P_SEP, P_SEPARATOR},
|
||||
{
|
||||
|