mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
samba-mirror/docs-xml/smbdotconf/security
Andrew Bartlett d2a473a7b7 dsdb: Allow password history and password changes without an NT hash
We now allow this to be via the ENCTYPE_AES256_CTS_HMAC_SHA1_96 hash instead
which allows us to decouple Samba from the unsalted NT hash for
organisations that are willing to take this step (for user accounts).

(History checking is limited to the last three passwords only, as
ntPwdHistory is limited to NT hash values, and the PrimaryKerberosCtr4
package only stores three sets of keys.)

Since we don't store a salt per-key, but only a single salt, the check
will fail for a previous password if the account was renamed prior to a
newer password being set.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-06-26 22:10:29 +00:00
accessbasedshareenum.xml docs:smbdotconf: make formatting of headers uniform. 2015-07-31 01:55:29 +02:00
aclflaginheritedcanonicalization.xml loadparam: add option "acl flag inherited canonicalization" 2021-05-27 19:51:57 +00:00
aclgroupcontrol.xml manpage: corrected small typo error 2015-11-02 14:43:15 +01:00
adminusers.xml docs:smbdotconf: change type to cmdlist where needed. 2015-07-31 01:55:32 +02:00
algorithmicridbase.xml docs:smbdotconf: make formatting of headers uniform. 2015-07-31 01:55:29 +02:00
allowdcerpcauthlevelconnect.xml CVE-2016-2118: docs-xml: default "allow dcerpc auth level connect" to "no" 2016-04-12 19:25:28 +02:00
allowtrusteddomains.xml docs:smbdotconf: make formatting of headers uniform. 2015-07-31 01:55:29 +02:00
binddnsdir.xml docs-xml: remove explicit "constant" 2019-11-27 10:25:37 +00:00
checkpasswordscript.xml smbdotconf: mark "check password script" with substitution="1" 2019-11-27 10:25:34 +00:00
clientipcsigning.xml docs-xml: Use 'desired' and 'required' for option 'client ipc signing' 2021-04-28 03:43:34 +00:00
clientlanmanauth.xml docs: deprecate "client lanman auth" 2020-08-18 00:10:40 +00:00
clientntlmv2auth.xml docs: deprecate "client NTLMv2 auth" 2020-08-18 00:10:40 +00:00
clientplaintextauth.xml docs: deprecate "client plaintext auth" 2020-08-18 00:10:40 +00:00
clientprotection.xml lib:param: Add 'client protection' config option 2021-04-28 03:43:34 +00:00
clientschannel.xml docs-xml: deprecate "client schannel" and change the default to "yes" 2018-01-10 01:01:24 +01:00
clientsigning.xml docs-xml: Use 'desired' and 'required' for option 'client signing' 2021-04-28 03:43:34 +00:00
clientsmbencrypt.xml docs-xml: Add 'client smb encrypt' 2020-08-19 16:22:40 +00:00
clientsmbencryptionalgos.xml docs-xml: use upper case for "{client,server} smb3 {signing,encryption} algorithms" values 2021-09-08 16:37:07 +00:00
clientsmbsigningalgos.xml docs-xml: use upper case for "{client,server} smb3 {signing,encryption} algorithms" values 2021-09-08 16:37:07 +00:00
clientusekerberos.xml spelling: connnect encrytion exisit expection explicit invalide missmatch paramater paramter partion privilige relase reponse seperate unkown verson authencication progagated 2022-06-10 18:12:33 +00:00
clientusepsnegoprincipal.xml docs:smbdotconf: add deprecated flags where missing. 2015-07-31 01:55:31 +02:00
createmask.xml docs:smbdotconf: change type to octal where needed 2015-07-31 01:55:32 +02:00
debugencryption.xml docs-xml: add "debug encryption" global parm 2019-02-09 18:30:14 +01:00
dedicatedkeytabfile.xml docs-xml: remove explicit "constant" 2019-11-27 10:25:37 +00:00
directorymask.xml docs:smbdotconf: change type to octal where needed 2015-07-31 01:55:32 +02:00
directorysecuritymask.xml docs:smbdotconf: make formatting of headers uniform. 2015-07-31 01:55:29 +02:00
encryptpasswords.xml docs: Deprecate "encrypt passwords = no" 2019-09-05 02:45:28 +00:00
forcecreatemode.xml docs:smbdotconf: change type to octal where needed 2015-07-31 01:55:32 +02:00
forcedirectorymode.xml docs:smbdotconf: change type to octal where needed 2015-07-31 01:55:32 +02:00
forcedirectorysecuritymode.xml docs:smbdotconf: make formatting of headers uniform. 2015-07-31 01:55:29 +02:00
forcegroup.xml smbdotconf: mark "force group" with substitution="1" 2019-11-27 10:25:33 +00:00
forcesecuritymode.xml
forceunknownacluser.xml docs:smbdotconf: make formatting of headers uniform. 2015-07-31 01:55:29 +02:00
forceuser.xml smbdotconf: mark "force user" with substitution="1" 2019-11-27 10:25:33 +00:00
guestaccount.xml docs-xml: remove explicit "constant" 2019-11-27 10:25:37 +00:00
guestok.xml docs:smbdotconf: make formatting of headers uniform. 2015-07-31 01:55:29 +02:00
guestonly.xml docs:smbdotconf: make formatting of headers uniform. 2015-07-31 01:55:29 +02:00
hostsallow.xml Revert "docs-xml: Update documentation for removal of NIS support" 2022-06-09 21:45:28 +00:00
hostsdeny.xml docs:smbdotconf: change type to cmdlist where needed. 2015-07-31 01:55:32 +02:00
inheritacls.xml docs:smbdotconf: make formatting of headers uniform. 2015-07-31 01:55:29 +02:00
inheritowner.xml smbd: add an option to inherit only the UNIX owner 2016-08-10 08:18:17 +02:00
inheritpermissions.xml docs:smbdotconf: make formatting of headers uniform. 2015-07-31 01:55:29 +02:00
invalidusers.xml Revert "docs-xml: Update documentation for removal of NIS support" 2022-06-09 21:45:28 +00:00
kdcenablefast.xml docs-xml: add 'kdc enable fast' option 2022-03-11 17:10:29 +00:00
kerberosencryptiontypes.xml Correct "encyption" typos. 2017-02-22 08:26:23 +01:00
kerberosmethod.xml docs:smbdotconf: add enumlist property to parameters where missing 2015-07-31 01:55:29 +02:00
kpasswdport.xml docs:smbdotconf: make formatting of headers uniform. 2015-07-31 01:55:29 +02:00
krb5port.xml docs:smbdotconf: make formatting of headers uniform. 2015-07-31 01:55:29 +02:00
lanmanauth.xml s4-auth: Remove last traces of LanMan authentication support in the AD DC. 2022-03-29 03:32:57 +00:00
lognttokencommand.xml smbdotconf: mark "log nt token command" with substitution="1" 2019-11-27 10:25:35 +00:00
maptoguest.xml docs:smbdotconf: add enumlist property to parameters where missing 2015-07-31 01:55:29 +02:00
mindomainuid.xml CVE-2020-25717: loadparm: Add new parameter "min domain uid" 2021-11-09 19:45:32 +00:00
mitkdccommand.xml docs-xml: remove SWAT specific flags 2019-11-27 10:25:37 +00:00
nt_hash_store.xml dsdb: Allow password history and password changes without an NT hash 2022-06-26 22:10:29 +00:00
ntlmauth.xml dsdb: Allow password history and password changes without an NT hash 2022-06-26 22:10:29 +00:00
ntpsigndsocketdirectory.xml docs-xml: remove explicit "constant" 2019-11-27 10:25:37 +00:00
nullpasswords.xml docs:smbdotconf: add deprecated flags where missing. 2015-07-31 01:55:31 +02:00
obeypamrestrictions.xml docs:smbdotconf: make formatting of headers uniform. 2015-07-31 01:55:29 +02:00
oldpasswordallowedperiod.xml docs:smbdotconf: fix a typo in oldpasswordallowedperiod.xml 2020-12-17 13:59:37 +00:00
pampasswordchange.xml docs:smbdotconf: make formatting of headers uniform. 2015-07-31 01:55:29 +02:00
passdbbackend.xml docs-xml: remove explicit "constant" 2019-11-27 10:25:37 +00:00
passdbexpandexplicit.xml docs:smbdotconf: make formatting of headers uniform. 2015-07-31 01:55:29 +02:00
passwdchat.xml docs-xml: Update documentation for removal of NIS support 2021-04-22 17:57:30 +00:00
passwdchatdebug.xml docs:smbdotconf: make formatting of headers uniform. 2015-07-31 01:55:29 +02:00
passwdchattimeout.xml docs:smbdotconf: make formatting of headers uniform. 2015-07-31 01:55:29 +02:00
passwdprogram.xml smbdotconf: mark "passwd program" with substitution="1" 2019-11-27 10:25:35 +00:00
passwordhashgpgkeyids.xml docs-xml/smbdotconf: add "password hash gpg key ids" option 2016-07-22 16:03:27 +02:00
passwordhashuserpasswordschemes.xml docs: configuration options for extra password hashes 2017-05-25 02:25:12 +02:00
passwordserver.xml docs-xml: remove explicit "constant" 2019-11-27 10:25:37 +00:00
preloadmodules.xml docs:smbdotconf: change type to cmdlist where needed. 2015-07-31 01:55:32 +02:00
privatedir.xml docs-xml: remove explicit "constant" 2019-11-27 10:25:37 +00:00
rawntlmv2auth.xml docs: deprecate "raw NTLMv2 auth" 2020-08-18 00:10:40 +00:00
readlist.xml docs:smbdotconf: change type to cmdlist where needed. 2015-07-31 01:55:32 +02:00
readonly.xml docs:smbdotconf: 'write ok' is a synonym of 'writeable' not of 'read only' 2015-07-31 01:55:31 +02:00
renameuserscript.xml smbdotconf: mark "rename user script" with substitution="1" 2019-11-27 10:25:36 +00:00
restrictanonymous.xml docs-xml: Update documentation for 'restrict anonymous' option 2019-02-07 17:23:18 +01:00
rootdirectory.xml smbdotconf: mark "root directory" with substitution="1" 2019-11-27 10:25:36 +00:00
sambakcccommand.xml docs:smbdotconf: change type to cmdlist where needed. 2015-07-31 01:55:32 +02:00
security.xml remove duplicate lines from 'man smb.conf' 2016-09-21 17:18:46 +02:00
securitymask.xml
serverrole.xml CVE-2020-25717: Add FreeIPA domain controller role 2021-11-09 19:45:33 +00:00
serverschannel.xml spelling: connnect encrytion exisit expection explicit invalide missmatch paramater paramter partion privilige relase reponse seperate unkown verson authencication progagated 2022-06-10 18:12:33 +00:00
serversigning.xml CVE-2016-2114: docs-xml: let the "smb signing" documentation reflect the reality 2016-04-12 19:25:26 +02:00
serversmbencrypt.xml param: Create and use enum_smb_encryption_vals 2020-08-19 16:22:40 +00:00
serversmbencryptionalgos.xml docs-xml: use upper case for "{client,server} smb3 {signing,encryption} algorithms" values 2021-09-08 16:37:07 +00:00
serversmbsigningalgos.xml docs-xml: use upper case for "{client,server} smb3 {signing,encryption} algorithms" values 2021-09-08 16:37:07 +00:00
smbencrypt.xml param: Create and use enum_smb_encryption_vals 2020-08-19 16:22:40 +00:00
smbpasswdfile.xml docs-xml: remove explicit "constant" 2019-11-27 10:25:37 +00:00
tlscafile.xml docs-xml: remove explicit "constant" 2019-11-27 10:25:37 +00:00
tlscertfile.xml docs-xml: remove explicit "constant" 2019-11-27 10:25:37 +00:00
tlscrlfile.xml docs-xml: remove explicit "constant" 2019-11-27 10:25:37 +00:00
tlsdhparamsfile.xml docs-xml: remove explicit "constant" 2019-11-27 10:25:37 +00:00
tlsenabled.xml
tlskeyfile.xml docs-xml: remove explicit "constant" 2019-11-27 10:25:37 +00:00
tlspriority.xml tls: Use NORMAL:-VERS-SSL3.0 as the default configuration 2020-07-01 14:56:33 +00:00
tlsverifypeer.xml CVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible" 2016-04-12 19:25:25 +02:00
unixpasswordsync.xml docs-xml/smbdotconf: reference "unix password sync" with "password hash gpg key ids" 2016-07-22 16:03:27 +02:00
usernamelevel.xml docs:smbdotconf: make formatting of headers uniform. 2015-07-31 01:55:29 +02:00
usernamemap.xml Revert "docs-xml: Update documentation for removal of NIS support" 2022-06-09 21:45:28 +00:00
usernamemapcachetime.xml docs:smbdotconf: make formatting of headers uniform. 2015-07-31 01:55:29 +02:00
usernamemapscript.xml smb.conf.5: Fix a typo for "username map script" 2021-11-11 19:08:37 +00:00
validusers.xml Revert "docs-xml: Update documentation for removal of NIS support" 2022-06-09 21:45:28 +00:00
writeable.xml docs:smbdotconf: 'write ok' is a synonym of 'writeable' not of 'read only' 2015-07-31 01:55:31 +02:00
writelist.xml docs:smbdotconf: change type to cmdlist where needed. 2015-07-31 01:55:32 +02:00