This allows SMB signing to work against many more DCs, and so improves network security.
The default for "client max protocol" remains NT1 in the rest of the code.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
context="G"
type="enum"
developer="1"
+ function="_client_max_protocol"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>The value of the parameter (a string) is the highest
<para>Normally this option should not be set as the automatic
negotiation phase in the SMB protocol takes care of choosing
the appropriate protocol.</para>
+
+ <para>The value <constant>default</constant> refers to the default protocol in each
+ part of the code, currently <constant>NT1</constant> in the client tools and
+ <constant>SMB3_02</constant> in winbindd.</para>
</description>
<related>server max protocol</related>
-<related>client mn protocol</related>
+<related>client min protocol</related>
-<value type="default">NT1</value>
+<value type="default">default</value>
<value type="example">LANMAN1</value>
</samba:parameter>
lpcfg_do_global_parameter(lp_ctx, "server min protocol", "LANMAN1");
lpcfg_do_global_parameter(lp_ctx, "server max protocol", "SMB3");
lpcfg_do_global_parameter(lp_ctx, "client min protocol", "CORE");
- lpcfg_do_global_parameter(lp_ctx, "client max protocol", "NT1");
+ lpcfg_do_global_parameter(lp_ctx, "client max protocol", "default");
lpcfg_do_global_parameter(lp_ctx, "security", "AUTO");
lpcfg_do_global_parameter(lp_ctx, "EncryptPasswords", "True");
lpcfg_do_global_parameter(lp_ctx, "ReadRaw", "True");
lpcfg__security(lp_ctx));
}
+int lpcfg_client_max_protocol(struct loadparm_context *lp_ctx)
+{
+ int client_max_protocol = lpcfg__client_max_protocol(lp_ctx);
+ if (client_max_protocol == PROTOCOL_DEFAULT) {
+ return PROTOCOL_NT1;
+ }
+ return client_max_protocol;
+}
+
bool lpcfg_server_signing_allowed(struct loadparm_context *lp_ctx, bool *mandatory)
{
bool allowed = true;
#endif
static const struct enum_list enum_protocol[] = {
+ {PROTOCOL_DEFAULT, "default"}, /* the caller decides what this means */
{PROTOCOL_SMB2_10, "SMB2"}, /* for now keep PROTOCOL_SMB2_10 */
{PROTOCOL_SMB3_00, "SMB3"}, /* for now keep PROTOCOL_SMB3_00 */
{PROTOCOL_SMB3_10, "SMB3_10"},
.label = "client max protocol",
.type = P_ENUM,
.p_class = P_GLOBAL,
- .offset = GLOBAL_VAR(client_max_protocol),
+ .offset = GLOBAL_VAR(_client_max_protocol),
.special = NULL,
.enum_list = enum_protocol,
.flags = FLAG_ADVANCED,
/* protocol types. It assumes that higher protocols include lower protocols
as subsets. */
enum protocol_types {
- PROTOCOL_NONE,
+ PROTOCOL_DEFAULT=-1,
+ PROTOCOL_NONE=0,
PROTOCOL_CORE,
PROTOCOL_COREPLUS,
PROTOCOL_LANMAN1,
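Review bot: The new enumerator `PROTOCOL_DEFAULT=-1` sits in an enum whose header comment (two lines above it) promises that higher values are supersets of lower ones, and -1 does not fit that ordering: it compares below PROTOCOL_NONE, so any raw `_client_max_protocol` value that reaches a `>=`/`<=` check before being resolved would behave like "no protocol at all". The enumerator should say so, e.g. `PROTOCOL_DEFAULT=-1, /* placeholder only, never a negotiable level: resolve via lp_client_max_protocol()/lp_winbindd_max_protocol() before comparing */`. It would also help to extend the comment above the enum with one sentence noting that the subset assumption holds only for values >= PROTOCOL_NONE.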
const char *lp_idmap_backend(const char *domain_name);
const char *lp_idmap_default_backend (void);
int lp_security(void);
+int lp_client_max_protocol(void);
+int lp_winbindd_max_protocol(void);
int lp_smb2_max_credits(void);
int lp_cups_encrypt(void);
bool lp_widelinks(int );
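Review bot: The two new prototypes are declared without any hint of how they differ, yet they resolve the same setting to different levels, which is exactly the kind of thing a caller picks wrong; a comment such as `/* "client max protocol" with "default" resolved: NT1 for client tools, PROTOCOL_LATEST for winbindd. Use these, not lp__client_max_protocol(), which may return PROTOCOL_DEFAULT. */` above `int lp_client_max_protocol(void);` would document the contract. Note also that the man-page text in the docs hunk states the winbindd default is SMB3_02, while the winbindd accessor in the loadparm.c hunk returns PROTOCOL_LATEST, so the documented value will drift as soon as PROTOCOL_LATEST is raised; either the text should say "the latest supported protocol" or the accessor should pin the level it documents.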
Globals.max_open_files = max_open_files();
Globals.server_max_protocol = PROTOCOL_SMB3_00;
Globals.server_min_protocol = PROTOCOL_LANMAN1;
- Globals.client_max_protocol = PROTOCOL_NT1;
+ Globals._client_max_protocol = PROTOCOL_DEFAULT;
Globals.client_min_protocol = PROTOCOL_CORE;
Globals._security = SEC_AUTO;
Globals.encrypt_passwords = true;
lp__security());
}
+int lp_client_max_protocol(void)
+{
+ int client_max_protocol = lp__client_max_protocol();
+ if (client_max_protocol == PROTOCOL_DEFAULT) {
+ return PROTOCOL_NT1;
+ }
+ return client_max_protocol;
+}
+
+int lp_winbindd_max_protocol(void)
+{
+ int client_max_protocol = lp__client_max_protocol();
+ if (client_max_protocol == PROTOCOL_DEFAULT) {
+ return PROTOCOL_LATEST;
+ }
+ return client_max_protocol;
+}
+
struct loadparm_global * get_globals(void)
{
return &Globals;
result = smbXcli_negprot((*cli)->conn, (*cli)->timeout,
lp_client_min_protocol(),
- lp_client_max_protocol());
+ lp_winbindd_max_protocol());
if (!NT_STATUS_IS_OK(result)) {
DEBUG(1, ("cli_negprot failed: %s\n", nt_errstr(result)));