lib/param: add "reject md5 servers" option, defaulting to false

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
new file mode 100644 (file)
index 0000000..18f8bcb
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="reject md5 servers"
+                 context="G"
+                 type="boolean"
+                 advanced="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+       <para>This option controls whether winbindd requires support
+       for aes support for the netlogon secure channel.</para>
+
+       <para>The following flags will be required NETLOGON_NEG_ARCFOUR,
+       NETLOGON_NEG_SUPPORTS_AES, NETLOGON_NEG_PASSWORD_SET2 and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
+
+       <para>You can set this to yes if all domain controllers support aes.
+       This will prevent downgrade attacks.</para>
+
+       <para>The behavior can be controlled per netbios domain
+       by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para>
+
+       <para>This option takes precedence to the <smbconfoption name="require strong key"/> option.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>

diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
index 2cb3300075d097c68223d709fb3310103e9f7591..5b55c7dd428b6bc036bf34d38bccc7d00e2b81fc 100644 (file)
--- a/lib/param/param_functions.c
+++ b/lib/param/param_functions.c
@@ -204,6 +204,7 @@ FN_GLOBAL_BOOL(pam_password_change, bPamPasswordChange)
 FN_GLOBAL_BOOL(passdb_expand_explicit, bPassdbExpandExplicit)
 FN_GLOBAL_BOOL(passwd_chat_debug, bPasswdChatDebug)
 FN_GLOBAL_BOOL(registry_shares, bRegistryShares)
+FN_GLOBAL_BOOL(reject_md5_servers, bRejectMD5Servers)
 FN_GLOBAL_BOOL(reset_on_zero_vc, bResetOnZeroVC)
 FN_GLOBAL_BOOL(rpc_big_endian, bRpcBigEndian)
 FN_GLOBAL_BOOL(stat_cache, bStatCache)

diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 282d804e8a22601efa1beaf7d7e707ee743ada45..0a07147db0edab912aa93cf31d9fed70bfef5ea7 100644 (file)
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -4189,6 +4189,15 @@ static struct parm_struct parm_table[] = {
                .enum_list      = NULL,
                .flags          = FLAG_ADVANCED,
        },
+       {
+               .label          = "reject md5 servers",
+               .type           = P_BOOL,
+               .p_class        = P_GLOBAL,
+               .offset         = GLOBAL_VAR(bRejectMD5Servers),
+               .special        = NULL,
+               .enum_list      = NULL,
+               .flags          = FLAG_ADVANCED,
+       },
 
        {N_("DNS options"), P_SEP, P_SEPARATOR},
        {