Attachment 15462 Details for Bug 14117 – patch cherry-picked from master with WHATSNEW.txt

[patch] patch cherry-picked from master with WHATSNEW.txt

deprecate-lanman-auth-and-plaintext.patch (text/plain), 5.32 KB, created by Andrew Bartlett on 2019-09-05 04:24:56 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Andrew Bartlett

Created: 2019-09-05 04:24:56 UTC

Size: 5.32 KB

patch

obsolete

>From 50337ec4471e500c463232eddcca3de94945982b Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Thu, 5 Sep 2019 11:23:22 +1200
>Subject: [PATCH 1/3] docs: Deprecate "lanman auth = yes"
>
>This feature is only available for SMB1 and we need to warn users that this
>is going away soon, and allow the removal in a future release under our rules
>for parameter deprecation.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14117
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Garming Sam <garming@catalyst.net.nz>
>
>Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
>Autobuild-Date(master): Thu Sep  5 04:04:18 UTC 2019 on sn-devel-184
>
>(cherry picked from commit 1006f7abe8980d2c01c181db93225353ce494b3a)
>---
> docs-xml/smbdotconf/security/lanmanauth.xml | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
>diff --git a/docs-xml/smbdotconf/security/lanmanauth.xml b/docs-xml/smbdotconf/security/lanmanauth.xml
>index 97f2fb04dcb..e5e63e43076 100644
>--- a/docs-xml/smbdotconf/security/lanmanauth.xml
>+++ b/docs-xml/smbdotconf/security/lanmanauth.xml
>@@ -2,8 +2,17 @@
>                  context="G"
>                  type="boolean"
> 		 function="_lanman_auth"
>+                 deprecated="1"
>                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> <description>
>+    <para>This parameter has been deprecated since Samba 4.11 and
>+    support for LanMan (as distinct from NTLM, NTLMv2 or
>+    Kerberos authentication)
>+    will be removed in a future Samba release.</para>
>+    <para>That is, in the future, the current default of
>+    <command>lanman auth = no</command>
>+    will be the enforced behaviour.</para>
>+
>     <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
>     <manvolnum>8</manvolnum></citerefentry> will attempt to
>     authenticate users or permit password changes
>-- 
>2.11.0
>
>
>From df663727802a1c6d23e5c1910e1576c25a3eb533 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Thu, 5 Sep 2019 11:19:10 +1200
>Subject: [PATCH 2/3] docs: Deprecate "encrypt passwords = no"
>
>This feature is only available for SMB1 and we need to warn users that this
>is going away soon, and allow the removal in a future release under our rules
>for parameter deprecation.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14117
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Garming Sam <garming@catalyst.net.nz>
>(cherry picked from commit 8d0d99a4d78ba408bb45e2d693049025e60e277a)
>---
> docs-xml/smbdotconf/security/encryptpasswords.xml | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
>diff --git a/docs-xml/smbdotconf/security/encryptpasswords.xml b/docs-xml/smbdotconf/security/encryptpasswords.xml
>index 4bd97809d86..4fdfa898501 100644
>--- a/docs-xml/smbdotconf/security/encryptpasswords.xml
>+++ b/docs-xml/smbdotconf/security/encryptpasswords.xml
>@@ -1,8 +1,16 @@
> <samba:parameter name="encrypt passwords"
>                  context="G"
>                  type="boolean"
>+                 deprecated="1"
>                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> <description>
>+    <para>This parameter has been deprecated since Samba 4.11 and
>+    support for plaintext (as distinct from NTLM, NTLMv2
>+    or Kerberos authentication)
>+    will be removed in a future Samba release.</para>
>+    <para>That is, in the future, the current default of
>+    <command>encrypt passwords = yes</command>
>+    will be the enforced behaviour.</para>
>     <para>This boolean controls whether encrypted passwords 
>     will be negotiated with the client. Note that Windows NT 4.0 SP3 and 
>     above and also Windows 98 will by default expect encrypted passwords 
>-- 
>2.11.0
>
>
>From ebc26c2cd59b24f14074223a3f54a96c2b84a279 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Thu, 5 Sep 2019 16:12:10 +1200
>Subject: [PATCH 3/3] WHATSNEW: Add entry for deprecation of "lanman auth" and
> "encrypt passwords = no"
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14117
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>---
> WHATSNEW.txt | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
>diff --git a/WHATSNEW.txt b/WHATSNEW.txt
>index eece43fcd9e..904db5fefc3 100644
>--- a/WHATSNEW.txt
>+++ b/WHATSNEW.txt
>@@ -68,6 +68,18 @@ in the following years. If you have a strong requirement for SMB1
> (except for supporting old Linux Kernels), please file a bug
> at https://bugzilla.samba.org and let us know about the details.
> 
>+LanMan and plaintext authentication deprecated
>+----------------------------------------------
>+
>+The "lanman auth" and "encrypt passwords" parameters are deprecated
>+with this release as both are only applicable to SMB1 and are quite
>+insecure.  NTLM, NTLMv2 and Kerberos authentication are unaffected, as
>+"encrypt passwords = yes" has been the default since Samba 3.0.0.
>+
>+If you have a strong requirement for these authentication protocols,
>+please file a bug at https://bugzilla.samba.org and let us know about
>+the details.
>+
> BIND9_FLATFILE deprecated
> -------------------------
> 
>@@ -357,6 +369,8 @@ smb.conf changes
>   fruit:zero_file_id                 Changed default            False
>   debug encryption                   New: dump encryption keys  False
>   rndc command                       Deprecated
>+  lanman auth                        Deprecated
>+  encrypt passwords                  Deprecated
> 
> 
> CHANGES SINCE 4.11.0rc2
>-- 
>2.11.0
>

Flags:

abartlet: review? (garming)
metze: review+

Actions: View

Attachments on bug 14117: 15462