The Samba-Bugzilla – Attachment 15462 Details for
Bug 14117
Deprecate "lanman auth = yes" and "encrypt passwords = no"
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch cherry-picked from master with WHATSNEW.txt
deprecate-lanman-auth-and-plaintext.patch (text/plain), 5.32 KB, created by
Andrew Bartlett
on 2019-09-05 04:24:56 UTC
(
hide
)
Description:
patch cherry-picked from master with WHATSNEW.txt
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2019-09-05 04:24:56 UTC
Size:
5.32 KB
patch
obsolete
>From 50337ec4471e500c463232eddcca3de94945982b Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Thu, 5 Sep 2019 11:23:22 +1200 >Subject: [PATCH 1/3] docs: Deprecate "lanman auth = yes" > >This feature is only available for SMB1 and we need to warn users that this >is going away soon, and allow the removal in a future release under our rules >for parameter deprecation. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14117 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Garming Sam <garming@catalyst.net.nz> > >Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> >Autobuild-Date(master): Thu Sep 5 04:04:18 UTC 2019 on sn-devel-184 > >(cherry picked from commit 1006f7abe8980d2c01c181db93225353ce494b3a) >--- > docs-xml/smbdotconf/security/lanmanauth.xml | 9 +++++++++ > 1 file changed, 9 insertions(+) > >diff --git a/docs-xml/smbdotconf/security/lanmanauth.xml b/docs-xml/smbdotconf/security/lanmanauth.xml >index 97f2fb04dcb..e5e63e43076 100644 >--- a/docs-xml/smbdotconf/security/lanmanauth.xml >+++ b/docs-xml/smbdotconf/security/lanmanauth.xml >@@ -2,8 +2,17 @@ > context="G" > type="boolean" > function="_lanman_auth" >+ deprecated="1" > xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> > <description> >+ <para>This parameter has been deprecated since Samba 4.11 and >+ support for LanMan (as distinct from NTLM, NTLMv2 or >+ Kerberos authentication) >+ will be removed in a future Samba release.</para> >+ <para>That is, in the future, the current default of >+ <command>lanman auth = no</command> >+ will be the enforced behaviour.</para> >+ > <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle> > <manvolnum>8</manvolnum></citerefentry> will attempt to > authenticate users or permit password changes >-- >2.11.0 > > >From df663727802a1c6d23e5c1910e1576c25a3eb533 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Thu, 5 Sep 2019 11:19:10 +1200 >Subject: [PATCH 2/3] docs: Deprecate "encrypt passwords = no" > >This feature is only available for SMB1 and we need to warn users that this >is going away soon, and allow the removal in a future release under our rules >for parameter deprecation. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14117 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Garming Sam <garming@catalyst.net.nz> >(cherry picked from commit 8d0d99a4d78ba408bb45e2d693049025e60e277a) >--- > docs-xml/smbdotconf/security/encryptpasswords.xml | 8 ++++++++ > 1 file changed, 8 insertions(+) > >diff --git a/docs-xml/smbdotconf/security/encryptpasswords.xml b/docs-xml/smbdotconf/security/encryptpasswords.xml >index 4bd97809d86..4fdfa898501 100644 >--- a/docs-xml/smbdotconf/security/encryptpasswords.xml >+++ b/docs-xml/smbdotconf/security/encryptpasswords.xml >@@ -1,8 +1,16 @@ > <samba:parameter name="encrypt passwords" > context="G" > type="boolean" >+ deprecated="1" > xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> > <description> >+ <para>This parameter has been deprecated since Samba 4.11 and >+ support for plaintext (as distinct from NTLM, NTLMv2 >+ or Kerberos authentication) >+ will be removed in a future Samba release.</para> >+ <para>That is, in the future, the current default of >+ <command>encrypt passwords = yes</command> >+ will be the enforced behaviour.</para> > <para>This boolean controls whether encrypted passwords > will be negotiated with the client. Note that Windows NT 4.0 SP3 and > above and also Windows 98 will by default expect encrypted passwords >-- >2.11.0 > > >From ebc26c2cd59b24f14074223a3f54a96c2b84a279 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Thu, 5 Sep 2019 16:12:10 +1200 >Subject: [PATCH 3/3] WHATSNEW: Add entry for deprecation of "lanman auth" and > "encrypt passwords = no" > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14117 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >--- > WHATSNEW.txt | 14 ++++++++++++++ > 1 file changed, 14 insertions(+) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index eece43fcd9e..904db5fefc3 100644 >--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt >@@ -68,6 +68,18 @@ in the following years. If you have a strong requirement for SMB1 > (except for supporting old Linux Kernels), please file a bug > at https://bugzilla.samba.org and let us know about the details. > >+LanMan and plaintext authentication deprecated >+---------------------------------------------- >+ >+The "lanman auth" and "encrypt passwords" parameters are deprecated >+with this release as both are only applicable to SMB1 and are quite >+insecure. NTLM, NTLMv2 and Kerberos authentication are unaffected, as >+"encrypt passwords = yes" has been the default since Samba 3.0.0. >+ >+If you have a strong requirement for these authentication protocols, >+please file a bug at https://bugzilla.samba.org and let us know about >+the details. >+ > BIND9_FLATFILE deprecated > ------------------------- > >@@ -357,6 +369,8 @@ smb.conf changes > fruit:zero_file_id Changed default False > debug encryption New: dump encryption keys False > rndc command Deprecated >+ lanman auth Deprecated >+ encrypt passwords Deprecated > > > CHANGES SINCE 4.11.0rc2 >-- >2.11.0 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
abartlet
:
review?
(
garming
)
metze
:
review+
Actions:
View
Attachments on
bug 14117
: 15462