|
 |
b6b438 |
From 499fd673befa6fed6bd0e542d9bb06cb49bd150e Mon Sep 17 00:00:00 2001
|
|
|
b6b438 |
From: Andreas Schneider <asn@samba.org>
|
|
|
b6b438 |
Date: Thu, 11 Apr 2019 11:40:11 +0200
|
|
|
b6b438 |
Subject: [PATCH 198/208] s3:param: Only allow SMB 3.0+ for DCERPC client
|
|
|
b6b438 |
connections over named pipes
|
|
|
b6b438 |
|
|
|
b6b438 |
We need an AES encrypted transport as some RPC services only encrypt
|
|
|
b6b438 |
secrets using RC4, e.g. password changes over SAMR.
|
|
|
b6b438 |
|
|
|
b6b438 |
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
|
b6b438 |
---
|
|
|
b6b438 |
source3/param/loadparm.c | 9 +++++++++
|
|
|
b6b438 |
1 file changed, 9 insertions(+)
|
|
|
b6b438 |
|
|
|
b6b438 |
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
|
|
|
b6b438 |
index b52e2bcb036..c1d02cf5bc6 100644
|
|
|
b6b438 |
--- a/source3/param/loadparm.c
|
|
|
b6b438 |
+++ b/source3/param/loadparm.c
|
|
|
b6b438 |
@@ -4614,6 +4614,15 @@ int lp_client_max_protocol(void)
|
|
|
b6b438 |
int lp_client_ipc_min_protocol(void)
|
|
|
b6b438 |
{
|
|
|
b6b438 |
int client_ipc_min_protocol = lp__client_ipc_min_protocol();
|
|
|
b6b438 |
+
|
|
|
b6b438 |
+ /*
|
|
|
b6b438 |
+ * If weak crypto is not allowed, force at least SMB3 which offers AES
|
|
|
b6b438 |
+ * encrypted connections.
|
|
|
b6b438 |
+ */
|
|
|
b6b438 |
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
|
|
|
b6b438 |
+ return MAX(client_ipc_min_protocol, PROTOCOL_SMB3_00);
|
|
|
b6b438 |
+ }
|
|
|
b6b438 |
+
|
|
|
b6b438 |
if (client_ipc_min_protocol == PROTOCOL_DEFAULT) {
|
|
|
b6b438 |
client_ipc_min_protocol = lp_client_min_protocol();
|
|
|
b6b438 |
}
|
|
|
b6b438 |
--
|
|
|
b6b438 |
2.23.0
|
|
|
b6b438 |
|