s3-winbindd: Allow winbindd to connect over SMB2 to servers
authorAndrew Bartlett <abartlet@samba.org>
Tue, 23 Sep 2014 21:08:10 +0000 (14:08 -0700)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 7 Oct 2014 23:09:51 +0000 (01:09 +0200)
This allows SMB signing to work against many more DCs, and so improves network security.

The default for "client max protocol" remains NT1 in the rest of the code.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
docs-xml/smbdotconf/protocol/clientmaxprotocol.xml
lib/param/loadparm.c
lib/param/param_table.c
libcli/smb/smb_constants.h
source3/include/proto.h
source3/param/loadparm.c
source3/winbindd/winbindd_cm.c

index d541425c99d0556970a5123aa2fdef79e45c5082..9321d3f97bbcfd1575a6d077d993c390ac7a6dbb 100644 (file)
@@ -2,6 +2,7 @@
                 context="G"
                 type="enum"
                 developer="1"
+                function="_client_max_protocol"
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
     <para>The value of the parameter (a string) is the highest 
     <para>Normally this option should not be set as the automatic 
     negotiation phase in the SMB protocol takes care of choosing 
     the appropriate protocol.</para>
+
+    <para>The value <constant>default</constant> refers to the default protocol in each
+    part of the code, currently <constant>NT1</constant> in the client tools and
+    <constant>SMB3_02</constant> in winbindd.</para>
 </description>
 
 <related>server max protocol</related>
-<related>client mn protocol</related>
+<related>client min protocol</related>
 
-<value type="default">NT1</value>
+<value type="default">default</value>
 <value type="example">LANMAN1</value>
 </samba:parameter>
index 5543f790a47136533ed3dc42f6c4b26ff00c9930..d1e36dfcfb9639629fb9ba43e5ac4e49722948c5 100644 (file)
@@ -2480,7 +2480,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
        lpcfg_do_global_parameter(lp_ctx, "server min protocol", "LANMAN1");
        lpcfg_do_global_parameter(lp_ctx, "server max protocol", "SMB3");
        lpcfg_do_global_parameter(lp_ctx, "client min protocol", "CORE");
-       lpcfg_do_global_parameter(lp_ctx, "client max protocol", "NT1");
+       lpcfg_do_global_parameter(lp_ctx, "client max protocol", "default");
        lpcfg_do_global_parameter(lp_ctx, "security", "AUTO");
        lpcfg_do_global_parameter(lp_ctx, "EncryptPasswords", "True");
        lpcfg_do_global_parameter(lp_ctx, "ReadRaw", "True");
@@ -3154,6 +3154,15 @@ int lpcfg_security(struct loadparm_context *lp_ctx)
                                lpcfg__security(lp_ctx));
 }
 
+int lpcfg_client_max_protocol(struct loadparm_context *lp_ctx)
+{
+       int client_max_protocol = lpcfg__client_max_protocol(lp_ctx);
+       if (client_max_protocol == PROTOCOL_DEFAULT) {
+               return PROTOCOL_NT1;
+       }
+       return client_max_protocol;
+}
+
 bool lpcfg_server_signing_allowed(struct loadparm_context *lp_ctx, bool *mandatory)
 {
        bool allowed = true;
index bdc6b85798e5f7826933fe961f1afe7961f3c445..15ffa8c3f69b679fa5b31a8cbbd4bae3baf33a90 100644 (file)
@@ -38,6 +38,7 @@
 #endif
 
 static const struct enum_list enum_protocol[] = {
+       {PROTOCOL_DEFAULT, "default"}, /* the caller decides what this means */
        {PROTOCOL_SMB2_10, "SMB2"}, /* for now keep PROTOCOL_SMB2_10 */
        {PROTOCOL_SMB3_00, "SMB3"}, /* for now keep PROTOCOL_SMB3_00 */
        {PROTOCOL_SMB3_10, "SMB3_10"},
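Review bot: Adding `{PROTOCOL_DEFAULT, "default"}` to enum_protocol makes "default" an accepted value for every parameter that uses this table, but only `client max protocol` (the second hunk in this file) gains an accessor that translates PROTOCOL_DEFAULT. If `server max protocol`, `server min protocol` or `client min protocol` also use enum_protocol (the generic table name suggests so; not visible here), setting one of them to "default" stores -1 with nothing to resolve it, and a -1 lower bound would silently widen the accepted dialect range. Consider a dedicated `enum_client_max_protocol[]` table holding the extra entry, or at least changing the comment to `/* only meaningful for 'client max protocol'; see lp_client_max_protocol()/lp_winbindd_max_protocol() */`.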
@@ -1387,7 +1388,7 @@ struct parm_struct parm_table[] = {
                .label          = "client max protocol",
                .type           = P_ENUM,
                .p_class        = P_GLOBAL,
-               .offset         = GLOBAL_VAR(client_max_protocol),
+               .offset         = GLOBAL_VAR(_client_max_protocol),
                .special        = NULL,
                .enum_list      = enum_protocol,
                .flags          = FLAG_ADVANCED,
index ea82677fa0640894f8d31c5f284e2f2fbc38ef9b..f2c880c49ca17258419349028c04ce56129ae5d0 100644 (file)
@@ -76,7 +76,8 @@
 /* protocol types. It assumes that higher protocols include lower protocols
    as subsets. */
 enum protocol_types {
-       PROTOCOL_NONE,
+       PROTOCOL_DEFAULT=-1,
+       PROTOCOL_NONE=0,
        PROTOCOL_CORE,
        PROTOCOL_COREPLUS,
        PROTOCOL_LANMAN1,
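Review bot: `PROTOCOL_DEFAULT=-1` breaks the invariant stated two lines above it, that higher protocol values are supersets of lower ones: an unresolved PROTOCOL_DEFAULT now compares below PROTOCOL_NONE, so any ordered comparison on a raw `_client_max_protocol` value treats "default" as "nothing" rather than "latest". The enum comment should say so, e.g. on the new line: `PROTOCOL_DEFAULT=-1, /* placeholder, not a dialect level: resolve via the lp_*max_protocol() accessors before comparing or passing to negprot */`. The enum continues past the end of the hunk.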
index 70fa7f74ed7fde98e0422e8a401e3ac3bec5066b..255948f4e144958f9c3c223b4e40515eb50c9e04 100644 (file)
@@ -990,6 +990,8 @@ bool lp_idmap_default_range(uint32_t *low, uint32_t *high);
 const char *lp_idmap_backend(const char *domain_name);
 const char *lp_idmap_default_backend (void);
 int lp_security(void);
+int lp_client_max_protocol(void);
+int lp_winbindd_max_protocol(void);
 int lp_smb2_max_credits(void);
 int lp_cups_encrypt(void);
 bool lp_widelinks(int );
index 5ab0de71104acccd96d24ab3f044015a7f7d53ed..52ffbccd3c67a09388ef5f2f716edce3229405e1 100644 (file)
@@ -642,7 +642,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
        Globals.max_open_files = max_open_files();
        Globals.server_max_protocol = PROTOCOL_SMB3_00;
        Globals.server_min_protocol = PROTOCOL_LANMAN1;
-       Globals.client_max_protocol = PROTOCOL_NT1;
+       Globals._client_max_protocol = PROTOCOL_DEFAULT;
        Globals.client_min_protocol = PROTOCOL_CORE;
        Globals._security = SEC_AUTO;
        Globals.encrypt_passwords = true;
@@ -4335,6 +4335,24 @@ int lp_security(void)
                                lp__security());
 }
 
+int lp_client_max_protocol(void)
+{
+       int client_max_protocol = lp__client_max_protocol();
+       if (client_max_protocol == PROTOCOL_DEFAULT) {
+               return PROTOCOL_NT1;
+       }
+       return client_max_protocol;
+}
+
+int lp_winbindd_max_protocol(void)
+{
+       int client_max_protocol = lp__client_max_protocol();
+       if (client_max_protocol == PROTOCOL_DEFAULT) {
+               return PROTOCOL_LATEST;
+       }
+       return client_max_protocol;
+}
+
 struct loadparm_global * get_globals(void)
 {
        return &Globals;
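Review bot: lp_client_max_protocol and lp_winbindd_max_protocol are the same four lines with a different fallback constant, and the winbindd fallback PROTOCOL_LATEST is described in clientmaxprotocol.xml (first hunk of this commit) as the fixed value SMB3_02, so the documentation will drift silently the next time PROTOCOL_LATEST moves. Factoring the resolution into one static helper keeps the two policies visibly side by side and gives one place to carry the cross-reference comment. The same duplication exists between lpcfg_client_max_protocol in lib/param/loadparm.c and lp_client_max_protocol here, but those live in separate libraries and may be intentionally parallel.
```c
/* Map the 'default' value of "client max protocol" to the caller's policy.
 * Keep the winbindd choice in sync with the description of 'default' in
 * docs-xml/smbdotconf/protocol/clientmaxprotocol.xml. */
static int lp_resolve_client_max_protocol(int fallback)
{
	int client_max_protocol = lp__client_max_protocol();
	if (client_max_protocol == PROTOCOL_DEFAULT) {
		return fallback;
	}
	return client_max_protocol;
}

int lp_client_max_protocol(void)
{
	return lp_resolve_client_max_protocol(PROTOCOL_NT1);
}

int lp_winbindd_max_protocol(void)
{
	return lp_resolve_client_max_protocol(PROTOCOL_LATEST);
}
```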
index ef7c17ab5e7b527a549801d573ea74e997c54184..0e13a94c5af780f239d6f8cd24953131571c657e 100644 (file)
@@ -936,7 +936,7 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 
        result = smbXcli_negprot((*cli)->conn, (*cli)->timeout,
                                 lp_client_min_protocol(),
-                                lp_client_max_protocol());
+                                lp_winbindd_max_protocol());
 
        if (!NT_STATUS_IS_OK(result)) {
                DEBUG(1, ("cli_negprot failed: %s\n", nt_errstr(result)));
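Review bot: The call site raises only the upper bound of the negotiation; the lower bound passed two lines earlier is still `lp_client_min_protocol()`, which this commit leaves at CORE in the lib/param defaults, so a DC (or anything in the path) offering only an old dialect still gets a connection at that level and the signing benefit named in the commit message depends on the separate signing settings rather than on this change. That is presumably intended, but a comment at the call would stop a later reader from assuming SMB2+ is now guaranteed: `/* winbindd defaults to a higher ceiling than the client tools (see lp_winbindd_max_protocol()); the floor is still lp_client_min_protocol() */`. cm_prepare_connection begins and ends outside the hunk.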