--- /dev/null
+<samba:parameter name="reject md5 clients"
+ context="G"
+ type="boolean"
+ advanced="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls whether the netlogon server (currently
+ only in 'active directory domain controller' mode), will
+ reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
+
+ <para>You can set this to yes if all domain members support aes.
+ This will prevent downgrade attacks.</para>
+
+ <para>This option takes precedence to the 'allow nt4 crypto' option.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
FN_GLOBAL_BOOL(passdb_expand_explicit, bPassdbExpandExplicit)
FN_GLOBAL_BOOL(passwd_chat_debug, bPasswdChatDebug)
FN_GLOBAL_BOOL(registry_shares, bRegistryShares)
+FN_GLOBAL_BOOL(reject_md5_clients, bRejectMD5Clients)
FN_GLOBAL_BOOL(reject_md5_servers, bRejectMD5Servers)
FN_GLOBAL_BOOL(require_strong_key, bRequireStrongKey)
FN_GLOBAL_BOOL(reset_on_zero_vc, bResetOnZeroVC)
.enum_list = NULL,
.flags = FLAG_ADVANCED,
},
+ {
+ .label = "reject md5 clients",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
+ .offset = GLOBAL_VAR(bRejectMD5Clients),
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
{N_("TLS options"), P_SEP, P_SEPARATOR},