38 lines
1.2 KiB
Diff
38 lines
1.2 KiB
Diff
From 499fd673befa6fed6bd0e542d9bb06cb49bd150e Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Thu, 11 Apr 2019 11:40:11 +0200
|
|
Subject: [PATCH 198/208] s3:param: Only allow SMB 3.0+ for DCERPC client
|
|
connections over named pipes
|
|
|
|
We need an AES encrypted transport as some RPC services only encrypt
|
|
secrets using RC4, e.g. password changes over SAMR.
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
---
|
|
source3/param/loadparm.c | 9 +++++++++
|
|
1 file changed, 9 insertions(+)
|
|
|
|
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
|
|
index b52e2bcb036..c1d02cf5bc6 100644
|
|
--- a/source3/param/loadparm.c
|
|
+++ b/source3/param/loadparm.c
|
|
@@ -4614,6 +4614,15 @@ int lp_client_max_protocol(void)
|
|
int lp_client_ipc_min_protocol(void)
|
|
{
|
|
int client_ipc_min_protocol = lp__client_ipc_min_protocol();
|
|
+
|
|
+ /*
|
|
+ * If weak crypto is not allowed, force at least SMB3 which offers AES
|
|
+ * encrypted connections.
|
|
+ */
|
|
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
|
|
+ return MAX(client_ipc_min_protocol, PROTOCOL_SMB3_00);
|
|
+ }
|
|
+
|
|
if (client_ipc_min_protocol == PROTOCOL_DEFAULT) {
|
|
client_ipc_min_protocol = lp_client_min_protocol();
|
|
}
|
|
--
|
|
2.23.0
|
|
|