From 50337ec4471e500c463232eddcca3de94945982b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 5 Sep 2019 11:23:22 +1200 Subject: [PATCH 1/3] docs: Deprecate "lanman auth = yes" This feature is only available for SMB1 and we need to warn users that this is going away soon, and allow the removal in a future release under our rules for parameter deprecation. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14117 Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Sep 5 04:04:18 UTC 2019 on sn-devel-184 (cherry picked from commit 1006f7abe8980d2c01c181db93225353ce494b3a) --- docs-xml/smbdotconf/security/lanmanauth.xml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs-xml/smbdotconf/security/lanmanauth.xml b/docs-xml/smbdotconf/security/lanmanauth.xml index 97f2fb04dcb..e5e63e43076 100644 --- a/docs-xml/smbdotconf/security/lanmanauth.xml +++ b/docs-xml/smbdotconf/security/lanmanauth.xml @@ -2,8 +2,17 @@ context="G" type="boolean" function="_lanman_auth" + deprecated="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> + This parameter has been deprecated since Samba 4.11 and + support for LanMan (as distinct from NTLM, NTLMv2 or + Kerberos authentication) + will be removed in a future Samba release. + That is, in the future, the current default of + lanman auth = no + will be the enforced behaviour. + This parameter determines whether or not smbd 8 will attempt to authenticate users or permit password changes -- 2.11.0 From df663727802a1c6d23e5c1910e1576c25a3eb533 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 5 Sep 2019 11:19:10 +1200 Subject: [PATCH 2/3] docs: Deprecate "encrypt passwords = no" This feature is only available for SMB1 and we need to warn users that this is going away soon, and allow the removal in a future release under our rules for parameter deprecation. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14117 
Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam (cherry picked from commit 8d0d99a4d78ba408bb45e2d693049025e60e277a) --- docs-xml/smbdotconf/security/encryptpasswords.xml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs-xml/smbdotconf/security/encryptpasswords.xml b/docs-xml/smbdotconf/security/encryptpasswords.xml index 4bd97809d86..4fdfa898501 100644 --- a/docs-xml/smbdotconf/security/encryptpasswords.xml +++ b/docs-xml/smbdotconf/security/encryptpasswords.xml @@ -1,8 +1,16 @@ + This parameter has been deprecated since Samba 4.11 and + support for plaintext (as distinct from NTLM, NTLMv2 + or Kerberos authentication) + will be removed in a future Samba release. + That is, in the future, the current default of + encrypt passwords = yes + will be the enforced behaviour. This boolean controls whether encrypted passwords will be negotiated with the client. Note that Windows NT 4.0 SP3 and above and also Windows 98 will by default expect encrypted passwords -- 2.11.0 From ebc26c2cd59b24f14074223a3f54a96c2b84a279 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 5 Sep 2019 16:12:10 +1200 Subject: [PATCH 3/3] WHATSNEW: Add entry for deprecation of "lanman auth" and "encrypt passwords = no" BUG: https://bugzilla.samba.org/show_bug.cgi?id=14117 Signed-off-by: Andrew Bartlett --- WHATSNEW.txt | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index eece43fcd9e..904db5fefc3 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -68,6 +68,18 @@ in the following years. If you have a strong requirement for SMB1 (except for supporting old Linux Kernels), please file a bug at https://bugzilla.samba.org and let us know about the details. +LanMan and plaintext authentication deprecated +---------------------------------------------- + +The "lanman auth" and "encrypt passwords" parameters are deprecated +with this release as both are only applicable to SMB1 and are quite +insecure. NTLM, NTLMv2 and Kerberos authentication are unaffected, as +"encrypt passwords = yes" has been the default since Samba 3.0.0. + +If you have a strong requirement for these authentication protocols, +please file a bug at https://bugzilla.samba.org and let us know about +the details. + BIND9_FLATFILE deprecated ------------------------- @@ -357,6 +369,8 @@ smb.conf changes fruit:zero_file_id Changed default False debug encryption New: dump encryption keys False rndc command Deprecated + lanman auth Deprecated + encrypt passwords Deprecated CHANGES SINCE 4.11.0rc2 -- 2.11.0
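Review bot: In the docs-xml/smbdotconf/security/lanmanauth.xml hunk of PATCH 1/3, the added deprecation paragraph never says that LanMan authentication is only available for SMB1, although the commit message gives that as the reason for the deprecation. Someone reading the smb.conf manual page will not see the commit message, so I would add a sentence to that effect next to "will be removed in a future Samba release", so that the scope of the removal is clear from the documentation itself.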
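Review bot: In the docs-xml/smbdotconf/security/encryptpasswords.xml hunk of PATCH 2/3, "support for plaintext (as distinct from NTLM, NTLMv2 or Kerberos authentication)" leaves "plaintext" without a noun, and the opening "This parameter has been deprecated" can be read as the whole boolean going away rather than only its "no" setting. Suggest "support for plaintext password authentication" and a statement that it is "encrypt passwords = no" that is deprecated, matching the subject line of the commit. As in the lanmanauth.xml change, the SMB1-only scope given in the commit message is missing from the added text.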
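Review bot: In the first WHATSNEW.txt hunk of PATCH 3/3, the new "LanMan and plaintext authentication deprecated" section says the two parameters are deprecated but not which settings will stop working. The two documentation patches spell out that "lanman auth = no" and "encrypt passwords = yes" will become the enforced behaviour, and the release note should say the same so that administrators know what to look for in their smb.conf. The clause beginning "as "encrypt passwords = yes" has been the default since Samba 3.0.0" also reads as if the default were the reason NTLM, NTLMv2 and Kerberos are unaffected; it would be clearer as a separate sentence.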