From 50337ec4471e500c463232eddcca3de94945982b Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 5 Sep 2019 11:23:22 +1200
Subject: [PATCH 1/3] docs: Deprecate "lanman auth = yes"

This feature is only available for SMB1 and we need to warn users that this
is going away soon, and allow the removal in a future release under our rules
for parameter deprecation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14117

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Sep  5 04:04:18 UTC 2019 on sn-devel-184

(cherry picked from commit 1006f7abe8980d2c01c181db93225353ce494b3a)
---
 docs-xml/smbdotconf/security/lanmanauth.xml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/docs-xml/smbdotconf/security/lanmanauth.xml b/docs-xml/smbdotconf/security/lanmanauth.xml
index 97f2fb04dcb..e5e63e43076 100644
--- a/docs-xml/smbdotconf/security/lanmanauth.xml
+++ b/docs-xml/smbdotconf/security/lanmanauth.xml
@@ -2,8 +2,17 @@
                  context="G"
                  type="boolean"
 		 function="_lanman_auth"
+                 deprecated="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
+    <para>This parameter has been deprecated since Samba 4.11 and
+    support for LanMan (as distinct from NTLM, NTLMv2 or
+    Kerberos authentication)
+    will be removed in a future Samba release.</para>
+    <para>That is, in the future, the current default of
+    <command>lanman auth = no</command>
+    will be the enforced behaviour.</para>
+
     <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
     <manvolnum>8</manvolnum></citerefentry> will attempt to
     authenticate users or permit password changes
-- 
2.11.0


From df663727802a1c6d23e5c1910e1576c25a3eb533 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 5 Sep 2019 11:19:10 +1200
Subject: [PATCH 2/3] docs: Deprecate "encrypt passwords = no"

This feature is only available for SMB1 and we need to warn users that this
is going away soon, and allow the removal in a future release under our rules
for parameter deprecation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14117

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit 8d0d99a4d78ba408bb45e2d693049025e60e277a)
---
 docs-xml/smbdotconf/security/encryptpasswords.xml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/docs-xml/smbdotconf/security/encryptpasswords.xml b/docs-xml/smbdotconf/security/encryptpasswords.xml
index 4bd97809d86..4fdfa898501 100644
--- a/docs-xml/smbdotconf/security/encryptpasswords.xml
+++ b/docs-xml/smbdotconf/security/encryptpasswords.xml
@@ -1,8 +1,16 @@
 <samba:parameter name="encrypt passwords"
                  context="G"
                  type="boolean"
+                 deprecated="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
+    <para>This parameter has been deprecated since Samba 4.11 and
+    support for plaintext (as distinct from NTLM, NTLMv2
+    or Kerberos authentication)
+    will be removed in a future Samba release.</para>
+    <para>That is, in the future, the current default of
+    <command>encrypt passwords = yes</command>
+    will be the enforced behaviour.</para>
     <para>This boolean controls whether encrypted passwords 
     will be negotiated with the client. Note that Windows NT 4.0 SP3 and 
     above and also Windows 98 will by default expect encrypted passwords 
-- 
2.11.0


From ebc26c2cd59b24f14074223a3f54a96c2b84a279 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Thu, 5 Sep 2019 16:12:10 +1200
Subject: [PATCH 3/3] WHATSNEW: Add entry for deprecation of "lanman auth" and
 "encrypt passwords = no"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14117

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---
 WHATSNEW.txt | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index eece43fcd9e..904db5fefc3 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -68,6 +68,18 @@ in the following years. If you have a strong requirement for SMB1
 (except for supporting old Linux Kernels), please file a bug
 at https://bugzilla.samba.org and let us know about the details.
 
+LanMan and plaintext authentication deprecated
+----------------------------------------------
+
+The "lanman auth" and "encrypt passwords" parameters are deprecated
+with this release as both are only applicable to SMB1 and are quite
+insecure.  NTLM, NTLMv2 and Kerberos authentication are unaffected, as
+"encrypt passwords = yes" has been the default since Samba 3.0.0.
+
+If you have a strong requirement for these authentication protocols,
+please file a bug at https://bugzilla.samba.org and let us know about
+the details.
+
 BIND9_FLATFILE deprecated
 -------------------------
 
@@ -357,6 +369,8 @@ smb.conf changes
   fruit:zero_file_id                 Changed default            False
   debug encryption                   New: dump encryption keys  False
   rndc command                       Deprecated
+  lanman auth                        Deprecated
+  encrypt passwords                  Deprecated
 
 
 CHANGES SINCE 4.11.0rc2
-- 
2.11.0