From 6630c68cce8fbbd700e7d4cd92ec3ebb2a268f06 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 17 Oct 2013 18:39:56 +0200
Subject: lib/param: add "require strong key" option, defaulting to true

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 docs-xml/smbdotconf/winbind/requirestrongkey.xml | 27 ++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 docs-xml/smbdotconf/winbind/requirestrongkey.xml

(limited to 'docs-xml')

diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
new file mode 100644
index 0000000000..de749bbb06
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
@@ -0,0 +1,27 @@
+<samba:parameter name="require strong key"
+                 context="G"
+                 type="boolean"
+                 advanced="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This option controls whether winbindd requires support
+	for md5 strong key support for the netlogon secure channel.</para>
+
+	<para>The following flags will be required NETLOGON_NEG_STRONG_KEYS,
+	NETLOGON_NEG_ARCFOUR and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
+
+	<para>You can set this to no if some domain controllers only support des.
+	This might allows weak crypto to be negotiated, may via downgrade attacks.</para>
+
+	<para>The behavior can be controlled per netbios domain
+	by using 'require strong key:NETBIOSDOMAIN = no' as option.</para>
+
+	<para>Note for active directory domain this option is hardcoded to 'yes'</para>
+
+	<para>This option yields precedence to the <smbconfoption name="reject md5 servers"/> option.</para>
+
+	<para>This option takes precedence to the <smbconfoption name="client schannel"/> option.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
-- 
cgit