This is a merge of the NETLOGON schannel server code from Samba

TNG. Actually, it exists in the main Samba cvs tree in APPLIANCE_TNG
as I found out later :-)

It adds a new parameter: server schannel = yes/auto/no defaulting to
auto.

What does this mean to the user: No requireSignOrSeal registry patch
for XP anymore.

Many thanks for this code to Luke Leighton, Elrond and anybody else I
forgot to mention.

My next thing will be to see if this applies cleanly to 3_0.

Please test and comment!

Volker
(This used to be commit e1f953241eb020f19fe657f29afdae28dcf5a03b)

2 files changed, 50 insertions, 0 deletions

diff --git a/docs/docbook/manpages/smb.conf.5.sgml b/docs/docbook/manpages/smb.conf.5.sgml
index 2fbd27b934..40c4963c8d 100644
--- a/docs/docbook/manpages/smb.conf.5.sgml
+++ b/docs/docbook/manpages/smb.conf.5.sgml
@@ -744,6 +744,7 @@ alias|alias|alias|alias...
 		<listitem><para><link linkend="ROOTDIR"><parameter>root dir</parameter></link></para></listitem>
 		<listitem><para><link linkend="ROOTDIRECTORY"><parameter>root directory</parameter></link></para></listitem>
 		<listitem><para><link linkend="SECURITY"><parameter>security</parameter></link></para></listitem>
+		<listitem><para><link linkend="SERVERSCHANNEL"><parameter>server schannel</parameter></link></para></listitem>
 		<listitem><para><link linkend="SERVERSTRING"><parameter>server string</parameter></link></para></listitem>
 		<listitem><para><link linkend="SETPRIMARYGROUPSCRIPT"><parameter>set primary group script</parameter></link></para></listitem>
 		<listitem><para><link linkend="SHOWADDPRINTERWIZARD"><parameter>show add printer wizard</parameter></link></para></listitem>
@@ -6923,6 +6924,31 @@ print5|My Printer 5
 
 
 		<varlistentry>
+		<term><anchor id="SERVERSCHANNEL"/>server schannel (G)</term>
+		<listitem>
+
+		<para>This controls whether the server offers or even
+		demands the use of the netlogon schannel.
+		<parameter>server schannel = no</parameter> does not
+		offer the schannel, <parameter>server schannel =
+		auto</parameter> offers the schannel but does not
+		enforce it, and <parameter>server schannel =
+		yes</parameter> denies access if the client is not
+		able to speak netlogon schannel. This is only the case
+		for Windows NT4 before SP4.</para>
+
+		<para>Please note that with this set to
+		<parameter>no</parameter> you will have to apply the
+		WindowsXP requireSignOrSeal-Registry patch found in
+		the docs/Registry subdirectory.</para
+
+		<para>Default: <command>server schannel = auto</command></para>
+
+		<para>Example: <command>server schannel = yes</command>/para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
 		<term><anchor id="SERVERSTRING"/>server string (G)</term>
 		<listitem><para>This controls what string will show up in the 
 		printer comment box in print manager and next to the IPC connection 
diff --git a/docs/docbook/smbdotconf/security/serverschannel.xml b/docs/docbook/smbdotconf/security/serverschannel.xml
new file mode 100644
index 0000000000..05261fa417
--- /dev/null
+++ b/docs/docbook/smbdotconf/security/serverschannel.xml
@@ -0,0 +1,24 @@
+<samba:parameter xmlns:samba="http://samba.org/common">
+		<term><anchor id="SERVERSCHANNEL"/>server schannel (G)</term>
+		<listitem>
+
+		<para>This controls whether the server offers or even
+		demands the use of the netlogon schannel.
+		<parameter>server schannel = no</parameter> does not
+		offer the schannel, <parameter>server schannel =
+		auto</parameter> offers the schannel but does not
+		enforce it, and <parameter>server schannel =
+		yes</parameter> denies access if the client is not
+		able to speak netlogon schannel. This is only the case
+		for Windows NT4 before SP4.</para>
+
+		<para>Please note that with this set to
+		<parameter>no</parameter> you will have to apply the
+		WindowsXP requireSignOrSeal-Registry patch found in
+		the docs/Registry subdirectory.</para
+
+		<para>Default: <command>server schannel = auto</command></para>
+
+		<para>Example: <command>server schannel = yes</command>/para>
+		</listitem>
+		<samba:parameter>
\ No newline at end of file