# Samba TODO
```
TEST:
Add
echo locDCpass1 | bin/rpcclient ncacn_np:$SERVER -UAdministrator -c getusername
echo locDCpass1 | USER=administrator bin/rpcclient ncacn_np:$SERVER -c getusername
-> https://gitlab.com/samba-team/samba/-/merge_requests/1271
Migrate s3 client code to cli_credentials
-> https://gitlab.com/samba-team/samba/-/merge_requests/1362
SMB.CONF:
SMB_SIGNING_VALS="default|off|if_required|desired|required"
Create one function translating signing state string to enum
see set_cmdline_auth_info_signing_state and enum_smb_signing_vals
Add 'server smb encrypt' (done)
-> smb encrypt as alias
Add 'client smb encrypt' (done)
smbclient -e => getop => lp_do_param(client smb encrypt) =>
cli_creds reads lp_client_smb_encrypt()
Add cli_credentials_set_smb_signing(),
cli_credentials_set_smb_ipc_signing(),
cli_credentials_set_smb_encryption(). - DONE
Use cli_creds smb encryption:
tig -7 b06e7ea5cbc0e46c0c42d6cdeb3a14f3cf21f1c6 - DONE
Check do_connect() in client.c
CMDLINE CLI:
-> parse popts
-> set password callback, if not --use-krb5-ccache and not
--use-ccache and not --no-pass and not auth-file
--use-kerberos=yes|auto|no|default
default only if we add 'client use kerberos' as smb.conf option
--use-krb5-ccache
imply --use-kerberos=yes
--krb5-cache=$PATH - DONE
'-U... -k' =>
--use-kerberos=yes
'-k' without -U =>
--use-krb5-ccache
--use-krb5-ccache and --use-ccache
=> not supported,
TODO: --use-winbind-ccache that provides
generic support for krb5 and ntlm
Rename --use-ccache to --use-winbind-ccache (removes --use-ccache?) - DONE
Add --smb-signing=$SMB_SIGNING_VALS
also set GENSEC_FEATURE_SIGN for desired/required
--signing=$SMB_SIGNING_VALS (as legacy)
'-S $SMB_SIGNING_VALS' ??? (only smbclient?)
'-S' check what smbtorture is actually using
Remove -S for signing and use only long option
Add --smb-encryption=$SMB_SIGNING_VALS
-e => --smb-encryption=required
also set GENSEC_FEATURE_SEAL??? => defer to --gensec-protection
Remove -e and use only long option
Implemented --client-protection=off|sign|encrypt
TODO: what about 'net'...
break it and use options as above
Add the following???
--gensec-client-protection=[default,seal,sign,plain]
=> see also "ldap client sasl wrapping"
=> default from "gensec client protection"
LATER:
TODO: --use-pkinit
```
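The legacy-option rules noted above ('-U... -k', '-k' without -U, -e, --signing, and when to set the password callback), written out as one translation step. This is an added sketch, not Samba's own code: every type and function name is hypothetical, and the signing string is matched exactly and rejected if it is not one of the SMB_SIGNING_VALS.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical types; the five states mirror SMB_SIGNING_VALS in the notes. */
enum sig_state { SIG_INVALID = -1, SIG_DEFAULT, SIG_OFF, SIG_IF_REQUIRED,
                 SIG_DESIRED, SIG_REQUIRED };
enum krb_state { KRB_DEFAULT, KRB_YES };

struct legacy_opts {            /* what the old command line carried */
    bool have_user;             /* -U given */
    bool k, e;                  /* -k, -e given */
    const char *signing;        /* -S / --signing value, NULL if absent */
    bool no_pass, auth_file, winbind_ccache;
};

struct new_opts {               /* the long options from the notes */
    enum krb_state use_kerberos;
    bool use_krb5_ccache;
    enum sig_state smb_signing, smb_encryption;
    bool want_password_callback;
};

/* One string-to-enum translator; unknown strings are rejected, not defaulted. */
enum sig_state parse_sig_state(const char *s)
{
    static const char *const names[] = { "default", "off", "if_required",
                                         "desired", "required" };
    for (size_t i = 0; s != NULL && i < sizeof(names) / sizeof(names[0]); i++)
        if (strcmp(s, names[i]) == 0)
            return (enum sig_state)i;
    return SIG_INVALID;
}

/* Returns false when the signing string is invalid; *out must then be ignored. */
bool translate_legacy(const struct legacy_opts *in, struct new_opts *out)
{
    memset(out, 0, sizeof(*out));
    out->smb_signing = in->signing ? parse_sig_state(in->signing) : SIG_DEFAULT;
    if (out->smb_signing == SIG_INVALID) return false;
    out->smb_encryption = in->e ? SIG_REQUIRED : SIG_DEFAULT;  /* -e */
    if (in->k) {
        out->use_kerberos = KRB_YES;            /* '-U... -k', and implied by ccache */
        out->use_krb5_ccache = !in->have_user;  /* '-k' without -U */
    }
    out->want_password_callback = !out->use_krb5_ccache &&
        !in->winbind_ccache && !in->no_pass && !in->auth_file;
    return true;
}
```

Failing on an unrecognised signing string, instead of falling back to a default, keeps a mistyped value from silently weakening the connection's protection.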
## NEW TODO
```
popt pw-nt-hash
Remove smb_encrypt from client.c
Remove smb_encrypt from cli_cm_connect()
Add smb_cmdline_sanity(long_options)
POPT_COMMON_LEGACY_S3
POPT_COMMON_LEGACY_S4
client ldap sasl wrapping -> directly use gensec
add support for client-protection
Remove cli_credentials_set_machine_account_pending()
```