From 4f5791ebd03eaec1c7da0865a383175b05102712 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sun, 5 May 2024 19:47:29 +0200
Subject: Adding upstream version 2:4.17.12+dfsg.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 .../security/allowdcerpcauthlevelconnect.xml       | 27 ++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml

(limited to 'docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml')

diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
new file mode 100644
index 0000000..8bccab3
--- /dev/null
+++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
@@ -0,0 +1,27 @@
+<samba:parameter name="allow dcerpc auth level connect"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This option controls whether DCERPC services are allowed to
+	be used with DCERPC_AUTH_LEVEL_CONNECT, which provides authentication,
+	but no per message integrity nor privacy protection.</para>
+
+	<para>Some interfaces like samr, lsarpc and netlogon have a hard-coded default of
+	<constant>no</constant> and epmapper, mgmt and rpcecho have a hard-coded default of
+	<constant>yes</constant>.
+	</para>
+
+	<para>The behavior can be overwritten per interface name (e.g. lsarpc, netlogon, samr, srvsvc,
+	winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = yes' as option.</para>
+
+	<para>This option is over-ridden by the implementation specific restrictions.
+	E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
+	The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
+	</para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+
+</samba:parameter>
-- 
cgit v1.2.3