From 946c10e7508491445ef1376d0a06f681b8a1bce8 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 10 Aug 2020 12:18:07 +1200 Subject: [PATCH 01/10] selftest: Add test for suppression of deprecation warnings BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher (cherry picked from commit d3ff49f48507d8a64b9c4847f79d7939f647e6f0) --- selftest/knownfail.d/testparm | 1 + source3/script/tests/test_testparm_s3.sh | 33 ++++++++++++++++++++++++ 2 files changed, 34 insertions(+) create mode 100644 selftest/knownfail.d/testparm diff --git a/selftest/knownfail.d/testparm b/selftest/knownfail.d/testparm new file mode 100644 index 00000000000..c3adb529940 --- /dev/null +++ b/selftest/knownfail.d/testparm @@ -0,0 +1 @@ +^samba3.blackbox.testparm.test_deprecated_warning_suppressed \ No newline at end of file diff --git a/source3/script/tests/test_testparm_s3.sh b/source3/script/tests/test_testparm_s3.sh index 6dcdeff07d7..9ef3f7e0097 100755 --- a/source3/script/tests/test_testparm_s3.sh +++ b/source3/script/tests/test_testparm_s3.sh 
@@ -58,6 +58,36 @@ EOF ${TESTPARM} ${TEMP_CONFFILE} } +test_testparm_deprecated() +{ + name=$1 + old_SAMBA_DEPRECATED_SUPPRESS=$SAMBA_DEPRECATED_SUPPRESS + SAMBA_DEPRECATED_SUPPRESS= + export SAMBA_DEPRECATED_SUPPRESS + testit_grep $name 'WARNING: The "lsaovernetlogon" option is deprecated' $VALGRIND ${TESTPARM} ${TEMP_CONFFILE} --option='lsaovernetlogon=true' + SAMBA_DEPRECATED_SUPPRESS=$old_SAMBA_DEPRECATED_SUPPRESS + export SAMBA_DEPRECATED_SUPPRESS +} + +test_testparm_deprecated_suppress() +{ + name=$1 + subunit_start_test "$name" + output=$(SAMBA_DEPRECATED_SUPPRESS=1 $VALGRIND ${TESTPARM} ${TEMP_CONFFILE} --option='lsa over netlogon = true' 2>&1) + status=$? + if [ "$status" = "0" ]; then + echo "$output" | grep --quiet 'WARNING: The "lsa over netlogon " option is deprecated' + status=$? + if [ "$status" = "1" ]; then + subunit_pass_test "$name" + else + echo $output | subunit_fail_test "$name" + fi + else + echo $output | subunit_fail_test "$name" + fi +} + testit "name resolve order = lmhosts wins host bcast"\ test_one_global_option "name resolve order = lmhosts wins host bcast" || \ failed=`expr ${failed} + 1` @@ -112,6 +142,9 @@ testit "copy" \ test_copy || \ failed=`expr ${failed} + 1` +test_testparm_deprecated "test_deprecated_warning_printed" +test_testparm_deprecated_suppress "test_deprecated_warning_suppressed" + rm -f ${TEMP_CONFFILE} testok $0 ${failed} -- 2.26.2 From d2b21822bfc5b02f5dbf05ccfe679c6769009d6c Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 29 Jul 2020 21:26:55 +1200 Subject: [PATCH 02/10] param: Allow tests to silence deprecation warnings This helps make output sensitive tests more reliable. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460 
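Review bot: test_testparm_deprecated_suppress passes on the absence of one exact string, `'WARNING: The "lsa over netlogon " option is deprecated'`, including the trailing space inside the quotes. If testparm ever echoes the option name in another form, the grep misses and the test passes without suppression having been exercised. The sibling test uses a different spelling (`lsaovernetlogon`), so the two do not pin the same message. Matching the stable tail would be more robust: `echo "$output" | grep --quiet 'option is deprecated'`. The two failure branches should also quote the variable, `echo "$output" | subunit_fail_test "$name"`, so the captured output reaches the report with its line breaks intact.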
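Review bot: The two new calls at the end of the script do not feed `failed`, unlike the neighbouring `testit ... || failed=...` entries, so the `testok $0 ${failed}` line can still be reached with a zero count after either test fails. testok is defined outside this patch, so whether the script's exit status depends on that count is an assumption to confirm. Adding `|| failed=$(expr ${failed} + 1)` to both calls is not sufficient alone, because test_testparm_deprecated ends with `export`, which hides the status of testit_grep. That function would need `status=$?` straight after testit_grep and `return $status` as its last line, and test_testparm_deprecated_suppress would need a `return 1` on its failure branches.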
Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher (cherry picked from commit d14cc45c98a77fb8a6ac96181eec33f368b8dbd8) --- lib/param/loadparm.c | 22 ++++++++++++++++++---- selftest/knownfail.d/testparm | 1 - 2 files changed, 18 insertions(+), 5 deletions(-) delete mode 100644 selftest/knownfail.d/testparm diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index da639a8b0ff..e041f4fb01b 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -1863,8 +1863,15 @@ bool lpcfg_do_global_parameter(struct loadparm_context *lp_ctx, } if (parm_table[parmnum].flags & FLAG_DEPRECATED) { - DEBUG(1, ("WARNING: The \"%s\" option is deprecated\n", - pszParmName)); + char *suppress_env = getenv("SAMBA_DEPRECATED_SUPPRESS"); + bool print_warning = (suppress_env == NULL + || suppress_env[0] == '\0'); + if (print_warning) { + DBG_WARNING("WARNING: The \"%s\" option " + "is deprecated\n", + pszParmName); + + } } parm_ptr = lpcfg_parm_ptr(lp_ctx, NULL, &parm_table[parmnum]); @@ -1896,8 +1903,15 @@ bool lpcfg_do_service_parameter(struct loadparm_context *lp_ctx, } if (parm_table[parmnum].flags & FLAG_DEPRECATED) { - DEBUG(1, ("WARNING: The \"%s\" option is deprecated\n", - pszParmName)); + char *suppress_env = getenv("SAMBA_DEPRECATED_SUPPRESS"); + bool print_warning = (suppress_env == NULL + || suppress_env[0] == '\0'); + if (print_warning) { + DBG_WARNING("WARNING: The \"%s\" option " + "is deprecated\n", + pszParmName); + + } } if (parm_table[parmnum].p_class == P_GLOBAL) { diff --git a/selftest/knownfail.d/testparm b/selftest/knownfail.d/testparm deleted file mode 100644 index c3adb529940..00000000000 --- a/selftest/knownfail.d/testparm +++ /dev/null @@ -1 +0,0 @@ -^samba3.blackbox.testparm.test_deprecated_warning_suppressed \ No newline at end of file -- 2.26.2 From cdbe996048d20ebe09f6ac4147a9e6628707e919 Mon Sep 17 00:00:00 2001 
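Review bot: SAMBA_DEPRECATED_SUPPRESS is read with getenv() in lpcfg_do_global_parameter and again, with identical code, in lpcfg_do_service_parameter (second hunk), and nothing visible in either hunk limits it to selftest. Any process that inherits the variable will therefore parse smb.conf without the deprecation warnings. Later patches in this series deprecate weak authentication options such as `client lanman auth` and `client plaintext auth`, so this is a warning an administrator would want to keep seeing; a comment at the check should state that the variable exists for output-sensitive tests only. The duplicated block can become one static helper that holds the getenv() result as `const char *`, which also removes the stray blank line before the closing brace. Both function bodies start and end outside their hunks.

```c
/*
 * SAMBA_DEPRECATED_SUPPRESS exists so that output-sensitive selftest
 * scripts are not disturbed by deprecation warnings. It must not be
 * set for production daemons: it hides warnings about options that
 * are scheduled for removal.
 */
static bool lpcfg_deprecated_warnings_suppressed(void)
{
	const char *suppress_env = getenv("SAMBA_DEPRECATED_SUPPRESS");

	return suppress_env != NULL && suppress_env[0] != '\0';
}

/* … unchanged: lpcfg_do_global_parameter up to the FLAG_DEPRECATED test … */
	if (parm_table[parmnum].flags & FLAG_DEPRECATED) {
		if (!lpcfg_deprecated_warnings_suppressed()) {
			DBG_WARNING("WARNING: The \"%s\" option "
				    "is deprecated\n",
				    pszParmName);
		}
	}
/* … same replacement in lpcfg_do_service_parameter … */
```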
From: Andrew Bartlett Date: Mon, 10 Aug 2020 20:36:53 +1200 Subject: [PATCH 03/10] selftest: Do not let deprecated option warnings muck this test up BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher (cherry picked from commit 9e212dd15e6c484d69f236f3c6d7186f0e6353b4) --- source3/script/tests/test_smbclient_s3.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh index 3ea55f54107..62662690415 100755 --- a/source3/script/tests/test_smbclient_s3.sh +++ b/source3/script/tests/test_smbclient_s3.sh @@ -33,6 +33,10 @@ incdir=`dirname $0`/../../../testprogs/blackbox failed=0 +# Do not let deprecated option warnings muck this up +SAMBA_DEPRECATED_SUPPRESS=1 +export SAMBA_DEPRECATED_SUPPRESS + # Test that a noninteractive smbclient does not prompt test_noninteractive_no_prompt() { -- 2.26.2 From dee8c47155f8d0f87ea23980da7f3df929e71d6b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 16 Jun 2020 21:46:33 +1200 Subject: [PATCH 04/10] docs: Deprecate NT4-like domains and SMBv1-only protocol options BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher (cherry picked from commit c6aa710f8da9ef92b388f1c0c59b2dd3c602ad2d) --- WHATSNEW.txt | 10 ++++++++++ docs-xml/smbdotconf/logon/domainlogons.xml | 7 +++++++ 2 files changed, 17 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index cac8cecd2b7..b996363f7c3 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -52,6 +52,15 @@ causing administrators who need this functionality to have to explicitly add the vfs_widelinks module into the "vfs objects =" parameter lists. The release notes will be updated to note this change when it occurs. +NT4-like 'classic' Samba domain controllers +------------------------------------------- + +Samba 4.13 deprecates Samba's original domain controller mode. + +Sites using Samba as a Domain Controller should upgrade from the +NT4-like 'classic' Domain Controller to a Samba Active Directory DC +to ensure full operation with modern windows clients. + REMOVED FEATURES ================ @@ -64,6 +73,7 @@ smb.conf changes -------------- ----------- ------- ldap ssl ads removed smb2 disable lock sequence checking No + domain logons Deprecated no CHANGES SINCE 4.13.0rc1 diff --git a/docs-xml/smbdotconf/logon/domainlogons.xml b/docs-xml/smbdotconf/logon/domainlogons.xml index 7ee419e15af..7f849751a9e 100644 --- a/docs-xml/smbdotconf/logon/domainlogons.xml +++ b/docs-xml/smbdotconf/logon/domainlogons.xml @@ -2,8 +2,15 @@ context="G" type="boolean" function="_domain_logons" + deprecated="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> + This parameter has been deprecated since Samba 4.13 and + support for NT4-style domain logons(as distinct from the Samba + AD DC) will be removed in a future Samba release. + That is, in the future, the current default of + domain logons = no + will be the enforced behaviour. If set to yes, the Samba server will provide the netlogon service for Windows 9X network logons for the -- 2.26.2 From 8c76f25d35c8543b622f782c40185daac310089e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 5 Sep 2019 16:53:20 +1200 Subject: [PATCH 05/10] docs: deprecate "client use spnego" This parameter is appicable only to SMBv1 and we are deprecating SMBv1 specific authentication options for possible removal. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460 
Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher (cherry picked from commit 1b85db57e53533ce14beb79f6d949a08f6ef9f91) --- docs-xml/smbdotconf/protocol/clientusespnego.xml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs-xml/smbdotconf/protocol/clientusespnego.xml b/docs-xml/smbdotconf/protocol/clientusespnego.xml index b2f3b1257fb..2d45f912f17 100644 --- a/docs-xml/smbdotconf/protocol/clientusespnego.xml +++ b/docs-xml/smbdotconf/protocol/clientusespnego.xml @@ -1,8 +1,16 @@ + This parameter has been deprecated since Samba 4.13 and + support for NTLMv2, NTLM and LanMan authentication outside NTLMSSP + will be removed in a future Samba release. + That is, in the future, the current default of + client use spnego = yes + will be the enforced behaviour. + This variable controls whether Samba clients will try to use Simple and Protected NEGOciation (as specified by rfc2478) with supporting servers (including WindowsXP, Windows2000 and Samba -- 2.26.2 From fbab8da1bf0a32d6b659ce09a439185641d30eb7 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 5 Sep 2019 16:53:46 +1200 Subject: [PATCH 06/10] docs: deprecate "client lanman auth" This parameter is appicable only to SMBv1 and we are deprecating SMBv1 specific authentication options for possible removal. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher (cherry picked from commit ac8e5ea22d9f9b16a79f519f69852b46ac798541) --- docs-xml/smbdotconf/security/clientlanmanauth.xml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs-xml/smbdotconf/security/clientlanmanauth.xml b/docs-xml/smbdotconf/security/clientlanmanauth.xml index c026b8f429b..60e1c86809e 100644 --- a/docs-xml/smbdotconf/security/clientlanmanauth.xml +++ b/docs-xml/smbdotconf/security/clientlanmanauth.xml 
@@ -1,8 +1,17 @@ + This parameter has been deprecated since Samba 4.13 and + support for LanMan (as distinct from NTLM, NTLMv2 or + Kerberos) authentication as a client + will be removed in a future Samba release. + That is, in the future, the current default of + client NTLMv2 auth = yes + will be the enforced behaviour. + This parameter determines whether or not smbclient 8 and other samba client tools will attempt to authenticate itself to servers using the -- 2.26.2 From 4df3ddac78ca29a4d2ee363d17ba6e0e290dff01 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 5 Sep 2019 16:54:01 +1200 Subject: [PATCH 07/10] docs: deprecate "client NTLMv2 auth" This parameter is appicable only to SMBv1 and we are deprecating SMBv1 specific authentication options for possible removal. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher (cherry picked from commit 5543c11c8b007b49641758428af7ba3976683438) --- docs-xml/smbdotconf/security/clientntlmv2auth.xml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs-xml/smbdotconf/security/clientntlmv2auth.xml b/docs-xml/smbdotconf/security/clientntlmv2auth.xml index f42f627bc08..9b47944dfcc 100644 --- a/docs-xml/smbdotconf/security/clientntlmv2auth.xml +++ b/docs-xml/smbdotconf/security/clientntlmv2auth.xml @@ -1,8 +1,17 @@ + This parameter has been deprecated since Samba 4.13 and + support for NTLM and LanMan (as distinct from NTLMv2 or + Kerberos authentication) + will be removed in a future Samba release. + That is, in the future, the current default of + client NTLMv2 auth = yes + will be the enforced behaviour. + This parameter determines whether or not smbclient 8 will attempt to authenticate itself to servers using the NTLMv2 encrypted password -- 2.26.2 From e495a84c4bf68288db52aee7f69cf40f0df2c187 Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Thu, 5 Sep 2019 16:55:23 +1200 Subject: [PATCH 08/10] docs: deprecate "client plaintext auth" This parameter is appicable only to SMBv1 and we are deprecating SMBv1 specific authentication options for possible removal. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher (cherry picked from commit 37583b19d2c3dbf3e9d0498a39b8b9d9c727e1d4) --- docs-xml/smbdotconf/security/clientplaintextauth.xml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs-xml/smbdotconf/security/clientplaintextauth.xml b/docs-xml/smbdotconf/security/clientplaintextauth.xml index 1c4d3566f82..5a51c33216c 100644 --- a/docs-xml/smbdotconf/security/clientplaintextauth.xml +++ b/docs-xml/smbdotconf/security/clientplaintextauth.xml @@ -1,8 +1,17 @@ + This parameter has been deprecated since Samba 4.13 and + support for plaintext (as distinct from NTLM, NTLMv2 or + Kerberos authentication) + will be removed in a future Samba release. + That is, in the future, the current default of + client plaintext auth = no + will be the enforced behaviour. + Specifies whether a client should send a plaintext password if the server does not support encrypted passwords. -- 2.26.2 From a8ff7be33d4301e247922420bb4a42bc0d348212 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 5 Sep 2019 16:55:35 +1200 Subject: [PATCH 09/10] docs: deprecate "raw NTLMv2 auth" This parameter is appicable only to SMBv1 and we are deprecating SMBv1 specific authentication options for possible removal. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher (cherry picked from commit 8c9d9441edce2e8d7f0428d0ec5e209ed8a55dbc) --- docs-xml/smbdotconf/security/rawntlmv2auth.xml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs-xml/smbdotconf/security/rawntlmv2auth.xml b/docs-xml/smbdotconf/security/rawntlmv2auth.xml index 30e7280bc5d..c4d75546388 100644 
--- a/docs-xml/smbdotconf/security/rawntlmv2auth.xml +++ b/docs-xml/smbdotconf/security/rawntlmv2auth.xml @@ -1,8 +1,16 @@ + This parameter has been deprecated since Samba 4.13 and + support for NTLMv2 authentication without NTLMSSP will be removed + in a future Samba release. + That is, in the future, the current default of + raw NTLMv2 auth = no + will be the enforced behaviour. + This parameter determines whether or not smbd 8 will allow SMB1 clients without extended security (without SPNEGO) to use NTLMv2 authentication. -- 2.26.2 From 2115078a5273e91a1b06655c464381f1ae533793 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 16 Jun 2020 22:23:32 +1200 Subject: [PATCH 10/10] WHATSNEW: list deprecated parameters BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Aug 18 01:32:21 UTC 2020 on sn-devel-184 (cherry picked from commit 20606fd0a4c4697ff99da59f748af6908d929901) --- WHATSNEW.txt | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index b996363f7c3..e8b7cb4574c 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -61,6 +61,12 @@ Sites using Samba as a Domain Controller should upgrade from the NT4-like 'classic' Domain Controller to a Samba Active Directory DC to ensure full operation with modern windows clients. +SMBv1 only protocol options deprecated +-------------------------------------- + +A number of smb.conf parameters for less-secure authentication methods +which are only possible over SMBv1 are deprecated in this release. + REMOVED FEATURES ================ 
@@ -74,6 +80,11 @@ smb.conf changes ldap ssl ads removed smb2 disable lock sequence checking No domain logons Deprecated no + raw NTLMv2 auth Deprecated no + client plaintext auth Deprecated no + client NTLMv2 auth Deprecated yes + client lanman auth Deprecated no + client use spnego Deprecated yes CHANGES SINCE 4.13.0rc1 -- 2.26.2