From e79bc99868efb526fe681892d96df8de03b6c9f9 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 13 May 2011 17:55:41 +0200 Subject: [PATCH 3/4] s3-param Deprecate a number of security parameters for 3.6 This follows up on the agreement on the samba-technical list in Jan 2011 to deprecate these options, and to possibly remove these in the 4.0 release after user feedback. Andrew Bartlett Autobuild-User: Andrew Bartlett Autobuild-Date: Fri May 13 19:51:41 CEST 2011 on sn-devel-104 --- docs-xml/smbdotconf/logon/enableprivileges.xml | 2 +- docs-xml/smbdotconf/protocol/usespnego.xml | 2 +- docs-xml/smbdotconf/security/passwordlevel.xml | 2 +- docs-xml/smbdotconf/security/security.xml | 142 +++++++++++------------- docs-xml/smbdotconf/security/username.xml | 2 +- source3/param/loadparm.c | 16 ++- 6 files changed, 81 insertions(+), 85 deletions(-) diff --git a/docs-xml/smbdotconf/logon/enableprivileges.xml b/docs-xml/smbdotconf/logon/enableprivileges.xml index 3e958e0..0fbc504 100644 --- a/docs-xml/smbdotconf/logon/enableprivileges.xml +++ b/docs-xml/smbdotconf/logon/enableprivileges.xml @@ -5,7 +5,7 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either + This deprecated parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either net rpc rights or one of the Windows user and group manager tools. This parameter is enabled by default. It can be disabled to prevent members of the Domain Admins group from being able to assign privileges to users or groups which can then result in certain smbd operations running as root that diff --git a/docs-xml/smbdotconf/protocol/usespnego.xml b/docs-xml/smbdotconf/protocol/usespnego.xml index 8fb559c..e16c7ce 100644 --- a/docs-xml/smbdotconf/protocol/usespnego.xml +++ b/docs-xml/smbdotconf/protocol/usespnego.xml @@ -4,7 +4,7 @@ developer="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This variable controls controls whether samba will try + This deprecated variable controls controls whether samba will try to use Simple and Protected NEGOciation (as specified by rfc2478) with WindowsXP and Windows2000 clients to agree upon an authentication mechanism. diff --git a/docs-xml/smbdotconf/security/passwordlevel.xml b/docs-xml/smbdotconf/security/passwordlevel.xml index 1da11e4..eee838f 100644 --- a/docs-xml/smbdotconf/security/passwordlevel.xml +++ b/docs-xml/smbdotconf/security/passwordlevel.xml @@ -13,7 +13,7 @@ text passwords even when NT LM 0.12 selected by the protocol negotiation request/response. - This parameter defines the maximum number of characters + This deprecated parameter defines the maximum number of characters that may be upper case in passwords. For example, say the password given was "FRED". If diff --git a/docs-xml/smbdotconf/security/security.xml b/docs-xml/smbdotconf/security/security.xml index 18b9f6c..55e147e 100644 --- a/docs-xml/smbdotconf/security/security.xml +++ b/docs-xml/smbdotconf/security/security.xml @@ -22,32 +22,18 @@ the most common setting needed when talking to Windows 98 and Windows NT. - The alternatives are security = share, - security = server or security = domain - . + The alternatives are + security = ads or security = domain + , which support joining Samba to a Windows domain, along with security = share and security = server, both of which are deprecated. In versions of Samba prior to 2.0.0, the default was security = share mainly because that was the only option at one stage. - There is a bug in WfWg that has relevance to this - setting. When in user or server level security a WfWg client - will totally ignore the username and password you type in the "connect - drive" dialog box. This makes it very difficult (if not impossible) - to connect to a Samba service as anyone except the user that - you are logged into WfWg as. - - If your PCs use usernames that are the same as their - usernames on the UNIX machine then you will want to use - security = user. If you mostly use usernames - that don't exist on the UNIX box then use security = - share. - - You should also use security = share if you + You should use security = user and + if you want to mainly setup shares without a password (guest shares). This - is commonly used for a shared printer server. It is more difficult - to setup guest shares with security = user, see - the parameter for details. + is commonly used for a shared printer server. It is possible to use smbd in a hybrid mode where it is offers both user and share @@ -56,7 +42,62 @@ The different settings will now be explained. + SECURITY = USER + + This is the default security setting in Samba. + With user-level security a client must first "log-on" with a + valid username and password (which can be mapped using the + parameter). Encrypted passwords (see the parameter) can also + be used in this security mode. Parameters such as and if set are then applied and + may change the UNIX user to use on this connection, but only after + the user has been successfully authenticated. + + Note that the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the . + See the parameter for details on doing this. + + See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. + + SECURITY = DOMAIN + + This mode will only work correctly if net + 8 has been used to add this + machine into a Windows NT Domain. It expects the + parameter to be set to yes. In this + mode Samba will try to validate the username/password by passing + it to a Windows NT Primary or Backup Domain Controller, in exactly + the same way that a Windows NT Server would do. + + Note that a valid UNIX user must still + exist as well as the account on the Domain Controller to allow + Samba to have a valid UNIX account to map file access to. + + Note that from the client's point + of view security = domain is the same + as security = user. It only + affects how the server deals with the authentication, + it does not in any way affect what the client sees. + + Note that the name of the resource being + requested is not sent to the server until after + the server has successfully authenticated the client. This is why + guest shares don't work in user level security without allowing + the server to automatically map unknown users into the . + See the parameter for details on doing this. + + See also the section + NOTE ABOUT USERNAME/PASSWORD VALIDATION. + + See also the parameter and + the parameter. + SECURITY = SHARE + + This option is deprecated as it is incompatible with SMB2 When clients connect to a share level security server, they need not log onto the server with a valid username and password before @@ -135,63 +176,10 @@ See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. - SECURITY = USER - - This is the default security setting in Samba 3.0. - With user-level security a client must first "log-on" with a - valid username and password (which can be mapped using the - parameter). Encrypted passwords (see the parameter) can also - be used in this security mode. Parameters such as and if set are then applied and - may change the UNIX user to use on this connection, but only after - the user has been successfully authenticated. - - Note that the name of the resource being - requested is not sent to the server until after - the server has successfully authenticated the client. This is why - guest shares don't work in user level security without allowing - the server to automatically map unknown users into the . - See the parameter for details on doing this. - - See also the section NOTE ABOUT USERNAME/PASSWORD VALIDATION. - - SECURITY = DOMAIN - - This mode will only work correctly if net - 8 has been used to add this - machine into a Windows NT Domain. It expects the - parameter to be set to yes. In this - mode Samba will try to validate the username/password by passing - it to a Windows NT Primary or Backup Domain Controller, in exactly - the same way that a Windows NT Server would do. - - Note that a valid UNIX user must still - exist as well as the account on the Domain Controller to allow - Samba to have a valid UNIX account to map file access to. - - Note that from the client's point - of view security = domain is the same - as security = user. It only - affects how the server deals with the authentication, - it does not in any way affect what the client sees. - - Note that the name of the resource being - requested is not sent to the server until after - the server has successfully authenticated the client. This is why - guest shares don't work in user level security without allowing - the server to automatically map unknown users into the . - See the parameter for details on doing this. - - See also the section - NOTE ABOUT USERNAME/PASSWORD VALIDATION. - - See also the parameter and - the parameter. - SECURITY = SERVER - In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an + In this depicted mode Samba will try to validate the username/password by passing it to another SMB server, such as an NT box. If this fails it will revert to security = user. It expects the parameter to be set to yes, unless the remote server does not support them. However note that if encrypted passwords have been negotiated then Samba cannot @@ -203,10 +191,10 @@ This mode of operation has significant pitfalls since it is more vulnerable to man-in-the-middle attacks and server impersonation. In particular, - this mode of operation can cause significant resource consuption on + this mode of operation can cause significant resource consumption on the PDC, as it must maintain an active connection for the duration of the user's session. Furthermore, if this connection is lost, - there is no way to reestablish it, and futher authentications to the + there is no way to reestablish it, and further authentications to the Samba server may fail (from a single client, till it disconnects). @@ -219,6 +207,8 @@ only affects how the server deals with the authentication, it does not in any way affect what the client sees. + This option is deprecated, and may be removed in future + Note that the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client. This is why diff --git a/docs-xml/smbdotconf/security/username.xml b/docs-xml/smbdotconf/security/username.xml index 3a45d4d..19d8a2e 100644 --- a/docs-xml/smbdotconf/security/username.xml +++ b/docs-xml/smbdotconf/security/username.xml @@ -9,7 +9,7 @@ list, in which case the supplied password will be tested against each username in turn (left to right). - The username line is needed only when + The deprecated username line is needed only when the PC is unable to supply its own username. This is the case for the COREPLUS protocol or where your users have different WfWg usernames to UNIX usernames. In both these cases you may also be diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 73406c1..fc19656 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -1160,7 +1160,7 @@ static struct parm_struct parm_table[] = { .ptr = &Globals.bNullPasswords, .special = NULL, .enum_list = NULL, - .flags = FLAG_ADVANCED, + .flags = FLAG_ADVANCED | FLAG_DEPRECATED, }, { .label = "obey pam restrictions", @@ -1259,7 +1259,7 @@ static struct parm_struct parm_table[] = { .ptr = &Globals.bEnablePrivileges, .special = NULL, .enum_list = NULL, - .flags = FLAG_ADVANCED, + .flags = FLAG_ADVANCED | FLAG_DEPRECATED, }, { @@ -1332,7 +1332,7 @@ static struct parm_struct parm_table[] = { .ptr = &Globals.pwordlevel, .special = NULL, .enum_list = NULL, - .flags = FLAG_ADVANCED, + .flags = FLAG_ADVANCED | FLAG_DEPRECATED, }, { .label = "username level", @@ -1431,7 +1431,7 @@ static struct parm_struct parm_table[] = { .ptr = &sDefault.szUsername, .special = NULL, .enum_list = NULL, - .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE, + .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE | FLAG_DEPRECATED, }, { .label = "user", @@ -2294,7 +2294,7 @@ static struct parm_struct parm_table[] = { .ptr = &Globals.bUseSpnego, .special = NULL, .enum_list = NULL, - .flags = FLAG_ADVANCED, + .flags = FLAG_ADVANCED | FLAG_DEPRECATED, }, { .label = "client signing", @@ -9580,6 +9580,12 @@ static bool lp_load_ex(const char *pszFname, set_default_server_announce_type(); set_allowed_client_auth(); + if (lp_security() == SEC_SHARE) { + DEBUG(1, ("WARNING: The security=share option is deprecated\n")); + } else if (lp_security() == SEC_SERVER) { + DEBUG(1, ("WARNING: The security=server option is deprecated\n")); + } + bLoaded = True; /* Now we check bWINSsupport and set szWINSserver to 127.0.0.1 */ -- 1.7.4.4