The Samba-Bugzilla – Attachment 6480 Details for Bug 8151: deprecate security parameters for 3.6
[patch] Improved patch stream
security-param.patch (text/plain), 28.47 KB, created by Andrew Bartlett on 2011-05-24 00:44:14 UTC
Attachment is marked: patch, obsolete
>From d476877c327a53defa97f9a500e09a9f944b5fa6 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Mon, 23 May 2011 10:20:47 +1000 >Subject: [PATCH 1/5] docs: Rewrite 'password server' documentation > >I think this new version is more clear. > >Andrew Bartlett >--- > docs-xml/smbdotconf/security/passwordserver.xml | 106 ++++++++++++----------- > 1 files changed, 54 insertions(+), 52 deletions(-) > >diff --git a/docs-xml/smbdotconf/security/passwordserver.xml b/docs-xml/smbdotconf/security/passwordserver.xml >index 0e92af9..0ac39f1 100644 >--- a/docs-xml/smbdotconf/security/passwordserver.xml >+++ b/docs-xml/smbdotconf/security/passwordserver.xml 
>@@ -10,54 +10,24 @@ > it is possible to get Samba > to do all its username/password validation using a specific remote server.</para> > >- <para>This option sets the name or IP address of the password server to use. >- New syntax has been added to support defining the port to use when connecting >- to the server the case of an ADS realm. To define a port other than the >- default LDAP port of 389, add the port number using a colon after the >- name or IP address (e.g. 192.168.1.100:389). If you do not specify a port, >- Samba will use the standard LDAP port of tcp/389. Note that port numbers >- have no effect on password servers for Windows NT 4.0 domains or netbios >- connections.</para> >- >- <para>If parameter is a name, it is looked up using the >- parameter <smbconfoption name="name resolve order"/> and so may resolved >- by any method and order described in that parameter.</para> >- >- <para>The password server must be a machine capable of using >- the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in >- user level security mode.</para> >- >- <note><para>Using a password server means your UNIX box (running >- Samba) is only as secure as your password server. <emphasis>DO NOT >- CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST</emphasis>. >- </para></note> >- >- <para>Never point a Samba server at itself for password serving. >- This will cause a loop and could lock up your Samba server!</para> >- >- <para>The name of the password server takes the standard >- substitutions, but probably the only useful one is <parameter moreinfo="none">%m >- </parameter>, which means the Samba server will use the incoming >- client as the password server. 
If you use this then you better >- trust your clients, and you had better restrict them with hosts allow!</para> >- > <para>If the <parameter moreinfo="none">security</parameter> parameter is set to >- <constant>domain</constant> or <constant>ads</constant>, then the list of machines in this >- option must be a list of Primary or Backup Domain controllers for the >- Domain or the character '*', as the Samba server is effectively >- in that domain, and will use cryptographically authenticated RPC calls >- to authenticate the user logging on. The advantage of using <command moreinfo="none"> >- security = domain</command> is that if you list several hosts in the >- <parameter moreinfo="none">password server</parameter> option then <command moreinfo="none">smbd >- </command> will try each in turn till it finds one that responds. This >- is useful in case your primary server goes down.</para> >+ <constant>domain</constant> or <constant>ads</constant>, then this option >+ <emphasis>should not</emphasis> be used, as the default '*' indicates to Samba >+ to determine the best DC to contact dynamically, just as all other hosts in an >+ AD domain do. This allows the domain to be maintained without modification to >+ the smb.conf file. The cryptograpic protection on the authenticated RPC calls >+ used to verify passwords ensures that this default is safe.</para> > >- <para>If the <parameter moreinfo="none">password server</parameter> option is set >- to the character '*', then Samba will attempt to auto-locate the >- Primary or Backup Domain controllers to authenticate against by >- doing a query for the name <constant>WORKGROUP<1C></constant> >- and then contacting each server returned in the list of IP >- addresses from the name resolution source. 
</para> >+ <para><emphasis>It is strongly recommended that you use the >+ default of '*'</emphasis>, however if in your particular >+ environment you have reason to specify a particular DC list, then >+ the list of machines in this option must be a list of names or IP >+ addresses of Domain controllers for the Domain. If you use the >+ default of '*', or list several hosts in the <parameter >+ moreinfo="none">password server</parameter> option then <command >+ moreinfo="none">smbd </command> will try each in turn till it >+ finds one that responds. This is useful in case your primary >+ server goes down.</para> > > <para>If the list of servers contains both names/IP's and the '*' > character, the list is treated as a list of preferred >@@ -65,10 +35,12 @@ > will be added to the list as well. Samba will not attempt to optimize > this list by locating the closest DC.</para> > >+ <para>If parameter is a name, it is looked up using the >+ parameter <smbconfoption name="name resolve order"/> and so may resolved >+ by any method and order described in that parameter.</para> >+ > <para>If the <parameter moreinfo="none">security</parameter> parameter is >- set to <constant>server</constant>, then there are different >- restrictions that <command moreinfo="none">security = domain</command> doesn't >- suffer from:</para> >+ set to <constant>server</constant>, these additional restrictions apply:</para> > > <itemizedlist> > <listitem> 
>@@ -82,12 +54,42 @@ > </listitem> > > <listitem> >- <para>If you are using a Windows NT server as your >- password server then you will have to ensure that your users >+ <para>You will have to ensure that your users > are able to login from the Samba server, as when in <command moreinfo="none"> > security = server</command> mode the network logon will appear to >- come from there rather than from the users workstation.</para> >+ come from the Samba server rather than from the users workstation.</para> > </listitem> >+ >+ <listitem> >+ <para>The client must not select NTLMv2 authentication.</para> >+ </listitem> >+ >+ <listitem> >+ <para>The password server must be a machine capable of using >+ the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in >+ user level security mode.</para> >+ </listitem> >+ >+ <listitem> >+ <para>Using a password server means your UNIX box (running >+ Samba) is only as secure as (a host masqurading as) your password server. <emphasis>DO NOT >+ CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST</emphasis>. >+ </para> >+ </listitem> >+ >+ <listitem> >+ <para>Never point a Samba server at itself for password serving. >+ This will cause a loop and could lock up your Samba server!</para> >+ </listitem> >+ >+ <listitem> >+ <para>The name of the password server takes the standard >+ substitutions, but probably the only useful one is <parameter moreinfo="none">%m >+ </parameter>, which means the Samba server will use the incoming >+ client as the password server. If you use this then you better >+ trust your clients, and you had better restrict them with hosts allow!</para> >+ </listitem> >+ > </itemizedlist> > </description> > >-- >1.7.4.4 > > >From 19c31e2b34ffbbac13e60acd9994b69b9b8b5d3c Mon Sep 17 00:00:00 2001 
>From: Andrew Bartlett <abartlet@samba.org> >Date: Mon, 23 May 2011 10:42:40 +1000 >Subject: [PATCH 2/5] docs: Clarify the 'security=server' fails for NTLMv2 > >--- > docs-xml/smbdotconf/security/security.xml | 3 +++ > 1 files changed, 3 insertions(+), 0 deletions(-) > >diff --git a/docs-xml/smbdotconf/security/security.xml b/docs-xml/smbdotconf/security/security.xml >index 514ea54..18b9f6c 100644 >--- a/docs-xml/smbdotconf/security/security.xml >+++ b/docs-xml/smbdotconf/security/security.xml >@@ -210,6 +210,9 @@ > Samba server may fail (from a single client, till it disconnects). > </para></note> > >+ <note><para>If the client selects NTLMv2 authentication, then this mode of operation <emphasis>will fail</emphasis> >+ </para></note> >+ > <note><para>From the client's point of > view, <command moreinfo="none">security = server</command> is the > same as <command moreinfo="none">security = user</command>. It >-- >1.7.4.4 > > >From 90648008e8efe1bfc06ea29b23df392f74216609 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Fri, 13 May 2011 17:55:41 +0200 >Subject: [PATCH 3/5] s3-param Deprecate a number of security parameters for > 3.6 > >This follows up on the agreement on the samba-technical list in Jan >2011 to deprecate these options, and to possibly remove these in the >4.0 release after user feedback. > >Andrew Bartlett > >Autobuild-User: Andrew Bartlett <abartlet@samba.org> >Autobuild-Date: Fri May 13 19:51:41 CEST 2011 on sn-devel-104 >--- > docs-xml/smbdotconf/logon/enableprivileges.xml | 2 +- > docs-xml/smbdotconf/protocol/usespnego.xml | 2 +- > docs-xml/smbdotconf/security/passwordlevel.xml | 2 +- > docs-xml/smbdotconf/security/security.xml | 142 +++++++++++------------- > docs-xml/smbdotconf/security/username.xml | 2 +- > source3/param/loadparm.c | 16 ++- > 6 files changed, 81 insertions(+), 85 deletions(-) 
> >diff --git a/docs-xml/smbdotconf/logon/enableprivileges.xml b/docs-xml/smbdotconf/logon/enableprivileges.xml >index 3e958e0..0fbc504 100644 >--- a/docs-xml/smbdotconf/logon/enableprivileges.xml >+++ b/docs-xml/smbdotconf/logon/enableprivileges.xml >@@ -5,7 +5,7 @@ > xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> > <description> > <para> >- This parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either >+ This deprecated parameter controls whether or not smbd will honor privileges assigned to specific SIDs via either > <command>net rpc rights</command> or one of the Windows user and group manager tools. This parameter is > enabled by default. It can be disabled to prevent members of the Domain Admins group from being able to > assign privileges to users or groups which can then result in certain smbd operations running as root that >diff --git a/docs-xml/smbdotconf/protocol/usespnego.xml b/docs-xml/smbdotconf/protocol/usespnego.xml >index 8fb559c..e16c7ce 100644 >--- a/docs-xml/smbdotconf/protocol/usespnego.xml >+++ b/docs-xml/smbdotconf/protocol/usespnego.xml >@@ -4,7 +4,7 @@ > developer="1" > xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> > <description> >- <para>This variable controls controls whether samba will try >+ <para>This deprecated variable controls controls whether samba will try > to use Simple and Protected NEGOciation (as specified by rfc2478) with > WindowsXP and Windows2000 clients to agree upon an authentication mechanism. > </para> >diff --git a/docs-xml/smbdotconf/security/passwordlevel.xml b/docs-xml/smbdotconf/security/passwordlevel.xml >index 1da11e4..eee838f 100644 >--- a/docs-xml/smbdotconf/security/passwordlevel.xml >+++ b/docs-xml/smbdotconf/security/passwordlevel.xml 
>@@ -13,7 +13,7 @@ > text passwords even when NT LM 0.12 selected by the protocol > negotiation request/response.</para> > >- <para>This parameter defines the maximum number of characters >+ <para>This deprecated parameter defines the maximum number of characters > that may be upper case in passwords.</para> > > <para>For example, say the password given was "FRED". If <parameter moreinfo="none"> >diff --git a/docs-xml/smbdotconf/security/security.xml b/docs-xml/smbdotconf/security/security.xml >index 18b9f6c..55e147e 100644 >--- a/docs-xml/smbdotconf/security/security.xml >+++ b/docs-xml/smbdotconf/security/security.xml 
>@@ -22,32 +22,18 @@ > the most common setting needed when talking to Windows 98 and > Windows NT.</para> > >- <para>The alternatives are <command moreinfo="none">security = share</command>, >- <command moreinfo="none">security = server</command> or <command moreinfo="none">security = domain >- </command>.</para> >+ <para>The alternatives are >+ <command moreinfo="none">security = ads</command> or <command moreinfo="none">security = domain >+ </command>, which support joining Samba to a Windows domain, along with <command moreinfo="none">security = share</command> and <command moreinfo="none">security = server</command>, both of which are deprecated.</para> > > <para>In versions of Samba prior to 2.0.0, the default was > <command moreinfo="none">security = share</command> mainly because that was > the only option at one stage.</para> > >- <para>There is a bug in WfWg that has relevance to this >- setting. When in user or server level security a WfWg client >- will totally ignore the username and password you type in the "connect >- drive" dialog box. This makes it very difficult (if not impossible) >- to connect to a Samba service as anyone except the user that >- you are logged into WfWg as.</para> >- >- <para>If your PCs use usernames that are the same as their >- usernames on the UNIX machine then you will want to use >- <command moreinfo="none">security = user</command>. If you mostly use usernames >- that don't exist on the UNIX box then use <command moreinfo="none">security = >- share</command>.</para> >- >- <para>You should also use <command moreinfo="none">security = share</command> if you >+ <para>You should use <command moreinfo="none">security = user</command> and >+ <smbconfoption name="map to guest"/> if you > want to mainly setup shares without a password (guest shares). This >- is commonly used for a shared printer server. 
It is more difficult >- to setup guest shares with <command moreinfo="none">security = user</command>, see >- the <smbconfoption name="map to guest"/> parameter for details.</para> >+ is commonly used for a shared printer server. </para> > > <para>It is possible to use <command moreinfo="none">smbd</command> in a <emphasis> > hybrid mode</emphasis> where it is offers both user and share 
>@@ -56,7 +42,62 @@ > <para>The different settings will now be explained.</para> > > >+ <para><anchor id="SECURITYEQUALSUSER"/><emphasis>SECURITY = USER</emphasis></para> >+ >+ <para>This is the default security setting in Samba. >+ With user-level security a client must first "log-on" with a >+ valid username and password (which can be mapped using the <smbconfoption name="username map"/> >+ parameter). Encrypted passwords (see the <smbconfoption name="encrypted passwords"/> parameter) can also >+ be used in this security mode. Parameters such as <smbconfoption name="user"/> and <smbconfoption >+ name="guest only"/> if set are then applied and >+ may change the UNIX user to use on this connection, but only after >+ the user has been successfully authenticated.</para> >+ >+ <para><emphasis>Note</emphasis> that the name of the resource being >+ requested is <emphasis>not</emphasis> sent to the server until after >+ the server has successfully authenticated the client. This is why >+ guest shares don't work in user level security without allowing >+ the server to automatically map unknown users into the <smbconfoption name="guest account"/>. >+ See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para> >+ >+ <para>See also the section <link linkend="VALIDATIONSECT">NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> >+ >+ <para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY = DOMAIN</emphasis></para> >+ >+ <para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle> >+ <manvolnum>8</manvolnum></citerefentry> has been used to add this >+ machine into a Windows NT Domain. It expects the <smbconfoption name="encrypted passwords"/> >+ parameter to be set to <constant>yes</constant>. 
In this >+ mode Samba will try to validate the username/password by passing >+ it to a Windows NT Primary or Backup Domain Controller, in exactly >+ the same way that a Windows NT Server would do.</para> >+ >+ <para><emphasis>Note</emphasis> that a valid UNIX user must still >+ exist as well as the account on the Domain Controller to allow >+ Samba to have a valid UNIX account to map file access to.</para> >+ >+ <para><emphasis>Note</emphasis> that from the client's point >+ of view <command moreinfo="none">security = domain</command> is the same >+ as <command moreinfo="none">security = user</command>. It only >+ affects how the server deals with the authentication, >+ it does not in any way affect what the client sees.</para> >+ >+ <para><emphasis>Note</emphasis> that the name of the resource being >+ requested is <emphasis>not</emphasis> sent to the server until after >+ the server has successfully authenticated the client. This is why >+ guest shares don't work in user level security without allowing >+ the server to automatically map unknown users into the <smbconfoption name="guest account"/>. >+ See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para> >+ >+ <para>See also the section <link linkend="VALIDATIONSECT"> >+ NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> >+ >+ <para>See also the <smbconfoption name="password server"/> parameter and >+ the <smbconfoption name="encrypted passwords"/> parameter.</para> >+ > <para><anchor id="SECURITYEQUALSSHARE"/><emphasis>SECURITY = SHARE</emphasis></para> >+ >+ <note><para>This option is deprecated as it is incompatible with SMB2</para></note> > > <para>When clients connect to a share level security server, they > need not log onto the server with a valid username and password before 
>@@ -135,63 +176,10 @@ > <para>See also the section <link linkend="VALIDATIONSECT"> > NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> > >- <para><anchor id="SECURITYEQUALSUSER"/><emphasis>SECURITY = USER</emphasis></para> >- >- <para>This is the default security setting in Samba 3.0. >- With user-level security a client must first "log-on" with a >- valid username and password (which can be mapped using the <smbconfoption name="username map"/> >- parameter). Encrypted passwords (see the <smbconfoption name="encrypted passwords"/> parameter) can also >- be used in this security mode. Parameters such as <smbconfoption name="user"/> and <smbconfoption >- name="guest only"/> if set are then applied and >- may change the UNIX user to use on this connection, but only after >- the user has been successfully authenticated.</para> >- >- <para><emphasis>Note</emphasis> that the name of the resource being >- requested is <emphasis>not</emphasis> sent to the server until after >- the server has successfully authenticated the client. This is why >- guest shares don't work in user level security without allowing >- the server to automatically map unknown users into the <smbconfoption name="guest account"/>. >- See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para> >- >- <para>See also the section <link linkend="VALIDATIONSECT">NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> >- >- <para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY = DOMAIN</emphasis></para> >- >- <para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle> >- <manvolnum>8</manvolnum></citerefentry> has been used to add this >- machine into a Windows NT Domain. It expects the <smbconfoption name="encrypted passwords"/> >- parameter to be set to <constant>yes</constant>. 
In this >- mode Samba will try to validate the username/password by passing >- it to a Windows NT Primary or Backup Domain Controller, in exactly >- the same way that a Windows NT Server would do.</para> >- >- <para><emphasis>Note</emphasis> that a valid UNIX user must still >- exist as well as the account on the Domain Controller to allow >- Samba to have a valid UNIX account to map file access to.</para> >- >- <para><emphasis>Note</emphasis> that from the client's point >- of view <command moreinfo="none">security = domain</command> is the same >- as <command moreinfo="none">security = user</command>. It only >- affects how the server deals with the authentication, >- it does not in any way affect what the client sees.</para> >- >- <para><emphasis>Note</emphasis> that the name of the resource being >- requested is <emphasis>not</emphasis> sent to the server until after >- the server has successfully authenticated the client. This is why >- guest shares don't work in user level security without allowing >- the server to automatically map unknown users into the <smbconfoption name="guest account"/>. >- See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para> >- >- <para>See also the section <link linkend="VALIDATIONSECT"> >- NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para> >- >- <para>See also the <smbconfoption name="password server"/> parameter and >- the <smbconfoption name="encrypted passwords"/> parameter.</para> >- > <para><anchor id="SECURITYEQUALSSERVER"/><emphasis>SECURITY = SERVER</emphasis></para> > > <para> >- In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an >+ In this depicted mode Samba will try to validate the username/password by passing it to another SMB server, such as an > NT box. If this fails it will revert to <command moreinfo="none">security = user</command>. 
It expects the > <smbconfoption name="encrypted passwords"/> parameter to be set to <constant>yes</constant>, unless the remote > server does not support them. However note that if encrypted passwords have been negotiated then Samba cannot >@@ -203,10 +191,10 @@ > <note><para>This mode of operation has > significant pitfalls since it is more vulnerable to > man-in-the-middle attacks and server impersonation. In particular, >- this mode of operation can cause significant resource consuption on >+ this mode of operation can cause significant resource consumption on > the PDC, as it must maintain an active connection for the duration > of the user's session. Furthermore, if this connection is lost, >- there is no way to reestablish it, and futher authentications to the >+ there is no way to reestablish it, and further authentications to the > Samba server may fail (from a single client, till it disconnects). > </para></note> > >@@ -219,6 +207,8 @@ > only affects how the server deals with the authentication, it does > not in any way affect what the client sees.</para></note> > >+ <note><para>This option is deprecated, and may be removed in future</para></note> >+ > <para><emphasis>Note</emphasis> that the name of the resource being > requested is <emphasis>not</emphasis> sent to the server until after > the server has successfully authenticated the client. This is why >diff --git a/docs-xml/smbdotconf/security/username.xml b/docs-xml/smbdotconf/security/username.xml >index 3a45d4d..19d8a2e 100644 >--- a/docs-xml/smbdotconf/security/username.xml >+++ b/docs-xml/smbdotconf/security/username.xml 
>@@ -9,7 +9,7 @@ > list, in which case the supplied password will be tested against > each username in turn (left to right).</para> > >- <para>The <parameter moreinfo="none">username</parameter> line is needed only when >+ <para>The deprecated <parameter moreinfo="none">username</parameter> line is needed only when > the PC is unable to supply its own username. This is the case > for the COREPLUS protocol or where your users have different WfWg > usernames to UNIX usernames. In both these cases you may also be >diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c >index 73406c1..fc19656 100644 >--- a/source3/param/loadparm.c >+++ b/source3/param/loadparm.c >@@ -1160,7 +1160,7 @@ static struct parm_struct parm_table[] = { > .ptr = &Globals.bNullPasswords, > .special = NULL, > .enum_list = NULL, >- .flags = FLAG_ADVANCED, >+ .flags = FLAG_ADVANCED | FLAG_DEPRECATED, > }, > { > .label = "obey pam restrictions", >@@ -1259,7 +1259,7 @@ static struct parm_struct parm_table[] = { > .ptr = &Globals.bEnablePrivileges, > .special = NULL, > .enum_list = NULL, >- .flags = FLAG_ADVANCED, >+ .flags = FLAG_ADVANCED | FLAG_DEPRECATED, > }, > > { >@@ -1332,7 +1332,7 @@ static struct parm_struct parm_table[] = { > .ptr = &Globals.pwordlevel, > .special = NULL, > .enum_list = NULL, >- .flags = FLAG_ADVANCED, >+ .flags = FLAG_ADVANCED | FLAG_DEPRECATED, > }, > { > .label = "username level", >@@ -1431,7 +1431,7 @@ static struct parm_struct parm_table[] = { > .ptr = &sDefault.szUsername, > .special = NULL, > .enum_list = NULL, >- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE, >+ .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE | FLAG_DEPRECATED, > }, > { > .label = "user", >@@ -2294,7 +2294,7 @@ static struct parm_struct parm_table[] = { > .ptr = &Globals.bUseSpnego, > .special = NULL, > .enum_list = NULL, >- .flags = FLAG_ADVANCED, >+ .flags = FLAG_ADVANCED | FLAG_DEPRECATED, > }, > { > .label = "client signing", 
>@@ -9580,6 +9580,12 @@ static bool lp_load_ex(const char *pszFname, > set_default_server_announce_type(); > set_allowed_client_auth(); > >+ if (lp_security() == SEC_SHARE) { >+ DEBUG(1, ("WARNING: The security=share option is deprecated\n")); >+ } else if (lp_security() == SEC_SERVER) { >+ DEBUG(1, ("WARNING: The security=server option is deprecated\n")); >+ } >+ > bLoaded = True; > > /* Now we check bWINSsupport and set szWINSserver to 127.0.0.1 */ >-- >1.7.4.4 > > >From 2747a334252b1e237406f432bfa6219f2f52cb0c Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Mon, 23 May 2011 10:42:57 +1000 >Subject: [PATCH 4/5] s3-param Depricate 'password server = foo:12389' syntax > >This was originally intended to allow the LDAP port on a DC to be >varied, but makes little sense to change one port when in an >environment where krb5, ldap, smb and potentially DCE/RPC over TCP are >involved. > >Andrew Bartlett >--- > source3/param/loadparm.c | 5 +++++ > 1 files changed, 5 insertions(+), 0 deletions(-) > >diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c >index fc19656..6b0d127 100644 >--- a/source3/param/loadparm.c >+++ b/source3/param/loadparm.c >@@ -9586,6 +9586,11 @@ static bool lp_load_ex(const char *pszFname, > DEBUG(1, ("WARNING: The security=server option is deprecated\n")); > } > >+ if (lp_security() == SEC_ADS && strchr(lp_passwordserver(), ':')) { >+ DEBUG(1, ("WARNING: The optional ':port' in password server = %s is deprecated\n", >+ lp_passwordserver())); >+ } >+ > bLoaded = True; > > /* Now we check bWINSsupport and set szWINSserver to 127.0.0.1 */ >-- >1.7.4.4 > > >From a25dc325bab2fb7c98849046c83fc4c2c8f67afb Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Wed, 18 May 2011 11:53:34 +1000 >Subject: [PATCH 5/5] s3-testparm Warn about incorrect use of 'password > server' > >--- > source3/utils/testparm.c | 21 ++++++++++++++++++--- > 1 files changed, 18 insertions(+), 3 deletions(-) 
> >diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c >index 978ada2..6076a57 100644 >--- a/source3/utils/testparm.c >+++ b/source3/utils/testparm.c >@@ -128,20 +128,35 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.\n"); > * Password server sanity checks. > */ > >- if((lp_security() == SEC_SERVER || lp_security() >= SEC_DOMAIN) && !lp_passwordserver()) { >+ if((lp_security() == SEC_SERVER || lp_security() >= SEC_DOMAIN) && !*lp_passwordserver()) { > const char *sec_setting; > if(lp_security() == SEC_SERVER) > sec_setting = "server"; > else if(lp_security() == SEC_DOMAIN) > sec_setting = "domain"; >+ else if(lp_security() == SEC_ADS) >+ sec_setting = "ads"; > else > sec_setting = ""; > >- fprintf(stderr, "ERROR: The setting 'security=%s' requires the 'password server' parameter be set \ >-to a valid password server.\n", sec_setting ); >+ fprintf(stderr, "ERROR: The setting 'security=%s' requires the 'password server' parameter be set\n" >+ "to the default value * or a valid password server.\n", sec_setting ); > ret = 1; > } > >+ if((lp_security() >= SEC_DOMAIN) && (strcmp(lp_passwordserver(), "*") != 0)) { >+ const char *sec_setting; >+ if(lp_security() == SEC_DOMAIN) >+ sec_setting = "domain"; >+ else if(lp_security() == SEC_ADS) >+ sec_setting = "ads"; >+ else >+ sec_setting = ""; >+ >+ fprintf(stderr, "WARNING: The setting 'security=%s' should NOT be combined with the 'password server' parameter.\n" >+ "(by default Samba will discover the correct DC to contact automatically).\n", sec_setting ); >+ } >+ > /* > * Password chat sanity checks. > */ >-- >1.7.4.4 >
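Review bot: "cryptograpic" in the added paragraph of the first passwordserver.xml hunk (@@ -10,54 +10,24 @@, "The cryptograpic protection on the authenticated RPC calls") should be "cryptographic". The same paragraph justifies the '*' default only for "all other hosts in an AD domain", but the option is documented for security = domain as well, and the removed text explained that '*' there meant a WORKGROUP<1C> lookup followed by trying each returned DC; keeping one sentence on how '*' locates DCs in both the NT4-style and AD cases would avoid leaving security = domain users without that information. In the following added paragraph, "'*'</emphasis>, however if in your particular" is a comma splice; "'*'</emphasis>. If, in your particular environment, ..." reads better.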
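Review bot: the sentence moved into the second passwordserver.xml hunk (@@ -65,10 +35,12 @@) carries over a pre-existing grammar error, "If parameter is a name, it is looked up using the parameter name resolve order and so may resolved by any method". Since these lines are being added anyway, make it "If the parameter is a name, it is looked up using the name resolve order parameter and so may be resolved by any method".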
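Review bot: in the third passwordserver.xml hunk (@@ -82,12 +54,42 @@) "(a host masqurading as) your password server" has a typo ("masquerading") and the parenthetical is hard to parse; the point, which the security.xml context in this same series states as "more vulnerable to man-in-the-middle attacks and server impersonation", reads more clearly as "only as secure as your password server, or as any host able to impersonate it, since this mode does not authenticate the password server". The new item "The client must not select NTLMv2 authentication." is phrased as a rule the administrator could enforce; it is a limitation of the mode, so "Clients that select NTLMv2 authentication cannot authenticate in this mode" would be more accurate. The moved %m item keeps "you better trust your clients"; "you had better trust" is the correct form.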
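Review bot: the note added to security.xml in patch 2/5 (@@ -210,6 +210,9 @@) is missing its terminating full stop and says that the mode "will fail" with NTLMv2 without saying why. A short clause that this is by design, because security = server only works by forwarding the client's challenge/response to the password server and an NTLMv2 response is not accepted by that server, would stop readers from filing it as a bug; at minimum add the period.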
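Review bot: the usespnego.xml hunk in patch 3/5 edits the line "This deprecated variable controls controls whether samba will try" and keeps the doubled "controls controls" from the original. Since the line is already being rewritten, drop the duplicate word.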
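Review bot: the SHARE deprecation note added in the security.xml hunk @@ -56,7 +42,62 @@ ("This option is deprecated as it is incompatible with SMB2") has no terminating period and does not say what to use instead, although the same patch rewrites the introduction to recommend security = user with map to guest for password-less shares; pointing the note at that replacement would save users a search. The USER and DOMAIN sections moved by this hunk also each carry an identical "Note that the name of the resource being requested is not sent to the server..." paragraph; this duplication is pre-existing, but the move is an opportunity to keep it once.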
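Review bot: "In this depicted mode Samba will try to validate the username/password" in the security.xml hunk @@ -135,63 +176,10 @@ is a typo for "deprecated"; as written it changes the meaning of the sentence.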
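Review bot: the note "This option is deprecated, and may be removed in future" added in the security.xml hunk @@ -219,6 +207,8 @@ sits after several other notes, whereas the SHARE deprecation note in the same patch goes directly under its heading. Placing it immediately under the SECURITY = SERVER heading, with the same "may be removed" wording used for SHARE, keeps the two deprecated modes consistent.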
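Review bot: the loadparm.c hunk at @@ -1160,7 +1160,7 @@ adds FLAG_DEPRECATED to "null passwords", but unlike "enable privileges", "password level", "username" and "use spnego" there is no matching docs-xml change; the diffstat for patch 3/5 lists no nullpasswords.xml. Either add the "deprecated" wording to that parameter's documentation as well, or drop the flag from this patch if deprecating it was not intended.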
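Review bot: the two warnings added to lp_load_ex() in patch 3/5 ("WARNING: The security=share option is deprecated", "WARNING: The security=server option is deprecated") tell the administrator what is wrong but not what to do. The documentation in the same patch names the replacements, so the messages could say so, for example "security=share is deprecated, use security=user with map to guest" and "security=server is deprecated, use security=domain or security=ads".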
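Review bot: the check added in patch 4/5, `if (lp_security() == SEC_ADS && strchr(lp_passwordserver(), ':')) {`, fires on any colon in the value, so a literal IPv6 address in the password server list would also produce the "optional ':port' ... is deprecated" warning; if IPv6 literals are meant to be accepted here, test for a trailing ':' followed by digits rather than any colon. Separately, patch 1/5 removed the description of the ':port' syntax from passwordserver.xml entirely, while this patch only deprecates it; a deprecated syntax that is still accepted is normally kept in the documentation and marked deprecated, so the two patches should agree. The subject line spelling "Depricate" should also be corrected before this is pushed.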
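Review bot: the testparm.c change from `!lp_passwordserver()` to `!*lp_passwordserver()` is a real bug fix, since the string accessor never returns NULL and the old ERROR branch could not fire; that deserves a sentence in the commit message, which currently only mentions warning about incorrect use. The new warning guarded by `if((lp_security() >= SEC_DOMAIN) && (strcmp(lp_passwordserver(), "*") != 0)) {` also fires for lists such as "*, dc1" that the rewritten passwordserver.xml in patch 1/5 still documents as valid ("If the list of servers contains both names/IP's and the '*' character, the list is treated as a list of preferred ..."); either exempt lists containing '*' or tighten the documentation to match. Note too that an empty password server value now produces both the ERROR and this WARNING.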
Flags: jra: review+