[Patches] removal of 'auth methods', 'map untrusted to domain' and 'profile acls'
Stefan Metzmacher
metze at samba.org
Thu Dec 7 09:36:18 UTC 2017
Hi,
here're patches to remove the already deprecated options
'auth methods', 'map untrusted to domain' and 'profile acls'.
Please review and push:-)
Thanks!
metze
-------------- next part --------------
From 0ed178d614f96599ceb3375efa78a41beed94269 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 12 Jun 2017 15:35:41 +0200
Subject: [PATCH 01/15] s3:auth: remove "map untrusted to domain" handling
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source3/auth/auth_util.c | 37 ++++---------------------------------
1 file changed, 4 insertions(+), 33 deletions(-)
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 8e7fa91..fbc3642 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -110,12 +110,6 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
NTSTATUS result;
bool was_mapped;
char *internal_username = NULL;
- bool upn_form = false;
- int map_untrusted = lp_map_untrusted_to_domain();
-
- if (client_domain[0] == '\0' && strchr(smb_name, '@')) {
- upn_form = true;
- }
was_mapped = map_username(talloc_tos(), smb_name, &internal_username);
if (!internal_username) {
@@ -125,35 +119,12 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
DEBUG(5, ("Mapping user [%s]\\[%s] from workstation [%s]\n",
client_domain, smb_name, workstation_name));
+ /*
+ * We let the auth stack canonicalize, username
+ * and domain.
+ */
domain = client_domain;
- /* If you connect to a Windows domain member using a bogus domain name,
- * the Windows box will map the BOGUS\user to SAMNAME\user. Thus, if
- * the Windows box is a DC the name will become DOMAIN\user and be
- * authenticated against AD, if the Windows box is a member server but
- * not a DC the name will become WORKSTATION\user. A standalone
- * non-domain member box will also map to WORKSTATION\user.
- * This also deals with the client passing in a "" domain */
-
- if (map_untrusted != Auto && !upn_form &&
- !strequal(domain, my_sam_name()) &&
- !strequal(domain, get_global_sam_name()) &&
- !is_trusted_domain(domain))
- {
- if (map_untrusted) {
- domain = my_sam_name();
- } else {
- domain = get_global_sam_name();
- }
- DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] from "
- "workstation [%s]\n",
- client_domain, domain, smb_name, workstation_name));
- }
-
- /* We know that the given domain is trusted (and we are allowing them),
- * it is our global SAM name, or for legacy behavior it is our
- * primary domain name */
-
result = make_user_info(mem_ctx, user_info, smb_name, internal_username,
client_domain, domain, workstation_name,
remote_address, local_address,
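Review bot: in the second hunk of make_user_info_map(), "domain = client_domain;" is now unconditional, so the make_user_info() call below receives the same string as both client_domain and domain. If nothing else in the function uses the local "domain", pass client_domain twice and drop the alias, or say in the comment why it is kept. The new comment also has a stray comma ("canonicalize, username and domain"). Because the BOGUS\user rewrite to my_sam_name()/get_global_sam_name() is removed here and the patch has no message body, one line naming where in the auth stack the domain is canonicalized now would help the next reader.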
--
1.9.1
From b512eb1c868f8bbee6d0bc7fd76255a8c90834e4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 19 Jun 2017 10:48:49 +0200
Subject: [PATCH 02/15] docs-xml: remove unused "map untrusted to domain"
option
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
.../smbdotconf/security/mapuntrustedtodomain.xml | 55 ----------------------
lib/param/loadparm.c | 2 -
source3/param/loadparm.c | 1 -
3 files changed, 58 deletions(-)
delete mode 100644 docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
diff --git a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
deleted file mode 100644
index f782a51..0000000
--- a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
+++ /dev/null
@@ -1,55 +0,0 @@
-<samba:parameter name="map untrusted to domain"
- context="G"
- type="enum"
- enumlist="enum_bool_auto"
- deprecated="1"
- xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
- <para>
- By default, and with <smbconfoption name="map untrusted to domain">auto</smbconfoption>
- smbd will defer the decision whether the domain name provided by the
- client is a valid domain name to the Domain Controller (DC) of
- the domain it is a member of, if it is not a DC. If the DC indicates
- that the domain portion is unknown, then a local authentication is performed.
- Standalone servers always ignore the domain. This is basically the same as
- the behavior implemented in Windows.
- </para>
-
- <para>
- With <smbconfoption name="map untrusted to domain">no</smbconfoption>,
- if a client connects to smbd using an untrusted domain name, such as
- BOGUS\user, smbd replaces the BOGUS domain with it's SAM name
- (forcing local authentication) before
- attempting to authenticate that user. In the case where smbd is acting as
- a NT4 PDC/BDC this will be DOMAIN\user. In the case where smbd is acting as a
- domain member server or a standalone server this will be WORKSTATION\user.
- While this appears similar to the behaviour of
- <smbconfoption name="map untrusted to domain">auto</smbconfoption>,
- the difference is that smbd will use a cached (maybe incomplete) list
- of trusted domains in order to classify a domain as "untrusted"
- before contacting any DC first.
- </para>
-
- <para>
- With <smbconfoption name="map untrusted to domain">yes</smbconfoption>,
- smbd provides the legacy behavior matching that of versions of Samba pre 3.4:
- the BOGUS domain name would always be replaced by the
- primary domain before attempting to authenticate that user.
- This will be DOMAIN\user in all server roles except active directory domain controller.
- </para>
-
- <para>
- <smbconfoption name="map untrusted to domain">no</smbconfoption>,
- was the default up to Samba 4.6.
- </para>
-
- <para>
- <smbconfoption name="map untrusted to domain">auto</smbconfoption> was added
- and become the default with Samba 4.7.0. As the option is marked as
- <constant>deprecated</constant> it will be removed in a future release, while the behavior of
- <smbconfoption name="map untrusted to domain">auto</smbconfoption> will be kept.
- </para>
-</description>
-
-<value type="default">auto</value>
-</samba:parameter>
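Review bot: this deletion removes the description of what "map untrusted to domain = yes/no" did and the statement that the "auto" behaviour is kept, and the diffstat shows no release-notes change. Please add a WHATSNEW entry saying that the parameter is gone and that the former "auto" behaviour is now fixed, so a configuration that still sets "yes" or "no" is not left assuming the old mapping applies. The subject says docs-xml, but the patch also removes the defaults in lib/param/loadparm.c and source3/param/loadparm.c; the message should mention that.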
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index d788ffb..1a06af9 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2838,8 +2838,6 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "guest account", GUEST_ACCOUNT);
- lpcfg_do_global_parameter(lp_ctx, "map untrusted to domain", "auto");
-
lpcfg_do_global_parameter(lp_ctx, "client schannel", "auto");
lpcfg_do_global_parameter(lp_ctx, "smb encrypt", "default");
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 01c022e..82f9d8e 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -867,7 +867,6 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.min_receivefile_size = 0;
- Globals.map_untrusted_to_domain = Auto;
Globals.multicast_dns_register = true;
Globals.smb2_max_read = DEFAULT_SMB2_MAX_READ;
--
1.9.1
From 69b9a0c4a19c2534d2f37bcdf0d3c1f85fb437c9 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 6 Dec 2017 13:25:19 +0100
Subject: [PATCH 03/15] s4:selftest: remove
samba.blackbox.pdbtest.s4winbind_wbclient test
The "winbind_wbclient" backend is unused and will be removed soon.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source4/selftest/tests.py | 1 -
1 file changed, 1 deletion(-)
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 8d3d526..e9d3e78 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -236,7 +236,6 @@ for env in ["ad_dc_ntvfs", "nt4_dc"]:
plantestsuite("samba.blackbox.pdbtest(%s)" % env, "%s:local" % env, [os.path.join(bbdir, "test_pdbtest.sh"), '$SERVER', "$PREFIX", "pdbtest", smbclient4, '$SMB_CONF_PATH', configuration])
plantestsuite("samba.blackbox.pdbtest.s4winbind(ad_dc_ntvfs)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_pdbtest.sh"), '$SERVER', "$PREFIX", "pdbtest3", smbclient4, '$SMB_CONF_PATH', configuration + " --option='authmethods=winbind'"])
-plantestsuite("samba.blackbox.pdbtest.s4winbind_wbclient(ad_dc_ntvfs)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_pdbtest.sh"), '$SERVER', "$PREFIX", "pdbtest4", smbclient4, '$SMB_CONF_PATH', configuration + " --option='authmethods=winbind_wbclient'"])
gpo = smbtorture4_testsuites("gpo.")
for t in gpo:
--
1.9.1
From b60294e30392d81739b55238d4094a5f496744e9 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 6 Dec 2017 13:28:27 +0100
Subject: [PATCH 04/15] s4:selftest: remove samba.blackbox.pdbtest.s4winbind
test
This is marked as knownfail for quite some time.
I don't think such a test is a reason to the 'auth methods' option.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
selftest/knownfail | 4 ----
source4/selftest/tests.py | 2 --
2 files changed, 6 deletions(-)
diff --git a/selftest/knownfail b/selftest/knownfail
index a28329c..710fd33 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -256,10 +256,6 @@
^samba4.winbind.struct.lookup_name_sid\(ad_member:local\)
^samba4.winbind.struct.getdcname\(nt4_member:local\) # Works in other modes, just not against the classic/NT4 DC
#
-# This test is no longer valid given s4winbind needs a live NETLOGON server
-#
-^samba.blackbox.pdbtest.s4winbind\(ad_dc_ntvfs\).pdbtest
-#
# Differences in our KDC compared to windows
#
^samba4.krb5.kdc .*.as-req-pac-request # We should reply to a request for a PAC over UDP with KRB5KRB_ERR_RESPONSE_TOO_BIG unconditionally
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index e9d3e78..9c309fc 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -235,8 +235,6 @@ for env in ["ad_dc_ntvfs", "nt4_dc"]:
plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport), ntlmoptions, '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.%s" % name)
plantestsuite("samba.blackbox.pdbtest(%s)" % env, "%s:local" % env, [os.path.join(bbdir, "test_pdbtest.sh"), '$SERVER', "$PREFIX", "pdbtest", smbclient4, '$SMB_CONF_PATH', configuration])
-plantestsuite("samba.blackbox.pdbtest.s4winbind(ad_dc_ntvfs)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_pdbtest.sh"), '$SERVER', "$PREFIX", "pdbtest3", smbclient4, '$SMB_CONF_PATH', configuration + " --option='authmethods=winbind'"])
-
gpo = smbtorture4_testsuites("gpo.")
for t in gpo:
plansmbtorture4testsuite(t, 'ad_dc:local', ['//$SERVER/sysvol', '-U$USERNAME%$PASSWORD'])
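Review bot: the commit message for this removal reads "is a reason to the 'auth methods' option", which is missing a verb (presumably "keep"); please fix it before pushing. The change itself is consistent: the knownfail entry for samba.blackbox.pdbtest.s4winbind and its plantestsuite() line in source4/selftest/tests.py go away in the same commit, so no stale knownfail pattern is left behind.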
--
1.9.1
From ce35add1418bb53eeb7700cda1cc0e1fef2251bf Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 19 Jun 2017 10:55:35 +0200
Subject: [PATCH 05/15] s3:auth: remove lp_auth_methods() handling
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source3/auth/auth.c | 31 +------------------------------
1 file changed, 1 insertion(+), 30 deletions(-)
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 3890cbc..4df74f9 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -504,26 +504,13 @@ NTSTATUS make_auth3_context_for_ntlm(TALLOC_CTX *mem_ctx,
struct auth_context **auth_context)
{
const char *methods = NULL;
- NTSTATUS nt_status;
switch (lp_server_role()) {
case ROLE_ACTIVE_DIRECTORY_DC:
DEBUG(5,("Making default auth method list for server role = "
"'active directory domain controller'\n"));
- return make_auth_context_specific(mem_ctx, auth_context, "samba4");
- default:
+ methods = "samba4";
break;
- }
-
- if (lp_auth_methods()) {
- DEBUG(5,("Using specified auth order\n"));
- nt_status = make_auth_context_text_list(
- mem_ctx, auth_context,
- discard_const_p(char *, lp_auth_methods()));
- return nt_status;
- }
-
- switch (lp_server_role()) {
case ROLE_DOMAIN_MEMBER:
DEBUG(5,("Making default auth method list for server role = 'domain member'\n"));
methods = "guest sam winbind sam_ignoredomain";
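Review bot: in make_auth3_context_for_ntlm() the ROLE_ACTIVE_DIRECTORY_DC case used to return directly through make_auth_context_specific(mem_ctx, auth_context, "samba4") and now only sets methods = "samba4" and falls through to the shared tail, while the "default:" label of the first switch is deleted. Please confirm that the merged switch still ends in a default case that fails for unknown roles, and that building the context from the one-element list "samba4" at the end of the function behaves the same as the old direct call; neither is visible in this hunk.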
@@ -554,22 +541,6 @@ NTSTATUS make_auth3_context_for_netlogon(TALLOC_CTX *mem_ctx,
struct auth_context **auth_context)
{
const char *methods = NULL;
- NTSTATUS nt_status;
-
- /*
- * We do the lp_auth_methods check before
- * the lp_server_role check in order to
- * backward compatible. The "auth methods" option
- * is deprecated now, so this will go away in a future
- * release.
- */
- if (lp_auth_methods()) {
- DBG_INFO("Using specified auth order for netlogon\n");
- nt_status = make_auth_context_text_list(
- mem_ctx, auth_context,
- discard_const_p(char *, lp_auth_methods()));
- return nt_status;
- }
switch (lp_server_role()) {
case ROLE_DOMAIN_BDC:
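Review bot: in make_auth3_context_for_netlogon() the removed block let a configured "auth methods" value take precedence over the role-based list, so after this hunk the list depends solely on lp_server_role(). That is a behaviour change for anyone who relied on the override, and the commit message has no body. A sentence saying that a configured value is ignored from this commit on, while the parameter documentation is only removed in 10/15, would make bisecting easier.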
--
1.9.1
From b7ac01031460fb19d7a0ba6f0d51becc8111a7b6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 19 Jun 2017 10:56:00 +0200
Subject: [PATCH 06/15] s4:auth/ntlm: remove lpcfg_auth_methods() handling
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source4/auth/ntlm/auth.c | 40 +++++++---------------------------------
1 file changed, 7 insertions(+), 33 deletions(-)
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 56c1bcf..7e10a55 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -748,20 +748,6 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char *
const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx)
{
char **auth_methods = NULL;
- const char **const_auth_methods = NULL;
-
- /*
- * As 'auth methods' is deprecated it will be removed
- * in future releases again, but for now give
- * admins the flexibility to configure, the behavior
- * from Samba 4.6: "auth methods = anonymous sam_ignoredomain",
- * for a while.
- */
- const_auth_methods = lpcfg_auth_methods(lp_ctx);
- if (const_auth_methods != NULL) {
- DBG_NOTICE("using deprecated 'auth methods' values.\n");
- return const_auth_methods;
- }
switch (lpcfg_server_role(lp_ctx)) {
case ROLE_STANDALONE:
@@ -814,27 +800,15 @@ _PUBLIC_ NTSTATUS auth_context_create_for_netlogon(TALLOC_CTX *mem_ctx,
const char **auth_methods = NULL;
/*
- * As 'auth methods' is deprecated it will be removed
- * in future releases again, but for now give
- * admins the flexibility to configure, the behavior
- * from Samba 4.6: "auth methods = anonymous sam_ignoredomain",
- * for a while.
+ * Here we only allow 'sam winbind' instead of
+ * the 'anonymous sam winbind sam_ignoredomain'
+ * we typically use for authentication from clients.
*/
- auth_methods = lpcfg_auth_methods(lp_ctx);
- if (auth_methods != NULL) {
- DBG_NOTICE("using deprecated 'auth methods' values.\n");
- } else {
- /*
- * Here we only allow 'sam winbind' instead of
- * the 'anonymous sam winbind sam_ignoredomain'
- * we typically use for authentication from clients.
- */
- _auth_methods = str_list_make(mem_ctx, "sam winbind", NULL);
- if (_auth_methods == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
- auth_methods = discard_const_p(const char *, _auth_methods);
+ _auth_methods = str_list_make(mem_ctx, "sam winbind", NULL);
+ if (_auth_methods == NULL) {
+ return NT_STATUS_NO_MEMORY;
}
+ auth_methods = discard_const_p(const char *, _auth_methods);
status = auth_context_create_methods(mem_ctx, auth_methods, ev, msg,
lp_ctx, NULL, auth_ctx);
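Review bot: in auth_context_create_for_netlogon() the list is now always "sam winbind", so the netlogon path can no longer be widened by configuration to include "anonymous" or "sam_ignoredomain"; that tightening deserves a line in the commit message, which currently has no body. With the else branch gone, auth_methods is assigned unconditionally, so its "= NULL" initializer is dead, and the two-step _auth_methods / discard_const_p() assignment could be reduced to a single variable if the declaration outside this hunk allows it.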
--
1.9.1
From 95a263806e39bd2119da2b3c11e2ffbd18a3aabc Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 28 Nov 2017 07:40:09 +0100
Subject: [PATCH 07/15] s4:auth_sam: remove unused 'sam_failtrusts' backend
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source4/auth/ntlm/auth_sam.c | 96 --------------------------------------------
1 file changed, 96 deletions(-)
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 24fe167..5e2a584 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -847,90 +847,6 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
return NT_STATUS_OK;
}
-static NTSTATUS authsam_failtrusts_want_check(struct auth_method_context *ctx,
- TALLOC_CTX *mem_ctx,
- const struct auth_usersupplied_info *user_info)
-{
- const char *effective_domain = user_info->mapped.domain_name;
- struct dsdb_trust_routing_table *trt = NULL;
- const struct lsa_TrustDomainInfoInfoEx *tdo = NULL;
- NTSTATUS status;
-
- /* check whether or not we service this domain/workgroup name */
- switch (lpcfg_server_role(ctx->auth_ctx->lp_ctx)) {
- case ROLE_ACTIVE_DIRECTORY_DC:
- /* handled later */
- break;
-
- default:
- DBG_ERR("lpcfg_server_role() has an undefined value\n");
- return NT_STATUS_NOT_IMPLEMENTED;
- }
-
- /*
- * Now we handle the AD DC case...
- */
- if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
- return NT_STATUS_NOT_IMPLEMENTED;
- }
-
- if (effective_domain == NULL || strequal(effective_domain, "")) {
- const char *p = NULL;
-
- p = strchr_m(user_info->mapped.account_name, '@');
- if (p != NULL) {
- effective_domain = p + 1;
- }
- }
-
- if (effective_domain == NULL || strequal(effective_domain, "")) {
- DBG_DEBUG("%s is not a trusted domain\n",
- effective_domain);
- return NT_STATUS_NOT_IMPLEMENTED;
- }
-
- /*
- * as last option we check the routing table if the
- * domain is within our forest.
- */
- status = dsdb_trust_routing_table_load(ctx->auth_ctx->sam_ctx,
- mem_ctx, &trt);
- if (!NT_STATUS_IS_OK(status)) {
- DBG_ERR("authsam_check_password: dsdb_trust_routing_table_load() %s\n",
- nt_errstr(status));
- return status;
- }
-
- tdo = dsdb_trust_routing_by_name(trt, effective_domain);
- if (tdo == NULL) {
- DBG_DEBUG("%s is not a known TLN (DC)\n",
- effective_domain);
- TALLOC_FREE(trt);
- return NT_STATUS_NOT_IMPLEMENTED;
- }
-
- /*
- * We now about the domain...
- */
- TALLOC_FREE(trt);
- return NT_STATUS_OK;
-}
-
-static NTSTATUS authsam_failtrusts_check_password(struct auth_method_context *ctx,
- TALLOC_CTX *mem_ctx,
- const struct auth_usersupplied_info *user_info,
- struct auth_user_info_dc **user_info_dc,
- bool *authoritative)
-{
- /*
- * This should a good error for now,
- * until this module gets removed
- * and we have a full async path
- * to winbind.
- */
- return NT_STATUS_NO_TRUST_LSA_SECRET;
-}
-
/* Wrapper for the auth subsystem pointer */
static NTSTATUS authsam_get_user_info_dc_principal_wrapper(TALLOC_CTX *mem_ctx,
struct auth4_context *auth_context,
@@ -955,12 +871,6 @@ static const struct auth_operations sam_ops = {
.get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper,
};
-static const struct auth_operations sam_failtrusts_ops = {
- .name = "sam_failtrusts",
- .want_check = authsam_failtrusts_want_check,
- .check_password = authsam_failtrusts_check_password,
-};
-
_PUBLIC_ NTSTATUS auth4_sam_init(TALLOC_CTX *);
_PUBLIC_ NTSTATUS auth4_sam_init(TALLOC_CTX *ctx)
{
@@ -978,11 +888,5 @@ _PUBLIC_ NTSTATUS auth4_sam_init(TALLOC_CTX *ctx)
return ret;
}
- ret = auth_register(ctx, &sam_failtrusts_ops);
- if (!NT_STATUS_IS_OK(ret)) {
- DEBUG(0,("Failed to register 'sam_failtrusts' auth backend!\n"));
- return ret;
- }
-
return ret;
}
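Review bot: removing the auth_register() call for "sam_failtrusts" in auth4_sam_init() means a method list that still names this backend can no longer resolve it. The subject calls the backend unused, but the lists built in auth_methods_from_lp() are not visible in this patch. Please confirm that no role default there still contains "sam_failtrusts", and name in the message the earlier change that made it unused.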
--
1.9.1
From e2b4c67816cf8b8abd2a33cd1023e50cd934573a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 27 Nov 2017 13:48:34 +0100
Subject: [PATCH 08/15] s4:auth_winbind: remove unused 'winbind_rodc' backend
This is no longer useful as the 'winbind' backend also
handles the rodc case now.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source4/auth/ntlm/auth_winbind.c | 55 ----------------------------------------
1 file changed, 55 deletions(-)
diff --git a/source4/auth/ntlm/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c
index 018940f..40e6bcf 100644
--- a/source4/auth/ntlm/auth_winbind.c
+++ b/source4/auth/ntlm/auth_winbind.c
@@ -49,48 +49,6 @@ static NTSTATUS winbind_want_check(struct auth_method_context *ctx,
return NT_STATUS_OK;
}
-static NTSTATUS winbind_rodc_want_check(struct auth_method_context *ctx,
- TALLOC_CTX *mem_ctx,
- const struct auth_usersupplied_info *user_info)
-{
- int ret;
- bool am_rodc;
-
- if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
- return NT_STATUS_NOT_IMPLEMENTED;
- }
-
- if (ctx->auth_ctx->sam_ctx == NULL) {
- DBG_ERR("ctx->auth_ctx->sam_ctx == NULL, don't check.\n");
- return NT_STATUS_NOT_IMPLEMENTED;
- }
-
- ret = samdb_rodc(ctx->auth_ctx->sam_ctx, &am_rodc);
- if (ret != LDB_SUCCESS) {
- DBG_ERR("samdb_rodc() failed %d %s, don't check.\n",
- ret, ldb_errstring(ctx->auth_ctx->sam_ctx));
- return NT_STATUS_NOT_IMPLEMENTED;
- }
-
- if (!am_rodc) {
- /*
- * We don't support trusts yet and we
- * don't want to add them using the
- * semi-async irpc call that uses
- * a nested event loop.
- */
- return NT_STATUS_NOT_IMPLEMENTED;
- }
-
- /*
- * We're a RODC, so we forward the request to our winbind.
- * As the RODC is not yet production ready anyway, we keep
- * the semi-async behavior with nested event loops in order
- * to keep autobuild happy.
- */
- return NT_STATUS_OK;
-}
-
struct winbind_check_password_state {
struct auth_method_context *ctx;
const struct auth_usersupplied_info *user_info;
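Review bot: the removed winbind_rodc_want_check() rejected an empty account name, a NULL sam_ctx and a failing samdb_rodc() before forwarding, whereas the only visible part of the remaining winbind_want_check() is its "return NT_STATUS_OK;". The commit message says the "winbind" backend handles the RODC case now; please reference the commit that added this, or confirm that winbind_want_check() performs the equivalent checks.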
@@ -440,13 +398,6 @@ static const struct auth_operations winbind_ops = {
.check_password_recv = winbind_check_password_recv
};
-static const struct auth_operations winbind_rodc_ops = {
- .name = "winbind_rodc",
- .want_check = winbind_rodc_want_check,
- .check_password_send = winbind_check_password_send,
- .check_password_recv = winbind_check_password_recv
-};
-
static const struct auth_operations winbind_wbclient_ops = {
.name = "winbind_wbclient",
.want_check = winbind_want_check,
@@ -463,12 +414,6 @@ _PUBLIC_ NTSTATUS auth4_winbind_init(TALLOC_CTX *ctx)
return ret;
}
- ret = auth_register(ctx, &winbind_rodc_ops);
- if (!NT_STATUS_IS_OK(ret)) {
- DEBUG(0,("Failed to register 'winbind_rodc' auth backend!\n"));
- return ret;
- }
-
ret = auth_register(ctx, &winbind_wbclient_ops);
if (!NT_STATUS_IS_OK(ret)) {
DEBUG(0,("Failed to register 'winbind_wbclient' auth backend!\n"));
--
1.9.1
From c239f6a2f7081dde34c54fcf320a0034645c4b6d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 27 Nov 2017 13:48:34 +0100
Subject: [PATCH 09/15] s4:auth_winbind: remove unused 'winbind_wbclient'
backend
This is no longer useful as it doesn't support async requests.
It could be readded using pthreadpool_tevent_job_send()
and wbcCtxAuthenticateUserEx() if required.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source4/auth/ntlm/auth_winbind.c | 108 ---------------------------------------
1 file changed, 108 deletions(-)
diff --git a/source4/auth/ntlm/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c
index 40e6bcf..e887d5e 100644
--- a/source4/auth/ntlm/auth_winbind.c
+++ b/source4/auth/ntlm/auth_winbind.c
@@ -295,102 +295,6 @@ static NTSTATUS winbind_check_password_recv(struct tevent_req *req,
return NT_STATUS_OK;
}
-/*
- Authenticate a user with a challenge/response
- using the samba3 winbind protocol via libwbclient
-*/
-static NTSTATUS winbind_check_password_wbclient(struct auth_method_context *ctx,
- TALLOC_CTX *mem_ctx,
- const struct auth_usersupplied_info *user_info,
- struct auth_user_info_dc **user_info_dc,
- bool *authoritative)
-{
- struct wbcAuthUserParams params;
- struct wbcAuthUserInfo *info = NULL;
- struct wbcAuthErrorInfo *err = NULL;
- wbcErr wbc_status;
- NTSTATUS nt_status;
- struct netr_SamInfo6 *info6 = NULL;
- union netr_Validation validation;
-
- /* Send off request */
- const struct auth_usersupplied_info *user_info_temp;
- nt_status = encrypt_user_info(mem_ctx, ctx->auth_ctx,
- AUTH_PASSWORD_RESPONSE,
- user_info, &user_info_temp);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
- user_info = user_info_temp;
-
- ZERO_STRUCT(params);
- ZERO_STRUCT(validation);
- /*params.flags = WBFLAG_PAM_INFO3_NDR;*/
-
- params.parameter_control = user_info->logon_parameters;
- params.parameter_control |= WBC_MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT |
- WBC_MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT;
- params.level = WBC_AUTH_USER_LEVEL_RESPONSE;
-
- params.account_name = user_info->client.account_name;
- params.domain_name = user_info->client.domain_name;
- params.workstation_name = user_info->workstation_name;
-
- DEBUG(5,("looking up %s@%s logging in from %s\n",
- params.account_name, params.domain_name,
- params.workstation_name));
-
- memcpy(params.password.response.challenge,
- ctx->auth_ctx->challenge.data.data,
- sizeof(params.password.response.challenge));
-
- params.password.response.lm_length =
- user_info->password.response.lanman.length;
- params.password.response.nt_length =
- user_info->password.response.nt.length;
-
- params.password.response.lm_data =
- user_info->password.response.lanman.data;
- params.password.response.nt_data =
- user_info->password.response.nt.data;
-
- wbc_status = wbcAuthenticateUserEx(¶ms, &info, &err);
- if (wbc_status == WBC_ERR_AUTH_ERROR) {
- if (err) {
- DEBUG(1, ("error was %s (0x%08x)\nerror message was '%s'\n",
- err->nt_string, err->nt_status, err->display_string));
- nt_status = NT_STATUS(err->nt_status);
- wbcFreeMemory(err);
- } else {
- nt_status = NT_STATUS_LOGON_FAILURE;
- }
- NT_STATUS_NOT_OK_RETURN(nt_status);
- } else if (!WBC_ERROR_IS_OK(wbc_status)) {
- DEBUG(1, ("wbcAuthenticateUserEx: failed with %u - %s\n",
- wbc_status, wbcErrorString(wbc_status)));
- if (err) {
- DEBUG(1, ("error was %s (0x%08x)\nerror message was '%s'\n",
- err->nt_string, err->nt_status, err->display_string));
- }
- return NT_STATUS_LOGON_FAILURE;
- }
- info6 = wbcAuthUserInfo_to_netr_SamInfo6(mem_ctx, info);
- wbcFreeMemory(info);
- if (!info6) {
- DEBUG(1, ("wbcAuthUserInfo_to_netr_SamInfo6 failed\n"));
- return NT_STATUS_NO_MEMORY;
- }
-
- validation.sam6 = info6;
- nt_status = make_user_info_dc_netlogon_validation(mem_ctx,
- user_info->client.account_name,
- 6, &validation,
- true, /* This user was authenticated */
- user_info_dc);
- return nt_status;
-
-}
-
static const struct auth_operations winbind_ops = {
.name = "winbind",
.want_check = winbind_want_check,
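Review bot: with winbind_check_password_wbclient() removed, this file may no longer need the libwbclient pieces that function used (struct wbcAuthUserParams, wbcAuthenticateUserEx(), wbcAuthUserInfo_to_netr_SamInfo6()), yet the diffstat shows only deletions inside the function and registration code of auth_winbind.c. Please check for a now-unused #include and for a libwbclient dependency in the module's build rule, and drop them in this patch if nothing else in the file needs them.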
@@ -398,12 +302,6 @@ static const struct auth_operations winbind_ops = {
.check_password_recv = winbind_check_password_recv
};
-static const struct auth_operations winbind_wbclient_ops = {
- .name = "winbind_wbclient",
- .want_check = winbind_want_check,
- .check_password = winbind_check_password_wbclient
-};
-
_PUBLIC_ NTSTATUS auth4_winbind_init(TALLOC_CTX *ctx)
{
NTSTATUS ret;
@@ -414,11 +312,5 @@ _PUBLIC_ NTSTATUS auth4_winbind_init(TALLOC_CTX *ctx)
return ret;
}
- ret = auth_register(ctx, &winbind_wbclient_ops);
- if (!NT_STATUS_IS_OK(ret)) {
- DEBUG(0,("Failed to register 'winbind_wbclient' auth backend!\n"));
- return ret;
- }
-
return NT_STATUS_OK;
}
--
1.9.1
From b469a276ab0621ac13230bc87eb35fe83ae53e4a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 19 Jun 2017 10:56:38 +0200
Subject: [PATCH 10/15] docs-xml: remove unused "auth methods" option
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
docs-xml/smbdotconf/security/authmethods.xml | 34 ----------------------------
1 file changed, 34 deletions(-)
delete mode 100644 docs-xml/smbdotconf/security/authmethods.xml
diff --git a/docs-xml/smbdotconf/security/authmethods.xml b/docs-xml/smbdotconf/security/authmethods.xml
deleted file mode 100644
index 17323aa..0000000
--- a/docs-xml/smbdotconf/security/authmethods.xml
+++ /dev/null
@@ -1,34 +0,0 @@
-<samba:parameter name="auth methods"
- context="G"
- type="cmdlist"
- deprecated="1"
- xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
-
- <para>
- This option allows the administrator to chose what authentication methods <command moreinfo="none">smbd</command>
- will use when authenticating a user. This option defaults to sensible values based on <smbconfoption name="security"/>.
- This should be considered a developer option and used only in rare circumstances. In the majority (if not all)
- of production servers, the default setting should be adequate.
- </para>
-
- <para>
- Each entry in the list attempts to authenticate the user in turn, until
- the user authenticates. In practice only one method will ever actually
- be able to complete the authentication.
- </para>
-
- <para>
- Possible options include <constant>guest</constant> (anonymous access),
- <constant>sam</constant> (lookups in local list of accounts based on netbios
- name or domain name), <constant>winbind</constant> (relay authentication requests
- for remote users through winbindd), <constant>ntdomain</constant> (pre-winbindd
- method of authentication for remote domain users; deprecated in favour of winbind method),
- <constant>trustdomain</constant> (authenticate trusted users by contacting the
- remote DC directly from smbd; deprecated in favour of winbind method).
- </para>
-
-</description>
-<value type="default"/>
-<value type="example">guest sam winbind</value>
-</samba:parameter>
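Review bot: the deleted file is where "guest", "sam", "winbind", "ntdomain" and "trustdomain" were described as selectable methods, and nothing in this patch tells administrators that an existing "auth methods" line stops having any effect. Please add a release-notes entry alongside this deletion. Unlike 02/15, this patch touches no loadparm.c file; if that is because the parameter had no explicit default to remove (the XML shows an empty default value), a short remark in the message would save reviewers the check.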
--
1.9.1
From fa8e8c6c4be51a7aa77b722a208d01e18cc6ec5c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 19 Jun 2017 10:43:25 +0200
Subject: [PATCH 11/15] s3:auth: is_trusted_domain() is now only useful (and
used as DC)
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source3/auth/auth_util.c | 59 ++++++++----------------------------------------
1 file changed, 10 insertions(+), 49 deletions(-)
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index fbc3642..464fe25 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1505,6 +1505,8 @@ NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
/**
* Verify whether or not given domain is trusted.
*
+ * This should only be used on a DC.
+ *
* @param domain_name name of the domain to be verified
* @return true if domain is one of the trusted ones or
* false if otherwise
@@ -1512,13 +1514,11 @@ NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
bool is_trusted_domain(const char* dom_name)
{
- struct dom_sid trustdom_sid;
bool ret;
- /* no trusted domains for a standalone server */
-
- if ( lp_server_role() == ROLE_STANDALONE )
+ if (!IS_DC) {
return false;
+ }
if (dom_name == NULL || dom_name[0] == '\0') {
return false;
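Review bot: replacing the ROLE_STANDALONE test with "if (!IS_DC) { return false; }" makes is_trusted_domain() return false on domain members as well, where it previously asked winbind. 01/15 removed the call in make_user_info_map(); please confirm there is no other caller that runs on a member server and would now treat every domain as untrusted without any log message.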
@@ -1528,52 +1528,13 @@ bool is_trusted_domain(const char* dom_name)
return false;
}
- /* if we are a DC, then check for a direct trust relationships */
-
- if ( IS_DC ) {
- become_root();
- DEBUG (5,("is_trusted_domain: Checking for domain trust with "
- "[%s]\n", dom_name ));
- ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
- unbecome_root();
- if (ret)
- return true;
- }
- else {
- wbcErr result;
-
- /* If winbind is around, ask it */
-
- result = wb_is_trusted_domain(dom_name);
-
- if (result == WBC_ERR_SUCCESS) {
- return true;
- }
-
- if (result == WBC_ERR_DOMAIN_NOT_FOUND) {
- /* winbind could not find the domain */
- return false;
- }
-
- DEBUG(10, ("wb_is_trusted_domain returned error: %s\n",
- wbcErrorString(result)));
-
- /* The only other possible result is that winbind is not up
- and running. We need to update the trustdom_cache
- ourselves */
-
- update_trustdom_cache();
- }
-
- /* now the trustdom cache should be available a DC could still
- * have a transitive trust so fall back to the cache of trusted
- * domains (like a domain member would use */
+ become_root();
+ DEBUG (5,("is_trusted_domain: Checking for domain trust with "
+ "[%s]\n", dom_name ));
+ ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
+ unbecome_root();
- if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) {
- return true;
- }
-
- return false;
+ return ret;
}
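Review bot: on a DC the old code fell back to trustdom_cache_fetch() when pdb_get_trusteddom_pw() did not find the domain, with the comment that "a DC could still have a transitive trust"; the new code returns ret from pdb_get_trusteddom_pw() directly, so only direct trusts count. If dropping the transitive-trust fallback is intended, the commit message should say so, since it currently has no body. The subject line also has its parenthesis misplaced ("only useful (and used as DC)").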
--
1.9.1
From 92c06e501135f19da091d8dc7eeab71c102bb9a4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 7 Aug 2017 17:24:19 +0200
Subject: [PATCH 12/15] s3:smbd: remove deprecated handling of "profile acls =
yes"
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
source3/smbd/posix_acls.c | 83 +----------------------------------------------
1 file changed, 1 insertion(+), 82 deletions(-)
diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index e4b16b9..8d42535 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -3237,41 +3237,6 @@ static size_t merge_default_aces( struct security_ace *nt_ace_list, size_t num_a
return num_aces;
}
-/*
- * Add or Replace ACE entry.
- * In some cases we need to add a specific ACE for compatibility reasons.
- * When doing that we must make sure we are not actually creating a duplicate
- * entry. So we need to search whether an ACE entry already exist and eventually
- * replacce the access mask, or add a completely new entry if none was found.
- *
- * This function assumes the array has enough space to add a new entry without
- * any reallocation of memory.
- */
-
-static void add_or_replace_ace(struct security_ace *nt_ace_list, size_t *num_aces,
- const struct dom_sid *sid, enum security_ace_type type,
- uint32_t mask, uint8_t flags)
-{
- size_t i;
-
- /* first search for a duplicate */
- for (i = 0; i < *num_aces; i++) {
- if (dom_sid_equal(&nt_ace_list[i].trustee, sid) &&
- (nt_ace_list[i].flags == flags)) break;
- }
-
- if (i < *num_aces) { /* found */
- nt_ace_list[i].type = type;
- nt_ace_list[i].access_mask = mask;
- DEBUG(10, ("Replacing ACE %zu with SID %s and flags %02x\n",
- i, sid_string_dbg(sid), flags));
- return;
- }
-
- /* not found, append it */
- init_sec_ace(&nt_ace_list[(*num_aces)++], sid, type, mask, flags);
-}
-
/****************************************************************************
Reply to query a security descriptor from an fsp. If it succeeds it allocates
@@ -3300,8 +3265,6 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
canon_ace *file_ace = NULL;
canon_ace *dir_ace = NULL;
struct security_ace *nt_ace_list = NULL;
- size_t num_profile_acls = 0;
- struct dom_sid orig_owner_sid;
struct security_descriptor *psd = NULL;
/*
@@ -3310,14 +3273,6 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
create_file_sids(sbuf, &owner_sid, &group_sid);
- if (lp_profile_acls(SNUM(conn))) {
- /* For WXP SP1 the owner must be administrators. */
- sid_copy(&orig_owner_sid, &owner_sid);
- sid_copy(&owner_sid, &global_sid_Builtin_Administrators);
- sid_copy(&group_sid, &global_sid_Builtin_Users);
- num_profile_acls = 3;
- }
-
if (security_info & SECINFO_DACL) {
/*
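Review bot: dropping the lp_profile_acls() block changes what clients see on shares that used the option: owner and group now come straight from create_file_sids() instead of being rewritten to global_sid_Builtin_Administrators and global_sid_Builtin_Users. The commit message has only a subject line; a short body stating this change in reported ownership would help anyone bisecting a profile-loading regression.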
@@ -3362,7 +3317,7 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
nt_ace_list = talloc_zero_array(
talloc_tos(), struct security_ace,
- num_acls + num_profile_acls + num_def_acls);
+ num_acls + num_def_acls);
if (nt_ace_list == NULL) {
DEBUG(0,("get_nt_acl: Unable to malloc space for nt_ace_list.\n"));
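Review bot: nt_ace_list is now sized exactly num_acls + num_def_acls, with no spare slots. The removed add_or_replace_ace() appended without reallocating and relied on the extra num_profile_acls entries, so the smaller allocation is only safe because all three call sites are deleted in this same commit. Please keep these hunks together if the series is ever split or backported.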
@@ -3385,15 +3340,6 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
ace->ace_flags);
}
- /* The User must have access to a profile share - even
- * if we can't map the SID. */
- if (lp_profile_acls(SNUM(conn))) {
- add_or_replace_ace(nt_ace_list, &num_aces,
- &global_sid_Builtin_Users,
- SEC_ACE_TYPE_ACCESS_ALLOWED,
- FILE_GENERIC_ALL, 0);
- }
-
for (ace = dir_ace; ace != NULL; ace = ace->next) {
uint32_t acc = map_canon_ace_perms(SNUM(conn),
&nt_acl_type,
@@ -3409,18 +3355,6 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
SEC_ACE_FLAG_INHERIT_ONLY);
}
- /* The User must have access to a profile share - even
- * if we can't map the SID. */
- if (lp_profile_acls(SNUM(conn))) {
- add_or_replace_ace(nt_ace_list, &num_aces,
- &global_sid_Builtin_Users,
- SEC_ACE_TYPE_ACCESS_ALLOWED,
- FILE_GENERIC_ALL,
- SEC_ACE_FLAG_OBJECT_INHERIT |
- SEC_ACE_FLAG_CONTAINER_INHERIT |
- SEC_ACE_FLAG_INHERIT_ONLY);
- }
-
/*
* Merge POSIX default ACLs and normal ACLs into one NT ACE.
* Win2K needs this to get the inheritance correct when replacing ACLs
@@ -3428,21 +3362,6 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
*/
num_aces = merge_default_aces(nt_ace_list, num_aces);
-
- if (lp_profile_acls(SNUM(conn))) {
- size_t i;
-
- for (i = 0; i < num_aces; i++) {
- if (dom_sid_equal(&nt_ace_list[i].trustee, &owner_sid)) {
- add_or_replace_ace(nt_ace_list, &num_aces,
- &orig_owner_sid,
- nt_ace_list[i].type,
- nt_ace_list[i].access_mask,
- nt_ace_list[i].flags);
- break;
- }
- }
- }
}
if (num_aces) {
--
1.9.1
From fc5a1d74b13d591b9868d502d5acfbde3b99e534 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 7 Aug 2017 17:29:41 +0200
Subject: [PATCH 13/15] tests/posixacl.py: remove useless 'profile acls' based
test
test_setntacl_smbd_dont_invalidate_getntacl_smbd() is basically
the same as test_setntacl_smbd_getntacl_smbd()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
python/samba/tests/posixacl.py | 17 -----------------
1 file changed, 17 deletions(-)
diff --git a/python/samba/tests/posixacl.py b/python/samba/tests/posixacl.py
index 8dc2098..f34c7d6 100644
--- a/python/samba/tests/posixacl.py
+++ b/python/samba/tests/posixacl.py
@@ -119,23 +119,6 @@ class PosixAclMappingTests(TestCaseInTempDir):
anysid = security.dom_sid(security.SID_NT_SELF)
self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
- def test_setntacl_smbd_dont_invalidate_getntacl_smbd(self):
- # set an ACL on a tempfile
- acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
- os.chmod(self.tempf, 0750)
- setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
-
- # now influence the POSIX ACL->SD mapping it returns something else than
- # what was set previously
- # this should not invalidate the hash and the complete ACL should still
- # be returned
- self.lp.set("profile acls", "yes")
- # we should still get back the ACL (and not one mapped from POSIX ACL)
- facl = getntacl(self.lp, self.tempf, direct_db_access=False)
- self.lp.set("profile acls", "no")
- anysid = security.dom_sid(security.SID_NT_SELF)
- self.assertEquals(acl, facl.as_sddl(anysid))
-
def test_setntacl_getntacl_smbd(self):
acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
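Review bot: the commit message calls the removed test "basically the same" as test_setntacl_smbd_getntacl_smbd(), but the comments in the removed body describe a separate property: changing the POSIX ACL to SD mapping after setntacl() must not invalidate the stored hash, and getntacl(..., direct_db_access=False) must still return the complete ACL. If 'profile acls' was the only knob available to perturb the mapping, say that in the commit message instead of calling the test useless, or keep the test with another way of changing the mapping.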
--
1.9.1
From 19bfe1a2339e2814ba2547722e00b5d9bc6e5fbd Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 7 Aug 2017 17:31:13 +0200
Subject: [PATCH 14/15] docs-xml: remove deprecated 'profile acls' option
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
docs-xml/smbdotconf/protocol/profileacls.xml | 62 ----------------------------
source3/param/loadparm.c | 1 -
2 files changed, 63 deletions(-)
delete mode 100644 docs-xml/smbdotconf/protocol/profileacls.xml
diff --git a/docs-xml/smbdotconf/protocol/profileacls.xml b/docs-xml/smbdotconf/protocol/profileacls.xml
deleted file mode 100644
index a660c52..0000000
--- a/docs-xml/smbdotconf/protocol/profileacls.xml
+++ /dev/null
@@ -1,62 +0,0 @@
-<samba:parameter name="profile acls"
- context="S"
- type="boolean"
- deprecated="1"
- xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
- <para>
- As most system support support posix acls and extended attributes
- today. The "acl_xattr" vfs module should be used instead of
- using <smbconfoption name="profile acls">yes</smbconfoption>.
- Using an vfs module that provides nfs4 acls may also work.
- </para>
-
- <para>
- With modern clients (as of 2017) it's not possible to
- use <smbconfoption name="profile acls">yes</smbconfoption> anymore.
- </para>
-
- <para>
- This boolean parameter was added to fix the problems that people have been
- having with storing user profiles on Samba shares from Windows 2000 or
- Windows XP clients. New versions of Windows 2000 or Windows XP service
- packs do security ACL checking on the owner and ability to write of the
- profile directory stored on a local workstation when copied from a Samba
- share.
- </para>
-
- <para>
- When not in domain mode with winbindd then the security info copied
- onto the local workstation has no meaning to the logged in user (SID) on
- that workstation so the profile storing fails. Adding this parameter
- onto a share used for profile storage changes two things about the
- returned Windows ACL. Firstly it changes the owner and group owner
- of all reported files and directories to be BUILTIN\\Administrators,
- BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly
- it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to
- every returned ACL. This will allow any Windows 2000 or XP workstation
- user to access the profile.
- </para>
-
- <para>
- Note that if you have multiple users logging
- on to a workstation then in order to prevent them from being able to access
- each others profiles you must remove the "Bypass traverse checking" advanced
- user right. This will prevent access to other users profile directories as
- the top level profile directory (named after the user) is created by the
- workstation profile code and has an ACL restricting entry to the directory
- tree to the owning user.
- </para>
-
- <para>
- Note that this parameter should be set to yes on dedicated profile shares only.
- On other shares, it might cause incorrect file ownerships.
- </para>
-
- <para>
- This parameter is deprecated with Samba 4.7 and will be removed in future versions.
- </para>
-</description>
-
-<value type="default">no</value>
-</samba:parameter>
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 82f9d8e..dcb540a 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -229,7 +229,6 @@ static const struct loadparm_service _sDefault =
.nt_acl_support = true,
.force_unknown_acl_user = false,
._use_sendfile = false,
- .profile_acls = false,
.map_acl_inherit = false,
.afs_share = false,
.ea_support = false,
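Review bot: the subject is prefixed "docs-xml:" but this hunk edits source3/param/loadparm.c. If the .profile_acls initializer has to be removed in the same commit as profileacls.xml for the tree to keep building, one line in the commit message saying so would explain the mixed change.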
--
1.9.1
From 3cadd065abf29e104bc3525b1ee6541f5a9974e4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 7 Aug 2017 17:32:09 +0200
Subject: [PATCH 15/15] WHATSNEW: document the removal of 'auth methods', 'map
untrusted to domain' and 'profile acls'
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
WHATSNEW.txt | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 8f5986e..7eaa13d 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -34,10 +34,13 @@ smb.conf changes
Parameter Name Description Default
-------------- ----------- -------
- binddns dir New
- gpo update command New
+ auth methods Removed
+ binddns dir New
+ gpo update command New
+ map untrusted to domain Removed
oplock contention limit Removed
- prefork children New 1
+ prefork children New 1
+ profile acls Removed
NT4-style replication based net commands removed
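Review bot: the three new "Removed" rows give administrators no pointer to a replacement. The deleted profileacls.xml told users to switch to the "acl_xattr" vfs module; a sentence under the table repeating that, plus a note on how an smb.conf that still sets any of these parameters is treated, would make the release note actionable. The 'auth methods' and 'map untrusted to domain' rows would benefit from the same.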
--
1.9.1