svn commit: samba r6885 - in trunk/source: param rpc_server smbd

Wed May 18 14:35:11 GMT 2005

Author: jerry
Date: 2005-05-18 14:35:11 +0000 (Wed, 18 May 2005)
New Revision: 6885

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=6885

Log:
add new parameter 'enable asu support' which defaults to yes.
Way back in Samba 2.x days (maybe 2.0.x) the ADMIN$ share was
added as an IPC share to allow an ASU client to join a Samba domain.
I haven't been able to get traces to confirm that this is in 
fact the case.  But until it can be proven otherwise, we have to assume
this is true.

This parameter is used to turn on/off those hacks that are needed
for ASU clients.  

By setting 'enable asu support = no', an administrator can add
an [ADMIN$] share to smb.conf.  Which is required by certain
apps like  Microsoft's Print Migrator.



Modified:
   trunk/source/param/loadparm.c
   trunk/source/rpc_server/srv_srvsvc_nt.c
   trunk/source/smbd/service.c


Changeset:
Modified: trunk/source/param/loadparm.c
===================================================================

--- trunk/source/param/loadparm.c	2005-05-18 14:29:23 UTC (rev 6884)
+++ trunk/source/param/loadparm.c	2005-05-18 14:35:11 UTC (rev 6885)
@@ -308,6 +308,7 @@
 	BOOL bUseKerberosKeytab;
 	BOOL bDeferSharingViolations;
 	BOOL bEnablePrivileges;
+	BOOL bASUSupport;
 	int restrict_anonymous;
 	int name_cache_timeout;
 	int client_signing;
@@ -952,6 +953,7 @@
 	{"server signing", P_ENUM, P_GLOBAL, &Globals.server_signing, NULL, enum_smb_signing_vals, FLAG_ADVANCED}, 
 	{"client use spnego", P_BOOL, P_GLOBAL, &Globals.bClientUseSpnego, NULL, NULL, FLAG_ADVANCED}, 
 
+	{"enable asu support", P_BOOL, P_GLOBAL, &Globals.bASUSupport, NULL, NULL, FLAG_ADVANCED}, 
 	{"enable svcctl", P_LIST, P_GLOBAL, &Globals.szServicesList, NULL, NULL, FLAG_ADVANCED},
 
 	{N_("Tuning Options"), P_SEP, P_SEPARATOR}, 
@@ -1603,6 +1605,8 @@
 	   operations as root */
 
 	Globals.bEnablePrivileges = False;
+
+	Globals.bASUSupport       = True;
 	
 	Globals.szServicesList = str_list_make( "Spooler NETLOGON", NULL );
 }
@@ -1858,6 +1862,7 @@
 FN_GLOBAL_BOOL(lp_use_kerberos_keytab, &Globals.bUseKerberosKeytab)
 FN_GLOBAL_BOOL(lp_defer_sharing_violations, &Globals.bDeferSharingViolations)
 FN_GLOBAL_BOOL(lp_enable_privileges, &Globals.bEnablePrivileges)
+FN_GLOBAL_BOOL(lp_enable_asu_support, &Globals.bASUSupport)
 FN_GLOBAL_INTEGER(lp_os_level, &Globals.os_level)
 FN_GLOBAL_INTEGER(lp_max_ttl, &Globals.max_ttl)
 FN_GLOBAL_INTEGER(lp_max_wins_ttl, &Globals.max_wins_ttl)
@@ -4035,7 +4040,8 @@
 		/* When 'restrict anonymous = 2' guest connections to ipc$
 		   are denied */
 		lp_add_ipc("IPC$", (lp_restrict_anonymous() < 2));
-		/* lp_add_ipc("ADMIN$", False); */
+		if ( lp_enable_asu_support() )
+			lp_add_ipc("ADMIN$", False);
 	}
 
 	set_server_role();

Modified: trunk/source/rpc_server/srv_srvsvc_nt.c
===================================================================
--- trunk/source/rpc_server/srv_srvsvc_nt.c	2005-05-18 14:29:23 UTC (rev 6884)
+++ trunk/source/rpc_server/srv_srvsvc_nt.c	2005-05-18 14:35:11 UTC (rev 6885)
@@ -1480,7 +1480,7 @@
  Check a given DOS pathname is valid for a share.
 ********************************************************************/
 
-static char *valid_share_pathname(char *dos_pathname)
+char *valid_share_pathname(char *dos_pathname)
 {
 	char *ptr;
 
@@ -1493,7 +1493,7 @@
 	if (strlen(dos_pathname) > 2 && ptr[1] == ':' && ptr[0] != '/')
 		ptr += 2;
 
-	/* Only abolute paths allowed. */
+	/* Only absolute paths allowed. */
 	if (*ptr != '/')
 		return NULL;
 
@@ -1525,8 +1525,12 @@
 
 	r_u->parm_error = 0;
 
-	if (strequal(share_name,"IPC$") || strequal(share_name,"ADMIN$") || strequal(share_name,"global"))
+	if ( strequal(share_name,"IPC$") 
+		|| ( lp_enable_asu_support() && strequal(share_name,"ADMIN$") )
+		|| strequal(share_name,"global") )
+	{
 		return WERR_ACCESS_DENIED;
+	}
 
 	snum = find_service(share_name);
 
@@ -1756,8 +1760,12 @@
 		return WERR_UNKNOWN_LEVEL;
 	}
 
-	if (strequal(share_name,"IPC$") || strequal(share_name,"ADMIN$") || strequal(share_name,"global"))
+	if ( strequal(share_name,"IPC$") 
+		|| ( lp_enable_asu_support() && strequal(share_name,"ADMIN$") )
+		|| strequal(share_name,"global") )
+	{
 		return WERR_ACCESS_DENIED;
+	}
 
 	snum = find_service(share_name);
 
@@ -1839,8 +1847,12 @@
 
 	unistr2_to_ascii(share_name, &q_u->uni_share_name, sizeof(share_name));
 
-	if (strequal(share_name,"IPC$") || strequal(share_name,"ADMIN$") || strequal(share_name,"global"))
+	if ( strequal(share_name,"IPC$") 
+		|| ( lp_enable_asu_support() && strequal(share_name,"ADMIN$") )
+		|| strequal(share_name,"global") )
+	{
 		return WERR_ACCESS_DENIED;
+	}
 
 	snum = find_service(share_name);
 

Modified: trunk/source/smbd/service.c
===================================================================
--- trunk/source/smbd/service.c	2005-05-18 14:29:23 UTC (rev 6884)
+++ trunk/source/smbd/service.c	2005-05-18 14:35:11 UTC (rev 6885)
@@ -362,7 +362,7 @@
 	conn->service = snum;
 	conn->used = True;
 	conn->printer = (strncmp(dev,"LPT",3) == 0);
-	conn->ipc = ((strncmp(dev,"IPC",3) == 0) || strequal(dev,"ADMIN$"));
+	conn->ipc = ( (strncmp(dev,"IPC",3) == 0) || ( lp_enable_asu_support() && strequal(dev,"ADMIN$")) );
 	conn->dirptr = NULL;
 
 	/* Case options for the share. */
@@ -783,7 +783,9 @@
 	snum = find_service(service);
 
 	if (snum < 0) {
-		if (strequal(service,"IPC$") || strequal(service,"ADMIN$")) {
+		if (strequal(service,"IPC$") 
+			|| (lp_enable_asu_support() && strequal(service,"ADMIN$"))) 
+		{
 			DEBUG(3,("refusing IPC connection to %s\n", service));
 			*status = NT_STATUS_ACCESS_DENIED;
 			return NULL;

