[SCM] Samba Shared Repository - branch master updated
Andreas Schneider
asn at samba.org
Mon Aug 16 04:49:40 MDT 2010
The branch, master has been updated
via a482b3e... s3-auth: Remove docs about obsolete 'update encrypted' option.
via 66b6a8c... s3-auth: Remove obsolete 'update encrypted' option.
from f03ac22... s3-selftest: add samba3.posix_s3.rpc.spoolss.notify to knownfail list.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit a482b3e14ec4e3eada9c2477c9eae2bfbe017f53
Author: Andreas Schneider <asn at samba.org>
Date: Thu Jul 29 13:18:35 2010 +0200
s3-auth: Remove docs about obsolete 'update encrypted' option.
commit 66b6a8cf62c2fe9b1eafeb094916e6046f686359
Author: Andreas Schneider <asn at samba.org>
Date: Thu Jul 29 13:16:09 2010 +0200
s3-auth: Remove obsolete 'update encrypted' option.
-----------------------------------------------------------------------
Summary of changes:
docs-xml/smbdotconf/security/updateencrypted.xml | 34 -------------
docs-xml/using_samba/appc.xml | 14 -----
docs-xml/using_samba/ch06.xml | 37 +-------------
examples/scripts/shares/python/smbparm.py | 1 -
source3/auth/auth_unix.c | 58 +---------------------
source3/auth/pass_check.c | 13 ++---
source3/include/proto.h | 3 +-
source3/param/loadparm.c | 9 ---
source3/web/cgi.c | 4 +-
source4/TODO | 1 -
10 files changed, 10 insertions(+), 164 deletions(-)
delete mode 100644 docs-xml/smbdotconf/security/updateencrypted.xml
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/security/updateencrypted.xml b/docs-xml/smbdotconf/security/updateencrypted.xml
deleted file mode 100644
index eb54ed9..0000000
--- a/docs-xml/smbdotconf/security/updateencrypted.xml
+++ /dev/null
@@ -1,34 +0,0 @@
-<samba:parameter name="update encrypted"
- context="G"
- type="boolean"
- basic="1" advanced="1" developer="1"
- xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
-
- <para>
- This boolean parameter allows a user logging on with a plaintext password to have their encrypted (hashed)
- password in the smbpasswd file to be updated automatically as they log on. This option allows a site to
- migrate from plaintext password authentication (users authenticate with plaintext password over the
- wire, and are checked against a UNIX account database) to encrypted password authentication (the SMB
- challenge/response authentication mechanism) without forcing all users to re-enter their passwords via
- smbpasswd at the time the change is made. This is a convenience option to allow the change over to encrypted
- passwords to be made over a longer period. Once all users have encrypted representations of their passwords
- in the smbpasswd file this parameter should be set to <constant>no</constant>.
- </para>
-
- <para>
- In order for this parameter to be operative the <smbconfoption name="encrypt passwords"/> parameter must
- be set to <constant>no</constant>. The default value of <smbconfoption name="encrypt
- passwords">Yes</smbconfoption>. Note: This must be set to <constant>no</constant> for this <smbconfoption
- name="update encrypted"/> to work.
- </para>
-
- <para>
- Note that even when this parameter is set, a user authenticating to <command moreinfo="none">smbd</command>
- must still enter a valid password in order to connect correctly, and to update their hashed (smbpasswd)
- passwords.
- </para>
-</description>
-
-<value type="default">no</value>
-</samba:parameter>
diff --git a/docs-xml/using_samba/appc.xml b/docs-xml/using_samba/appc.xml
index 76fc5e8..f4b4666 100644
--- a/docs-xml/using_samba/appc.xml
+++ b/docs-xml/using_samba/appc.xml
@@ -2728,20 +2728,6 @@ compatibility with older-client bugs.</para>
</refsynopsisdiv>
</refentry>
-<refentry id="appc-refentry-194">
-<refmeta>
-<refmiscinfo class="allowable values">YES, NO</refmiscinfo>
-<refmiscinfo class="default">NO</refmiscinfo>
-</refmeta>
-<refnamediv>
-<refname>update encrypted = boolean</refname>
-</refnamediv>
-<refsynopsisdiv>
-<para>Updates the Microsoft-format password file when a user logs in with unencrypted passwords. Provided to ease conversion to encryped passwords for Windows 95/98 and NT. Added in Samba 1.9.18p5.</para>
-
-</refsynopsisdiv>
-</refentry>
-
<refentry id="appc-refentry-195">
<refmeta>
<refmiscinfo class="allowable values">comma-separated list of user names</refmiscinfo>
diff --git a/docs-xml/using_samba/ch06.xml b/docs-xml/using_samba/ch06.xml
index e0973b6..b099e96 100644
--- a/docs-xml/using_samba/ch06.xml
+++ b/docs-xml/using_samba/ch06.xml
@@ -1592,20 +1592,6 @@ Password changed for user dave</programlisting>
<row>
-<entry colname="col1"><para><literal>update encrypted</literal></para></entry>
-
-<entry colname="col2"><para>boolean</para></entry>
-
-<entry colname="col3"><para>If <literal>yes</literal>, Samba updates the encrypted password file when a client connects to a share with a plaintext password.</para></entry>
-
-<entry colname="col4"><para><literal>no</literal></para></entry>
-
-<entry colname="col5"><para>Global</para></entry>
-
-</row>
-
-<row>
-
<entry colname="col1"><para><literal>null passwords</literal></para></entry>
<entry colname="col2"><para>boolean</para></entry>
@@ -1769,23 +1755,6 @@ password level</title>
<sect3 role="" label="6.4.4.7" id="ch06-SECT-4.3.7">
-<indexterm id="ch06-idx-969481-0"><primary>pdate encrypted option</primary></indexterm>
-<title>update encrypted</title>
-
-
-<para>For sites switching over to the <indexterm id="ch06-idx-967799-0"><primary>encrypted passwords</primary><secondary>Microsoft format</secondary></indexterm>encrypted password format, Samba provides an option that should help with the transition. The <literal>update</literal> <literal>encrypted</literal> option allows a site to ease into using encrypted passwords from plaintext passwords. You can activate this option as follows:</para>
-
-
-<programlisting>[global]
- update encrypted = yes</programlisting>
-
-
-<para>This instructs Samba to create an encrypted version of each user's Unix password in the <filename>smbpasswd</filename> file each time he or she connects to a share. When this option is enabled, you must have the <literal>encrypt</literal> <literal>passwords</literal> option set to <literal>no</literal> so that the client will pass plaintext passwords to Samba to use to update the files. Once each user has connected at least once, you can set <literal>encrypted</literal> <literal>passwords</literal> <literal>=</literal> <literal>yes</literal>, allowing you to use only the encrypted passwords. The user must already have a valid entry in the <filename>smbpasswd</filename> file for this option to work.</para>
-</sect3>
-
-
-
-<sect3 role="" label="6.4.4.8" id="ch06-SECT-4.3.8">
<title>null passwords</title>
@@ -1801,7 +1770,7 @@ password level</title>
-<sect3 role="" label="6.4.4.9" id="ch06-SECT-4.3.9">
+<sect3 role="" label="6.4.4.8" id="ch06-SECT-4.3.8">
<indexterm id="ch06-idx-969483-0"><primary>smb passwd file option</primary></indexterm>
<title>
smb passwd file</title>
@@ -1820,7 +1789,7 @@ smb passwd file</title>
-<sect3 role="" label="6.4.4.10" id="ch06-SECT-4.3.10">
+<sect3 role="" label="6.4.4.9" id="ch06-SECT-4.3.9">
<indexterm id="ch06-idx-969486-0"><primary>hosts equiv option</primary></indexterm>
<title>
hosts equiv</title>
@@ -1838,7 +1807,7 @@ hosts equiv</title>
-<sect3 role="" label="6.4.4.11" id="ch06-SECT-4.3.11">
+<sect3 role="" label="6.4.4.10" id="ch06-SECT-4.3.10">
<indexterm id="ch06-idx-969487-0"><primary>use rhosts option</primary></indexterm>
<title>
use rhosts</title>
diff --git a/examples/scripts/shares/python/smbparm.py b/examples/scripts/shares/python/smbparm.py
index 73637a7..3793992 100644
--- a/examples/scripts/shares/python/smbparm.py
+++ b/examples/scripts/shares/python/smbparm.py
@@ -353,7 +353,6 @@ parm_table = {
"ENHANCEDBROWSING" : ("enhanced browsing", SambaParmBool, P_GLOBAL, "Yes"),
"PANICACTION" : ("panic action", SambaParmString, P_GLOBAL, ""),
"LDAPMACHINESUFFIX" : ("ldap machine suffix", SambaParmString, P_GLOBAL, ""),
- "UPDATEENCRYPTED" : ("update encrypted", SambaParmBool, P_GLOBAL, "No"),
"MAXTTL" : ("max ttl", SambaParmString, P_GLOBAL, "259200"),
"WRITABLE" : ("read only", SambaParmBoolRev, P_LOCAL, "Yes"),
"SHAREMODES" : ("share modes", SambaParmBool, P_LOCAL, "Yes"),
diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c
index a9a4c53..8668a2f 100644
--- a/source3/auth/auth_unix.c
+++ b/source3/auth/auth_unix.c
@@ -23,60 +23,6 @@
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
-/**
- * update the encrypted smbpasswd file from the plaintext username and password
- *
- * this ugly hack needs to die, but not quite yet, I think people still use it...
- **/
-static bool update_smbpassword_file(const char *user, const char *password)
-{
- struct samu *sampass;
- bool ret;
-
- if ( !(sampass = samu_new( NULL )) ) {
- return False;
- }
-
- become_root();
- ret = pdb_getsampwnam(sampass, user);
- unbecome_root();
-
- if(ret == False) {
- DEBUG(0,("pdb_getsampwnam returned NULL\n"));
- TALLOC_FREE(sampass);
- return False;
- }
-
- /*
- * Remove the account disabled flag - we are updating the
- * users password from a login.
- */
- if (!pdb_set_acct_ctrl(sampass, pdb_get_acct_ctrl(sampass) & ~ACB_DISABLED, PDB_CHANGED)) {
- TALLOC_FREE(sampass);
- return False;
- }
-
- if (!pdb_set_plaintext_passwd (sampass, password)) {
- TALLOC_FREE(sampass);
- return False;
- }
-
- /* Now write it into the file. */
- become_root();
-
- ret = NT_STATUS_IS_OK(pdb_update_sam_account (sampass));
-
- unbecome_root();
-
- if (ret) {
- DEBUG(3,("pdb_update_sam_account returned %d\n",ret));
- }
-
- TALLOC_FREE(sampass);
- return ret;
-}
-
-
/** Check a plaintext username/password
*
* Cannot deal with an encrupted password in any manner whatsoever,
@@ -102,9 +48,7 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context,
nt_status = pass_check(pass,
pass ? pass->pw_name : user_info->mapped.account_name,
user_info->password.plaintext,
- lp_update_encrypted() ?
- update_smbpassword_file : NULL,
- True);
+ true);
unbecome_root();
diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c
index d1b720c..ee35fba 100644
--- a/source3/auth/pass_check.c
+++ b/source3/auth/pass_check.c
@@ -647,8 +647,10 @@ match is found and is used to update the encrypted password file
return NT_STATUS_OK on correct match, appropriate error otherwise
****************************************************************************/
-NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *password,
- bool (*fn) (const char *, const char *), bool run_cracker)
+NTSTATUS pass_check(const struct passwd *pass,
+ const char *user,
+ const char *password,
+ bool run_cracker)
{
char *pass2 = NULL;
int level = lp_passwordlevel();
@@ -820,9 +822,6 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas
/* try it as it came to us */
nt_status = password_check(password);
if NT_STATUS_IS_OK(nt_status) {
- if (fn) {
- fn(user, password);
- }
return (nt_status);
} else if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) {
/* No point continuing if its not the password thats to blame (ie PAM disabled). */
@@ -850,8 +849,6 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas
if (strhasupper(pass2)) {
strlower_m(pass2);
if NT_STATUS_IS_OK(nt_status = password_check(pass2)) {
- if (fn)
- fn(user, pass2);
return (nt_status);
}
}
@@ -865,8 +862,6 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas
strlower_m(pass2);
if (NT_STATUS_IS_OK(nt_status = string_combinations(pass2, password_check, level))) {
- if (fn)
- fn(user, pass2);
return nt_status;
}
diff --git a/source3/include/proto.h b/source3/include/proto.h
index c6061fc..850710b 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -232,7 +232,7 @@ bool smb_pam_close_session(char *in_user, char *tty, char *rhost);
void dfs_unlogin(void);
NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *password,
- bool (*fn) (const char *, const char *), bool run_cracker);
+ bool run_cracker);
/* The following definitions come from auth/token_util.c */
@@ -3708,7 +3708,6 @@ bool _lp_writeraw(void);
bool lp_null_passwords(void);
bool lp_obey_pam_restrictions(void);
bool lp_encrypted_passwords(void);
-bool lp_update_encrypted(void);
int lp_client_schannel(void);
int lp_server_schannel(void);
bool lp_syslog_only(void);
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index b20b565..f200022 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -1102,15 +1102,6 @@ static struct parm_struct parm_table[] = {
.flags = FLAG_BASIC | FLAG_ADVANCED | FLAG_WIZARD,
},
{
- .label = "update encrypted",
- .type = P_BOOL,
- .p_class = P_GLOBAL,
- .ptr = &Globals.bUpdateEncrypt,
- .special = NULL,
- .enum_list = NULL,
- .flags = FLAG_ADVANCED,
- },
- {
.label = "client schannel",
.type = P_ENUM,
.p_class = P_GLOBAL,
diff --git a/source3/web/cgi.c b/source3/web/cgi.c
index 0c1c80e..3d7b32c 100644
--- a/source3/web/cgi.c
+++ b/source3/web/cgi.c
@@ -373,9 +373,7 @@ static bool cgi_handle_authorization(char *line)
* Validate the password they have given.
*/
- if NT_STATUS_IS_OK(pass_check(pass, user, user_pass,
- NULL, False)) {
-
+ if NT_STATUS_IS_OK(pass_check(pass, user, user_pass, false)) {
if (pass) {
/*
* Password was ok.
diff --git a/source4/TODO b/source4/TODO
index 2d7853f..9a29c20 100644
--- a/source4/TODO
+++ b/source4/TODO
@@ -18,7 +18,6 @@ The following options don't exist in Samba4 yet
or are not converted by the upgrade script
or will be removed:
-- update encrypted
- public
- guest ok
- client schannel
--
Samba Shared Repository
More information about the samba-cvs
mailing list