[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Wed Nov 16 18:11:02 MST 2011


The branch, master has been updated
       via  2de232a s3-nmbd Remove AD netlogon response from s3 nmbd server
       via  47d3499 s4-s3-upgrade Test getdomainsid as well
       via  87bbe1b s3-net Do not look for a local SID when we are a DC
       via  cd23028 lib/param simplify server role values specified in smb.conf
       via  afcd3c6 docs: Add documentation for server role
       via  a01a186 libds: Make server role values explicit for easier debugging
       via  eb4fa13 param: use lp_is_security_and_server_role_valid()
       via  e743fbc param: Check if server role and security parameters are conflicting
       via  ea7cb8c lib/param: Add tests for security= behaviour now it operates with server role
       via  3ac3de7 param: Connect lp_security to the lib/param code to allow tests
       via  29cd8ae s4-provision permit server role to be the ROLE_ strings from s3
       via  31ba7af param: Add tests for automatic server role guessing
       via  42406d6 py-param: Add python interface to get server_role
       via  15b8cfc param: Move enum values into a common (included) .c file
       via  1f96a59 param: move server role helpers into loadparm.h
       via  b8c119f s4-s3-upgrade Add test of net getlocalsid after the upgrade
       via  9524e2f param: calculate server role from security, and security from server role
       via  f099fea s3-param remove lp_domain_logons(), always use IS_DC
       via  df9a1ea param: make server role list common and include auto (for the new default)
       via  299ed45 roles: Add ROLE_AUTO to indicate that the server role is calculated
       via  d97acc8 s3-param: Add "server role" as global parameter
       via  7b175e8 param: Add "domain logons" and "domain master" parameters
      from  948e010 s3-libsmb/passchange.c: remove some cli_nt_error() calls

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 2de232ae2a187941f8114ff0948ca50082007761
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 10 17:41:28 2011 +1100

    s3-nmbd Remove AD netlogon response from s3 nmbd server
    
    I do not want users with misconfigurations to have nmbd respond
    with this partially correct packet.  For example, it hardcodes
    the site as Default-First-Site-Name.
    
    If nmbd wishes to return this information, it would need to query
    the AD database using the same APIs that the source4/ nbt server
    does.
    
    Andrew Bartlett
    
    Autobuild-User: Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date: Thu Nov 17 02:10:54 CET 2011 on sn-devel-104

commit 47d34997e84e8f9c05be7b95b9ae4dbd6ea7298e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 10 20:16:23 2011 +1100

    s4-s3-upgrade Test getdomainsid as well

commit 87bbe1be5f79107cb96227510588f222b7061c92
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 10 19:57:05 2011 +1100

    s3-net Do not look for a local SID when we are a DC
    
    If we are actually a DC, then the only SID we have is the domain SID,
    and looking for it under the local name fails if we are a Samba4 AD DC.
    
    Andrew Bartlett

commit cd23028ed05feaace335fb96247cfe344a776c71
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 10 21:27:13 2011 +1100

    lib/param simplify server role values specified in smb.conf
    
    The pdc/bdc split is only in smb.conf for Samba3 DCs, and so is
    too confusing to document in this parameter.  It will be clearer
    to sort out "domain master" into a "pdc emulator" parameter
    to convey this distinction.
    
    Andrew Bartlett

commit afcd3c625d883e84666990ce759615f16d45c596
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 10 21:16:18 2011 +1100

    docs: Add documentation for server role

commit a01a186a6cfd3b6f1f49ea6d3e7363d2a58d3d4a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 10 19:48:06 2011 +1100

    libds: Make server role values explicit for easier debugging

commit eb4fa13fd967a2604284de357ee8e8bfbee0a507
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 10 19:34:36 2011 +1100

    param: use lp_is_security_and_server_role_valid()
    
    This also permits a few more valid combinations, due to the layer at which this is
    being used.
    
    Andrew Bartlett

commit e743fbc26ef64f8f3e4164f809140a12b304c90f
Author: Amitay Isaacs <amitay at gmail.com>
Date:   Thu Nov 10 17:45:28 2011 +1100

    param: Check if server role and security parameters are conflicting

commit ea7cb8ccb7f19fa8f4c5e6c61147dd6a4a877e22
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 10 17:11:56 2011 +1100

    lib/param: Add tests for security= behaviour now it operates with server role
    
    Pair-Programmed-With: Amitay Isaacs <amitay at samba.org>

commit 3ac3de73b4e2cfb8dfe21c502de8432abb29d685
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 10 17:11:18 2011 +1100

    param: Connect lp_security to the lib/param code to allow tests
    
    Pair-Programmed-With: Amitay Isaacs <amitay at samba.org>

commit 29cd8ae6fd58bd968958447e1438ff05a3bf4b48
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 10 16:26:57 2011 +1100

    s4-provision permit server role to be the ROLE_ strings from s3
    
    Also convert between the aliases in one single place.
    
    Andrew Bartlett
    
    Pair-Programmed-With: Amitay Isaacs <amitay at samba.org>

commit 31ba7af757bc7a872140b6fc91e67dab28c9ac8f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 10 16:07:52 2011 +1100

    param: Add tests for automatic server role guessing
    
    Pair-Programmed-With: Amitay Isaacs <amitay at samba.org>

commit 42406d63a4475ed167ca46ae21c850ee77a071ef
Author: Amitay Isaacs <amitay at gmail.com>
Date:   Thu Nov 10 15:42:44 2011 +1100

    py-param: Add python interface to get server_role

commit 15b8cfcd83ab502c99bb5c02d2198c46a22f165e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 10 15:19:33 2011 +1100

    param: Move enum values into a common (included) .c file
    
    This #include hack is required as it is not possible to declare a
    compile-time sized array in a header file.
    
    Andrew Bartlett
    
    Pair-Programmed-With: Amitay Isaacs <amitay at samba.org>

commit 1f96a59ddac772689fda863d1d4a62cd916c3488
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 10 15:22:37 2011 +1100

    param: move server role helpers into loadparm.h
    
    Pair-Programmed-With: Amitay Isaacs <amitay at samba.org>

commit b8c119f3ba0872e4416caecb8fb508cd70781c56
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 1 12:59:38 2011 +1100

    s4-s3-upgrade Add test of net getlocalsid after the upgrade
    
    Pair-Programmed-With: Amitay Isaacs <amitay at samba.org>

commit 9524e2fce1b7f644fef5f7c8134f72681d786e65
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 10 12:45:54 2011 +1100

    param: calculate server role from security, and security from server role
    
    This allows smb.conf files from either the samba3 or samba4 tradition
    to come to the same value of server role, using the information in the
    smb.conf file.
    
    This is important so that tools like 'net getlocalsid' work against a
    Samba4 AD installation (yes, users have tried this).
    
    Andrew Bartlett
    
    Pair-Programmed-With: Amitay Isaacs <amitay at samba.org>

commit f099feaa01b6548cb60cb9d7d50b1f196b1af878
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 10 13:37:54 2011 +1100

    s3-param remove lp_domain_logons(), always use IS_DC
    
    This makes the code internally consistent.
    
    Andrew Bartlett
    
    Pair-Programmed-With: Amitay Isaacs <amitay at samba.org>

commit df9a1ea6cb18d4e701471ddd0144dbc970c4eb88
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 10 12:50:09 2011 +1100

    param: make server role list common and include auto (for the new default)
    
    Pair-Programmed-With: Amitay Isaacs <amitay at samba.org>

commit 299ed456705944c0b6f848d4fce1fbf6853df965
Author: Amitay Isaacs <amitay at gmail.com>
Date:   Tue Nov 8 13:22:37 2011 +1100

    roles: Add ROLE_AUTO to indicate that the server role is calculated

commit d97acc8fb9710c41c9758801af1e79c38f9ffdcc
Author: Amitay Isaacs <amitay at gmail.com>
Date:   Tue Nov 8 12:12:06 2011 +1100

    s3-param: Add "server role" as global parameter
    
    This will help extracting server role processing code in common
    library.

commit 7b175e875ea4cdfa27c21369a28e9c4ef14c925b
Author: Amitay Isaacs <amitay at gmail.com>
Date:   Tue Nov 8 11:36:00 2011 +1100

    param: Add "domain logons" and "domain master" parameters
    
    This makes parsing of config files with s3 loadparm code and s4 loadparm
    code consistent.

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/smbdotconf/security/security.xml          |    7 +-
 docs-xml/smbdotconf/security/serverrole.xml        |   69 +++++++++++
 lib/param/loadparm.c                               |  122 +++++++-----------
 lib/param/loadparm.h                               |    5 +
 {source3 => lib}/param/loadparm_server_role.c      |  129 ++++++++++++++++----
 lib/param/param_enums.c                            |  108 ++++++++++++++++
 lib/param/wscript_build                            |    7 +-
 libds/common/roles.h                               |   12 ++-
 script/mks3param.pl                                |    2 +
 source3/Makefile.in                                |    2 +-
 source3/include/proto.h                            |    3 +-
 source3/nmbd/nmbd_become_dmb.c                     |    2 +-
 source3/nmbd/nmbd_processlogon.c                   |  109 +++--------------
 source3/param/loadparm.c                           |   91 ++++-----------
 source3/param/loadparm_ctx.c                       |    1 +
 source3/utils/net.c                                |   15 ++-
 source3/wscript_build                              |    2 +-
 source4/param/pyparam.c                            |   15 +++
 source4/param/tests/loadparm.c                     |  122 ++++++++++++++++++
 .../scripting/python/samba/provision/__init__.py   |   18 +++-
 source4/scripting/python/samba/upgrade.py          |   13 +--
 source4/setup/provision                            |    7 +-
 source4/setup/tests/blackbox_s3upgrade.sh          |    6 +
 23 files changed, 570 insertions(+), 297 deletions(-)
 create mode 100644 docs-xml/smbdotconf/security/serverrole.xml
 rename {source3 => lib}/param/loadparm_server_role.c (51%)
 create mode 100644 lib/param/param_enums.c


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/security/security.xml b/docs-xml/smbdotconf/security/security.xml
index 55e147e..74ea569 100644
--- a/docs-xml/smbdotconf/security/security.xml
+++ b/docs-xml/smbdotconf/security/security.xml
@@ -42,9 +42,14 @@
     <para>The different settings will now be explained.</para>
 
 
+    <para><anchor id="SECURITYEQUALSAUTO"/><emphasis>SECURITY = AUTO</emphasis></para>
+
+    <para>This is the default security setting in Samba, and causes Samba to consult
+    the <smbconfoption name="server role"/> parameter (if set) to determine the security mode.</para>
+
     <para><anchor id="SECURITYEQUALSUSER"/><emphasis>SECURITY = USER</emphasis></para>
 
-    <para>This is the default security setting in Samba. 
+    <para>If <smbconfoption name="server role"/> is not specified, this is the default security setting in Samba. 
     With user-level security a client must first "log-on" with a 
     valid username and password (which can be mapped using the <smbconfoption name="username map"/> 
     parameter). Encrypted passwords (see the <smbconfoption name="encrypted passwords"/> parameter) can also
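Review bot: After this change both the new SECURITY = AUTO paragraph and the reworded SECURITY = USER paragraph describe themselves as "the default security setting in Samba", which leaves the reader unsure which value is the default. Suggest the USER paragraph say that this is the mode Samba selects when security is left at AUTO and server role is not specified. The reworded line also keeps a trailing space after "in Samba.".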
diff --git a/docs-xml/smbdotconf/security/serverrole.xml b/docs-xml/smbdotconf/security/serverrole.xml
new file mode 100644
index 0000000..5832887
--- /dev/null
+++ b/docs-xml/smbdotconf/security/serverrole.xml
@@ -0,0 +1,69 @@
+<samba:parameter name="server role"
+                 context="G"
+				 type="enum"
+                 basic="1" advanced="1" wizard="1" developer="1"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This option determines the basic operating mode of a Samba
+    server and is one of the most important settings in the <filename
+    moreinfo="none"> smb.conf</filename> file.</para>
+
+    <para>The default is <command moreinfo="none">server role = auto</command>, as causes
+    Samba to operate according to the <smbconfoption name="security"/> setting, or if not
+    specified as a simple file server that is not connected to any domain.</para>
+
+    <para>The alternatives are
+    <command moreinfo="none">server role = standalone</command> or <command moreinfo="none">server role = member server
+    </command>, which support joining Samba to a Windows domain, along with <command moreinfo="none">server role = domain controller</command>, which run Samba as a Windows domain controller.</para>
+
+    <para>You should use <command moreinfo="none">server role = standalone</command> and 
+    <smbconfoption name="map to guest"/> if you 
+    want to mainly setup shares without a password (guest shares). This 
+    is commonly used for a shared printer server. </para>
+		
+    <para><anchor id="AUTO"/><emphasis>SERVER ROLE = AUTO</emphasis></para>
+
+    <para>This is the default server role in Samba, and causes Samba to consult
+    the <smbconfoption name="security"/> parameter (if set) to determine the server role, giving compatable behaviours to previous Samba versions.</para>
+
+    <para><anchor id="STANDALONE"/><emphasis>SERVER ROLE = STANDALONE</emphasis></para>
+
+    <para>If <smbconfoption name="security"/> is also not specified, this is the default security setting in Samba. 
+    In standalone operation, a client must first "log-on" with a 
+    valid username and password (which can be mapped using the <smbconfoption name="username map"/> 
+    parameter) stored on this machine. Encrypted passwords (see the <smbconfoption name="encrypted passwords"/> parameter) are by default
+    used in this security mode. Parameters such as <smbconfoption name="user"/> and <smbconfoption
+	name="guest only"/> if set	are then applied and 
+    may change the UNIX user to use on this connection, but only after 
+    the user has been successfully authenticated.</para>
+
+    <para><anchor id="MEMBER SERVER"/><emphasis>SERVER ROLE = MEMBER SERVER</emphasis></para>
+
+    <para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> has been used to add this
+    machine into a Windows Domain. It expects the <smbconfoption name="encrypted passwords"/>
+	parameter to be set to <constant>yes</constant>. In this 
+    mode Samba will try to validate the username/password by passing
+    it to a Windows or Samba Domain Controller, in exactly 
+    the same way that a Windows Server would do.</para>
+
+    <para><emphasis>Note</emphasis> that a valid UNIX user must still 
+    exist as well as the account on the Domain Controller to allow 
+    Samba to have a valid UNIX account to map file access to.  Winbind can provide this.</para>
+
+    <para>See also the section <link linkend="VALIDATIONSECT">
+    NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+    <para><anchor id="DC"/><emphasis>SERVER ROLE = DOMAIN CONTROLLER</emphasis></para>
+
+    <para>This mode of operation runs Samba as a domain controller, providing domain logon services to Windows and Samba clients of the domain.  Clients must be joined to the domain to create a secure, trusted path across the network.</para>
+
+</description>
+
+<related>security</related>
+<related>realm</related>
+<related>encrypt passwords</related>
+
+<value type="default">AUTO</value>
+<value type="example">DOMAIN CONTROLLER</value>
+</samba:parameter>
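Review bot: The SERVER ROLE = STANDALONE paragraph opens with "If security is also not specified, this is the default security setting in Samba", which reads as text carried over from security.xml; it should describe the default server role behaviour instead. In the same file, `<anchor id="MEMBER SERVER"/>` has a space in the id, which is not a valid XML ID value, so something like MEMBERSERVER would be safer. The "alternatives" paragraph groups standalone with member server as roles "which support joining Samba to a Windows domain", and "as causes" and "compatable" need fixing. `<related>encrypt passwords</related>` does not match the "encrypted passwords" option name used in the body.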
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 2a251c1..9abd11f 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -81,6 +81,10 @@ static bool defaults_saved = false;
 	char *tls_dhpfile;						\
 	char *loglevel;							\
 	char *panic_action;						\
+	int server_role;						\
+	int security;							\
+	int domain_master;						\
+	bool domain_logons;						\
 	int bPreferredMaster;
 
 #include "param_global.h"
@@ -100,77 +104,7 @@ static bool handle_debuglevel(struct loadparm_context *lp_ctx, int unused,
 static bool handle_logfile(struct loadparm_context *lp_ctx, int unused,
 			   const char *pszParmValue, char **ptr);
 
-static const struct enum_list enum_protocol[] = {
-	{PROTOCOL_SMB2_02, "SMB2"},
-	{PROTOCOL_SMB2_02, "SMB2_02"},
-	{PROTOCOL_NT1, "NT1"},
-	{PROTOCOL_LANMAN2, "LANMAN2"},
-	{PROTOCOL_LANMAN1, "LANMAN1"},
-	{PROTOCOL_CORE, "CORE"},
-	{PROTOCOL_COREPLUS, "COREPLUS"},
-	{PROTOCOL_COREPLUS, "CORE+"},
-	{-1, NULL}
-};
-
-static const struct enum_list enum_security[] = {
-	{SEC_SHARE, "SHARE"},
-	{SEC_USER, "USER"},
-	{SEC_ADS, "ADS"},
-	{-1, NULL}
-};
-
-static const struct enum_list enum_bool_auto[] = {
-	{false, "No"},
-	{false, "False"},
-	{false, "0"},
-	{true, "Yes"},
-	{true, "True"},
-	{true, "1"},
-	{Auto, "Auto"},
-	{-1, NULL}
-};
-
-/* Client-side offline caching policy types */
-
-static const struct enum_list enum_csc_policy[] = {
-	{CSC_POLICY_MANUAL, "manual"},
-	{CSC_POLICY_DOCUMENTS, "documents"},
-	{CSC_POLICY_PROGRAMS, "programs"},
-	{CSC_POLICY_DISABLE, "disable"},
-	{-1, NULL}
-};
-
-/* SMB signing types. */
-static const struct enum_list enum_smb_signing_vals[] = {
-	{SMB_SIGNING_DEFAULT, "default"},
-	{SMB_SIGNING_OFF, "No"},
-	{SMB_SIGNING_OFF, "False"},
-	{SMB_SIGNING_OFF, "0"},
-	{SMB_SIGNING_OFF, "Off"},
-	{SMB_SIGNING_OFF, "disabled"},
-	{SMB_SIGNING_IF_REQUIRED, "if_required"},
-	{SMB_SIGNING_IF_REQUIRED, "Yes"},
-	{SMB_SIGNING_IF_REQUIRED, "True"},
-	{SMB_SIGNING_IF_REQUIRED, "1"},
-	{SMB_SIGNING_IF_REQUIRED, "On"},
-	{SMB_SIGNING_IF_REQUIRED, "enabled"},
-	{SMB_SIGNING_IF_REQUIRED, "auto"},
-	{SMB_SIGNING_REQUIRED, "required"},
-	{SMB_SIGNING_REQUIRED, "mandatory"},
-	{SMB_SIGNING_REQUIRED, "force"},
-	{SMB_SIGNING_REQUIRED, "forced"},
-	{SMB_SIGNING_REQUIRED, "enforced"},
-	{-1, NULL}
-};
-
-static const struct enum_list enum_server_role[] = {
-	{ROLE_STANDALONE, "standalone"},
-	{ROLE_DOMAIN_MEMBER, "member server"},
-	{ROLE_DOMAIN_MEMBER, "member"},
-	{ROLE_DOMAIN_CONTROLLER, "domain controller"},
-	{ROLE_DOMAIN_CONTROLLER, "dc"},
-	{-1, NULL}
-};
+#include "param_enums.c"
 
 #define GLOBAL_VAR(name) offsetof(struct loadparm_global, name)
 #define LOCAL_VAR(name) offsetof(struct loadparm_service, name)
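Review bot: `#include "param_enums.c"` replaces six static enum tables with an included .c file, and nothing at the include site says why. The commit message gives the reason (a compile-time sized array cannot be declared in a header); please put that in a comment above the include, and note there that the file must stay included rather than compiled on its own, so the next reader does not "fix" it into a header or a separate object.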
@@ -185,6 +119,22 @@ static struct parm_struct parm_table[] = {
 		.enum_list	= enum_server_role
 	},
 	{
+		.label		= "domain logons",
+		.type		= P_ENUM,
+		.p_class	= P_GLOBAL,
+		.offset		= GLOBAL_VAR(domain_logons),
+		.special	= NULL,
+		.enum_list	= enum_bool_auto
+	},
+	{
+		.label		= "domain master",
+		.type		= P_ENUM,
+		.p_class	= P_GLOBAL,
+		.offset		= GLOBAL_VAR(domain_master),
+		.special	= NULL,
+		.enum_list	= enum_bool_auto
+	},
+	{
 		.label		= "dos charset",
 		.type		= P_STRING,
 		.p_class	= P_GLOBAL,
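Review bot: "domain logons" is registered as P_ENUM with enum_bool_auto and an offset into `domain_logons`, but the struct hunk earlier in this file declares that field as `bool domain_logons` while `domain_master` is `int`. enum_bool_auto includes Auto, which a bool cannot hold, and if the P_ENUM handler stores through an int pointer the write would be wider than the field. Either declare domain_logons as int like domain_master, or register it as a plain boolean parameter without the Auto value.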
@@ -1460,7 +1410,6 @@ static struct loadparm_context *global_loadparm_context;
 
 #include "lib/param/param_functions.c"
 
-FN_GLOBAL_INTEGER(server_role, server_role)
 FN_GLOBAL_LIST(smb_ports, smb_ports)
 FN_GLOBAL_INTEGER(nbt_port, nbt_port)
 FN_GLOBAL_INTEGER(dgram_port, dgram_port)
@@ -1544,7 +1493,6 @@ FN_GLOBAL_INTEGER(srv_maxprotocol, srv_maxprotocol)
 FN_GLOBAL_INTEGER(srv_minprotocol, srv_minprotocol)
 FN_GLOBAL_INTEGER(cli_maxprotocol, cli_maxprotocol)
 FN_GLOBAL_INTEGER(cli_minprotocol, cli_minprotocol)
-FN_GLOBAL_INTEGER(security, security)
 FN_GLOBAL_BOOL(paranoid_server_security, paranoid_server_security)
 
 FN_GLOBAL_INTEGER(server_signing, server_signing)
@@ -3280,7 +3228,9 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
 	lpcfg_do_global_parameter(lp_ctx, "share backend", "classic");
 
-	lpcfg_do_global_parameter(lp_ctx, "server role", "standalone");
+	lpcfg_do_global_parameter(lp_ctx, "server role", "auto");
+	lpcfg_do_global_parameter(lp_ctx, "domain logons", "No");
+	lpcfg_do_global_parameter(lp_ctx, "domain master", "Auto");
 
 	/* options that can be set on the command line must be initialised via
 	   the slower lpcfg_do_global_parameter() to ensure that FLAG_CMDLINE is obeyed */
@@ -3342,7 +3292,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter(lp_ctx, "server max protocol", "NT1");
 	lpcfg_do_global_parameter(lp_ctx, "client min protocol", "CORE");
 	lpcfg_do_global_parameter(lp_ctx, "client max protocol", "NT1");
-	lpcfg_do_global_parameter(lp_ctx, "security", "USER");
+	lpcfg_do_global_parameter(lp_ctx, "security", "AUTO");
 	lpcfg_do_global_parameter(lp_ctx, "paranoid server security", "True");
 	lpcfg_do_global_parameter(lp_ctx, "EncryptPasswords", "True");
 	lpcfg_do_global_parameter(lp_ctx, "ReadRaw", "True");
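Review bot: With the default changed from "USER" to "AUTO", the raw `security` global now holds SEC_AUTO unless smb.conf sets it, so only lpcfg_security() returns a usable mode. Please confirm no remaining code reads the field directly and compares it with SEC_USER or SEC_ADS, since such a check would quietly stop matching on a default configuration; a short comment here pointing to lpcfg_security() would help.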
@@ -3771,3 +3721,25 @@ struct gensec_settings *lpcfg_gensec_settings(TALLOC_CTX *mem_ctx, struct loadpa
 	return settings;
 }
 
+int lpcfg_server_role(struct loadparm_context *lp_ctx)
+{
+	if (lp_ctx->s3_fns) {
+		return lp_ctx->s3_fns->server_role();
+	}
+
+	return lp_find_server_role(lp_ctx->globals->server_role,
+				   lp_ctx->globals->security,
+				   lp_ctx->globals->domain_logons,
+				   (lp_ctx->globals->domain_master == true) ||
+				   (lp_ctx->globals->domain_master == Auto));
+}
+
+int lpcfg_security(struct loadparm_context *lp_ctx)
+{
+	if (lp_ctx->s3_fns) {
+		return lp_ctx->s3_fns->security();
+	}
+
+	return lp_find_security(lp_ctx->globals->server_role,
+				lp_ctx->globals->security);
+}
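Review bot: Both new functions call through `lp_ctx->s3_fns->server_role()` and `lp_ctx->s3_fns->security()` without checking the member pointers, while the summary of changes shows a single added line in source3/param/loadparm_ctx.c. Please confirm both members are populated there, since a NULL one would crash on first use. The functions also need a doc comment stating that they return the computed role and security mode rather than the raw smb.conf values, and that a domain master value of Auto is treated as true.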
diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
index 1fa06b6..a50384d 100644
--- a/lib/param/loadparm.h
+++ b/lib/param/loadparm.h
@@ -132,3 +132,8 @@ struct parm_struct {
 	char dummy[3];		/* for alignment */
 
 #include "lib/param/param_local.h"
+
+const char* server_role_str(uint32_t role);
+int lp_find_server_role(int server_role, int security, bool domain_logons, bool domain_master);
+int lp_find_security(int server_role, int security);
+bool lp_is_security_and_server_role_valid(int server_role, int security);
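Review bot: The four new prototypes carry no documentation, and the meaning of the arguments is not obvious from the names: the caller in lib/param/loadparm.c passes `domain_master` as "true or Auto", and `server_role` and `security` may be ROLE_AUTO and SEC_AUTO. A short comment per function stating the accepted values and what is returned for a conflicting pair would make the contract clear.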
diff --git a/source3/param/loadparm_server_role.c b/lib/param/loadparm_server_role.c
similarity index 51%
rename from source3/param/loadparm_server_role.c
rename to lib/param/loadparm_server_role.c
index 1f18b4f..06c4421 100644
--- a/source3/param/loadparm_server_role.c
+++ b/lib/param/loadparm_server_role.c
@@ -26,14 +26,15 @@
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 #include "includes.h"
+#include "lib/param/loadparm.h"
+#include "libds/common/roles.h"
 
 /*******************************************************************
  Set the server type we will announce as via nmbd.
 ********************************************************************/
-static int server_role;
 
 static const struct srv_role_tab {
-	uint32 role;
+	uint32_t role;
 	const char *role_str;
 } srv_role_tab [] = {
 	{ ROLE_STANDALONE, "ROLE_STANDALONE" },
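Review bot: With `static int server_role;` removed, the banner comment "Set the server type we will announce as via nmbd." no longer sits above anything it describes. Drop it, or move an updated version onto lp_find_server_role().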
@@ -43,7 +44,7 @@ static const struct srv_role_tab {
 	{ 0, NULL }
 };
 
-const char* server_role_str(uint32 role)
+const char* server_role_str(uint32_t role)
 {
 	int i = 0;
 	for (i=0; srv_role_tab[i].role_str; i++) {
@@ -54,43 +55,60 @@ const char* server_role_str(uint32 role)
 	return NULL;
 }
 
-void set_server_role(void)
+/**
+ * Set the server role based on security, domain logons and domain master
+ */
+int lp_find_server_role(int server_role, int security, bool domain_logons, bool domain_master)
 {
-	server_role = ROLE_STANDALONE;
+	int role;
 
-	switch (lp_security()) {
+	if (server_role != ROLE_AUTO) {
+		if (lp_is_security_and_server_role_valid(server_role, security)) {
+			return server_role;
+		}
+	}
+
+	/* If server_role is set to ROLE_AUTO, or conflicted with the
+	 * chosen security setting, figure out the correct role */
+	role = ROLE_STANDALONE;
+
+	switch (security) {
 		case SEC_SHARE:
-			if (lp_domain_logons())
+			if (domain_logons) {
 				DEBUG(0, ("Server's Role (logon server) conflicts with share-level security\n"));
+			}
 			break;
 		case SEC_SERVER:
-			if (lp_domain_logons())
+			if (domain_logons) {
 				DEBUG(0, ("Server's Role (logon server) conflicts with server-level security\n"));
+			}
 			/* this used to be considered ROLE_DOMAIN_MEMBER but that's just wrong */
-			server_role = ROLE_STANDALONE;
+			role = ROLE_STANDALONE;
 			break;
 		case SEC_DOMAIN:
-			if (lp_domain_logons()) {
+			if (domain_logons) {
 				DEBUG(1, ("Server's Role (logon server) NOT ADVISED with domain-level security\n"));
-				server_role = ROLE_DOMAIN_BDC;
+				role = ROLE_DOMAIN_BDC;
 				break;
 			}
-			server_role = ROLE_DOMAIN_MEMBER;
+			role = ROLE_DOMAIN_MEMBER;
 			break;
 		case SEC_ADS:
-			if (lp_domain_logons()) {
-				server_role = ROLE_DOMAIN_CONTROLLER;
+			if (domain_logons) {
+				role = ROLE_DOMAIN_CONTROLLER;
 				break;
 			}
-			server_role = ROLE_DOMAIN_MEMBER;
+			role = ROLE_DOMAIN_MEMBER;
 			break;
+		case SEC_AUTO:
 		case SEC_USER:
-			if (lp_domain_logons()) {
+			if (domain_logons) {
 
-				if (lp_domain_master_true_or_auto()) /* auto or yes */
-					server_role = ROLE_DOMAIN_PDC;
-				else
-					server_role = ROLE_DOMAIN_BDC;
+				if (domain_master) {
+					role = ROLE_DOMAIN_PDC;
+				} else {
+					role = ROLE_DOMAIN_BDC;
+				}
 			}
 			break;
 		default:
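Review bot: When `server_role` is set explicitly but lp_is_security_and_server_role_valid() rejects the pair, the code falls through and recomputes the role from `security` without logging anything, so an administrator who set server role in smb.conf can end up running a different role with no indication why. Suggest a DEBUG(0, ...) naming both values before the fallback. The doc comment says "Set the server role", but the function now returns the value and sets nothing.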
@@ -98,14 +116,73 @@ void set_server_role(void)
 			break;
 	}
 
-	DEBUG(10, ("set_server_role: role = %s\n", server_role_str(server_role)));
+	return role;
+}
+
+/**
+ * Set the server role based on security, domain logons and domain master
+ */
+int lp_find_security(int server_role, int security)
+{
+	if (security != SEC_AUTO) {
+		return security;
+	}
+
+	switch (server_role) {
+	case ROLE_AUTO:
+	case ROLE_STANDALONE:
+		return SEC_USER;
+	case ROLE_DOMAIN_MEMBER:
+#if (defined(HAVE_ADS) || _SAMBA_BUILD_ >= 4)
+		return SEC_ADS;
+#else
+		return SEC_DOMAIN;
+#endif
+	case ROLE_DOMAIN_PDC:
+	case ROLE_DOMAIN_BDC:
+	default:
+		return SEC_USER;
+	}
 }
 
-/***********************************************************
- returns role of Samba server
-************************************************************/
 
-int lp_server_role(void)
+/**
+ * Check if server role and security parameters are contradictory
+ */
+bool lp_is_security_and_server_role_valid(int server_role, int security)
 {
-	return server_role;
+	bool valid = false;
+
+	if (security == SEC_AUTO) {
+		return true;
+	}
+
+	switch (server_role) {
+	case ROLE_AUTO:
+		valid = true;
+		break;
+	case ROLE_STANDALONE:
+		if (security == SEC_SHARE || security == SEC_SERVER || security == SEC_USER) {
+			valid = true;
+		}
+		break;
+
+	case ROLE_DOMAIN_MEMBER:
+		if (security == SEC_ADS || security == SEC_DOMAIN) {
+			valid = true;
+		}
+		break;
+
+	case ROLE_DOMAIN_PDC:
+	case ROLE_DOMAIN_BDC:
+		if (security == SEC_USER || security == SEC_ADS || security == SEC_DOMAIN) {
+			valid = true;
+		}
+		break;
+
+	default:
+		break;
+	}
+
+	return valid;
 }
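Review bot: Neither switch handles ROLE_DOMAIN_CONTROLLER, although lp_find_server_role() returns it for SEC_ADS with domain logons. In lp_is_security_and_server_role_valid() it reaches `default:` and is reported invalid for every explicit security value, and in lp_find_security() it falls to `default:` and yields SEC_USER; if that role is a distinct value from PDC and BDC, please add an explicit case to both. The doc comment on lp_find_security() is a copy of the one on lp_find_server_role() and should say that it derives the security mode from the server role.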
diff --git a/lib/param/param_enums.c b/lib/param/param_enums.c
new file mode 100644
index 0000000..cdc5b5e
--- /dev/null
+++ b/lib/param/param_enums.c
@@ -0,0 +1,108 @@
+/*
+   Unix SMB/CIFS implementation.
+   Parameter loading functions
+   Copyright (C) Karl Auer 1993-1998
+
+   Largely re-written by Andrew Tridgell, September 1994
+
+   Copyright (C) Simo Sorce 2001
+   Copyright (C) Alexander Bokovoy 2002
+   Copyright (C) Stefan (metze) Metzmacher 2002
+   Copyright (C) Jim McDonough <jmcd at us.ibm.com> 2003
+   Copyright (C) Michael Adam 2008
+   Copyright (C) Jelmer Vernooij <jelmer at samba.org> 2007
+   Copyright (C) Andrew Bartlett 2011
+


-- 
Samba Shared Repository

