[SCM] Samba Shared Repository - branch master updated

Simo Sorce idra at samba.org
Tue Jun 11 08:26:01 MDT 2013


The branch, master has been updated
       via  c0cbf59 Remove remaining references to "password level" in the tree
       via  3f73002 docs: Do not encourage unix passwords, and remove reference to password level
       via  26279a9 auth: Remove "password level"
      from  3fba9ba dsdb: reset schema->{classes,attributes}_to_remove_size to 0

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit c0cbf5936f0385ab93315cc366a0aa16c0ebd237
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jun 3 10:38:29 2013 +1000

    Remove remaining references to "password level" in the tree
    
    Reviewed-by: Simo Sorce <idra at samba.org>
    
    Autobuild-User(master): Simo Sorce <idra at samba.org>
    Autobuild-Date(master): Tue Jun 11 16:25:54 CEST 2013 on sn-devel-104

commit 3f73002f2d5f8a27820e09b024f561fda1560184
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jun 3 10:27:41 2013 +1000

    docs: Do not encourage unix passwords, and remove reference to password level
    
    Reviewed-by: Simo Sorce <idra at samba.org>

commit 26279a969879bfbd943dfda03c511ed7e14057ba
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jun 3 10:02:39 2013 +1000

    auth: Remove "password level"
    
    We now only lowercase the password, we do not attempt to find another case
    combination that the password might be in.
    
    This option is already deprecated, so it is now time to remove it.
    
    Andrew Bartlett
    
    Reviewed-by: Simo Sorce <idra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/Samba3-Developers-Guide/unix-smb.xml  |   13 ++--
 docs-xml/Samba3-HOWTO/TOSHARG-Diagnosis.xml    |    2 +-
 docs-xml/Samba3-HOWTO/TOSHARG-ServerType.xml   |    7 +--
 docs-xml/smbdotconf/security/passwordlevel.xml |   48 --------------
 docs-xml/using_samba/appc.xml                  |   14 ----
 docs-xml/using_samba/ch06.xml                  |   14 ----
 examples/dce-dfs/smb.conf                      |    1 -
 examples/scripts/shares/python/smbparm.py      |    1 -
 examples/tridge/smb.conf                       |    1 -
 examples/tridge/smb.conf.fjall                 |    1 -
 lib/param/loadparm.c                           |    1 -
 lib/param/param_functions.c                    |    1 -
 lib/param/param_table.c                        |    9 ---
 packaging/LSB/smb.conf                         |    1 -
 python/samba/upgrade.py                        |    1 -
 source3/auth/pass_check.c                      |   79 ------------------------
 source3/param/loadparm.c                       |    1 -
 17 files changed, 8 insertions(+), 187 deletions(-)
 delete mode 100644 docs-xml/smbdotconf/security/passwordlevel.xml


Changeset truncated at 500 lines:

diff --git a/docs-xml/Samba3-Developers-Guide/unix-smb.xml b/docs-xml/Samba3-Developers-Guide/unix-smb.xml
index ae6bdcd..6964b7f 100644
--- a/docs-xml/Samba3-Developers-Guide/unix-smb.xml
+++ b/docs-xml/Samba3-Developers-Guide/unix-smb.xml
@@ -112,7 +112,7 @@ shares.
 <title>Passwords</title>
 
 <para>
-Many SMB clients uppercase passwords before sending them. I have no
+When plaintext passwords are used, very old SMB clients uppercase passwords before sending them. I have no
 idea why they do this. Interestingly WfWg uppercases the password only
 if the server is running a protocol greater than COREPLUS, so
 obviously it isn't just the data entry routines that are to blame.
@@ -123,12 +123,11 @@ Unix passwords are case sensitive. So if users use mixed case
 passwords they are in trouble.
 </para>
 
-<para>
-Samba can try to cope with this by either using the "password level"
-option which causes Samba to try the offered password with up to the
-specified number of case changes, or by using the "password server"
-option which allows Samba to do its validation via another machine
-(typically a WinNT server).
+<para>Samba will try an additional all lower cased password
+authentication if it receives an all uppercase password. Samba used to
+support an option called "password level" that would try to crack
+password by trying all case permutations, but that option has been
+removed.
 </para>
 
 <para>
diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-Diagnosis.xml b/docs-xml/Samba3-HOWTO/TOSHARG-Diagnosis.xml
index 5ea2db2..657cc97 100644
--- a/docs-xml/Samba3-HOWTO/TOSHARG-Diagnosis.xml
+++ b/docs-xml/Samba3-HOWTO/TOSHARG-Diagnosis.xml
@@ -446,7 +446,7 @@ If it says <quote><errorname>bad password,</errorname></quote> then the likely c
 <listitem>
 	<para>
 	You have explicitly disabled encrypted passwords with
-	<smbconfoption name="encrypt passwords">no</smbconfoption> have a mixed-case password and you haven't enabled the <smbconfoption name="password level"/> option at a high enough level.
+	<smbconfoption name="encrypt passwords">no</smbconfoption> have a mixed-case password.
 	</para>
 </listitem>
 
diff --git a/docs-xml/Samba3-HOWTO/TOSHARG-ServerType.xml b/docs-xml/Samba3-HOWTO/TOSHARG-ServerType.xml
index f0c07d2..4d672c6 100644
--- a/docs-xml/Samba3-HOWTO/TOSHARG-ServerType.xml
+++ b/docs-xml/Samba3-HOWTO/TOSHARG-ServerType.xml
@@ -494,7 +494,6 @@ when using clear-text authentication:
 
 <?latex \newpage ?>
 <smbconfblock>
-<smbconfoption name="password level"><replaceable>integer</replaceable></smbconfoption>
 <smbconfoption name="username level"><replaceable>integer</replaceable></smbconfoption>
 </smbconfblock>
 
@@ -509,11 +508,7 @@ is rarely needed.
 <indexterm><primary>clear-text</primary></indexterm>
 However, passwords on UNIX systems often make use of mixed-case characters.  This means that in order for a
 user on a Windows 9x/Me client to connect to a Samba server using clear-text authentication, the
-<smbconfoption name="password level"/> must be set to the maximum number of uppercase letters that
-<emphasis>could</emphasis> appear in a password. Note that if the Server OS uses the traditional DES version
-of crypt(), a <smbconfoption name="password level"/> of 8 will result in case-insensitive passwords as seen
-from Windows users. This will also result in longer login times because Samba has to compute the permutations
-of the password string and try them one by one until a match is located (or all combinations fail).
+password must be in lower case.
 </para>
 
 <para>
diff --git a/docs-xml/smbdotconf/security/passwordlevel.xml b/docs-xml/smbdotconf/security/passwordlevel.xml
deleted file mode 100644
index eee838f..0000000
--- a/docs-xml/smbdotconf/security/passwordlevel.xml
+++ /dev/null
@@ -1,48 +0,0 @@
-<samba:parameter name="password level"
-                 context="G"
-				 type="integer"
-                 advanced="1" developer="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
-    <para>Some client/server combinations have difficulty 
-    with mixed-case passwords.  One offending client is Windows for 
-    Workgroups, which for some reason forces passwords to upper 
-    case when using the LANMAN1 protocol, but leaves them alone when 
-    using COREPLUS!  Another problem child is the Windows 95/98
-    family of operating systems.  These clients upper case clear
-    text passwords even when NT LM 0.12 selected by the protocol
-    negotiation request/response.</para>
-
-    <para>This deprecated parameter defines the maximum number of characters 
-    that may be upper case in passwords.</para>
-
-    <para>For example, say the password given was "FRED". If <parameter moreinfo="none">
-    password level</parameter> is set to 1, the following combinations 
-    would be tried if "FRED" failed:</para>
-
-    <para>"Fred", "fred", "fRed", "frEd","freD"</para>
-
-    <para>If <parameter moreinfo="none">password level</parameter> was set to 2, 
-    the following combinations would also be tried: </para>
-
-    <para>"FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..</para>
-
-    <para>And so on.</para>
-
-    <para>The higher value this parameter is set to the more likely 
-    it is that a mixed case password will be matched against a single 
-    case password. However, you should be aware that use of this 
-    parameter reduces security and increases the time taken to 
-    process a new connection.</para>
-
-    <para>A value of zero will cause only two attempts to be 
-    made - the password as is and the password in all-lower case.</para>
-
-    <para>This parameter is used only when using plain-text passwords. It is
-    not at all used when encrypted passwords as in use (that is the default
-    since samba-3.0.0). Use this only when <smbconfoption name="encrypt passwords">No</smbconfoption>.</para>
-</description>
-
-<value type="default">0</value>
-<value type="example">4</value>
-</samba:parameter>
diff --git a/docs-xml/using_samba/appc.xml b/docs-xml/using_samba/appc.xml
index 69330ff..08a4995 100644
--- a/docs-xml/using_samba/appc.xml
+++ b/docs-xml/using_samba/appc.xml
@@ -1858,20 +1858,6 @@ options.</para>
 </refsynopsisdiv>
 </refentry>
 
-<refentry id="appc-refentry-134">
-<refmeta>
-<refmiscinfo class="allowable values">number</refmiscinfo>
-<refmiscinfo class="default">0</refmiscinfo>
-</refmeta>
-<refnamediv>
-<refname>[global] password level = number</refname>
-</refnamediv>
-<refsynopsisdiv>
-<para>Specifies the number of uppercase letter permutations used to match passwords. Workaround for clients that change passwords to a single case before sending them to the Samba server. Causes repeated login attempts with passwords in different cases, which can trigger account lockouts.</para>
-
-</refsynopsisdiv>
-</refentry>
-
 <refentry id="appc-refentry-135">
 <refmeta>
 <refmiscinfo class="allowable values">list of NetBIOS names</refmiscinfo>
diff --git a/docs-xml/using_samba/ch06.xml b/docs-xml/using_samba/ch06.xml
index b099e96..a4a9160 100644
--- a/docs-xml/using_samba/ch06.xml
+++ b/docs-xml/using_samba/ch06.xml
@@ -1578,20 +1578,6 @@ Password changed for user dave</programlisting>
 
 <row>
 
-<entry colname="col1"><para><literal>password level</literal></para></entry>
-
-<entry colname="col2"><para>numeric</para></entry>
-
-<entry colname="col3"><para>Sets the number of capital letter permutations to attempt when matching a client's password.</para></entry>
-
-<entry colname="col4"><para>None</para></entry>
-
-<entry colname="col5"><para>Global</para></entry>
-
-</row>
-
-<row>
-
 <entry colname="col1"><para><literal>null passwords</literal></para></entry>
 
 <entry colname="col2"><para>boolean</para></entry>
diff --git a/examples/dce-dfs/smb.conf b/examples/dce-dfs/smb.conf
index f5f155b..1f06028 100644
--- a/examples/dce-dfs/smb.conf
+++ b/examples/dce-dfs/smb.conf
@@ -5,7 +5,6 @@
    guest account = guest
    log file = /usr/local/samba/var/log.%m
    log level = 8
-   password level = 8
 
 [homes]
    comment = Home Directories
diff --git a/examples/scripts/shares/python/smbparm.py b/examples/scripts/shares/python/smbparm.py
index 287b357..f182f57 100644
--- a/examples/scripts/shares/python/smbparm.py
+++ b/examples/scripts/shares/python/smbparm.py
@@ -197,7 +197,6 @@ parm_table = {
 	"WINBINDUID"             : ("idmap uid", SambaParmString, P_GLOBAL, ""),
 	"READRAW"                : ("read raw", SambaParmBool, P_GLOBAL, "Yes"),
 	"WINBINDENUMGROUPS"      : ("winbind enum groups", SambaParmBool, P_GLOBAL, "Yes"),
-	"PASSWORDLEVEL"          : ("password level", SambaParmString, P_GLOBAL, "0"),
 	"MAXPRINTJOBS"           : ("max print jobs", SambaParmString, P_LOCAL, "1000"),
 	"PRINTCAP"               : ("printcap name", SambaParmString, P_GLOBAL, ""),
 	"LOADPRINTERS"           : ("load printers", SambaParmBool, P_GLOBAL, "Yes"),
diff --git a/examples/tridge/smb.conf b/examples/tridge/smb.conf
index 4aa40d8..d1d18db 100644
--- a/examples/tridge/smb.conf
+++ b/examples/tridge/smb.conf
@@ -9,7 +9,6 @@
    log file = /usr/local/samba/var/log.%m
    guest account = pcguest
    hosts allow = 192.0.2. localhost 
-   password level = 2
    auto services = tridge susan
    message command = csh -c '/usr/bin/X11/xedit -display :0 %s;rm %s' &
    read prediction = yes
diff --git a/examples/tridge/smb.conf.fjall b/examples/tridge/smb.conf.fjall
index 76f4d0e..8406596 100644
--- a/examples/tridge/smb.conf.fjall
+++ b/examples/tridge/smb.conf.fjall
@@ -1,7 +1,6 @@
 ;log level = 4
 ;readraw = no
 ;writeraw = no
-;password level = 4
 ;mangled map = (;1 )
 ;protocol = lanman1
 ;user = susan
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 25997d3..310f95a 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2144,7 +2144,6 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter(lp_ctx, "max xmit", "12288");
 	lpcfg_do_global_parameter(lp_ctx, "host msdfs", "true");
 
-	lpcfg_do_global_parameter(lp_ctx, "password level", "0");
 	lpcfg_do_global_parameter(lp_ctx, "LargeReadwrite", "True");
 	lpcfg_do_global_parameter(lp_ctx, "server min protocol", "CORE");
 	lpcfg_do_global_parameter(lp_ctx, "server max protocol", "NT1");
diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
index 6fc7801..fed2e95 100644
--- a/lib/param/param_functions.c
+++ b/lib/param/param_functions.c
@@ -320,7 +320,6 @@ FN_GLOBAL_INTEGER(open_files_db_hash_size, open_files_db_hash_size)
 FN_GLOBAL_INTEGER(oplock_break_wait_time, oplock_break_wait_time)
 FN_GLOBAL_INTEGER(os_level, os_level)
 FN_GLOBAL_INTEGER(passwd_chat_timeout, iPasswdChatTimeout)
-FN_GLOBAL_INTEGER(passwordlevel, pwordlevel)
 FN_GLOBAL_INTEGER(printcap_cache_time, PrintcapCacheTime)
 FN_GLOBAL_INTEGER(restrict_anonymous, restrict_anonymous)
 FN_GLOBAL_INTEGER(_security, security)
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 7ff9d0c..1b1497c 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -661,15 +661,6 @@ static struct parm_struct parm_table[] = {
 		.flags		= FLAG_ADVANCED,
 	},
 	{
-		.label		= "password level",
-		.type		= P_INTEGER,
-		.p_class	= P_GLOBAL,
-		.offset		= GLOBAL_VAR(pwordlevel),
-		.special	= NULL,
-		.enum_list	= NULL,
-		.flags		= FLAG_ADVANCED | FLAG_DEPRECATED,
-	},
-	{
 		.label		= "username level",
 		.type		= P_INTEGER,
 		.p_class	= P_GLOBAL,
diff --git a/packaging/LSB/smb.conf b/packaging/LSB/smb.conf
index d08cd20..36c9839 100644
--- a/packaging/LSB/smb.conf
+++ b/packaging/LSB/smb.conf
@@ -56,7 +56,6 @@
 
 # Password Level allows matching of _n_ characters of the password for
 # all combinations of upper and lower case.
-;  password level = 8
 ;  username level = 8
 
 # You may wish to use password encryption. Please read
diff --git a/python/samba/upgrade.py b/python/samba/upgrade.py
index 817981e..532e1de 100644
--- a/python/samba/upgrade.py
+++ b/python/samba/upgrade.py
@@ -410,7 +410,6 @@ smbconf_keep = [
     "smb passwd file",
     "private dir",
     "passwd chat",
-    "password level",
     "lanman auth",
     "ntlm auth",
     "client NTLMv2 auth",
diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c
index f2d1fc2..21694b3 100644
--- a/source3/auth/pass_check.c
+++ b/source3/auth/pass_check.c
@@ -494,68 +494,6 @@ static char *osf1_bigcrypt(char *password, char *salt1)
 
 
 /****************************************************************************
-apply a function to upper/lower case combinations
-of a string and return true if one of them returns true.
-try all combinations with N uppercase letters.
-offset is the first char to try and change (start with 0)
-it assumes the string starts lowercased
-****************************************************************************/
-static NTSTATUS string_combinations2(char *s, int offset,
-				     NTSTATUS (*fn)(const char *s,
-						    const void *private_data),
-				     int N, const void *private_data)
-{
-	int len = strlen(s);
-	int i;
-	NTSTATUS nt_status;
-
-#ifdef PASSWORD_LENGTH
-	len = MIN(len, PASSWORD_LENGTH);
-#endif
-
-	if (N <= 0 || offset >= len)
-		return (fn(s, private_data));
-
-	for (i = offset; i < (len - (N - 1)); i++) {
-		char c = s[i];
-		if (!islower_m(c))
-			continue;
-		s[i] = toupper_m(c);
-		nt_status = string_combinations2(s, i + 1, fn, N - 1,
-						 private_data);
-		if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) {
-			return nt_status;
-		}
-		s[i] = c;
-	}
-	return (NT_STATUS_WRONG_PASSWORD);
-}
-
-/****************************************************************************
-apply a function to upper/lower case combinations
-of a string and return true if one of them returns true.
-try all combinations with up to N uppercase letters.
-offset is the first char to try and change (start with 0)
-it assumes the string starts lowercased
-****************************************************************************/
-static NTSTATUS string_combinations(char *s,
-				    NTSTATUS (*fn)(const char *s,
-						   const void *private_data),
-				    int N, const void *private_data)
-{
-	int n;
-	NTSTATUS nt_status;
-	for (n = 1; n <= N; n++) {
-		nt_status = string_combinations2(s, 0, fn, n, private_data);
-		if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) {
-			return nt_status;
-		}
-	}
-	return NT_STATUS_WRONG_PASSWORD;
-}
-
-
-/****************************************************************************
 core of password checking routine
 ****************************************************************************/
 static NTSTATUS password_check(const char *password, const void *private_data)
@@ -673,7 +611,6 @@ NTSTATUS pass_check(const struct passwd *pass,
 		    bool run_cracker)
 {
 	char *pass2 = NULL;
-	int level = lp_passwordlevel();
 
 	NTSTATUS nt_status;
 
@@ -876,21 +813,5 @@ NTSTATUS pass_check(const struct passwd *pass,
 		}
 	}
 
-	/* give up? */
-	if (level < 1) {
-		return NT_STATUS_WRONG_PASSWORD;
-	}
-
-	/* last chance - all combinations of up to level chars upper! */
-	if (!strlower_m(pass2)) {
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
-	nt_status = string_combinations(pass2, password_check, level,
-					(const void *)rhost);
-        if (NT_STATUS_IS_OK(nt_status)) {
-		return nt_status;
-	}
-
 	return NT_STATUS_WRONG_PASSWORD;
 }
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index b9d316b..fa2f9b6 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -819,7 +819,6 @@ static void init_globals(bool reinit_globals)
 	Globals.lpqcachetime = 30;	/* changed to handle large print servers better -- jerry */
 	Globals.bDisableSpoolss = false;
 	Globals.iMaxSmbdProcesses = 0;/* no limit specified */
-	Globals.pwordlevel = 0;
 	Globals.unamelevel = 0;
 	Globals.deadtime = 0;
 	Globals.getwd_cache = true;


-- 
Samba Shared Repository

