[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Tue Aug 18 01:33:03 UTC 2020
The branch, master has been updated
via 20606fd0a4c WHATSNEW: list deprecated parameters
via 8c9d9441edc docs: deprecate "raw NTLMv2 auth"
via 37583b19d2c docs: deprecate "client plaintext auth"
via 5543c11c8b0 docs: deprecate "client NTLMv2 auth"
via ac8e5ea22d9 docs: deprecate "client lanman auth"
via 1b85db57e53 docs: deprecate "client use spnego"
via c6aa710f8da docs: Deprecate NT4-like domains and SMBv1-only protocol options
via 9e212dd15e6 selftest: Do not let deprecated option warnings muck this test up
via d14cc45c98a param: Allow tests to silence deprecation warnings
via d3ff49f4850 selftest: Add test for suppression of deprecation warnings
from 546a0f99e86 auth: Fix a typo
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 20606fd0a4c4697ff99da59f748af6908d929901
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jun 16 22:23:32 2020 +1200
WHATSNEW: list deprecated parameters
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Aug 18 01:32:21 UTC 2020 on sn-devel-184
commit 8c9d9441edce2e8d7f0428d0ec5e209ed8a55dbc
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 5 16:55:35 2019 +1200
docs: deprecate "raw NTLMv2 auth"
This parameter is appicable only to SMBv1 and we are deprecating SMBv1 specific
authentication options for possible removal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 37583b19d2c3dbf3e9d0498a39b8b9d9c727e1d4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 5 16:55:23 2019 +1200
docs: deprecate "client plaintext auth"
This parameter is appicable only to SMBv1 and we are deprecating SMBv1 specific
authentication options for possible removal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 5543c11c8b007b49641758428af7ba3976683438
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 5 16:54:01 2019 +1200
docs: deprecate "client NTLMv2 auth"
This parameter is appicable only to SMBv1 and we are deprecating SMBv1 specific
authentication options for possible removal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit ac8e5ea22d9f9b16a79f519f69852b46ac798541
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 5 16:53:46 2019 +1200
docs: deprecate "client lanman auth"
This parameter is appicable only to SMBv1 and we are deprecating SMBv1 specific
authentication options for possible removal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 1b85db57e53533ce14beb79f6d949a08f6ef9f91
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Sep 5 16:53:20 2019 +1200
docs: deprecate "client use spnego"
This parameter is appicable only to SMBv1 and we are deprecating SMBv1 specific
authentication options for possible removal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit c6aa710f8da9ef92b388f1c0c59b2dd3c602ad2d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Jun 16 21:46:33 2020 +1200
docs: Deprecate NT4-like domains and SMBv1-only protocol options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 9e212dd15e6c484d69f236f3c6d7186f0e6353b4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 10 20:36:53 2020 +1200
selftest: Do not let deprecated option warnings muck this test up
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit d14cc45c98a77fb8a6ac96181eec33f368b8dbd8
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Jul 29 21:26:55 2020 +1200
param: Allow tests to silence deprecation warnings
This helps make output sensitive tests more reliable.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit d3ff49f48507d8a64b9c4847f79d7939f647e6f0
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Aug 10 12:18:07 2020 +1200
selftest: Add test for suppression of deprecation warnings
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 21 ++++++++++++++
docs-xml/smbdotconf/logon/domainlogons.xml | 7 +++++
docs-xml/smbdotconf/protocol/clientusespnego.xml | 8 ++++++
docs-xml/smbdotconf/security/clientlanmanauth.xml | 9 ++++++
docs-xml/smbdotconf/security/clientntlmv2auth.xml | 9 ++++++
.../smbdotconf/security/clientplaintextauth.xml | 9 ++++++
docs-xml/smbdotconf/security/rawntlmv2auth.xml | 8 ++++++
lib/param/loadparm.c | 22 ++++++++++++---
source3/script/tests/test_smbclient_s3.sh | 4 +++
source3/script/tests/test_testparm_s3.sh | 33 ++++++++++++++++++++++
10 files changed, 126 insertions(+), 4 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 7c155d89a39..23210d351d8 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -34,6 +34,21 @@ CTDB CHANGES
recmaster".
+NT4-like 'classic' Samba domain controllers
+-------------------------------------------
+
+Samba 4.13 deprecates Samba's original domain controller mode.
+
+Sites using Samba as a Domain Controller should upgrade from the
+NT4-like 'classic' Domain Controller to a Samba Active Directory DC
+to ensure full operation with modern windows clients.
+
+SMBv1 only protocol options deprecated
+--------------------------------------
+
+A number of smb.conf parameters for less-secure authentication methods
+which are only possible over SMBv1 are deprecated in this release.
+
REMOVED FEATURES
================
@@ -45,6 +60,12 @@ smb.conf changes
Parameter Name Description Default
-------------- ----------- -------
ldap ssl ads removed
+ domain logons Deprecated no
+ raw NTLMv2 auth Deprecated no
+ client plaintext auth Deprecated no
+ client NTLMv2 auth Deprecated yes
+ client lanman auth Deprecated no
+ client use spnego Deprecated yes
diff --git a/docs-xml/smbdotconf/logon/domainlogons.xml b/docs-xml/smbdotconf/logon/domainlogons.xml
index 7ee419e15af..7f849751a9e 100644
--- a/docs-xml/smbdotconf/logon/domainlogons.xml
+++ b/docs-xml/smbdotconf/logon/domainlogons.xml
@@ -2,8 +2,15 @@
context="G"
type="boolean"
function="_domain_logons"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
+ <para>This parameter has been deprecated since Samba 4.13 and
+ support for NT4-style domain logons(as distinct from the Samba
+ AD DC) will be removed in a future Samba release.</para>
+ <para>That is, in the future, the current default of
+ <command>domain logons = no</command>
+ will be the enforced behaviour.</para>
<para>
If set to <constant>yes</constant>, the Samba server will
provide the netlogon service for Windows 9X network logons for the
diff --git a/docs-xml/smbdotconf/protocol/clientusespnego.xml b/docs-xml/smbdotconf/protocol/clientusespnego.xml
index b2f3b1257fb..2d45f912f17 100644
--- a/docs-xml/smbdotconf/protocol/clientusespnego.xml
+++ b/docs-xml/smbdotconf/protocol/clientusespnego.xml
@@ -1,8 +1,16 @@
<samba:parameter name="client use spnego"
context="G"
type="boolean"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
+ <para>This parameter has been deprecated since Samba 4.13 and
+ support for NTLMv2, NTLM and LanMan authentication outside NTLMSSP
+ will be removed in a future Samba release.</para>
+ <para>That is, in the future, the current default of
+ <command>client use spnego = yes</command>
+ will be the enforced behaviour.</para>
+
<para> This variable controls whether Samba clients will try
to use Simple and Protected NEGOciation (as specified by rfc2478) with
supporting servers (including WindowsXP, Windows2000 and Samba
diff --git a/docs-xml/smbdotconf/security/clientlanmanauth.xml b/docs-xml/smbdotconf/security/clientlanmanauth.xml
index c026b8f429b..60e1c86809e 100644
--- a/docs-xml/smbdotconf/security/clientlanmanauth.xml
+++ b/docs-xml/smbdotconf/security/clientlanmanauth.xml
@@ -1,8 +1,17 @@
<samba:parameter name="client lanman auth"
context="G"
type="boolean"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
+ <para>This parameter has been deprecated since Samba 4.13 and
+ support for LanMan (as distinct from NTLM, NTLMv2 or
+ Kerberos) authentication as a client
+ will be removed in a future Samba release.</para>
+ <para>That is, in the future, the current default of
+ <command>client NTLMv2 auth = yes</command>
+ will be the enforced behaviour.</para>
+
<para>This parameter determines whether or not <citerefentry><refentrytitle>smbclient</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> and other samba client
tools will attempt to authenticate itself to servers using the
diff --git a/docs-xml/smbdotconf/security/clientntlmv2auth.xml b/docs-xml/smbdotconf/security/clientntlmv2auth.xml
index f42f627bc08..9b47944dfcc 100644
--- a/docs-xml/smbdotconf/security/clientntlmv2auth.xml
+++ b/docs-xml/smbdotconf/security/clientntlmv2auth.xml
@@ -1,8 +1,17 @@
<samba:parameter name="client NTLMv2 auth"
context="G"
type="boolean"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
+ <para>This parameter has been deprecated since Samba 4.13 and
+ support for NTLM and LanMan (as distinct from NTLMv2 or
+ Kerberos authentication)
+ will be removed in a future Samba release.</para>
+ <para>That is, in the future, the current default of
+ <command>client NTLMv2 auth = yes</command>
+ will be the enforced behaviour.</para>
+
<para>This parameter determines whether or not <citerefentry><refentrytitle>smbclient</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> will attempt to
authenticate itself to servers using the NTLMv2 encrypted password
diff --git a/docs-xml/smbdotconf/security/clientplaintextauth.xml b/docs-xml/smbdotconf/security/clientplaintextauth.xml
index 1c4d3566f82..5a51c33216c 100644
--- a/docs-xml/smbdotconf/security/clientplaintextauth.xml
+++ b/docs-xml/smbdotconf/security/clientplaintextauth.xml
@@ -1,8 +1,17 @@
<samba:parameter name="client plaintext auth"
context="G"
type="boolean"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
+ <para>This parameter has been deprecated since Samba 4.13 and
+ support for plaintext (as distinct from NTLM, NTLMv2 or
+ Kerberos authentication)
+ will be removed in a future Samba release.</para>
+ <para>That is, in the future, the current default of
+ <command>client plaintext auth = no</command>
+ will be the enforced behaviour.</para>
+
<para>Specifies whether a client should send a plaintext
password if the server does not support encrypted passwords.</para>
</description>
diff --git a/docs-xml/smbdotconf/security/rawntlmv2auth.xml b/docs-xml/smbdotconf/security/rawntlmv2auth.xml
index 30e7280bc5d..c4d75546388 100644
--- a/docs-xml/smbdotconf/security/rawntlmv2auth.xml
+++ b/docs-xml/smbdotconf/security/rawntlmv2auth.xml
@@ -1,8 +1,16 @@
<samba:parameter name="raw NTLMv2 auth"
context="G"
type="boolean"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
+ <para>This parameter has been deprecated since Samba 4.13 and
+ support for NTLMv2 authentication without NTLMSSP will be removed
+ in a future Samba release.</para>
+ <para>That is, in the future, the current default of
+ <command>raw NTLMv2 auth = no</command>
+ will be the enforced behaviour.</para>
+
<para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> will allow SMB1 clients without
extended security (without SPNEGO) to use NTLMv2 authentication.</para>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 7e9767590f9..3d4033eb2a4 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -1864,8 +1864,15 @@ bool lpcfg_do_global_parameter(struct loadparm_context *lp_ctx,
}
if (parm_table[parmnum].flags & FLAG_DEPRECATED) {
- DEBUG(1, ("WARNING: The \"%s\" option is deprecated\n",
- pszParmName));
+ char *suppress_env = getenv("SAMBA_DEPRECATED_SUPPRESS");
+ bool print_warning = (suppress_env == NULL
+ || suppress_env[0] == '\0');
+ if (print_warning) {
+ DBG_WARNING("WARNING: The \"%s\" option "
+ "is deprecated\n",
+ pszParmName);
+
+ }
}
parm_ptr = lpcfg_parm_ptr(lp_ctx, NULL, &parm_table[parmnum]);
@@ -1897,8 +1904,15 @@ bool lpcfg_do_service_parameter(struct loadparm_context *lp_ctx,
}
if (parm_table[parmnum].flags & FLAG_DEPRECATED) {
- DEBUG(1, ("WARNING: The \"%s\" option is deprecated\n",
- pszParmName));
+ char *suppress_env = getenv("SAMBA_DEPRECATED_SUPPRESS");
+ bool print_warning = (suppress_env == NULL
+ || suppress_env[0] == '\0');
+ if (print_warning) {
+ DBG_WARNING("WARNING: The \"%s\" option "
+ "is deprecated\n",
+ pszParmName);
+
+ }
}
if (parm_table[parmnum].p_class == P_GLOBAL) {
diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh
index 3ea55f54107..62662690415 100755
--- a/source3/script/tests/test_smbclient_s3.sh
+++ b/source3/script/tests/test_smbclient_s3.sh
@@ -33,6 +33,10 @@ incdir=`dirname $0`/../../../testprogs/blackbox
failed=0
+# Do not let deprecated option warnings muck this up
+SAMBA_DEPRECATED_SUPPRESS=1
+export SAMBA_DEPRECATED_SUPPRESS
+
# Test that a noninteractive smbclient does not prompt
test_noninteractive_no_prompt()
{
diff --git a/source3/script/tests/test_testparm_s3.sh b/source3/script/tests/test_testparm_s3.sh
index 6dcdeff07d7..9ef3f7e0097 100755
--- a/source3/script/tests/test_testparm_s3.sh
+++ b/source3/script/tests/test_testparm_s3.sh
@@ -58,6 +58,36 @@ EOF
${TESTPARM} ${TEMP_CONFFILE}
}
+test_testparm_deprecated()
+{
+ name=$1
+ old_SAMBA_DEPRECATED_SUPPRESS=$SAMBA_DEPRECATED_SUPPRESS
+ SAMBA_DEPRECATED_SUPPRESS=
+ export SAMBA_DEPRECATED_SUPPRESS
+ testit_grep $name 'WARNING: The "lsaovernetlogon" option is deprecated' $VALGRIND ${TESTPARM} ${TEMP_CONFFILE} --option='lsaovernetlogon=true'
+ SAMBA_DEPRECATED_SUPPRESS=$old_SAMBA_DEPRECATED_SUPPRESS
+ export SAMBA_DEPRECATED_SUPPRESS
+}
+
+test_testparm_deprecated_suppress()
+{
+ name=$1
+ subunit_start_test "$name"
+ output=$(SAMBA_DEPRECATED_SUPPRESS=1 $VALGRIND ${TESTPARM} ${TEMP_CONFFILE} --option='lsa over netlogon = true' 2>&1)
+ status=$?
+ if [ "$status" = "0" ]; then
+ echo "$output" | grep --quiet 'WARNING: The "lsa over netlogon " option is deprecated'
+ status=$?
+ if [ "$status" = "1" ]; then
+ subunit_pass_test "$name"
+ else
+ echo $output | subunit_fail_test "$name"
+ fi
+ else
+ echo $output | subunit_fail_test "$name"
+ fi
+}
+
testit "name resolve order = lmhosts wins host bcast"\
test_one_global_option "name resolve order = lmhosts wins host bcast" || \
failed=`expr ${failed} + 1`
@@ -112,6 +142,9 @@ testit "copy" \
test_copy || \
failed=`expr ${failed} + 1`
+test_testparm_deprecated "test_deprecated_warning_printed"
+test_testparm_deprecated_suppress "test_deprecated_warning_suppressed"
+
rm -f ${TEMP_CONFFILE}
testok $0 ${failed}
--
Samba Shared Repository
More information about the samba-cvs
mailing list