[PATCH] remove "only user" and "username" options

Uri Simchoni uri at samba.org
Wed Apr 6 06:05:35 UTC 2016


Hi,

Following patch removes "only user" and "username" parameters.

These parameters have been deprecated 5 years ago in commit
46168e99f7c6116b96335635ad974c7d8e20948e, and then 4 years ago, in
commit d7bb961859a3501aec4d28842bfffb6190d19a73 , they became completely
redundant with "valid users". So we have a parameter that's been
redundant for over 4 years now.

Pls come out with the pitchforks...

Uri.

-------------- next part --------------
From 42ececbcca0ec5057ae4015151906c2232702049 Mon Sep 17 00:00:00 2001
From: Uri Simchoni <uri at samba.org>
Date: Wed, 6 Apr 2016 07:44:48 +0300
Subject: [PATCH 1/3] Reset WHATSNEW.txt for 4.5.x series

Signed-off-by: Uri Simchoni <uri at samba.org>
---
 WHATSNEW.txt | 206 +----------------------------------------------------------
 1 file changed, 2 insertions(+), 204 deletions(-)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index d81e1ed6..ae4f4c0 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,12 +1,12 @@
 Release Announcements
 =====================
 
-This is the first release candidate of Samba 4.4.  This is *not*
+This is the first release candidate of Samba 4.5.  This is *not*
 intended for production environments and is designed for testing
 purposes only.  Please report any defects via the Samba bug reporting
 system at https://bugzilla.samba.org/.
 
-Samba 4.4 will be the next version of the Samba suite.
+Samba 4.5 will be the next version of the Samba suite.
 
 
 UPGRADING
@@ -18,216 +18,14 @@ Nothing special.
 NEW FEATURES/CHANGES
 ====================
 
-Asynchronous flush requests
----------------------------
-
-Flush requests from SMB2/3 clients are handled asynchronously and do
-not block the processing of other requests. Note that 'strict sync'
-has to be set to 'yes' for Samba to honor flush requests from SMB
-clients.
-
-s3: smbd
---------
-
-Remove '--with-aio-support' configure option. We no longer would ever prefer
-POSIX-RT aio, use pthread_aio instead.
-
-samba-tool sites
-----------------
-
-The 'samba-tool sites' subcommand can now be run against another server by
-specifying an LDB URL using the '-H' option and not against the local database
-only (which is still the default when no URL is given).
-
-samba-tool domain demote
-------------------------
-
-Add '--remove-other-dead-server' option to 'samba-tool domain demote'
-subcommand. The new version of this tool now can remove another DC that is
-itself offline.  The '--remove-other-dead-server' removes as many references
-to the DC as possible.
-
-samba-tool drs clone-dc-database
---------------------------------
-
-Replicate an initial clone of domain, but do not join it.
-This is developed for debugging purposes, but not for setting up another DC.
-
-pdbedit
--------
-
-Add '--set-nt-hash' option to pdbedit to update user password from nt-hash
-hexstring. 'pdbedit -vw' shows also password hashes.
-
-smbstatus
----------
-
-'smbstatus' was enhanced to show the state of signing and encryption for
-sessions and shares.
-
-smbget
-------
-The -u and -p options for user and password were replaced by the -U option that
-accepts username[%password] as in many other tools of the Samba suite.
-Similary, smbgetrc files do not accept username and password options any more,
-only a single "user" option which also accepts user%password combinations.
-The -P option was removed.
-
-s4-rpc_server
--------------
-
-Add a GnuTLS based backupkey implementation.
-
-ntlm_auth
----------
-
-Using the '--offline-logon' enables ntlm_auth to use cached passwords when the
-DC is offline.
-
-Allow '--password' force a local password check for ntlm-server-1 mode.
-
-vfs_offline
------------
-
-A new VFS module called vfs_offline has been added to mark all files in the
-share as offline. It can be useful for shares mounted on top of a remote file
-system (either through a samba VFS module or via FUSE).
-
-KCC
----
-
-The Samba KCC has been improved, but is still disabled by default.
-
-DNS
----
-
-There were several improvements concerning the Samba DNS server.
-
-Active Directory
-----------------
-
-There were some improvements in the Active Directory area.
-
-WINS nsswitch module
---------------------
-
-The WINS nsswitch module has been rewritten to address memory issues and to
-simplify the code. The module now uses libwbclient to do WINS queries. This
-means that winbind needs to be running in order to resolve WINS names using
-the nss_wins module. This does not affect smbd.
-
-CTDB changes
-------------
-
-* CTDB now uses a newly implemented parallel database recovery scheme
-  that avoids deadlocks with smbd.
-
-  In certain circumstances CTDB and smbd could deadlock.  The new
-  recovery implementation avoid this.  It also provides improved
-  recovery performance.
-
-* All files are now installed into and referred to by the paths
-  configured at build time.  Therefore, CTDB will now work properly
-  when installed into the default location at /usr/local.
-
-* Public CTDB header files are no longer installed, since Samba and
-  CTDB are built from within the same source tree.
-
-* CTDB_DBDIR can now be set to tmpfs[:<tmpfs-options>]
-
-  This will cause volatile TDBs to be located in a tmpfs.  This can
-  help to avoid performance problems associated with contention on the
-  disk where volatile TDBs are usually stored.  See ctdbd.conf(5) for
-  more details.
-
-* Configuration variable CTDB_NATGW_SLAVE_ONLY is no longer used.
-  Instead, nodes should be annotated with the "slave-only" option in
-  the CTDB NAT gateway nodes file.  This file must be consistent
-  across nodes in a NAT gateway group.  See ctdbd.conf(5) for more
-  details.
-
-* New event script 05.system allows various system resources to be
-  monitored
-
-  This can be helpful for explaining poor performance or unexpected
-  behaviour.  New configuration variables are
-  CTDB_MONITOR_FILESYSTEM_USAGE, CTDB_MONITOR_MEMORY_USAGE and
-  CTDB_MONITOR_SWAP_USAGE.  Default values cause warnings to be
-  logged.  See the SYSTEM RESOURCE MONITORING CONFIGURATION in
-  ctdbd.conf(5) for more information.
-
-  The memory, swap and filesystem usage monitoring previously found in
-  00.ctdb and 40.fs_use is no longer available.  Therefore,
-  configuration variables CTDB_CHECK_FS_USE, CTDB_MONITOR_FREE_MEMORY,
-  CTDB_MONITOR_FREE_MEMORY_WARN and CTDB_CHECK_SWAP_IS_NOT_USED are
-  now ignored.
-
-* The 62.cnfs eventscript has been removed.  To get a similar effect
-  just do something like this:
-
-      mmaddcallback ctdb-disable-on-quorumLoss \
-        --command /usr/bin/ctdb \
-        --event quorumLoss --parms "disable"
-
-      mmaddcallback ctdb-enable-on-quorumReached \
-        --command /usr/bin/ctdb \
-        --event quorumReached --parms "enable"
-
-* The CTDB tunable parameter EventScriptTimeoutCount has been renamed
-  to MonitorTimeoutCount
-
-  It has only ever been used to limit timed-out monitor events.
-
-  Configurations containing CTDB_SET_EventScriptTimeoutCount=<n> will
-  cause CTDB to fail at startup.  Useful messages will be logged.
-
-* The commandline option "-n all" to CTDB tool has been removed.
-
-  The option was not uniformly implemented for all the commands.
-  Instead of command "ctdb ip -n all", use "ctdb ip all".
-
-* All CTDB current manual pages are now correctly installed
-
-
 REMOVED FEATURES
 ================
 
-Public headers
---------------
-
-Several public headers are not installed any longer. They are made for internal
-use only. More public headers will very likely be removed in future releases.
-
-The following headers are not installed any longer:
-dlinklist.h, gen_ndr/epmapper.h, gen_ndr/mgmt.h, gen_ndr/ndr_atsvc_c.h,
-gen_ndr/ndr_epmapper_c.h, gen_ndr/ndr_epmapper.h, gen_ndr/ndr_mgmt_c.h,
-gen_ndr/ndr_mgmt.h,gensec.h, ldap_errors.h, ldap_message.h, ldap_ndr.h,
-ldap-util.h, pytalloc.h, read_smb.h, registry.h, roles.h, samba_util.h,
-smb2_constants.h, smb2_create_blob.h, smb2.h, smb2_lease.h, smb2_signing.h,
-smb_cli.h, smb_cliraw.h, smb_common.h, smb_composite.h, smb_constants.h,
-smb_raw.h, smb_raw_interfaces.h, smb_raw_signing.h, smb_raw_trans2.h,
-smb_request.h, smb_seal.h, smb_signing.h, smb_unix_ext.h, smb_util.h,
-torture.h, tstream_smbXcli_np.h.
-
-vfs_smb_traffic_analyzer
-------------------------
-
-The SMB traffic analyzer VFS module has been removed, because it is not
-maintained any longer and not widely used.
-
-vfs_scannedonly
----------------
-
-The scannedonly VFS module has been removed, because it is not maintained
-any longer.
-
 smb.conf changes
 ----------------
 
   Parameter Name		Description		Default
   --------------		-----------		-------
-  aio max threads               New                     100
-  ldap page size		Changed default		1000
 
 
 KNOWN ISSUES
-- 
2.5.5


From 37246139f3c91ca4845424e9ad4815a543318e74 Mon Sep 17 00:00:00 2001
From: Uri Simchoni <uri at samba.org>
Date: Wed, 6 Apr 2016 08:50:27 +0300
Subject: [PATCH 2/3] smbd: remove "only user" and "username" parameters

These have long been superseded by "valid users"

Signed-off-by: Uri Simchoni <uri at samba.org>
---
 docs-xml/smbdotconf/security/onlyuser.xml | 22 ----------------------
 docs-xml/smbdotconf/security/username.xml | 25 -------------------------
 source3/param/loadparm.c                  |  3 ---
 source3/smbd/share_access.c               | 20 ++------------------
 4 files changed, 2 insertions(+), 68 deletions(-)
 delete mode 100644 docs-xml/smbdotconf/security/onlyuser.xml
 delete mode 100644 docs-xml/smbdotconf/security/username.xml

diff --git a/docs-xml/smbdotconf/security/onlyuser.xml b/docs-xml/smbdotconf/security/onlyuser.xml
deleted file mode 100644
index 3b62ba6..0000000
--- a/docs-xml/smbdotconf/security/onlyuser.xml
+++ /dev/null
@@ -1,22 +0,0 @@
-<samba:parameter name="only user"
-                 type="boolean"
-                 context="S"
-                 deprecated="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
-    <para>To restrict a service to a particular set of users you
-    can use the <smbconfoption name="valid users"/> parameter.</para>
-
-    <para>This parameter is deprecated</para>
-
-    <para>However, it currently operates only in conjunction with
-    <smbconfoption name="username"/>.  The supported way to restrict
-    a service to a particular set of users is the
-    <smbconfoption name="valid users"/> parameter.</para>
-
-</description>
-
-<related>user</related>
-
-<value type="default">no</value>
-</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/username.xml b/docs-xml/smbdotconf/security/username.xml
deleted file mode 100644
index a04a997..0000000
--- a/docs-xml/smbdotconf/security/username.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<samba:parameter name="username"
-                 context="S"
-                 type="string"
-                 deprecated="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<synonym>user</synonym>
-<synonym>users</synonym>
-<description>
-    <para>To restrict a service to a particular set of users you 
-    can use the <smbconfoption name="valid users"/> parameter.</para>
-
-    <para>This parameter is deprecated</para>
-
-    <para>However, it currently operates only in conjunction with
-    <smbconfoption name="only user"/>.  The supported way to restrict
-    a service to a particular set of users is the
-    <smbconfoption name="valid users"/> parameter.</para>
-
-</description>
-
-<value type="default"><comment>The guest account if a guest service, 
-		else <empty string>.</comment></value>
-
-<value type="example">fred, mary, jack, jane, @users, @pcgroup</value>
-</samba:parameter>
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 1f8e578..1dcd76a 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -117,7 +117,6 @@ static struct loadparm_service sDefault =
 	.usershare_last_mod = {0, 0},
 	.szService = NULL,
 	.path = NULL,
-	.username = NULL,
 	.invalid_users = NULL,
 	.valid_users = NULL,
 	.admin_users = NULL,
@@ -201,7 +200,6 @@ static struct loadparm_service sDefault =
 	.oplocks = true,
 	.kernel_oplocks = false,
 	.level2_oplocks = true,
-	.only_user = false,
 	.mangled_names = true,
 	.wide_links = false,
 	.follow_symlinks = true,
@@ -1560,7 +1558,6 @@ static bool lp_add_ipc(const char *ipc_name, bool guest_ok)
 	}
 
 	lpcfg_string_set(ServicePtrs[i], &ServicePtrs[i]->path, tmpdir());
-	lpcfg_string_set(ServicePtrs[i], &ServicePtrs[i]->username, "");
 	lpcfg_string_set(ServicePtrs[i], &ServicePtrs[i]->comment, comment);
 	lpcfg_string_set(ServicePtrs[i], &ServicePtrs[i]->fstype, "IPC");
 	ServicePtrs[i]->max_connections = 0;
diff --git a/source3/smbd/share_access.c b/source3/smbd/share_access.c
index 8b165e6..fa56063 100644
--- a/source3/smbd/share_access.c
+++ b/source3/smbd/share_access.c
@@ -183,7 +183,7 @@ bool token_contains_name_in_list(const char *username,
 /*
  * Check whether the user described by "token" has access to share snum.
  *
- * This looks at "invalid users", "valid users" and "only user/username"
+ * This looks at "invalid users" and "valid users".
  *
  * Please note that the user name and share names passed in here mainly for
  * the substitution routines that expand the parameter values, the decision
@@ -217,22 +217,6 @@ bool user_ok_token(const char *username, const char *domain,
 		}
 	}
 
-	if (lp_only_user(snum)) {
-		const char *list[2];
-		list[0] = lp_username(talloc_tos(), snum);
-		list[1] = NULL;
-		if ((list[0] == NULL) || (*list[0] == '\0')) {
-			DEBUG(0, ("'only user = yes' and no 'username ='\n"));
-			return False;
-		}
-		if (!token_contains_name_in_list(NULL, domain,
-						 lp_servicename(talloc_tos(), snum),
-						 token, list)) {
-			DEBUG(10, ("%s != 'username'\n", username));
-			return False;
-		}
-	}
-
 	DEBUG(10, ("user_ok_token: share %s is ok for unix user %s\n",
 		   lp_servicename(talloc_tos(), snum), username));
 
@@ -243,7 +227,7 @@ bool user_ok_token(const char *username, const char *domain,
  * Check whether the user described by "token" is restricted to read-only
  * access on share snum.
  *
- * This looks at "invalid users", "valid users" and "only user/username"
+ * This looks at "read list", "write list" and "read only".
  *
  * Please note that the user name and share names passed in here mainly for
  * the substitution routines that expand the parameter values, the decision
-- 
2.5.5


From 438446810cd7ed966fac38b3f19f153c5e141c03 Mon Sep 17 00:00:00 2001
From: Uri Simchoni <uri at samba.org>
Date: Wed, 6 Apr 2016 07:54:19 +0300
Subject: [PATCH 3/3] WHATSNEW: Document "only user" removal

Signed-off-by: Uri Simchoni <uri at samba.org>
---
 WHATSNEW.txt | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index ae4f4c0..f0c5f77 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -21,12 +21,18 @@ NEW FEATURES/CHANGES
 REMOVED FEATURES
 ================
 
+only user and username parameters
+---------------------------------
+These two parameters have long been deprecated and superseded by
+"valid users" and "invalid users".
+
 smb.conf changes
 ----------------
 
   Parameter Name		Description		Default
   --------------		-----------		-------
-
+  only user			Removed
+  username			Removed
 
 KNOWN ISSUES
 ============
-- 
2.5.5



More information about the samba-technical mailing list