[Patches] removal of 'auth methods', 'map untrusted to domain' and 'profile acls'

Stefan Metzmacher metze at samba.org
Thu Dec 7 13:41:49 UTC 2017


Hi Andrew,

> The removal of the auth_winbind_wbclient pdbtest test removes one of the
> few tests of the NTLM authentication interface in winbindd.  I know it
> was rather indirect, but it would be good to keep it.
> 
> On the other hand, it has this TODO:
> 
> 	/* TODO: 
> 	 * Compre more details from the two info3 structures,
> 	 * then test that an expired/disabled/pwdmustchange account
> 	 * returns the correct errors
> 	 */
> 
> If you can show me we have a good test asserting the session key and
> some other details on this then I can let it go.
> 
> To be clear, I'm not after the nostalgia, just worried about loss of
> what little testing we have in some areas.

Ok, here's an update that inlines the auth_winbind_wbclient code into
pdbtest.

As well as the reordering Andreas asked for.

Please review and push:-)

Thanks!
metze

-------------- next part --------------
From 757e11f8a88188b407623cbf303260aad2ba96ca Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 7 Dec 2017 13:34:36 +0100
Subject: [PATCH 01/17] examples/scripts: remove unused shares directory

These scripts are not that useful anymore, as they rely
on parameters to be defined in loadparm.c

It's confusing to get 'git grep' matches for parameters there...

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 .../scripts/shares/perl/modify_samba_config.pl     | 168 ----------
 examples/scripts/shares/python/SambaConfig.py      | 314 ------------------
 examples/scripts/shares/python/SambaParm.py        |  83 -----
 .../scripts/shares/python/generate_parm_table.py   | 222 -------------
 .../scripts/shares/python/modify_samba_config.py   |  77 -----
 examples/scripts/shares/python/smbparm.py          | 364 ---------------------
 6 files changed, 1228 deletions(-)
 delete mode 100755 examples/scripts/shares/perl/modify_samba_config.pl
 delete mode 100644 examples/scripts/shares/python/SambaConfig.py
 delete mode 100644 examples/scripts/shares/python/SambaParm.py
 delete mode 100755 examples/scripts/shares/python/generate_parm_table.py
 delete mode 100755 examples/scripts/shares/python/modify_samba_config.py
 delete mode 100644 examples/scripts/shares/python/smbparm.py

diff --git a/examples/scripts/shares/perl/modify_samba_config.pl b/examples/scripts/shares/perl/modify_samba_config.pl
deleted file mode 100755
index 20b613a..0000000
--- a/examples/scripts/shares/perl/modify_samba_config.pl
+++ /dev/null
@@ -1,168 +0,0 @@
-#!/usr/bin/perl
-
-######################################################################
-##
-##  Simple add/delete/change share command script for Samba
-##
-##  Copyright (C) Gerald Carter                2004.
-##
-##  This program is free software; you can redistribute it and/or modify
-##  it under the terms of the GNU General Public License as published by
-##  the Free Software Foundation; either version 3 of the License, or
-##  (at your option) any later version.
-##
-##  This program is distributed in the hope that it will be useful,
-##  but WITHOUT ANY WARRANTY; without even the implied warranty of
-##  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-##  GNU General Public License for more details.
-##
-##  You should have received a copy of the GNU General Public License
-##  along with this program; if not, see <http://www.gnu.org/licenses/>.
-##
-######################################################################
-
-use POSIX qw(tmpnam);
-
-##
-## local variables
-##
-my $delete_mode = undef;
-my $add_mode = undef;
-my $tmp_file_name = undef;
-
-
-## check for correct parameters
-if ($#ARGV == 1) {
-	$delete_mode = 1;
-}
-elsif ($#ARGV == 4) {
-	$add_mode = 1;
-}
-else {
-	print "Usage: $0 configfile share [path] [comment]\n"; 
-	exit -1;
-}
-
-## first param is always the config file
-open (CONFIGFILE, "$ARGV[0]") || die "Unable to open $ARGV[0] for reading!\n";
-
-## FIXME!!  Right now we throw away all comments in the file.
-while (<CONFIGFILE>) {
-
-	chomp($_);
-	
-	## eat leading whitespace
-	$_ =~ s/^\s*//;
-	
-	## eat trailing whitespace
-	$_ =~ s/\s*$//;
-	
-
-	## throw away comments
-	next if (($_ =~ /^#/) || ($_ =~ /^;/));
-
-	## set the current section name for storing the hash
-	if ($_ =~ /^\[.*\]$/) {
-	
-		$_ = substr($_, 1, length($_)-2);
-		
-		if ( length($_) ) {
-			$section = $_;
-		}
-		else {
-			print "Bad Section Name - no closing ]\n";
-			exit -1;
-		}
-
-		next;
-	}	
-	
-	## check for a param = value
-	if ($_ =~ /=/) {
-		($param, $value) = split (/=/, $_,2);
-		$param =~ s/./\l$&/g;
-		$param =~ s/\s+//g;
-		$value =~ s/^\s+//;
-		
-		$config{$section}{$param} = $value;
-		
-		next;
-	}
-
-	## should have a hash of hashes indexed by section name
-}
-close (CONFIGFILE);
-
-##
-## We have the smb.conf in our hash of hashes now.
-## Add or delete 
-##
-if ($add_mode) {
-	$config{$ARGV[1]}{'path'} = $ARGV[2];
-	$config{$ARGV[1]}{'comment'} = $ARGV[3];
-	$config{$ARGV[1]}{'max connections'} = $ARGV[4];
-}
-elsif ($delete_mode) {
-	delete $config{$ARGV[1]};
-}
-
-##
-## Print the resulting configuration
-##
-#do {
-#	$tmp_file_name = tmpnam();
-#	print "Using temporary file - $tmp_file_name\n";
-#} while (!sysopen(TMP, $tmp_file_name, O_RDWR|O_CREAT|O_EXCL));
-$tmp_file_name = tmpnam();
-open (TMP, ">$tmp_file_name") || die "Unable to open temporary file for writing!\n";
-
-PrintConfigFile(TMP);
-
-## now overwrite the original config file
-close (TMP);
-system ("cp -pf $ARGV[0] $ARGV[0].bak");
-system ("cp -pf $tmp_file_name $ARGV[0]");
-unlink $tmp_file_name; 
-
-
-exit 0;
-
-
-
-
-
-#######################################################################################
-## PrintConfigFile()
-##
-sub PrintConfigFile {
-	my ($output) = @_;
-
-	## print the file back out, beginning with the global section
-	print $output "#\n# Generated by $0\n#\n";
-
-	PrintSection ($output, 'global', $config{'global'});
-
-	foreach $section (keys %config) {
-
-		if ("$section" ne "global") {
-			print $output "## Section - [$section]\n";
-			PrintSection ($output, $section, $config{$section});
-		}
-	}
-
-	print $output "#\n# end of generated smb.conf\n#\n";
-}
-
-#######################################################################################
-## PrintSection()
-##
-sub PrintSection {
-	my ($outfile, $name, $section) = @_;
-
-	print $outfile "[$name]\n";
-	foreach $param (keys %$section) {
-		print $outfile "\t$param".' 'x(25-length($param)). " = $$section{$param}\n";
-	}
-	print $outfile "\n";
-
-}
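Review bot: the commit message justifies the removal only by staleness; for this file it is worth one more sentence recording that the script was also unsafe to keep as an example. The output path is `$tmp_file_name = tmpnam();` followed by `open (TMP, ">$tmp_file_name")`, with the `O_EXCL` retry loop just above it commented out, and the config path is then interpolated unquoted into `system ("cp -pf $ARGV[0] $ARGV[0].bak")`. Noting that in the log makes it clear the script should not be resurrected as-is.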
diff --git a/examples/scripts/shares/python/SambaConfig.py b/examples/scripts/shares/python/SambaConfig.py
deleted file mode 100644
index 6ceec8a..0000000
--- a/examples/scripts/shares/python/SambaConfig.py
+++ /dev/null
@@ -1,314 +0,0 @@
-import sys, string, SambaParm
-from smbparm import parm_table
-
-######################################################################
-##
-##  smb.conf parser class
-##
-##  Copyright (C) Gerald Carter		       2004.
-##
-##  This program is free software; you can redistribute it and/or modify
-##  it under the terms of the GNU General Public License as published by
-##  the Free Software Foundation; either version 3 of the License, or
-##  (at your option) any later version.
-##
-##  This program is distributed in the hope that it will be useful,
-##  but WITHOUT ANY WARRANTY; without even the implied warranty of
-##  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-##  GNU General Public License for more details.
-##
-##  You should have received a copy of the GNU General Public License
-##  along with this program; if not, see <http://www.gnu.org/licenses/>.
-##
-######################################################################
-
-
-#####################################################################
-## multi line Samba comment
-class SambaComment:
-
-	def __init__( self, comment ):
-		self.comment = comment
-		
-	def Dump( self, stream, whitespace=None ):
-		if not self.comment:
-			return
-		for line in self.comment:
-			if whitespace:
-				stream.write( whitespace )
-			stream.write( line )
-			stream.write( "\n" )
-		
-	
-#####################################################################
-## string smb.conf parms
-class SambaParameter :
-
-	## indexs into the parm table tuples
-	DisplayName  = 0
-	ObjectType   = 1
-	DefaultValue = 2
-	Scope        = 3
-
-	## Stores a key into the parm_table and creates an
-	## SambaParmXXX object to store the value
-	def __init__( self, name, value, comment=None ):
-		self.key = string.upper(string.strip(name))
-		self.comment = None
-		assert parm_table.has_key( self.key ), "Bad parameter name! [%s]" % name
-		self.parm = parm_table[self.key][self.ObjectType]( value )
-		if comment :
-			self.comment = SambaComment( comment )
-			
-		#if not self.parm.valid:
-		#	self.parm.SetValue( parm_table[self.key][self.DefaultValue] )
-
-	## simple test for global or service parameter scope
-	def isGlobalParm( self ) :
-		return parm_table[self.key][Scope]
-
-	## dump <the parameter to stdout
-	def Dump( self, stream ):
-		if self.comment:
-			self.comment.Dump( stream, "\t" )
-		stream.write( "\t%s = %s\n" % ( parm_table[self.key][self.DisplayName], self.parm.StringValue() ))
-
-
-#####################################################################
-## Class for parsing and modifying Smb.conf 
-class SambaConf:
-		
-	def __init__( self ):
-		self.services = {}
-		self.valid = True
-		self.services["GLOBAL"] = {}
-		self.services_order = []
-		
-	
-	## always return a non-empty line of input or None
-	## if we hit EOF
-	def ReadLine( self, stream ):
-		result = None
-		input_str = None
-		
-		while True:
-			input_str = stream.readline()
-		
-			## Are we done with the file ?
-			
-			if len(input_str) == 0:
-				return result
-			
-			## we need one line of valid input at least
-			## continue around the loop again if the result
-			## string is empty
-			
-			input_str = string.strip( input_str )
-			if len(input_str) == 0:
-				if not result:
-					continue
-				else:
-					return result
-			
-			## we have > 1` character so setup the result
-			if not result: 
-				result = ""
-			
-			## Check for comments -- terminated by \n -- no continuation
-			
-			if input_str[0] == '#' or input_str[0] == ';' :
-				result = input_str
-				break
-			
-			## check for line continuation			
-			
-			if input_str[-1] == "\\" :
-				result += input_str[0:-1]
-				continue
-
-			## otherwise we have a complete line
-			result += input_str
-			break
-
-		return result
-		
-	## convert the parameter name to a form suitable as a dictionary key	
-	def NormalizeParamName( self, param ):
-		return string.upper( string.join(string.split(param), "") )
-		
-	## Open the file and parse it into a services dictionary
-	## if possible
-	def ReadConfig( self, filename ):
-		self.filename = filename
-
-		try:
-			fconfig = open( filename, "r" )
-		except IOError:
-			self.valid = False
-			return
-
-		section_name = None
-		
-		## the most recent seen comment is stored as an array
-		current_comment = []
-		
-		while True:
-		
-			str = self.ReadLine( fconfig )
-			if not str:
-				break
-
-			## Check for comments
-			if str[0] == '#' or str[0] == ';' :
-				current_comment.append( str )
-				continue
-
-			## look for a next section name
-			if str[0]=='[' and str[-1]==']' :
-				section_name = str[1:-1]
-				self.AddService( section_name, current_comment )
-				current_comment = []
-				continue
-
-			str_list = string.split( str, "=" )
-
-			if len(str_list) != 2 :
-				continue
-
-			if not section_name :
-				print "parameter given without section name!"
-				break
-
-			param = self.NormalizeParamName( str_list[0] )
-			value = string.strip(str_list[1])
-
-			self.SetServiceOption( section_name, param, value, current_comment )
-			self.dirty = False
-			
-			## reset the comment strinf if we have one
-			current_comment = []
-			
-		fconfig.close()
-
-	## Add a parameter to the global section
-	def SetGlobalOption( self, param, value, comment=None ) :
-		self.SetServiceOption( "GLOBAL", param, value, comment )
-
-	## Add a parameter to a specific service
-	def SetServiceOption( self, servicename, param, value, comment=None ) :
-		service = string.upper(servicename)
-		parm = self.NormalizeParamName(param)
-		self.services[service]['_order_'].append( parm )
-		self.services[service][parm] = SambaParameter( parm, value, comment )
-		self.dirty = True
-
-	## remove a service from the config file
-	def DelService( self, servicename ) :
-		service = string.upper(servicename)
-		self.services[service] = None
-		self.dirty = True
-		
-	## remove a service from the config file
-	def AddService( self, servicename, comment=None ) :
-		service = string.upper(servicename)
-
-		self.services[service] = {}
-		self.services[service]['_order_'] = []
-
-		if ( comment ):
-			self.services[service]['_comment_'] = SambaComment( comment )
-
-		self.services_order.append( service )
-
-		self.dirty = True
-		
-	def isService( self, servicename ):
-		service = string.upper(servicename)
-		return self.services.has_key( service )
-		
-	## dump a single service to stream
-	def DumpService( self, stream, servicename ):
-	
-		## comments first 
-		if self.services[servicename].has_key( '_comment_' ):
-			self.services[servicename]['_comment_'].Dump( stream )
-			
-		## section header
-		stream.write( "[%s]\n" % (servicename) )
-		
-		## parameter = value
-		for parm in self.services[servicename]['_order_']:
-			self.services[servicename][parm].Dump(stream)
-	
-	## dump the config to stream
-	def Dump( self, stream ):
-		self.DumpService( stream, "GLOBAL" )
-		stream.write("\n")
-		
-		for section in self.services_order:
-			## already handled the global section
-			if section == "GLOBAL": 
-				continue
-				
-			## check for deleted sections ##
-			if not self.services[section]:
-				continue
-				
-			self.DumpService( stream, section )
-			stream.write( "\n" )
-			
-	## write out any changes to disk
-	def Flush( self ):
-		if not self.dirty: 
-			return
-			
-		try:
-			fconfig = open( self.filename, "w" )
-		except IOError:
-			sys.stderr.write( "ERROR!\n" ) 
-			return 1
-			
-		self.Dump( fconfig )
-		fconfig.close()
-		return 0
-		
-	def Services( self ):
-		service_list = []
-		for section in self.services.keys():
-			service_list.append( section )
-			
-		return service_list
-		
-	def NumServices( self ):
-		return len(self.Services())
-		
-	def Write( self, filename ):
-		self.filename = filename
-		self.valid = True
-
-		if not self.dirty:
-			return
-		
-		self.Flush()
-			
-		
-
-######################################################################
-## Unit tests
-######################################################################
-
-if __name__ == "__main__" :
-
-	x = SambaConf( )
-	x.ReadConfig( sys.argv[1] )
-	if not x.valid :
-		print "Bad file!"
-		sys.exit(1)
-
-	x.Dump( sys.stdout )
-	
-	
-	
-## end of SambaConfig.py ######################################################
-###############################################################################
-
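Review bot: please state in the commit message that nothing outside examples/scripts/shares imports `SambaConf`; in this patch the only visible importer is modify_samba_config.py (`from SambaConfig import SambaConf`), which is deleted too. The module is Python 2 only (`print "Bad file!"`, `has_key`, `string.upper`) and has paths that cannot work, for example `isGlobalParm` returns `parm_table[self.key][Scope]` with a bare `Scope`, and `self.dirty` is never initialised in `__init__` although `Flush` reads it, so porting it is not a reasonable alternative to removal.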
diff --git a/examples/scripts/shares/python/SambaParm.py b/examples/scripts/shares/python/SambaParm.py
deleted file mode 100644
index 82c99c8..0000000
--- a/examples/scripts/shares/python/SambaParm.py
+++ /dev/null
@@ -1,83 +0,0 @@
-######################################################################
-##
-##  smb.conf parameter classes
-##
-##  Copyright (C) Gerald Carter		       2004.
-##
-##  This program is free software; you can redistribute it and/or modify
-##  it under the terms of the GNU General Public License as published by
-##  the Free Software Foundation; either version 3 of the License, or
-##  (at your option) any later version.
-##
-##  This program is distributed in the hope that it will be useful,
-##  but WITHOUT ANY WARRANTY; without even the implied warranty of
-##  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-##  GNU General Public License for more details.
-##
-##  You should have received a copy of the GNU General Public License
-##  along with this program; if not, see <http://www.gnu.org/licenses/>.
-##
-######################################################################
-
-import string
-
-#####################################################################
-## Base class for Samba smb.conf parameters
-class SambaParm :
-	def __init__( self ) :
-		pass
-
-	def StringValue( self ) :
-		return self.value
-
-#####################################################################
-## Boolean smb,conf parm
-class SambaParmBool( SambaParm ):
-	def __init__( self, value ) :
-		x = string.upper(value)
-		self.valid = True
-		
-		if x=="YES" or x=="TRUE" or x=="1":
-			self.value = True
-		elif x=="NO" or x=="FALSE" or x=="0":
-			self.value = False
-		else:
-			self.valid = False
-			return self
-
-	def SetValue( self, value ) :
-		x = string.upper(value)
-		self.valid = True
-		
-		if x=="YES" or x=="TRUE" or x=="1":
-			self.value = True
-		elif x=="NO" or x=="FALSE" or x=="0":
-			self.value = False
-		else:
-			self.valid = False
-			return
-			
-	def StringValue( self ) :
-		if  self.value :
-			return "yes"
-		else:
-			return "no"
-			
-#####################################################################
-## Boolean smb,conf parm (inverts)
-class SambaParmBoolRev( SambaParmBool ) :
-	def __init__( self, value ):
-		SambaParmBool.__init__( self, value )
-		if self.valid :
-			self.value = not self.value
-			
-
-#####################################################################
-## string smb.conf parms
-class SambaParmString( SambaParm ):
-	def __init__( self, value ):
-		self.value = value
-		self.valid = True
-
-
-
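Review bot: the invalid-value branch of `SambaParmBool.__init__` ends in `return self`, which Python rejects for `__init__` with a TypeError, so the `self.valid = False` state was never reachable through the constructor and there is nothing here worth preserving elsewhere. The only importers visible in this patch are the generated smbparm.py and the `HEADER` template in generate_parm_table.py, both removed in the same commit, so the deletion is self-contained.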
diff --git a/examples/scripts/shares/python/generate_parm_table.py b/examples/scripts/shares/python/generate_parm_table.py
deleted file mode 100755
index 1d2c5f2..0000000
--- a/examples/scripts/shares/python/generate_parm_table.py
+++ /dev/null
@@ -1,222 +0,0 @@
-#!/usr/bin/env python
-######################################################################
-##
-##  Generate parameter dictionary from param/loadparm.c
-##
-##  Copyright (C) Gerald Carter		       2004.
-##
-##  This program is free software; you can redistribute it and/or modify
-##  it under the terms of the GNU General Public License as published by
-##  the Free Software Foundation; either version 3 of the License, or
-##  (at your option) any later version.
-##
-##  This program is distributed in the hope that it will be useful,
-##  but WITHOUT ANY WARRANTY; without even the implied warranty of
-##  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-##  GNU General Public License for more details.
-##
-##  You should have received a copy of the GNU General Public License
-##  along with this program; if not, see <http://www.gnu.org/licenses/>.
-##
-######################################################################
-
-import re, string, sys, commands
-
-HEADER = """######################################################################
-##
-## autogenerated file of smb.conf parameters
-## generate_parm_table <..../param/loadparm.c>
-##
-##  Copyright (C) Gerald Carter		       2004.
-##
-##  This program is free software; you can redistribute it and/or modify
-##  it under the terms of the GNU General Public License as published by
-##  the Free Software Foundation; either version 3 of the License, or
-##  (at your option) any later version.
-##
-##  This program is distributed in the hope that it will be useful,
-##  but WITHOUT ANY WARRANTY; without even the implied warranty of
-##  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-##  GNU General Public License for more details.
-##
-##  You should have received a copy of the GNU General Public License
-##  along with this program; if not, see <http://www.gnu.org/licenses/>.
-##
-######################################################################
-
-from SambaParm import SambaParmString, SambaParmBool, SambaParmBoolRev
-
-## boolean defines for parm_table
-P_LOCAL    = 0
-P_GLOBAL   = 1
-
-"""
-
-FOOTER = """##### end of smbparm.y ##########################################
-#################################################################"""
-
-TESTPARM = "/usr/bin/testparm"
-
-## fields in Samba's parameter table
-displayName = 0
-type        = 1
-scope       = 2
-variable    = 3
-flags       = 6
-
-parm_table  = {}
-var_table   = {}
-def_values  = {}
-obj_table = {
-	'P_BOOL'    : 'SambaParmBool',
-	'P_BOOLREV' : 'SambaParmBoolRev',
-	'P_STRING'  : 'SambaParmString',
-	'P_USTRING' : 'SambaParmString',
-	'P_GSTRING' : 'SambaParmString',
-	'P_LIST'    : 'SambaParmString',
-	'P_ENUM'    : 'SambaParmString',
-	'P_CHAR'    : 'SambaParmString',
-	'P_OCTAL'   : 'SambaParmString',
-	'P_INTEGER' : 'SambaParmString',
-}
-
-######################################################################
-##                        BEGIN MAIN CODE                           ##
-######################################################################
-
-## First thing is to build the dictionary of parmeter names  ##
-## based on the output from testparm                         ##
-
-cmd = "/usr/bin/testparm -s -v /dev/null"
-( status, testparm_output ) = commands.getstatusoutput( cmd )
-if status:
-	sys.stderr.write( "Failed to execute testparm!\n%s\n" % testparm_output )
-
-
-## break the output into a list ##
-
-lines = string.split( testparm_output, "\n" )
-
-## loop through list -- parameters in testparm output have ##
-## whitespace at the beginning of the line                 ##
-
-pattern = re.compile( "^\s+" )
-for input_str in lines:
-	if not pattern.search( input_str ):
-		continue
-	input_str = string.strip( input_str )
-	parts = string.split( input_str, "=" )
-	parts[0] = string.strip( parts[0] )
-	parts[1] = string.strip( parts[1] )
-	key = string.upper( string.join(string.split(parts[0]), "") )
-	new = parts[1].replace('\\', '\\\\')
-	def_values[key] = new
-
-## open loadparm.c and get the entire list of parameters ##
-## including synonums                                    ##
-		
-if len(sys.argv) != 2:
-	print "Usage: %s <.../param/loadparm.c>" % ( sys.argv[0] )
-	sys.exit( 1 )
-	
-try:
-	fconfig = open( sys.argv[1], "r" )
-except IOError:
-	print "%s does not exist!" % sys.argv[1]
-	sys.exit (1)
-
-## Loop through loadparm.c --  all parameters are either ##
-## P_LOCAL or P_GLOBAL                                   ##
-
-synonyms = []
-pattern = re.compile( '{".*P_[GL]' )
-while True:
-	input_str= fconfig.readline()
-	if  len(input_str) == 0 :
-		break
-	input_str= string.strip(input_str)
-	
-	## see if we have a patch for a parameter definition ##
-	
-	parm = []
-	if pattern.search( input_str) :
-	
-		## strip the surrounding '{.*},' ##
-		
-		input_str= input_str[1:-2]
-		parm = string.split(input_str, ",")
-		
-		## strip the ""'s and upper case ##
-		
-		name = (string.strip(parm[displayName])[1:-1])
-		key = string.upper( string.join(string.split(name), "") )
-		var_name = string.strip( parm[variable] )
-		
-
-		## try to catch synonyms -- if the parameter was not reported ##
-		## by testparm, then save it and come back after we will out  ##
-		## the variable list                                          ##
-		
-		if not def_values.has_key( key ):
-			synonyms.append( input_str)
-			continue
-		
-			
-		var_table[var_name] = key 
-		
-		parmType = string.strip(parm[type])
-		
-		parm_table[key] = [ name , string.strip(parm[type]), string.strip(parm[scope]), def_values[key] ]
-
-## Deal with any synonyms ##
-
-for input_str in synonyms:
-		parm = string.split(input_str, ",")
-		name = (string.strip(parm[displayName])[1:-1])
-		key = string.upper( string.join(string.split(name), "") )
-		var_name = string.strip( parm[variable] )
-		
-		## if there's no pre-existing key, then testparm doesn't know about it
-		if not var_table.has_key( var_name ):
-			continue
-			
-		## just make a copy
-		parm_table[key] = parm_table[var_table[var_name]][:]
-		# parm_table[key][1] = parm[1]
-		parm_table[key][1] = string.strip(parm[1])
-
-##                      ##	
-## print out smbparm.py ##
-##                      ##	
-
-try:
-	smbparm = open ( "smbparm.py", "w" )
-except IOError:
-	print "Cannot write to smbparm.py"
-	sys.exit( 1 )
-	
-smbparm.write( HEADER )
-smbparm.write( "parm_table = {\n" )
-
-for x in parm_table.keys():
-	key = "\"%s\"" % x
-	smbparm.write("\t%-25s: (\"%s\", %s, %s, \"%s\"),\n" % ( key, parm_table[x][0], 
-		obj_table[parm_table[x][1]], parm_table[x][2], parm_table[x][3] ))
-
-smbparm.write( "}\n" )
-
-smbparm.write( FOOTER )
-smbparm.write( "\n" )
-
-sys.exit(0)
-
-
-##                  ##
-## cut-n-paste area ##
-##                  ##
-
-for x in parm_table.keys():
-	if def_values.has_key( x ):
-		parm_table[x].append( def_values[x] )
-	else:
-		parm_table[x].append( "" )
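Review bot: this is the file that carries the loadparm.c dependency the commit message refers to, and the message would be clearer if it named it. The table is built by scraping entries that match `pattern = re.compile( '{".*P_[GL]' )` and by taking defaults from a hard-coded `/usr/bin/testparm -s -v /dev/null`, so the checked-in smbparm.py is a frozen snapshot that keeps producing 'git grep' hits for parameters being removed. Suggest rewording "rely on parameters to be defined in loadparm.c" to say the parameter table was generated by parsing param/loadparm.c, which these scripts can no longer do.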
diff --git a/examples/scripts/shares/python/modify_samba_config.py b/examples/scripts/shares/python/modify_samba_config.py
deleted file mode 100755
index 88b3fcb..0000000
--- a/examples/scripts/shares/python/modify_samba_config.py
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/usr/bin/env python
-######################################################################
-##
-##  Simple add/delete/change share command script for Samba
-##
-##  Copyright (C) Gerald Carter		       2004.
-##
-##  This program is free software; you can redistribute it and/or modify
-##  it under the terms of the GNU General Public License as published by
-##  the Free Software Foundation; either version 3 of the License, or
-##  (at your option) any later version.
-##
-##  This program is distributed in the hope that it will be useful,
-##  but WITHOUT ANY WARRANTY; without even the implied warranty of
-##  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-##  GNU General Public License for more details.
-##
-##  You should have received a copy of the GNU General Public License
-##  along with this program; if not, see <http://www.gnu.org/licenses/>.
-##
-######################################################################
-
-import sys, os
-from SambaConfig import SambaConf
-
-
-##                             ##
-## check the command line args ##
-##                             ##
-delete_mode = False
-if len(sys.argv) == 3:
-	delete_mode = True
-	print "Deleting share..."
-elif len(sys.argv) == 5:
-	print "Adding/Updating share..."
-else:
-	print "Usage: %s configfile share [path] [comments]" % sys.argv[0]
-	sys.exit(1)
-	
-	
-##                                ##
-## read and parse the config file ##
-##                                ##
-
-confFile = SambaConf()
-
-confFile.ReadConfig( sys.argv[1] )
-if not confFile.valid:
-	exit( 1 )
-	
-if delete_mode:
-	if not confFile.isService( sys.argv[2] ):
-		sys.stderr.write( "Asked to delete non-existent service! [%s]\n" % sys.argv[2] )
-		sys.exit( 1 )
-		
-	confFile.DelService( sys.argv[2] )
-else:
-	## make the path if it doesn't exist.  Bail out if that fails
-	if ( not os.path.isdir(sys.argv[3]) ):
-		try:
-			os.makedirs( sys.argv[3] )
-			os.chmod( sys.argv[3], 0777 )
-		except os.error:
-			sys.exit( 1 )
-
-	## only add a new service -- if it already exists, then 
-	## just set the options
-	if not confFile.isService( sys.argv[2] ):
-		confFile.AddService( sys.argv[2], ['##', '## Added by modify_samba_config.py', '##']  )
-	confFile.SetServiceOption( sys.argv[2], "path", sys.argv[3] )
-	confFile.SetServiceOption( sys.argv[2], "comment", sys.argv[4] )
-	confFile.SetServiceOption( sys.argv[2], "read only", "no" )
-
-ret = confFile.Flush()
-
-sys.exit( ret )
-
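Review bot: before this goes in, please check that no documentation still points at this script as an example share command, since its header advertises it as a "Simple add/delete/change share command script for Samba". The add path creates a missing share directory and then runs `os.chmod( sys.argv[3], 0777 )` and sets `"read only"` to `"no"`, which is not a default an example should hand to administrators, so removal without a replacement is fine; a short mention in the commit message would help anyone who was relying on it.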
diff --git a/examples/scripts/shares/python/smbparm.py b/examples/scripts/shares/python/smbparm.py
deleted file mode 100644
index e0786a4..0000000
--- a/examples/scripts/shares/python/smbparm.py
+++ /dev/null
@@ -1,364 +0,0 @@
-######################################################################
-##
-## autogenerated file of smb.conf parameters
-## generate_parm_table <..../param/loadparm.c>
-##
-##  Copyright (C) Gerald Carter		       2004.
-##
-##  This program is free software; you can redistribute it and/or modify
-##  it under the terms of the GNU General Public License as published by
-##  the Free Software Foundation; either version 3 of the License, or
-##  (at your option) any later version.
-##
-##  This program is distributed in the hope that it will be useful,
-##  but WITHOUT ANY WARRANTY; without even the implied warranty of
-##  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-##  GNU General Public License for more details.
-##
-##  You should have received a copy of the GNU General Public License
-##  along with this program; if not, see <http://www.gnu.org/licenses/>.
-##
-######################################################################
-
-from SambaParm import SambaParmString, SambaParmBool, SambaParmBoolRev
-
-## boolean defines for parm_table
-P_LOCAL    = 0
-P_GLOBAL   = 1
-
-parm_table = {
-	"PRELOADMODULES"         : ("preload modules", SambaParmString, P_GLOBAL, ""),
-	"ONLYGUEST"              : ("guest only", SambaParmBool, P_LOCAL, "No"),
-	"PRIVATEDIR"             : ("private dir", SambaParmString, P_GLOBAL, "/etc/samba/private"),
-	"HIDESPECIALFILES"       : ("hide special files", SambaParmBool, P_LOCAL, "No"),
-	"WINBINDENUMUSERS"       : ("winbind enum users", SambaParmBool, P_GLOBAL, "Yes"),
-	"TIMESTAMPLOGS"          : ("debug timestamp", SambaParmBool, P_GLOBAL, "Yes"),
-	"LDAPPASSWDSYNC"         : ("ldap passwd sync", SambaParmString, P_GLOBAL, "no"),
-	"READBMPX"               : ("read bmpx", SambaParmBool, P_GLOBAL, "No"),
-	"PASSWORDSERVER"         : ("password server", SambaParmString, P_GLOBAL, "*"),
-	"COPY"                   : ("copy", SambaParmString, P_LOCAL, ""),
-	"MAXXMIT"                : ("max xmit", SambaParmString, P_GLOBAL, "16644"),
-	"MINPRINTSPACE"          : ("min print space", SambaParmString, P_LOCAL, "0"),
-	"CASESENSITIVE"          : ("case sensitive", SambaParmString, P_LOCAL, "Auto"),
-	"LDAPIDMAPSUFFIX"        : ("ldap idmap suffix", SambaParmString, P_GLOBAL, ""),
-	"NAMECACHETIMEOUT"       : ("name cache timeout", SambaParmString, P_GLOBAL, "660"),
-	"MAPARCHIVE"             : ("map archive", SambaParmBool, P_LOCAL, "Yes"),
-	"LANMANAUTH"             : ("lanman auth", SambaParmBool, P_GLOBAL, "Yes"),
-	"NETBIOSSCOPE"           : ("netbios scope", SambaParmString, P_GLOBAL, ""),
-	"MAXREPORTEDPRINTJOBS"   : ("max reported print jobs", SambaParmString, P_LOCAL, "0"),
-	"CREATEMODE"             : ("create mask", SambaParmString, P_LOCAL, "0744"),
-	"READLIST"               : ("read list", SambaParmString, P_LOCAL, ""),
-	"WINBINDNESTEDGROUPS"    : ("winbind nested groups", SambaParmBool, P_GLOBAL, "No"),
-	"COMMENT"                : ("comment", SambaParmString, P_LOCAL, ""),
-	"PRINTER"                : ("printer name", SambaParmString, P_LOCAL, ""),
-	"LMANNOUNCE"             : ("lm announce", SambaParmString, P_GLOBAL, "Auto"),
-	"SYSLOGONLY"             : ("syslog only", SambaParmBool, P_GLOBAL, "No"),
-	"LMINTERVAL"             : ("lm interval", SambaParmString, P_GLOBAL, "60"),
-	"MANGLINGMETHOD"         : ("mangling method", SambaParmString, P_GLOBAL, "hash2"),
-	"PROFILEACLS"            : ("profile acls", SambaParmBool, P_LOCAL, "No"),
-	"LDAPGROUPSUFFIX"        : ("ldap group suffix", SambaParmString, P_GLOBAL, ""),
-	"MAPTOGUEST"             : ("map to guest", SambaParmString, P_GLOBAL, "Never"),
-	"NULLPASSWORDS"          : ("null passwords", SambaParmBool, P_GLOBAL, "No"),
-	"ONLYUSER"               : ("only user", SambaParmBool, P_LOCAL, "No"),
-	"UTMP"                   : ("utmp", SambaParmBool, P_GLOBAL, "No"),
-	"DONTDESCEND"            : ("dont descend", SambaParmString, P_LOCAL, ""),
-	"PRINTING"               : ("printing", SambaParmString, P_LOCAL, "cups"),
-	"SOCKETOPTIONS"          : ("socket options", SambaParmString, P_GLOBAL, "TCP_NODELAY"),
-	"CLIENTUSESPNEGO"        : ("client use spnego", SambaParmBool, P_GLOBAL, "Yes"),
-	"USESPNEGO"              : ("use spnego", SambaParmBool, P_GLOBAL, "Yes"),
-	"FAKEOPLOCKS"            : ("fake oplocks", SambaParmBool, P_LOCAL, "No"),
-	"FORCECREATEMODE"        : ("force create mode", SambaParmString, P_LOCAL, "00"),
-	"SMBPORTS"               : ("smb ports", SambaParmString, P_GLOBAL, "445 139"),
-	"LOCKDIR"                : ("lock directory", SambaParmString, P_GLOBAL, "/var/lib/samba"),
-	"BROWSEABLE"             : ("browseable", SambaParmBool, P_LOCAL, "Yes"),
-	"WINSPROXY"              : ("wins proxy", SambaParmBool, P_GLOBAL, "No"),
-	"FORCEGROUP"             : ("force group", SambaParmString, P_LOCAL, ""),
-	"NTSTATUSSUPPORT"        : ("nt status support", SambaParmBool, P_GLOBAL, "Yes"),
-	"EXEC"                   : ("preexec", SambaParmString, P_LOCAL, ""),
-	"DOMAINLOGONS"           : ("domain logons", SambaParmBool, P_GLOBAL, "No"),
-	"TEMPLATESHELL"          : ("template shell", SambaParmString, P_GLOBAL, "/bin/false"),
-	"USESENDFILE"            : ("use sendfile", SambaParmBool, P_LOCAL, "No"),
-	"USEMMAP"                : ("use mmap", SambaParmBool, P_GLOBAL, "Yes"),
-	"VALIDUSERS"             : ("valid users", SambaParmString, P_LOCAL, ""),
-	"DEBUGLEVEL"             : ("log level", SambaParmString, P_GLOBAL, "0"),
-	"PRINTCAPCACHETIME"      : ("printcap cache time", SambaParmString, P_GLOBAL, "0"),
-	"SOCKETADDRESS"          : ("socket address", SambaParmString, P_GLOBAL, "0.0.0.0"),
-	"FORCEDIRECTORYMODE"     : ("force directory mode", SambaParmString, P_LOCAL, "00"),
-	"MSDFSROOT"              : ("msdfs root", SambaParmBool, P_LOCAL, "No"),
-	"ROOTPREEXEC"            : ("root preexec", SambaParmString, P_LOCAL, ""),
-	"WRITEOK"                : ("read only", SambaParmBoolRev, P_LOCAL, "Yes"),
-	"MAXLOGSIZE"             : ("max log size", SambaParmString, P_GLOBAL, "5000"),
-	"VFSOBJECT"              : ("vfs objects", SambaParmString, P_LOCAL, ""),
-	"CHECKPASSWORDSCRIPT"    : ("check password script", SambaParmString, P_GLOBAL, ""),
-	"DELETEPRINTERCOMMAND"   : ("deleteprinter command", SambaParmString, P_GLOBAL, ""),
-	"OSLEVEL"                : ("os level", SambaParmString, P_GLOBAL, "20"),
-	"ENUMPORTSCOMMAND"       : ("enumports command", SambaParmString, P_GLOBAL, ""),
-	"DELETEUSERFROMGROUPSCRIPT": ("delete user from group script", SambaParmString, P_GLOBAL, ""),
-	"IDMAPGID"               : ("idmap gid", SambaParmString, P_GLOBAL, ""),
-	"PREEXECCLOSE"           : ("preexec close", SambaParmBool, P_LOCAL, "No"),
-	"UTMPDIRECTORY"          : ("utmp directory", SambaParmString, P_GLOBAL, ""),
-	"DOSFILEMODE"            : ("dos filemode", SambaParmBool, P_LOCAL, "No"),
-	"LOGFILE"                : ("log file", SambaParmString, P_GLOBAL, ""),
-	"WORKGROUP"              : ("workgroup", SambaParmString, P_GLOBAL, "WORKGROUP"),
-	"ENCRYPTPASSWORDS"       : ("encrypt passwords", SambaParmBool, P_GLOBAL, "Yes"),
-	"PRINTABLE"              : ("printable", SambaParmBool, P_LOCAL, "No"),
-	"MAXPROTOCOL"            : ("max protocol", SambaParmString, P_GLOBAL, "NT1"),
-	"KERNELOPLOCKS"          : ("kernel oplocks", SambaParmBool, P_GLOBAL, "Yes"),
-	"NETBIOSALIASES"         : ("netbios aliases", SambaParmString, P_GLOBAL, ""),
-	"ANNOUNCEAS"             : ("announce as", SambaParmString, P_GLOBAL, "NT"),
-	"DIRECTORYMASK"          : ("directory mask", SambaParmString, P_LOCAL, "0755"),
-	"MAPSYSTEM"              : ("map system", SambaParmBool, P_LOCAL, "No"),
-	"CHANGENOTIFYTIMEOUT"    : ("change notify timeout", SambaParmString, P_GLOBAL, "60"),
-	"WINBINDTRUSTEDDOMAINSONLY": ("winbind trusted domains only", SambaParmBool, P_GLOBAL, "No"),
-	"SHUTDOWNSCRIPT"         : ("shutdown script", SambaParmString, P_GLOBAL, ""),
-	"FOLLOWSYMLINKS"         : ("follow symlinks", SambaParmBool, P_LOCAL, "Yes"),
-	"MAPHIDDEN"              : ("map hidden", SambaParmBool, P_LOCAL, "No"),
-	"GROUP"                  : ("force group", SambaParmString, P_LOCAL, ""),
-	"DENYHOSTS"              : ("hosts deny", SambaParmString, P_LOCAL, ""),
-	"WINBINDCACHETIME"       : ("winbind cache time", SambaParmString, P_GLOBAL, "300"),
-	"DELETEVETOFILES"        : ("delete veto files", SambaParmBool, P_LOCAL, "No"),
-	"DISABLESPOOLSS"         : ("disable spoolss", SambaParmBool, P_GLOBAL, "No"),
-	"MAXCONNECTIONS"         : ("max connections", SambaParmString, P_LOCAL, "0"),
-	"WRITERAW"               : ("write raw", SambaParmBool, P_GLOBAL, "Yes"),
-	"SERVERSIGNING"          : ("server signing", SambaParmString, P_GLOBAL, "No"),
-	"VOLUME"                 : ("volume", SambaParmString, P_LOCAL, ""),
-	"UNIXPASSWORDSYNC"       : ("unix password sync", SambaParmBool, P_GLOBAL, "No"),
-	"OBEYPAMRESTRICTIONS"    : ("obey pam restrictions", SambaParmBool, P_GLOBAL, "No"),
-	"PASSWDCHATTIMEOUT"      : ("passwd chat timeout", SambaParmString, P_GLOBAL, "2"),
-	"USER"                   : ("username", SambaParmString, P_LOCAL, ""),
-	"HIDEDOTFILES"           : ("hide dot files", SambaParmBool, P_LOCAL, "Yes"),
-	"ROOTPOSTEXEC"           : ("root postexec", SambaParmString, P_LOCAL, ""),
-	"PROTOCOL"               : ("max protocol", SambaParmString, P_GLOBAL, "NT1"),
-	"LDAPADMINDN"            : ("ldap admin dn", SambaParmString, P_GLOBAL, ""),
-	"DNSPROXY"               : ("dns proxy", SambaParmBool, P_GLOBAL, "Yes"),
-	"OS2DRIVERMAP"           : ("os2 driver map", SambaParmString, P_GLOBAL, ""),
-	"QUEUERESUMECOMMAND"     : ("queueresume command", SambaParmString, P_LOCAL, ""),
-	"SERVERSCHANNEL"         : ("server schannel", SambaParmString, P_GLOBAL, "Auto"),
-	"IDMAPUID"               : ("idmap uid", SambaParmString, P_GLOBAL, ""),
-	"WINBINDENABLELOCALACCOUNTS": ("winbind enable local accounts", SambaParmBool, P_GLOBAL, "No"),
-	"PRINTERNAME"            : ("printer name", SambaParmString, P_LOCAL, ""),
-	"NTACLSUPPORT"           : ("nt acl support", SambaParmBool, P_LOCAL, "Yes"),
-	"LOGLEVEL"               : ("log level", SambaParmString, P_GLOBAL, "0"),
-	"STATCACHE"              : ("stat cache", SambaParmBool, P_GLOBAL, "Yes"),
-	"LPQCACHETIME"           : ("lpq cache time", SambaParmString, P_GLOBAL, "30"),
-	"LEVEL2OPLOCKS"          : ("level2 oplocks", SambaParmBool, P_LOCAL, "Yes"),
-	"LARGEREADWRITE"         : ("large readwrite", SambaParmBool, P_GLOBAL, "Yes"),
-	"LDAPREPLICATIONSLEEP"   : ("ldap replication sleep", SambaParmString, P_GLOBAL, "1000"),
-	"LDAPUSERSUFFIX"         : ("ldap user suffix", SambaParmString, P_GLOBAL, ""),
-	"NETBIOSNAME"            : ("netbios name", SambaParmString, P_GLOBAL, "PANTHER"),
-	"LOCKSPINCOUNT"          : ("lock spin count", SambaParmString, P_GLOBAL, "3"),
-	"OPLOCKS"                : ("oplocks", SambaParmBool, P_LOCAL, "Yes"),
-	"MINWINSTTL"             : ("min wins ttl", SambaParmString, P_GLOBAL, "21600"),
-	"HOMEDIRMAP"             : ("homedir map", SambaParmString, P_GLOBAL, ""),
-	"REMOTEANNOUNCE"         : ("remote announce", SambaParmString, P_GLOBAL, ""),
-	"PREFERREDMASTER"        : ("preferred master", SambaParmString, P_GLOBAL, "Auto"),
-	"SECURITY"               : ("security", SambaParmString, P_GLOBAL, "USER"),
-	"AUTHMETHODS"            : ("auth methods", SambaParmString, P_GLOBAL, ""),
-	"ENABLERIDALGORITHM"     : ("enable rid algorithm", SambaParmBool, P_GLOBAL, "Yes"),
-	"LPRMCOMMAND"            : ("lprm command", SambaParmString, P_LOCAL, ""),
-	"KERNELCHANGENOTIFY"     : ("kernel change notify", SambaParmBool, P_GLOBAL, "Yes"),
-	"LOGONSCRIPT"            : ("logon script", SambaParmString, P_GLOBAL, ""),
-	"PRESERVECASE"           : ("preserve case", SambaParmBool, P_LOCAL, "Yes"),
-	"UNIXCHARSET"            : ("unix charset", SambaParmString, P_GLOBAL, "UTF-8"),
-	"FORCEPRINTERNAME"       : ("force printername", SambaParmBool, P_LOCAL, "No"),
-	"LDAPFILTER"             : ("ldap filter", SambaParmString, P_GLOBAL, "(uid"),
-	"DELETEREADONLY"         : ("delete readonly", SambaParmBool, P_LOCAL, "No"),
-	"ABORTSHUTDOWNSCRIPT"    : ("abort shutdown script", SambaParmString, P_GLOBAL, ""),
-	"DFREECOMMAND"           : ("dfree command", SambaParmString, P_GLOBAL, ""),
-	"VETOFILES"              : ("veto files", SambaParmString, P_LOCAL, ""),
-	"LOCKING"                : ("locking", SambaParmBool, P_LOCAL, "Yes"),
-	"EASUPPORT"              : ("ea support", SambaParmBool, P_LOCAL, "No"),
-	"MAXSMBDPROCESSES"       : ("max smbd processes", SambaParmString, P_GLOBAL, "0"),
-	"HIDEFILES"              : ("hide files", SambaParmString, P_LOCAL, ""),
-	"PASSWDCHATDEBUG"        : ("passwd chat debug", SambaParmBool, P_GLOBAL, "No"),
-	"SMBPASSWDFILE"          : ("smb passwd file", SambaParmString, P_GLOBAL, "/etc/samba/private/smbpasswd"),
-	"GETQUOTACOMMAND"        : ("get quota command", SambaParmString, P_GLOBAL, ""),
-	"DOMAINMASTER"           : ("domain master", SambaParmString, P_GLOBAL, "Auto"),
-	"DELETESHARECOMMAND"     : ("delete share command", SambaParmString, P_GLOBAL, ""),
-	"INVALIDUSERS"           : ("invalid users", SambaParmString, P_LOCAL, ""),
-	"POSIXLOCKING"           : ("posix locking", SambaParmBool, P_LOCAL, "Yes"),
-	"INCLUDE"                : ("include", SambaParmString, P_LOCAL, ""),
-	"ALGORITHMICRIDBASE"     : ("algorithmic rid base", SambaParmString, P_GLOBAL, "1000"),
-	"ANNOUNCEVERSION"        : ("announce version", SambaParmString, P_GLOBAL, "4.9"),
-	"USERNAMEMAP"            : ("username map", SambaParmString, P_GLOBAL, ""),
-	"MANGLEDNAMES"           : ("mangled names", SambaParmBool, P_LOCAL, "Yes"),
-	"ROOTDIRECTORY"          : ("root directory", SambaParmString, P_GLOBAL, ""),
-	"DEBUGHIRESTIMESTAMP"    : ("debug hires timestamp", SambaParmBool, P_GLOBAL, "No"),
-	"LOGONDRIVE"             : ("logon drive", SambaParmString, P_GLOBAL, ""),
-	"LOCALMASTER"            : ("local master", SambaParmBool, P_GLOBAL, "Yes"),
-	"ROOTPREEXECCLOSE"       : ("root preexec close", SambaParmBool, P_LOCAL, "No"),
-	"CONFIGFILE"             : ("config file", SambaParmString, P_GLOBAL, ""),
-	"USECLIENTDRIVER"        : ("use client driver", SambaParmBool, P_LOCAL, "No"),
-	"MINPROTOCOL"            : ("min protocol", SambaParmString, P_GLOBAL, "CORE"),
-	"ADDUSERTOGROUPSCRIPT"   : ("add user to group script", SambaParmString, P_GLOBAL, ""),
-	"MAPACLINHERIT"          : ("map acl inherit", SambaParmBool, P_LOCAL, "No"),
-	"DELETEUSERSCRIPT"       : ("delete user script", SambaParmString, P_GLOBAL, ""),
-	"WINBINDUID"             : ("idmap uid", SambaParmString, P_GLOBAL, ""),
-	"READRAW"                : ("read raw", SambaParmBool, P_GLOBAL, "Yes"),
-	"WINBINDENUMGROUPS"      : ("winbind enum groups", SambaParmBool, P_GLOBAL, "Yes"),
-	"MAXPRINTJOBS"           : ("max print jobs", SambaParmString, P_LOCAL, "1000"),
-	"PRINTCAP"               : ("printcap name", SambaParmString, P_GLOBAL, ""),
-	"LOADPRINTERS"           : ("load printers", SambaParmBool, P_GLOBAL, "Yes"),
-	"DEFAULT"                : ("default service", SambaParmString, P_GLOBAL, ""),
-	"GUESTACCOUNT"           : ("guest account", SambaParmString, P_GLOBAL, "nobody"),
-	"AUTOSERVICES"           : ("preload", SambaParmString, P_GLOBAL, ""),
-	"WRITEABLE"              : ("read only", SambaParmBoolRev, P_LOCAL, "Yes"),
-	"CLIENTLANMANAUTH"       : ("client lanman auth", SambaParmBool, P_GLOBAL, "Yes"),
-	"MESSAGECOMMAND"         : ("message command", SambaParmString, P_GLOBAL, ""),
-	"UNIXEXTENSIONS"         : ("unix extensions", SambaParmBool, P_GLOBAL, "Yes"),
-	"LDAPPASSWORDSYNC"       : ("ldap passwd sync", SambaParmString, P_GLOBAL, "no"),
-	"AFSUSERNAMEMAP"         : ("afs username map", SambaParmString, P_GLOBAL, ""),
-	"SYSLOG"                 : ("syslog", SambaParmString, P_GLOBAL, "1"),
-	"SETPRIMARYGROUPSCRIPT"  : ("set primary group script", SambaParmString, P_GLOBAL, ""),
-	"DEADTIME"               : ("deadtime", SambaParmString, P_GLOBAL, "0"),
-	"RESTRICTANONYMOUS"      : ("restrict anonymous", SambaParmString, P_GLOBAL, "0"),
-	"USERNAMELEVEL"          : ("username level", SambaParmString, P_GLOBAL, "0"),
-	"DISPLAYCHARSET"         : ("display charset", SambaParmString, P_GLOBAL, "LOCALE"),
-	"FORCEUSER"              : ("force user", SambaParmString, P_LOCAL, ""),
-	"HOSTSDENY"              : ("hosts deny", SambaParmString, P_LOCAL, ""),
-	"HIDEUNWRITEABLEFILES"   : ("hide unwriteable files", SambaParmBool, P_LOCAL, "No"),
-	"DOSCHARSET"             : ("dos charset", SambaParmString, P_GLOBAL, "CP850"),
-	"DOSFILETIMES"           : ("dos filetimes", SambaParmBool, P_LOCAL, "No"),
-	"REALM"                  : ("realm", SambaParmString, P_GLOBAL, ""),
-	"LDAPSUFFIX"             : ("ldap suffix", SambaParmString, P_GLOBAL, ""),
-	"LPPAUSECOMMAND"         : ("lppause command", SambaParmString, P_LOCAL, ""),
-	"FAKEDIRECTORYCREATETIMES": ("fake directory create times", SambaParmBool, P_LOCAL, "No"),
-	"MAGICSCRIPT"            : ("magic script", SambaParmString, P_LOCAL, ""),
-	"WRITECACHESIZE"         : ("write cache size", SambaParmString, P_LOCAL, "0"),
-	"BLOCKSIZE"              : ("block size", SambaParmString, P_LOCAL, "1024"),
-	"LOCKSPINTIME"           : ("lock spin time", SambaParmString, P_GLOBAL, "10"),
-	"ACLCOMPATIBILITY"       : ("acl compatibility", SambaParmString, P_GLOBAL, ""),
-	"MSDFSPROXY"             : ("msdfs proxy", SambaParmString, P_LOCAL, ""),
-	"POSTEXEC"               : ("postexec", SambaParmString, P_LOCAL, ""),
-	"HIDEUNREADABLE"         : ("hide unreadable", SambaParmBool, P_LOCAL, "No"),
-	"WIDELINKS"              : ("wide links", SambaParmBool, P_LOCAL, "Yes"),
-	"STRICTSYNC"             : ("strict sync", SambaParmBool, P_LOCAL, "No"),
-	"PRINTCAPNAME"           : ("printcap name", SambaParmString, P_GLOBAL, ""),
-	"PREFEREDMASTER"         : ("preferred master", SambaParmString, P_GLOBAL, "Auto"),
-	"MAXMUX"                 : ("max mux", SambaParmString, P_GLOBAL, "50"),
-	"VETOOPLOCKFILES"        : ("veto oplock files", SambaParmString, P_LOCAL, ""),
-	"WINBINDSEPARATOR"       : ("winbind separator", SambaParmString, P_GLOBAL, "\\"),
-	"NISHOMEDIR"             : ("NIS homedir", SambaParmBool, P_GLOBAL, "No"),
-	"AVAILABLE"              : ("available", SambaParmBool, P_LOCAL, "Yes"),
-	"KEEPALIVE"              : ("keepalive", SambaParmString, P_GLOBAL, "300"),
-	"USERNAME"               : ("username", SambaParmString, P_LOCAL, ""),
-	"PRINTCOMMAND"           : ("print command", SambaParmString, P_LOCAL, ""),
-	"LPRESUMECOMMAND"        : ("lpresume command", SambaParmString, P_LOCAL, ""),
-	"USEKERBEROSKEYTAB"      : ("use kerberos keytab", SambaParmBool, P_GLOBAL, "No"),
-	"HOSTSALLOW"             : ("hosts allow", SambaParmString, P_LOCAL, ""),
-	"MAXOPENFILES"           : ("max open files", SambaParmString, P_GLOBAL, "10000"),
-	"PARANOIDSERVERSECURITY" : ("paranoid server security", SambaParmBool, P_GLOBAL, "Yes"),
-	"WTMPDIRECTORY"          : ("wtmp directory", SambaParmString, P_GLOBAL, ""),
-	"ADDPRINTERCOMMAND"      : ("addprinter command", SambaParmString, P_GLOBAL, ""),
-	"WINSSERVER"             : ("wins server", SambaParmString, P_GLOBAL, ""),
-	"LDAPTIMEOUT"            : ("ldap timeout", SambaParmString, P_GLOBAL, "15"),
-	"LOCKDIRECTORY"          : ("lock directory", SambaParmString, P_GLOBAL, "/var/lib/samba"),
-	"LOGONHOME"              : ("logon home", SambaParmString, P_GLOBAL, "\\%N\%U"),
-	"MINPASSWDLENGTH"        : ("min password length", SambaParmString, P_GLOBAL, "5"),
-	"CLIENTPLAINTEXTAUTH"    : ("client plaintext auth", SambaParmBool, P_GLOBAL, "Yes"),
-	"CSCPOLICY"              : ("csc policy", SambaParmString, P_LOCAL, "manual"),
-	"ADDSHARECOMMAND"        : ("add share command", SambaParmString, P_GLOBAL, ""),
-	"MANGLINGCHAR"           : ("mangling char", SambaParmString, P_LOCAL, "~"),
-	"DIRECTORY"              : ("path", SambaParmString, P_LOCAL, ""),
-	"DEBUGTIMESTAMP"         : ("debug timestamp", SambaParmBool, P_GLOBAL, "Yes"),
-	"ALLOWHOSTS"             : ("hosts allow", SambaParmString, P_LOCAL, ""),
-	"FSTYPE"                 : ("fstype", SambaParmString, P_LOCAL, "NTFS"),
-	"BLOCKINGLOCKS"          : ("blocking locks", SambaParmBool, P_LOCAL, "Yes"),
-	"LDAPSSL"                : ("ldap ssl", SambaParmString, P_GLOBAL, ""),
-	"PAMPASSWORDCHANGE"      : ("pam password change", SambaParmBool, P_GLOBAL, "No"),
-	"GUESTOK"                : ("guest ok", SambaParmBool, P_LOCAL, "No"),
-	"DEFAULTDEVMODE"         : ("default devmode", SambaParmBool, P_LOCAL, "No"),
-	"MAXDISKSIZE"            : ("max disk size", SambaParmString, P_GLOBAL, "0"),
-	"ADDMACHINESCRIPT"       : ("add machine script", SambaParmString, P_GLOBAL, ""),
-	"MANGLEPREFIX"           : ("mangle prefix", SambaParmString, P_GLOBAL, "1"),
-	"DISABLENETBIOS"         : ("disable netbios", SambaParmBool, P_GLOBAL, "No"),
-	"LOGONPATH"              : ("logon path", SambaParmString, P_GLOBAL, "\\%N\%U\profile"),
-	"IDMAPBACKEND"           : ("idmap backend", SambaParmString, P_GLOBAL, ""),
-	"SHORTPRESERVECASE"      : ("short preserve case", SambaParmBool, P_LOCAL, "Yes"),
-	"CUPSSERVER"             : ("cups server", SambaParmString, P_GLOBAL, ""),
-	"NTPIPESUPPORT"          : ("nt pipe support", SambaParmBool, P_GLOBAL, "Yes"),
-	"READONLY"               : ("read only", SambaParmBool, P_LOCAL, "Yes"),
-	"MACHINEPASSWORDTIMEOUT" : ("machine password timeout", SambaParmString, P_GLOBAL, "604800"),
-	"PIDDIRECTORY"           : ("pid directory", SambaParmString, P_GLOBAL, "/var/run"),
-	"PUBLIC"                 : ("guest ok", SambaParmBool, P_LOCAL, "No"),
-	"DEBUGPID"               : ("debug pid", SambaParmBool, P_GLOBAL, "No"),
-	"GUESTONLY"              : ("guest only", SambaParmBool, P_LOCAL, "No"),
-	"DELETEGROUPSCRIPT"      : ("delete group script", SambaParmString, P_GLOBAL, ""),
-	"CUPSOPTIONS"            : ("cups options", SambaParmString, P_LOCAL, ""),
-	"PASSWDCHAT"             : ("passwd chat", SambaParmString, P_GLOBAL, "*new*password* %n\n *new*password* %n\n *changed*"),
-	"STRICTLOCKING"          : ("strict locking", SambaParmString, P_LOCAL, "Yes"),
-	"TEMPLATEHOMEDIR"        : ("template homedir", SambaParmString, P_GLOBAL, "/home/%D/%U"),
-	"WINBINDGID"             : ("idmap gid", SambaParmString, P_GLOBAL, ""),
-	"INHERITPERMISSIONS"     : ("inherit permissions", SambaParmBool, P_LOCAL, "No"),
-	"TIMESERVER"             : ("time server", SambaParmBool, P_GLOBAL, "No"),
-	"BROWSELIST"             : ("browse list", SambaParmBool, P_GLOBAL, "Yes"),
-	"HOSTNAMELOOKUPS"        : ("hostname lookups", SambaParmBool, P_GLOBAL, "No"),
-	"DOSFILETIMERESOLUTION"  : ("dos filetime resolution", SambaParmBool, P_LOCAL, "No"),
-	"CREATEMASK"             : ("create mask", SambaParmString, P_LOCAL, "0744"),
-	"WINSHOOK"               : ("wins hook", SambaParmString, P_GLOBAL, ""),
-	"DEFAULTCASE"            : ("default case", SambaParmString, P_LOCAL, "lower"),
-	"PATH"                   : ("path", SambaParmString, P_LOCAL, ""),
-	"SHOWADDPRINTERWIZARD"   : ("show add printer wizard", SambaParmBool, P_GLOBAL, "Yes"),
-	"WINSPARTNERS"           : ("wins partners", SambaParmString, P_GLOBAL, ""),
-	"ENABLEPRIVILEGES"       : ("enable privileges", SambaParmBool, P_GLOBAL, "No"),
-	"VFSOBJECTS"             : ("vfs objects", SambaParmString, P_LOCAL, ""),
-	"STRICTALLOCATE"         : ("strict allocate", SambaParmBool, P_LOCAL, "No"),
-	"PREEXEC"                : ("preexec", SambaParmString, P_LOCAL, ""),
-	"WINSSUPPORT"            : ("wins support", SambaParmBool, P_GLOBAL, "No"),
-	"HOSTMSDFS"              : ("host msdfs", SambaParmBool, P_GLOBAL, "No"),
-	"AFSTOKENLIFETIME"       : ("afs token lifetime", SambaParmString, P_GLOBAL, "604800"),
-	"PRINTOK"                : ("printable", SambaParmBool, P_LOCAL, "No"),
-	"TEMPLATEPRIMARYGROUP"   : ("template primary group", SambaParmString, P_GLOBAL, "nobody"),
-	"PASSWDPROGRAM"          : ("passwd program", SambaParmString, P_GLOBAL, ""),
-	"SYNCALWAYS"             : ("sync always", SambaParmBool, P_LOCAL, "No"),
-	"QUEUEPAUSECOMMAND"      : ("queuepause command", SambaParmString, P_LOCAL, ""),
-	"BINDINTERFACESONLY"     : ("bind interfaces only", SambaParmBool, P_GLOBAL, "No"),
-	"MAXWINSTTL"             : ("max wins ttl", SambaParmString, P_GLOBAL, "518400"),
-	"GETWDCACHE"             : ("getwd cache", SambaParmBool, P_GLOBAL, "Yes"),
-	"MAGICOUTPUT"            : ("magic output", SambaParmString, P_LOCAL, ""),
-	"ADMINUSERS"             : ("admin users", SambaParmString, P_LOCAL, ""),
-	"DIRECTORYMODE"          : ("directory mask", SambaParmString, P_LOCAL, "0755"),
-	"CLIENTSIGNING"          : ("client signing", SambaParmString, P_GLOBAL, "auto"),
-	"PASSDBBACKEND"          : ("passdb backend", SambaParmString, P_GLOBAL, "smbpasswd"),
-	"CASESIGNAMES"           : ("case sensitive", SambaParmString, P_LOCAL, "Auto"),
-	"SETQUOTACOMMAND"        : ("set quota command", SambaParmString, P_GLOBAL, ""),
-	"LPQCOMMAND"             : ("lpq command", SambaParmString, P_LOCAL, ""),
-	"SERVERSTRING"           : ("server string", SambaParmString, P_GLOBAL, "Samba 3.0.11pre2-SVN-build-4840"),
-	"DEFAULTSERVICE"         : ("default service", SambaParmString, P_GLOBAL, ""),
-	"WINBINDUSEDEFAULTDOMAIN": ("winbind use default domain", SambaParmBool, P_GLOBAL, "No"),
-	"INTERFACES"             : ("interfaces", SambaParmString, P_GLOBAL, ""),
-	"ROOTDIR"                : ("root directory", SambaParmString, P_GLOBAL, ""),
-	"ADDUSERSCRIPT"          : ("add user script", SambaParmString, P_GLOBAL, ""),
-	"CLIENTNTLMV2AUTH"       : ("client NTLMv2 auth", SambaParmBool, P_GLOBAL, "No"),
-	"FORCEUNKNOWNACLUSER"    : ("force unknown acl user", SambaParmBool, P_LOCAL, "No"),
-	"MANGLEDMAP"             : ("mangled map", SambaParmString, P_LOCAL, ""),
-	"NTLMAUTH"               : ("ntlm auth", SambaParmBool, P_GLOBAL, "Yes"),
-	"INHERITACLS"            : ("inherit acls", SambaParmBool, P_LOCAL, "No"),
-	"HOSTSEQUIV"             : ("hosts equiv", SambaParmString, P_GLOBAL, ""),
-	"ALLOWTRUSTEDDOMAINS"    : ("allow trusted domains", SambaParmBool, P_GLOBAL, "Yes"),
-	"MINPASSWORDLENGTH"      : ("min password length", SambaParmString, P_GLOBAL, "5"),
-	"USERS"                  : ("username", SambaParmString, P_LOCAL, ""),
-	"PRELOAD"                : ("preload", SambaParmString, P_GLOBAL, ""),
-	"DEBUGUID"               : ("debug uid", SambaParmBool, P_GLOBAL, "No"),
-	"CHANGESHARECOMMAND"     : ("change share command", SambaParmString, P_GLOBAL, ""),
-	"BROWSABLE"              : ("browseable", SambaParmBool, P_LOCAL, "Yes"),
-	"ENHANCEDBROWSING"       : ("enhanced browsing", SambaParmBool, P_GLOBAL, "Yes"),
-	"PANICACTION"            : ("panic action", SambaParmString, P_GLOBAL, ""),
-	"LDAPMACHINESUFFIX"      : ("ldap machine suffix", SambaParmString, P_GLOBAL, ""),
-	"MAXTTL"                 : ("max ttl", SambaParmString, P_GLOBAL, "259200"),
-	"WRITABLE"               : ("read only", SambaParmBoolRev, P_LOCAL, "Yes"),
-	"SHAREMODES"             : ("share modes", SambaParmBool, P_LOCAL, "Yes"),
-	"REMOTEBROWSESYNC"       : ("remote browse sync", SambaParmString, P_GLOBAL, ""),
-	"STOREDOSATTRIBUTES"     : ("store dos attributes", SambaParmBool, P_LOCAL, "No"),
-	"CLIENTSCHANNEL"         : ("client schannel", SambaParmString, P_GLOBAL, "Auto"),
-	"WRITELIST"              : ("write list", SambaParmString, P_LOCAL, ""),
-	"ADDGROUPSCRIPT"         : ("add group script", SambaParmString, P_GLOBAL, ""),
-	"OPLOCKBREAKWAITTIME"    : ("oplock break wait time", SambaParmString, P_GLOBAL, "0"),
-	"TIMEOFFSET"             : ("time offset", SambaParmString, P_GLOBAL, "0"),
-	"LDAPDELETEDN"           : ("ldap delete dn", SambaParmBool, P_GLOBAL, "No"),
-	"AFSSHARE"               : ("afs share", SambaParmBool, P_LOCAL, "No"),
-	"ROOT"                   : ("root directory", SambaParmString, P_GLOBAL, ""),
-	"NAMERESOLVEORDER"       : ("name resolve order", SambaParmString, P_GLOBAL, "lmhosts wins host bcast"),
-}
-##### end of smbparm.y ##########################################
-#################################################################
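Review bot: the commit message could state that this table is a stale snapshot of parameter defaults rather than live code: the SERVERSTRING entry near the end of the dict still carries "Samba 3.0.11pre2-SVN-build-4840", and the AUTHMETHODS and PROFILEACLS entries are where the stray 'git grep' hits for "auth methods" and "profile acls" come from. Saying so makes it clear why this removal sits at the head of the series.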
-- 
1.9.1


From d0b1f798d53758cfb0594f83693c83c803092121 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 12 Jun 2017 15:35:41 +0200
Subject: [PATCH 02/17] s3:auth: remove "map untrusted to domain" handling

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth_util.c | 37 ++++---------------------------------
 1 file changed, 4 insertions(+), 33 deletions(-)

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 8e7fa91..fbc3642 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -110,12 +110,6 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
 	NTSTATUS result;
 	bool was_mapped;
 	char *internal_username = NULL;
-	bool upn_form = false;
-	int map_untrusted = lp_map_untrusted_to_domain();
-
-	if (client_domain[0] == '\0' && strchr(smb_name, '@')) {
-		upn_form = true;
-	}
 
 	was_mapped = map_username(talloc_tos(), smb_name, &internal_username);
 	if (!internal_username) {
@@ -125,35 +119,12 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
 	DEBUG(5, ("Mapping user [%s]\\[%s] from workstation [%s]\n",
 		 client_domain, smb_name, workstation_name));
 
+	/*
+	 * We let the auth stack canonicalize, username
+	 * and domain.
+	 */
 	domain = client_domain;
 
-	/* If you connect to a Windows domain member using a bogus domain name,
-	 * the Windows box will map the BOGUS\user to SAMNAME\user.  Thus, if
-	 * the Windows box is a DC the name will become DOMAIN\user and be
-	 * authenticated against AD, if the Windows box is a member server but
-	 * not a DC the name will become WORKSTATION\user.  A standalone
-	 * non-domain member box will also map to WORKSTATION\user.
-	 * This also deals with the client passing in a "" domain */
-
-	if (map_untrusted != Auto && !upn_form &&
-	    !strequal(domain, my_sam_name()) &&
-	    !strequal(domain, get_global_sam_name()) &&
-	    !is_trusted_domain(domain))
-	{
-		if (map_untrusted) {
-			domain = my_sam_name();
-		} else {
-			domain = get_global_sam_name();
-		}
-		DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] from "
-			  "workstation [%s]\n",
-			  client_domain, domain, smb_name, workstation_name));
-	}
-
-	/* We know that the given domain is trusted (and we are allowing them),
-	 * it is our global SAM name, or for legacy behavior it is our
-	 * primary domain name */
-
 	result = make_user_info(mem_ctx, user_info, smb_name, internal_username,
 				client_domain, domain, workstation_name,
 				remote_address, local_address,
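Review bot: with the mapping block gone, 'domain = client_domain;' leaves 'domain' as a plain alias, so make_user_info() now always receives the same string for the client domain and the mapped domain; consider dropping the local variable and passing client_domain for both, or have the new comment say the two arguments are intentionally identical. The added comment also has a stray comma: "canonicalize, username and domain" should read "canonicalize username and domain". For configurations that set the option to yes or no (the 'map_untrusted != Auto' branch), this changes which domain an untrusted or empty client domain is authenticated against, so the commit message should carry a sentence on the resulting behaviour rather than only the Signed-off-by.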
-- 
1.9.1


From b121c64c60ad8a50d9cd6c04f77e2417e68c8291 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 19 Jun 2017 10:48:49 +0200
Subject: [PATCH 03/17] docs-xml: remove unused "map untrusted to domain"
 option

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 .../smbdotconf/security/mapuntrustedtodomain.xml   | 55 ----------------------
 lib/param/loadparm.c                               |  2 -
 source3/param/loadparm.c                           |  1 -
 3 files changed, 58 deletions(-)
 delete mode 100644 docs-xml/smbdotconf/security/mapuntrustedtodomain.xml

diff --git a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml b/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
deleted file mode 100644
index f782a51..0000000
--- a/docs-xml/smbdotconf/security/mapuntrustedtodomain.xml
+++ /dev/null
@@ -1,55 +0,0 @@
-<samba:parameter name="map untrusted to domain"
-                 context="G"
-                 type="enum"
-                 enumlist="enum_bool_auto"
-                 deprecated="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
-    <para>
-    By default, and with <smbconfoption name="map untrusted to domain">auto</smbconfoption>
-    smbd will defer the decision whether the domain name provided by the
-    client is a valid domain name to the Domain Controller (DC) of
-    the domain it is a member of, if it is not a DC.  If the DC indicates
-    that the domain portion is unknown, then a local authentication is performed.
-    Standalone servers always ignore the domain.  This is basically the same as
-    the behavior implemented in Windows.
-    </para>
-
-    <para>
-    With <smbconfoption name="map untrusted to domain">no</smbconfoption>,
-    if a client connects to smbd using an untrusted domain name, such as
-    BOGUS\user, smbd replaces the BOGUS domain with it's SAM name
-    (forcing local authentication) before
-    attempting to authenticate that user.  In the case where smbd is acting as
-    a NT4 PDC/BDC this will be DOMAIN\user.  In the case where smbd is acting as a
-    domain member server or a standalone server this will be WORKSTATION\user.
-    While this appears similar to the behaviour of
-    <smbconfoption name="map untrusted to domain">auto</smbconfoption>,
-    the difference is that smbd will use a cached (maybe incomplete) list
-    of trusted domains in order to classify a domain as "untrusted"
-    before contacting any DC first.
-    </para>
-
-    <para>
-    With <smbconfoption name="map untrusted to domain">yes</smbconfoption>,
-    smbd provides the legacy behavior matching that of versions of Samba pre 3.4:
-    the BOGUS domain name would always be replaced by the
-    primary domain before attempting to authenticate that user.
-    This will be DOMAIN\user in all server roles except active directory domain controller.
-    </para>
-
-    <para>
-    <smbconfoption name="map untrusted to domain">no</smbconfoption>,
-    was the default up to Samba 4.6.
-    </para>
-
-    <para>
-    <smbconfoption name="map untrusted to domain">auto</smbconfoption> was added
-    and become the default with Samba 4.7.0. As the option is marked as
-    <constant>deprecated</constant> it will be removed in a future release, while the behavior of
-    <smbconfoption name="map untrusted to domain">auto</smbconfoption> will be kept.
-    </para>
-</description>
-
-<value type="default">auto</value>
-</samba:parameter>
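Review bot: the last paragraph of the removed description promises that the option "will be removed in a future release, while the behavior of auto will be kept", so this deletion should be paired with a release-notes entry (if one is not added elsewhere in the series) naming "map untrusted to domain" as removed and stating that the auto behaviour is what remains. The diffstat of this patch covers only this file and the two loadparm.c files.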
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index d788ffb..1a06af9 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2838,8 +2838,6 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
 	lpcfg_do_global_parameter(lp_ctx, "guest account", GUEST_ACCOUNT);
 
-	lpcfg_do_global_parameter(lp_ctx, "map untrusted to domain", "auto");
-
 	lpcfg_do_global_parameter(lp_ctx, "client schannel", "auto");
 
 	lpcfg_do_global_parameter(lp_ctx, "smb encrypt", "default");
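Review bot: the subject line is prefixed "docs-xml", but this hunk and the following one in source3/param/loadparm.c remove the built-in "auto" default for the parameter, which is a code change and not documentation. Either widen the subject prefix or mention the removal of the loadparm.c defaults in the commit message body, so the change is findable from the log.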
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 01c022e..82f9d8e 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -867,7 +867,6 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 
 	Globals.min_receivefile_size = 0;
 
-	Globals.map_untrusted_to_domain = Auto;
 	Globals.multicast_dns_register = true;
 
 	Globals.smb2_max_read = DEFAULT_SMB2_MAX_READ;
-- 
1.9.1


From b637dad3892083d9cb0d310c306ad3e8eb79d64c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 7 Dec 2017 13:03:55 +0100
Subject: [PATCH 04/17] pdbtest: also verify the authentication path for local
 users via winbindd

This basically inlines the logic from the 'winbind_wbclient' backend,
which will be removed shortly.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/torture/pdbtest.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)

diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c
index 251dbbf..9e2a742 100644
--- a/source3/torture/pdbtest.c
+++ b/source3/torture/pdbtest.c
@@ -32,6 +32,8 @@
 #include "../auth/common_auth.h"
 #include "lib/tsocket/tsocket.h"
 #include "include/auth.h"
+#include "nsswitch/libwbclient/wbclient.h"
+#include "auth/auth_sam_reply.h"
 
 #define TRUST_DOM "trustdom"
 #define TRUST_PWD "trustpwd1232"
@@ -268,6 +270,11 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
 	unsigned char local_nt_session_key[16];
 	struct netr_SamInfo3 *info3_sam, *info3_auth;
 	struct auth_serversupplied_info *server_info;
+	struct wbcAuthUserParams params = { .flags = 0 };
+	struct wbcAuthUserInfo *info = NULL;
+	struct wbcAuthErrorInfo *err = NULL;
+	wbcErr wbc_status;
+	struct netr_SamInfo6 *info6_wbc = NULL;
 	NTSTATUS status;
 	bool ok;
 	uint8_t authoritative = 0;
@@ -363,6 +370,72 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
 	 * returns the correct errors
 	 */
 
+	params.parameter_control = user_info->logon_parameters;
+	params.parameter_control |= WBC_MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT |
+				    WBC_MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT;
+	params.level = WBC_AUTH_USER_LEVEL_RESPONSE;
+
+	params.account_name     = user_info->client.account_name;
+	params.domain_name      = user_info->client.domain_name;
+	params.workstation_name = user_info->workstation_name;
+
+	memcpy(params.password.response.challenge,
+	       challenge.data,
+	       sizeof(params.password.response.challenge));
+
+	params.password.response.lm_length =
+		user_info->password.response.lanman.length;
+	params.password.response.nt_length =
+		user_info->password.response.nt.length;
+
+	params.password.response.lm_data =
+		user_info->password.response.lanman.data;
+	params.password.response.nt_data =
+		user_info->password.response.nt.data;
+
+	wbc_status = wbcAuthenticateUserEx(&params, &info, &err);
+	if (wbc_status != WBC_ERR_WINBIND_NOT_AVAILABLE) {
+		if (wbc_status == WBC_ERR_AUTH_ERROR) {
+			if (err) {
+				DEBUG(1, ("error was %s (0x%08x)\nerror message was '%s'\n",
+				      err->nt_string, err->nt_status, err->display_string));
+				status = NT_STATUS(err->nt_status);
+				wbcFreeMemory(err);
+			} else {
+				status = NT_STATUS_LOGON_FAILURE;
+			}
+			if (!NT_STATUS_IS_OK(status)) {
+				return false;
+			}
+		} else if (!WBC_ERROR_IS_OK(wbc_status)) {
+			DEBUG(1, ("wbcAuthenticateUserEx: failed with %u - %s\n",
+				wbc_status, wbcErrorString(wbc_status)));
+			if (err) {
+				DEBUG(1, ("error was %s (0x%08x)\nerror message was '%s'\n",
+				      err->nt_string, err->nt_status, err->display_string));
+			}
+			return false;
+		}
+		info6_wbc = wbcAuthUserInfo_to_netr_SamInfo6(mem_ctx, info);
+		wbcFreeMemory(info);
+		if (!info6_wbc) {
+			DEBUG(1, ("wbcAuthUserInfo_to_netr_SamInfo6 failed\n"));
+			return false;
+		}
+
+		if (memcmp(info6_wbc->base.key.key, local_nt_session_key, 16) != 0) {
+			DEBUG(0, ("Returned NT session key is incorrect\n"));
+			return false;
+		}
+
+		if (!dom_sid_equal(info3_sam->base.domain_sid, info6_wbc->base.domain_sid)) {
+			DEBUG(0, ("domain_sid in SAM info3 %s does not match domain_sid in AUTH info3 %s\n",
+				  dom_sid_string(NULL, info3_sam->base.domain_sid),
+				  dom_sid_string(NULL, info6_wbc->base.domain_sid)));
+			return false;
+		}
+	}
+
 	return True;
 }
 
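Review bot: the whole winbindd block sits under `if (wbc_status != WBC_ERR_WINBIND_NOT_AVAILABLE)`, so when winbindd is not reachable the test still returns True without having checked the session key or domain_sid, and nothing is logged. Please emit at least a DEBUG line on the skipped path so a test run shows whether the winbindd authentication path was actually exercised. Smaller points in the same block: the `!WBC_ERROR_IS_OK(wbc_status)` branch logs `err` but, unlike the WBC_ERR_AUTH_ERROR branch, never calls wbcFreeMemory(err); the memcmp uses a literal 16 where sizeof(local_nt_session_key) would follow the declaration; and the domain_sid mismatch message still says "AUTH info3" although the value compared is info6_wbc.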
-- 
1.9.1


From 5287610947583b5cddbee7fa2b5da2b1f1bf6ffc Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 6 Dec 2017 13:25:19 +0100
Subject: [PATCH 05/17] s4:selftest: remove
 samba.blackbox.pdbtest.s4winbind_wbclient test

The "winbind_wbclient" backend is unused and will be removed soon.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/selftest/tests.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 8d3d526..e9d3e78 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -236,7 +236,6 @@ for env in ["ad_dc_ntvfs", "nt4_dc"]:
     plantestsuite("samba.blackbox.pdbtest(%s)" % env, "%s:local" % env, [os.path.join(bbdir, "test_pdbtest.sh"), '$SERVER', "$PREFIX", "pdbtest", smbclient4, '$SMB_CONF_PATH', configuration])
 
 plantestsuite("samba.blackbox.pdbtest.s4winbind(ad_dc_ntvfs)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_pdbtest.sh"), '$SERVER', "$PREFIX", "pdbtest3", smbclient4, '$SMB_CONF_PATH', configuration + " --option='authmethods=winbind'"])
-plantestsuite("samba.blackbox.pdbtest.s4winbind_wbclient(ad_dc_ntvfs)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_pdbtest.sh"), '$SERVER', "$PREFIX", "pdbtest4", smbclient4, '$SMB_CONF_PATH', configuration + " --option='authmethods=winbind_wbclient'"])
 
 gpo = smbtorture4_testsuites("gpo.")
 for t in gpo:
-- 
1.9.1


From 3f95e7ed005bc07a1cae192553100b67278fbd2e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 6 Dec 2017 13:28:27 +0100
Subject: [PATCH 06/17] s4:selftest: remove samba.blackbox.pdbtest.s4winbind
 test

This has been marked as knownfail for quite some time.

I don't think such a test is a reason to keep the 'auth methods' option.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 selftest/knownfail        | 4 ----
 source4/selftest/tests.py | 2 --
 2 files changed, 6 deletions(-)

diff --git a/selftest/knownfail b/selftest/knownfail
index a28329c..710fd33 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -256,10 +256,6 @@
 ^samba4.winbind.struct.lookup_name_sid\(ad_member:local\)
 ^samba4.winbind.struct.getdcname\(nt4_member:local\) # Works in other modes, just not against the classic/NT4 DC
 #
-# This test is no longer valid given s4winbind needs a live NETLOGON server
-#
-^samba.blackbox.pdbtest.s4winbind\(ad_dc_ntvfs\).pdbtest
-#
 # Differences in our KDC compared to windows
 #
 ^samba4.krb5.kdc .*.as-req-pac-request # We should reply to a request for a PAC over UDP with KRB5KRB_ERR_RESPONSE_TOO_BIG unconditionally
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index e9d3e78..9c309fc 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -235,8 +235,6 @@ for env in ["ad_dc_ntvfs", "nt4_dc"]:
         plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport), ntlmoptions, '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.%s" % name)
     plantestsuite("samba.blackbox.pdbtest(%s)" % env, "%s:local" % env, [os.path.join(bbdir, "test_pdbtest.sh"), '$SERVER', "$PREFIX", "pdbtest", smbclient4, '$SMB_CONF_PATH', configuration])
 
-plantestsuite("samba.blackbox.pdbtest.s4winbind(ad_dc_ntvfs)", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_pdbtest.sh"), '$SERVER', "$PREFIX", "pdbtest3", smbclient4, '$SMB_CONF_PATH', configuration + " --option='authmethods=winbind'"])
-
 gpo = smbtorture4_testsuites("gpo.")
 for t in gpo:
     plansmbtorture4testsuite(t, 'ad_dc:local', ['//$SERVER/sysvol', '-U$USERNAME%$PASSWORD'])
-- 
1.9.1


From d1c74c1d7fc625f8cad17595ab3d31a20cef15f1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 19 Jun 2017 10:55:35 +0200
Subject: [PATCH 07/17] s3:auth: remove lp_auth_methods() handling

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth.c | 31 +------------------------------
 1 file changed, 1 insertion(+), 30 deletions(-)

diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 3890cbc..4df74f9 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -504,26 +504,13 @@ NTSTATUS make_auth3_context_for_ntlm(TALLOC_CTX *mem_ctx,
 				     struct auth_context **auth_context)
 {
 	const char *methods = NULL;
-	NTSTATUS nt_status;
 
 	switch (lp_server_role()) {
 	case ROLE_ACTIVE_DIRECTORY_DC:
 		DEBUG(5,("Making default auth method list for server role = "
 			 "'active directory domain controller'\n"));
-		return make_auth_context_specific(mem_ctx, auth_context, "samba4");
-	default:
+		methods = "samba4";
 		break;
-	}
-
-	if (lp_auth_methods()) {
-		DEBUG(5,("Using specified auth order\n"));
-		nt_status = make_auth_context_text_list(
-			mem_ctx, auth_context,
-			discard_const_p(char *, lp_auth_methods()));
-		return nt_status;
-	}
-
-	switch (lp_server_role()) {
 	case ROLE_DOMAIN_MEMBER:
 		DEBUG(5,("Making default auth method list for server role = 'domain member'\n"));
 		methods = "guest sam winbind sam_ignoredomain";
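Review bot: the ROLE_ACTIVE_DIRECTORY_DC case no longer returns through make_auth_context_specific(mem_ctx, auth_context, "samba4") but sets `methods = "samba4"` and falls out of the switch into whatever consumes `methods` below, which is outside this hunk. Please confirm in the commit message that this tail is equivalent for the AD DC role, and that the merged switch still has a `default:` label now that the one in the first switch is deleted. The commit message is empty; it should also say that an 'auth methods' value in smb.conf no longer affects the NTLM auth context on any server role.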
@@ -554,22 +541,6 @@ NTSTATUS make_auth3_context_for_netlogon(TALLOC_CTX *mem_ctx,
 					 struct auth_context **auth_context)
 {
 	const char *methods = NULL;
-	NTSTATUS nt_status;
-
-	/*
-	 * We do the lp_auth_methods check before
-	 * the lp_server_role check in order to
-	 * backward compatible. The "auth methods" option
-	 * is deprecated now, so this will go away in a future
-	 * release.
-	 */
-	if (lp_auth_methods()) {
-		DBG_INFO("Using specified auth order for netlogon\n");
-		nt_status = make_auth_context_text_list(
-			mem_ctx, auth_context,
-			discard_const_p(char *, lp_auth_methods()));
-		return nt_status;
-	}
 
 	switch (lp_server_role()) {
 	case ROLE_DOMAIN_BDC:
-- 
1.9.1


From 15d33cd715f90d7a8ca62ec783efd9a4f3cd8d7d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 19 Jun 2017 10:56:00 +0200
Subject: [PATCH 08/17] s4:auth/ntlm: remove lpcfg_auth_methods() handling

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/auth/ntlm/auth.c | 40 +++++++---------------------------------
 1 file changed, 7 insertions(+), 33 deletions(-)

diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 56c1bcf..7e10a55 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -748,20 +748,6 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char *
 const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx)
 {
 	char **auth_methods = NULL;
-	const char **const_auth_methods = NULL;
-
-	/*
-	 * As 'auth methods' is deprecated it will be removed
-	 * in future releases again, but for now give
-	 * admins the flexibility to configure, the behavior
-	 * from Samba 4.6: "auth methods = anonymous sam_ignoredomain",
-	 * for a while.
-	 */
-	const_auth_methods = lpcfg_auth_methods(lp_ctx);
-	if (const_auth_methods != NULL) {
-		DBG_NOTICE("using deprecated 'auth methods' values.\n");
-		return const_auth_methods;
-	}
 
 	switch (lpcfg_server_role(lp_ctx)) {
 	case ROLE_STANDALONE:
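Review bot: the comment deleted here documents that admins were told to set "auth methods = anonymous sam_ignoredomain" to keep the Samba 4.6 behaviour, so removing the lpcfg_auth_methods() lookup changes the effective method list for exactly those installations, and the commit message does not mention it. Please describe the behaviour change in the commit message (and release notes), and consider a warning when the option is still present in the configuration, since such a server moves to the role-based default list without any notice.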
@@ -814,27 +800,15 @@ _PUBLIC_ NTSTATUS auth_context_create_for_netlogon(TALLOC_CTX *mem_ctx,
 	const char **auth_methods = NULL;
 
 	/*
-	 * As 'auth methods' is deprecated it will be removed
-	 * in future releases again, but for now give
-	 * admins the flexibility to configure, the behavior
-	 * from Samba 4.6: "auth methods = anonymous sam_ignoredomain",
-	 * for a while.
+	 * Here we only allow 'sam winbind' instead of
+	 * the 'anonymous sam winbind sam_ignoredomain'
+	 * we typically use for authentication from clients.
 	 */
-	auth_methods = lpcfg_auth_methods(lp_ctx);
-	if (auth_methods != NULL) {
-		DBG_NOTICE("using deprecated 'auth methods' values.\n");
-	} else {
-		/*
-		 * Here we only allow 'sam winbind' instead of
-		 * the 'anonymous sam winbind sam_ignoredomain'
-		 * we typically use for authentication from clients.
-		 */
-		_auth_methods = str_list_make(mem_ctx, "sam winbind", NULL);
-		if (_auth_methods == NULL) {
-			return NT_STATUS_NO_MEMORY;
-		}
-		auth_methods = discard_const_p(const char *, _auth_methods);
+	_auth_methods = str_list_make(mem_ctx, "sam winbind", NULL);
+	if (_auth_methods == NULL) {
+		return NT_STATUS_NO_MEMORY;
 	}
+	auth_methods = discard_const_p(const char *, _auth_methods);
 
 	status = auth_context_create_methods(mem_ctx, auth_methods, ev, msg,
 					     lp_ctx, NULL, auth_ctx);
-- 
1.9.1


From 4d0654f0045b7c629202f9ae7b05d9acb3bf7b7a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 28 Nov 2017 07:40:09 +0100
Subject: [PATCH 09/17] s4:auth_sam: remove unused 'sam_failtrusts' backend

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/auth/ntlm/auth_sam.c | 96 --------------------------------------------
 1 file changed, 96 deletions(-)

diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 24fe167..5e2a584 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -847,90 +847,6 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
 	return NT_STATUS_OK;
 }
 
-static NTSTATUS authsam_failtrusts_want_check(struct auth_method_context *ctx,
-					      TALLOC_CTX *mem_ctx,
-					      const struct auth_usersupplied_info *user_info)
-{
-	const char *effective_domain = user_info->mapped.domain_name;
-	struct dsdb_trust_routing_table *trt = NULL;
-	const struct lsa_TrustDomainInfoInfoEx *tdo = NULL;
-	NTSTATUS status;
-
-	/* check whether or not we service this domain/workgroup name */
-	switch (lpcfg_server_role(ctx->auth_ctx->lp_ctx)) {
-	case ROLE_ACTIVE_DIRECTORY_DC:
-		/* handled later */
-		break;
-
-	default:
-		DBG_ERR("lpcfg_server_role() has an undefined value\n");
-		return NT_STATUS_NOT_IMPLEMENTED;
-	}
-
-	/*
-	 * Now we handle the AD DC case...
-	 */
-	if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
-		return NT_STATUS_NOT_IMPLEMENTED;
-	}
-
-	if (effective_domain == NULL || strequal(effective_domain, "")) {
-		const char *p = NULL;
-
-		p = strchr_m(user_info->mapped.account_name, '@');
-		if (p != NULL) {
-			effective_domain = p + 1;
-		}
-	}
-
-	if (effective_domain == NULL || strequal(effective_domain, "")) {
-		DBG_DEBUG("%s is not a trusted domain\n",
-			  effective_domain);
-		return NT_STATUS_NOT_IMPLEMENTED;
-	}
-
-	/*
-	 * as last option we check the routing table if the
-	 * domain is within our forest.
-	 */
-	status = dsdb_trust_routing_table_load(ctx->auth_ctx->sam_ctx,
-					       mem_ctx, &trt);
-	if (!NT_STATUS_IS_OK(status)) {
-		DBG_ERR("authsam_check_password: dsdb_trust_routing_table_load() %s\n",
-			 nt_errstr(status));
-		return status;
-	}
-
-	tdo = dsdb_trust_routing_by_name(trt, effective_domain);
-	if (tdo == NULL) {
-		DBG_DEBUG("%s is not a known TLN (DC)\n",
-			  effective_domain);
-		TALLOC_FREE(trt);
-		return NT_STATUS_NOT_IMPLEMENTED;
-	}
-
-	/*
-	 * We now about the domain...
-	 */
-	TALLOC_FREE(trt);
-	return NT_STATUS_OK;
-}
-
-static NTSTATUS authsam_failtrusts_check_password(struct auth_method_context *ctx,
-						  TALLOC_CTX *mem_ctx,
-						  const struct auth_usersupplied_info *user_info,
-						  struct auth_user_info_dc **user_info_dc,
-						  bool *authoritative)
-{
-	/*
-	 * This should a good error for now,
-	 * until this module gets removed
-	 * and we have a full async path
-	 * to winbind.
-	 */
-	return NT_STATUS_NO_TRUST_LSA_SECRET;
-}
-
 /* Wrapper for the auth subsystem pointer */
 static NTSTATUS authsam_get_user_info_dc_principal_wrapper(TALLOC_CTX *mem_ctx,
 							  struct auth4_context *auth_context,
@@ -955,12 +871,6 @@ static const struct auth_operations sam_ops = {
 	.get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper,
 };
 
-static const struct auth_operations sam_failtrusts_ops = {
-	.name		           = "sam_failtrusts",
-	.want_check	           = authsam_failtrusts_want_check,
-	.check_password	           = authsam_failtrusts_check_password,
-};
-
 _PUBLIC_ NTSTATUS auth4_sam_init(TALLOC_CTX *);
 _PUBLIC_ NTSTATUS auth4_sam_init(TALLOC_CTX *ctx)
 {
@@ -978,11 +888,5 @@ _PUBLIC_ NTSTATUS auth4_sam_init(TALLOC_CTX *ctx)
 		return ret;
 	}
 
-	ret = auth_register(ctx, &sam_failtrusts_ops);
-	if (!NT_STATUS_IS_OK(ret)) {
-		DEBUG(0,("Failed to register 'sam_failtrusts' auth backend!\n"));
-		return ret;
-	}
-
 	return ret;
 }
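Review bot: the backend is selected by its `.name` string ("sam_failtrusts") through auth_register(), so a leftover reference in a method list string elsewhere in the tree would only fail at runtime, not at build time. The commit message says "unused" without pointing at the change that dropped the last user; please name that commit or state that a grep for the string finds no remaining users, so the removal can be checked from the log alone.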
-- 
1.9.1


From 07c2a44e3880f4c4e71cad0bbc85187ac029c9ef Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 27 Nov 2017 13:48:34 +0100
Subject: [PATCH 10/17] s4:auth_winbind: remove unused 'winbind_rodc' backend

This is no longer useful as the 'winbind' backend also
handles the rodc case now.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/auth/ntlm/auth_winbind.c | 55 ----------------------------------------
 1 file changed, 55 deletions(-)

diff --git a/source4/auth/ntlm/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c
index 018940f..40e6bcf 100644
--- a/source4/auth/ntlm/auth_winbind.c
+++ b/source4/auth/ntlm/auth_winbind.c
@@ -49,48 +49,6 @@ static NTSTATUS winbind_want_check(struct auth_method_context *ctx,
 	return NT_STATUS_OK;
 }
 
-static NTSTATUS winbind_rodc_want_check(struct auth_method_context *ctx,
-					TALLOC_CTX *mem_ctx,
-					const struct auth_usersupplied_info *user_info)
-{
-	int ret;
-	bool am_rodc;
-
-	if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
-		return NT_STATUS_NOT_IMPLEMENTED;
-	}
-
-	if (ctx->auth_ctx->sam_ctx == NULL) {
-		DBG_ERR("ctx->auth_ctx->sam_ctx == NULL, don't check.\n");
-		return NT_STATUS_NOT_IMPLEMENTED;
-	}
-
-	ret = samdb_rodc(ctx->auth_ctx->sam_ctx, &am_rodc);
-	if (ret != LDB_SUCCESS) {
-		DBG_ERR("samdb_rodc() failed %d %s, don't check.\n",
-			ret, ldb_errstring(ctx->auth_ctx->sam_ctx));
-		return NT_STATUS_NOT_IMPLEMENTED;
-	}
-
-	if (!am_rodc) {
-		/*
-		 * We don't support trusts yet and we
-		 * don't want to add them using the
-		 * semi-async irpc call that uses
-		 * a nested event loop.
-		 */
-		return NT_STATUS_NOT_IMPLEMENTED;
-	}
-
-	/*
-	 * We're a RODC, so we forward the request to our winbind.
-	 * As the RODC is not yet production ready anyway, we keep
-	 * the semi-async behavior with nested event loops in order
-	 * to keep autobuild happy.
-	 */
-	return NT_STATUS_OK;
-}
-
 struct winbind_check_password_state {
 	struct auth_method_context *ctx;
 	const struct auth_usersupplied_info *user_info;
@@ -440,13 +398,6 @@ static const struct auth_operations winbind_ops = {
 	.check_password_recv	= winbind_check_password_recv
 };
 
-static const struct auth_operations winbind_rodc_ops = {
-	.name			= "winbind_rodc",
-	.want_check		= winbind_rodc_want_check,
-	.check_password_send	= winbind_check_password_send,
-	.check_password_recv	= winbind_check_password_recv
-};
-
 static const struct auth_operations winbind_wbclient_ops = {
 	.name		= "winbind_wbclient",
 	.want_check	= winbind_want_check,
@@ -463,12 +414,6 @@ _PUBLIC_ NTSTATUS auth4_winbind_init(TALLOC_CTX *ctx)
 		return ret;
 	}
 
-	ret = auth_register(ctx, &winbind_rodc_ops);
-	if (!NT_STATUS_IS_OK(ret)) {
-		DEBUG(0,("Failed to register 'winbind_rodc' auth backend!\n"));
-		return ret;
-	}
-
 	ret = auth_register(ctx, &winbind_wbclient_ops);
 	if (!NT_STATUS_IS_OK(ret)) {
 		DEBUG(0,("Failed to register 'winbind_wbclient' auth backend!\n"));
-- 
1.9.1


From 9b4f46ab56ee72ac29514f0170a2f7c8f0b1f7cd Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 27 Nov 2017 13:48:34 +0100
Subject: [PATCH 11/17] s4:auth_winbind: remove unused 'winbind_wbclient'
 backend

This is no longer useful as it doesn't support async requests.

It could be readded using pthreadpool_tevent_job_send()
and wbcCtxAuthenticateUserEx() if required.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/auth/ntlm/auth_winbind.c | 108 ---------------------------------------
 1 file changed, 108 deletions(-)

diff --git a/source4/auth/ntlm/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c
index 40e6bcf..e887d5e 100644
--- a/source4/auth/ntlm/auth_winbind.c
+++ b/source4/auth/ntlm/auth_winbind.c
@@ -295,102 +295,6 @@ static NTSTATUS winbind_check_password_recv(struct tevent_req *req,
 	return NT_STATUS_OK;
 }
 
-/*
- Authenticate a user with a challenge/response
- using the samba3 winbind protocol via libwbclient
-*/
-static NTSTATUS winbind_check_password_wbclient(struct auth_method_context *ctx,
-						TALLOC_CTX *mem_ctx,
-						const struct auth_usersupplied_info *user_info,
-						struct auth_user_info_dc **user_info_dc,
-						bool *authoritative)
-{
-	struct wbcAuthUserParams params;
-	struct wbcAuthUserInfo *info = NULL;
-	struct wbcAuthErrorInfo *err = NULL;
-	wbcErr wbc_status;
-	NTSTATUS nt_status;
-	struct netr_SamInfo6 *info6 = NULL;
-	union netr_Validation validation;
-
-	/* Send off request */
-	const struct auth_usersupplied_info *user_info_temp;
-	nt_status = encrypt_user_info(mem_ctx, ctx->auth_ctx,
-				      AUTH_PASSWORD_RESPONSE,
-				      user_info, &user_info_temp);
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		return nt_status;
-	}
-	user_info = user_info_temp;
-
-	ZERO_STRUCT(params);
-	ZERO_STRUCT(validation);
-	/*params.flags = WBFLAG_PAM_INFO3_NDR;*/
-
-	params.parameter_control = user_info->logon_parameters;
-	params.parameter_control |= WBC_MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT |
-				    WBC_MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT;
-	params.level = WBC_AUTH_USER_LEVEL_RESPONSE;
-
-	params.account_name     = user_info->client.account_name;
-	params.domain_name      = user_info->client.domain_name;
-	params.workstation_name = user_info->workstation_name;
-
-	DEBUG(5,("looking up %s@%s logging in from %s\n",
-		  params.account_name, params.domain_name,
-		  params.workstation_name));
-
-	memcpy(params.password.response.challenge,
-	       ctx->auth_ctx->challenge.data.data,
-	       sizeof(params.password.response.challenge));
-
-	params.password.response.lm_length =
-		user_info->password.response.lanman.length;
-	params.password.response.nt_length =
-		user_info->password.response.nt.length;
-
-	params.password.response.lm_data =
-		user_info->password.response.lanman.data;
-	params.password.response.nt_data =
-		user_info->password.response.nt.data;
-
-	wbc_status = wbcAuthenticateUserEx(&params, &info, &err);
-	if (wbc_status == WBC_ERR_AUTH_ERROR) {
-		if (err) {
-			DEBUG(1, ("error was %s (0x%08x)\nerror message was '%s'\n",
-			      err->nt_string, err->nt_status, err->display_string));
-			nt_status = NT_STATUS(err->nt_status);
-			wbcFreeMemory(err);
-		} else {
-			nt_status = NT_STATUS_LOGON_FAILURE;
-		}
-		NT_STATUS_NOT_OK_RETURN(nt_status);
-	} else if (!WBC_ERROR_IS_OK(wbc_status)) {
-		DEBUG(1, ("wbcAuthenticateUserEx: failed with %u - %s\n",
-			wbc_status, wbcErrorString(wbc_status)));
-		if (err) {
-			DEBUG(1, ("error was %s (0x%08x)\nerror message was '%s'\n",
-			      err->nt_string, err->nt_status, err->display_string));
-		}
-		return NT_STATUS_LOGON_FAILURE;
-	}
-	info6 = wbcAuthUserInfo_to_netr_SamInfo6(mem_ctx, info);
-	wbcFreeMemory(info);
-	if (!info6) {
-		DEBUG(1, ("wbcAuthUserInfo_to_netr_SamInfo6 failed\n"));
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	validation.sam6 = info6;
-	nt_status = make_user_info_dc_netlogon_validation(mem_ctx,
-							  user_info->client.account_name,
-							  6, &validation,
-							  true, /* This user was authenticated */
-							  user_info_dc);
-	return nt_status;
-
-}
-
 static const struct auth_operations winbind_ops = {
 	.name			= "winbind",
 	.want_check		= winbind_want_check,
@@ -398,12 +302,6 @@ static const struct auth_operations winbind_ops = {
 	.check_password_recv	= winbind_check_password_recv
 };
 
-static const struct auth_operations winbind_wbclient_ops = {
-	.name		= "winbind_wbclient",
-	.want_check	= winbind_want_check,
-	.check_password	= winbind_check_password_wbclient
-};
-
 _PUBLIC_ NTSTATUS auth4_winbind_init(TALLOC_CTX *ctx)
 {
 	NTSTATUS ret;
@@ -414,11 +312,5 @@ _PUBLIC_ NTSTATUS auth4_winbind_init(TALLOC_CTX *ctx)
 		return ret;
 	}
 
-	ret = auth_register(ctx, &winbind_wbclient_ops);
-	if (!NT_STATUS_IS_OK(ret)) {
-		DEBUG(0,("Failed to register 'winbind_wbclient' auth backend!\n"));
-		return ret;
-	}
-
 	return NT_STATUS_OK;
 }
-- 
1.9.1


From 2f838fe60ce8f540a7d060faa69b3b9a7c0389e7 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 19 Jun 2017 10:56:38 +0200
Subject: [PATCH 12/17] docs-xml: remove unused "auth methods" option

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 docs-xml/smbdotconf/security/authmethods.xml | 34 ----------------------------
 1 file changed, 34 deletions(-)
 delete mode 100644 docs-xml/smbdotconf/security/authmethods.xml

diff --git a/docs-xml/smbdotconf/security/authmethods.xml b/docs-xml/smbdotconf/security/authmethods.xml
deleted file mode 100644
index 17323aa..0000000
--- a/docs-xml/smbdotconf/security/authmethods.xml
+++ /dev/null
@@ -1,34 +0,0 @@
-<samba:parameter name="auth methods"
-                 context="G"
-                 type="cmdlist"
-                 deprecated="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
-
-    <para>
-    This option allows the administrator to chose what authentication methods <command  moreinfo="none">smbd</command> 
-    will use when authenticating a user. This option defaults to sensible values based on <smbconfoption name="security"/>.  
-    This should be considered a developer option and used only in rare circumstances.  In the majority (if not all) 
-    of production servers, the default setting should be adequate.
-    </para>
-
-    <para>
-    Each entry in the list attempts to authenticate the user in turn, until
-    the user authenticates.  In practice only one method will ever actually 
-    be able to complete the authentication.
-    </para>
-
-    <para>
-    Possible options include <constant>guest</constant> (anonymous access), 
-    <constant>sam</constant> (lookups in local list of accounts based on netbios 
-    name or domain name), <constant>winbind</constant> (relay authentication requests
-    for remote users through winbindd), <constant>ntdomain</constant> (pre-winbindd 
-    method of authentication for remote domain users; deprecated in favour of winbind method), 
-    <constant>trustdomain</constant> (authenticate trusted users by contacting the 
-    remote DC directly from smbd; deprecated in favour of winbind method).
-    </para>
-
-</description>
-<value type="default"/>
-<value type="example">guest sam winbind</value>
-</samba:parameter>
-- 
1.9.1


From f3c70d928d6c3b2cac53118e3f1d3de591c41c00 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 19 Jun 2017 10:43:25 +0200
Subject: [PATCH 13/17] s3:auth: is_trusted_domain() is now only useful (and
 used as DC)

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth_util.c | 59 ++++++++----------------------------------------
 1 file changed, 10 insertions(+), 49 deletions(-)

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index fbc3642..464fe25 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1505,6 +1505,8 @@ NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
 /**
  * Verify whether or not given domain is trusted.
  *
+ * This should only be used on a DC.
+ *
  * @param domain_name name of the domain to be verified
  * @return true if domain is one of the trusted ones or
  *         false if otherwise
@@ -1512,13 +1514,11 @@ NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
 
 bool is_trusted_domain(const char* dom_name)
 {
-	struct dom_sid trustdom_sid;
 	bool ret;
 
-	/* no trusted domains for a standalone server */
-
-	if ( lp_server_role() == ROLE_STANDALONE )
+	if (!IS_DC) {
 		return false;
+	}
 
 	if (dom_name == NULL || dom_name[0] == '\0') {
 		return false;
@@ -1528,52 +1528,13 @@ bool is_trusted_domain(const char* dom_name)
 		return false;
 	}
 
-	/* if we are a DC, then check for a direct trust relationships */
-
-	if ( IS_DC ) {
-		become_root();
-		DEBUG (5,("is_trusted_domain: Checking for domain trust with "
-			  "[%s]\n", dom_name ));
-		ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
-		unbecome_root();
-		if (ret)
-			return true;
-	}
-	else {
-		wbcErr result;
-
-		/* If winbind is around, ask it */
-
-		result = wb_is_trusted_domain(dom_name);
-
-		if (result == WBC_ERR_SUCCESS) {
-			return true;
-		}
-
-		if (result == WBC_ERR_DOMAIN_NOT_FOUND) {
-			/* winbind could not find the domain */
-			return false;
-		}
-
-		DEBUG(10, ("wb_is_trusted_domain returned error: %s\n",
-			  wbcErrorString(result)));
-
-		/* The only other possible result is that winbind is not up
-		   and running. We need to update the trustdom_cache
-		   ourselves */
-
-		update_trustdom_cache();
-	}
-
-	/* now the trustdom cache should be available a DC could still
-	 * have a transitive trust so fall back to the cache of trusted
-	 * domains (like a domain member would use  */
+	become_root();
+	DEBUG (5,("is_trusted_domain: Checking for domain trust with "
+		  "[%s]\n", dom_name ));
+	ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
+	unbecome_root();
 
-	if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) {
-		return true;
-	}
-
-	return false;
+	return ret;
 }
 
 
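Review bot: on a DC the old code did not stop at pdb_get_trusteddom_pw(); when that lookup failed it fell through to trustdom_cache_fetch(), and the deleted comment gives the reason ("a DC could still have a transitive trust so fall back to the cache of trusted domains"). The new `return ret;` drops that fallback, so a domain known only through the trustdom cache is now reported as untrusted. The commit message is empty; please state whether this is intended and why the transitive-trust case no longer matters. The earlier hunk also makes every non-DC caller get false where a domain member used to ask winbindd via wb_is_trusted_domain(); listing the remaining callers in the commit message would show that none of them runs on a member server.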
-- 
1.9.1


From f13b4a10b061c5f81bb387fd90c82f2ce52ff192 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 7 Aug 2017 17:29:41 +0200
Subject: [PATCH 14/17] tests/posixacl.py: remove useless 'profile acls' based
 test

test_setntacl_smbd_dont_invalidate_getntacl_smbd() is basically
the same as test_setntacl_smbd_getntacl_smbd()

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 python/samba/tests/posixacl.py | 17 -----------------
 1 file changed, 17 deletions(-)

diff --git a/python/samba/tests/posixacl.py b/python/samba/tests/posixacl.py
index 8dc2098..f34c7d6 100644
--- a/python/samba/tests/posixacl.py
+++ b/python/samba/tests/posixacl.py
@@ -119,23 +119,6 @@ class PosixAclMappingTests(TestCaseInTempDir):
         anysid = security.dom_sid(security.SID_NT_SELF)
         self.assertEquals(simple_acl_from_posix, facl.as_sddl(anysid))
 
-    def test_setntacl_smbd_dont_invalidate_getntacl_smbd(self):
-        # set an ACL on a tempfile
-        acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
-        os.chmod(self.tempf, 0750)
-        setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=False)
-
-        # now influence the POSIX ACL->SD mapping it returns something else than
-        # what was set previously
-        # this should not invalidate the hash and the complete ACL should still
-        # be returned
-        self.lp.set("profile acls", "yes")
-        # we should still get back the ACL (and not one mapped from POSIX ACL)
-        facl = getntacl(self.lp, self.tempf, direct_db_access=False)
-        self.lp.set("profile acls", "no")
-        anysid = security.dom_sid(security.SID_NT_SELF)
-        self.assertEquals(acl, facl.as_sddl(anysid))
-
     def test_setntacl_getntacl_smbd(self):
         acl = "O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512)"
         setntacl(self.lp, self.tempf, acl, "S-1-5-21-2212615479-2695158682-2101375467", use_ntvfs=True)
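Review bot: the removed test sets the ACL with use_ntvfs=False and reads it back with direct_db_access=False, while the neighbouring test visible in the context, test_setntacl_getntacl_smbd(), sets it with use_ntvfs=True. The commit message names test_setntacl_smbd_getntacl_smbd() as the equivalent, which is not part of this hunk; please confirm that test uses the same use_ntvfs=False / direct_db_access=False combination, otherwise the smbd-set plus smbd-get path loses coverage with this removal.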
-- 
1.9.1


From 88eddecdb44669f9832040978cfbd043c6f31383 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 7 Aug 2017 17:24:19 +0200
Subject: [PATCH 15/17] s3:smbd: remove deprecated handling of "profile acls =
 yes"

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/smbd/posix_acls.c | 83 +----------------------------------------------
 1 file changed, 1 insertion(+), 82 deletions(-)

diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index e4b16b9..8d42535 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -3237,41 +3237,6 @@ static size_t merge_default_aces( struct security_ace *nt_ace_list, size_t num_a
 	return num_aces;
 }
 
-/*
- * Add or Replace ACE entry.
- * In some cases we need to add a specific ACE for compatibility reasons.
- * When doing that we must make sure we are not actually creating a duplicate
- * entry. So we need to search whether an ACE entry already exist and eventually
- * replacce the access mask, or add a completely new entry if none was found.
- *
- * This function assumes the array has enough space to add a new entry without
- * any reallocation of memory.
- */
-
-static void add_or_replace_ace(struct security_ace *nt_ace_list, size_t *num_aces,
-				const struct dom_sid *sid, enum security_ace_type type,
-				uint32_t mask, uint8_t flags)
-{
-	size_t i;
-
-	/* first search for a duplicate */
-	for (i = 0; i < *num_aces; i++) {
-		if (dom_sid_equal(&nt_ace_list[i].trustee, sid) &&
-		    (nt_ace_list[i].flags == flags)) break;
-	}
-
-	if (i < *num_aces) { /* found */
-		nt_ace_list[i].type = type;
-		nt_ace_list[i].access_mask = mask;
-		DEBUG(10, ("Replacing ACE %zu with SID %s and flags %02x\n",
-			   i, sid_string_dbg(sid), flags));
-		return;
-	}
-
-	/* not found, append it */
-	init_sec_ace(&nt_ace_list[(*num_aces)++], sid, type, mask, flags);
-}
-
 
 /****************************************************************************
  Reply to query a security descriptor from an fsp. If it succeeds it allocates
@@ -3300,8 +3265,6 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
 	canon_ace *file_ace = NULL;
 	canon_ace *dir_ace = NULL;
 	struct security_ace *nt_ace_list = NULL;
-	size_t num_profile_acls = 0;
-	struct dom_sid orig_owner_sid;
 	struct security_descriptor *psd = NULL;
 
 	/*
@@ -3310,14 +3273,6 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
 
 	create_file_sids(sbuf, &owner_sid, &group_sid);
 
-	if (lp_profile_acls(SNUM(conn))) {
-		/* For WXP SP1 the owner must be administrators. */
-		sid_copy(&orig_owner_sid, &owner_sid);
-		sid_copy(&owner_sid, &global_sid_Builtin_Administrators);
-		sid_copy(&group_sid, &global_sid_Builtin_Users);
-		num_profile_acls = 3;
-	}
-
 	if (security_info & SECINFO_DACL) {
 
 		/*
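Review bot: the commit message has no body, yet the block removed in this hunk changes what clients are told. With the option set, owner_sid and group_sid were overwritten with global_sid_Builtin_Administrators and global_sid_Builtin_Users; after this patch the values from create_file_sids() are always reported. Please add a sentence to the message saying that shares which relied on "profile acls = yes" will now report the real owner and group, and name the replacement (the documentation deleted in patch 16 points at the "acl_xattr" vfs module).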
@@ -3362,7 +3317,7 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
 
 			nt_ace_list = talloc_zero_array(
 				talloc_tos(), struct security_ace,
-				num_acls + num_profile_acls + num_def_acls);
+				num_acls + num_def_acls);
 
 			if (nt_ace_list == NULL) {
 				DEBUG(0,("get_nt_acl: Unable to malloc space for nt_ace_list.\n"));
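Review bot: sizing the array as num_acls + num_def_acls is only safe because every add_or_replace_ace() call is removed in the same commit. The comment on that function says it "assumes the array has enough space to add a new entry without any reallocation of memory", and the three slots reserved through num_profile_acls are what provided that space. All three call sites visible in this patch are removed, and the function is static, so a leftover caller would not compile. It is still worth one line in the commit message, so that a backport does not take the allocation change without the call-site removals.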
@@ -3385,15 +3340,6 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
 					ace->ace_flags);
 			}
 
-			/* The User must have access to a profile share - even
-			 * if we can't map the SID. */
-			if (lp_profile_acls(SNUM(conn))) {
-				add_or_replace_ace(nt_ace_list, &num_aces,
-						   &global_sid_Builtin_Users,
-						   SEC_ACE_TYPE_ACCESS_ALLOWED,
-						   FILE_GENERIC_ALL, 0);
-			}
-
 			for (ace = dir_ace; ace != NULL; ace = ace->next) {
 				uint32_t acc = map_canon_ace_perms(SNUM(conn),
 						&nt_acl_type,
@@ -3409,18 +3355,6 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
 					SEC_ACE_FLAG_INHERIT_ONLY);
 			}
 
-			/* The User must have access to a profile share - even
-			 * if we can't map the SID. */
-			if (lp_profile_acls(SNUM(conn))) {
-				add_or_replace_ace(nt_ace_list, &num_aces,
-						&global_sid_Builtin_Users,
-						SEC_ACE_TYPE_ACCESS_ALLOWED,
-						FILE_GENERIC_ALL,
-						SEC_ACE_FLAG_OBJECT_INHERIT |
-						SEC_ACE_FLAG_CONTAINER_INHERIT |
-						SEC_ACE_FLAG_INHERIT_ONLY);
-			}
-
 			/*
 			 * Merge POSIX default ACLs and normal ACLs into one NT ACE.
 			 * Win2K needs this to get the inheritance correct when replacing ACLs
@@ -3428,21 +3362,6 @@ static NTSTATUS posix_get_nt_acl_common(struct connection_struct *conn,
 			 */
 
 			num_aces = merge_default_aces(nt_ace_list, num_aces);
-
-			if (lp_profile_acls(SNUM(conn))) {
-				size_t i;
-
-				for (i = 0; i < num_aces; i++) {
-					if (dom_sid_equal(&nt_ace_list[i].trustee, &owner_sid)) {
-						add_or_replace_ace(nt_ace_list, &num_aces,
-	    							   &orig_owner_sid,
-			    					   nt_ace_list[i].type,
-					    			   nt_ace_list[i].access_mask,
-								   nt_ace_list[i].flags);
-						break;
-					}
-				}
-			}
 		}
 
 		if (num_aces) {
-- 
1.9.1


From 99f362bc08eb5f1172bbebcb4b794c053f0bbb76 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 7 Aug 2017 17:31:13 +0200
Subject: [PATCH 16/17] docs-xml: remove deprecated 'profile acls' option

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 docs-xml/smbdotconf/protocol/profileacls.xml | 62 ----------------------------
 source3/param/loadparm.c                     |  1 -
 2 files changed, 63 deletions(-)
 delete mode 100644 docs-xml/smbdotconf/protocol/profileacls.xml

diff --git a/docs-xml/smbdotconf/protocol/profileacls.xml b/docs-xml/smbdotconf/protocol/profileacls.xml
deleted file mode 100644
index a660c52..0000000
--- a/docs-xml/smbdotconf/protocol/profileacls.xml
+++ /dev/null
@@ -1,62 +0,0 @@
-<samba:parameter name="profile acls"
-                 context="S"
-                 type="boolean"
-                 deprecated="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
-	<para>
-	As most system support support posix acls and extended attributes
-	today. The "acl_xattr" vfs module should be used instead of
-	using <smbconfoption name="profile acls">yes</smbconfoption>.
-	Using an vfs module that provides nfs4 acls may also work.
-	</para>
-
-	<para>
-	With modern clients (as of 2017) it's not possible to
-	use <smbconfoption name="profile acls">yes</smbconfoption> anymore.
-	</para>
-
-	<para>
-	This boolean parameter was added to fix the problems that people have been
-	having with storing user profiles on Samba shares from Windows 2000 or
-	Windows XP clients. New versions of Windows 2000 or Windows XP service
-	packs do security ACL checking on the owner and ability to write of the
-	profile directory stored on a local workstation when copied from a Samba
-	share.
-	</para>
-
-	<para>
-	When not in domain mode with winbindd then the security info copied
-	onto the local workstation has no meaning to the logged in user (SID) on
-	that workstation so the profile storing fails. Adding this parameter
-	onto a share used for profile storage changes two things about the
-	returned Windows ACL. Firstly it changes the owner and group owner
-	of all reported files and directories to be BUILTIN\\Administrators,
-	BUILTIN\\Users respectively (SIDs S-1-5-32-544, S-1-5-32-545). Secondly
-	it adds an ACE entry of "Full Control" to the SID BUILTIN\\Users to
-	every returned ACL. This will allow any Windows 2000 or XP workstation
-	user to access the profile.
-	</para>
-
-	<para>
-	Note that if you have multiple users logging
-	on to a workstation then in order to prevent them from being able to access
-	each others profiles you must remove the "Bypass traverse checking" advanced
-	user right. This will prevent access to other users profile directories as
-	the top level profile directory (named after the user) is created by the
-	workstation profile code and has an ACL restricting entry to the directory
-	tree to the owning user.
-	</para>
-
-	<para>
-	Note that this parameter should be set to yes on dedicated profile shares only.
-	On other shares, it might cause incorrect file ownerships.
-	</para>
-
-	<para>
-	This parameter is deprecated with Samba 4.7 and will be removed in future versions.
-	</para>
-</description>
-
-<value type="default">no</value>
-</samba:parameter>
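Review bot: deleting this file removes the migration advice in its first paragraph (use the "acl_xattr" vfs module, or a vfs module that provides nfs4 acls), and the WHATSNEW entry added in patch 17 says only "Removed". Suggest carrying one line of that advice into WHATSNEW or the commit message, so an admin who still has "profile acls = yes" in smb.conf can find out what to use instead.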
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 82f9d8e..dcb540a 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -229,7 +229,6 @@ static const struct loadparm_service _sDefault =
 	.nt_acl_support = true,
 	.force_unknown_acl_user = false,
 	._use_sendfile = false,
-	.profile_acls = false,
 	.map_acl_inherit = false,
 	.afs_share = false,
 	.ea_support = false,
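Review bot: the subject is prefixed "docs-xml:" but this hunk edits source3/param/loadparm.c, and the message has no body to explain why. If the .profile_acls initializer has to go in the same commit as the XML file, for example to keep each commit buildable, say so in the message; otherwise someone searching the log for loadparm.c changes will not expect to find one under a docs-xml subject.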
-- 
1.9.1


From 0d102cf380bf1ff06022f06e1be8576007dd91f6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 7 Aug 2017 17:32:09 +0200
Subject: [PATCH 17/17] WHATSNEW: document the removal of 'auth methods', 'map
 untrusted to domain' and 'profile acls'

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 WHATSNEW.txt | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 8f5986e..7eaa13d 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -34,10 +34,13 @@ smb.conf changes
 
   Parameter Name                     Description             Default
   --------------                     -----------             -------
-  binddns dir			     New
-  gpo update command		     New
+  auth methods                       Removed
+  binddns dir                        New
+  gpo update command                 New
+  map untrusted to domain            Removed
   oplock contention limit            Removed
-  prefork children		     New		     1
+  prefork children                   New                     1
+  profile acls                       Removed
 
 
 NT4-style replication based net commands removed
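Review bot: this hunk mixes a whitespace cleanup with the three new entries. The "binddns dir", "gpo update command" and "prefork children" rows are rewritten only to replace tabs with spaces, which makes the 6 insertions and 3 deletions look larger than the actual content change. Either mention the realignment in the commit message or do it in a separate commit. The three "Removed" rows themselves are placed in alphabetical order, consistent with the existing "oplock contention limit" row.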
-- 
1.9.1
