[Patches] removal of 'use spnego' and 'winbind trusted domains only'

Stefan Metzmacher metze at samba.org
Thu Dec 7 13:45:00 UTC 2017


Hi,

here're patches to remove the long deprecated options,
'use spnego' and 'winbind trusted domains only' options.

This patchset is based on top of the patchset that removes 'auth methods',
'map untrusted to domain' and 'profile acls'.

Please review and push:-)

Thanks!
metze
-------------- next part --------------
From af919f7a1d5d083140874b16d746b5cfbe403799 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 7 Dec 2017 10:54:21 +0100
Subject: [PATCH 1/8] winbindd: remove 'winbind trusted domains only' handling

This parameter is already deprecated in favor of the newer idmap_nss backend.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/winbindd/wb_getgrsid.c       | 11 -----------
 source3/winbindd/wb_queryuser.c      | 12 ------------
 source3/winbindd/winbindd_getpwnam.c |  9 ---------
 source3/winbindd/winbindd_util.c     |  5 +----
 4 files changed, 1 insertion(+), 36 deletions(-)

diff --git a/source3/winbindd/wb_getgrsid.c b/source3/winbindd/wb_getgrsid.c
index b210645..fa26ea8 100644
--- a/source3/winbindd/wb_getgrsid.c
+++ b/source3/winbindd/wb_getgrsid.c
@@ -60,17 +60,6 @@ struct tevent_req *wb_getgrsid_send(TALLOC_CTX *mem_ctx,
 		return tevent_req_post(req, ev);
 	}
 
-	if (lp_winbind_trusted_domains_only()) {
-		struct winbindd_domain *our_domain = find_our_domain();
-
-		if (dom_sid_compare_domain(group_sid, &our_domain->sid) == 0) {
-			DEBUG(7, ("winbindd_getgrsid: My domain -- rejecting "
-				  "getgrsid() for %s\n", sid_string_tos(group_sid)));
-			tevent_req_nterror(req, NT_STATUS_NO_SUCH_GROUP);
-			return tevent_req_post(req, ev);
-		}
-	}
-
 	subreq = wb_lookupsid_send(state, ev, &state->sid);
 	if (tevent_req_nomem(subreq, req)) {
 		return tevent_req_post(req, ev);
diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c
index 1c91949..17170c3 100644
--- a/source3/winbindd/wb_queryuser.c
+++ b/source3/winbindd/wb_queryuser.c
@@ -50,18 +50,6 @@ struct tevent_req *wb_queryuser_send(TALLOC_CTX *mem_ctx,
 	}
 	state->ev = ev;
 
-	if (lp_winbind_trusted_domains_only()) {
-		struct winbindd_domain *our_domain = find_our_domain();
-
-		if (dom_sid_compare_domain(user_sid, &our_domain->sid) == 0) {
-			char buf[DOM_SID_STR_BUFLEN];
-			dom_sid_string_buf(user_sid, buf, sizeof(buf));
-			DBG_NOTICE("My domain -- rejecting %s\n", buf);
-			tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
-			return tevent_req_post(req, ev);
-		}
-	}
-
 	state->info = talloc_zero(state, struct wbint_userinfo);
 	if (tevent_req_nomem(state->info, req)) {
 		return tevent_req_post(req, ev);
diff --git a/source3/winbindd/winbindd_getpwnam.c b/source3/winbindd/winbindd_getpwnam.c
index f2c9336..73d3b33 100644
--- a/source3/winbindd/winbindd_getpwnam.c
+++ b/source3/winbindd/winbindd_getpwnam.c
@@ -71,15 +71,6 @@ struct tevent_req *winbindd_getpwnam_send(TALLOC_CTX *mem_ctx,
 		return tevent_req_post(req, ev);
 	}
 
-	if (lp_winbind_trusted_domains_only()
-	    && strequal(state->domname, lp_workgroup())) {
-		DEBUG(7,("winbindd_getpwnam: My domain -- "
-			 "rejecting getpwnam() for %s\\%s.\n",
-			 state->domname, state->username));
-		tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
-		return tevent_req_post(req, ev);
-	}
-
 	subreq = wb_lookupname_send(state, ev, state->domname, state->username,
 				    LOOKUP_NAME_NO_NSS);
 	if (tevent_req_nomem(subreq, req)) {
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 34f38e5..b3439d0 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1085,7 +1085,7 @@ static bool assume_domain(const char *domain)
 		if ( !strequal(lp_workgroup(), domain) )
 			return False;
 
-		if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
+		if ( lp_winbind_use_default_domain() )
 			return True;
 	}
 
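Review bot: Dropping `lp_winbind_trusted_domains_only()` from this condition changes behaviour for member servers that relied on that option alone (without `winbind use default domain = yes`): for the local workgroup `assume_domain()` now returns False where it used to return True, so unqualified user names are presumably no longer assumed to belong to the primary domain. That is a user-visible change beyond "option removed", so I would spell out the migration path in the WHATSNEW entry, e.g. `winbind trusted domains only  Removed  (use idmap_nss together with 'winbind use default domain')`, and, if the comment block at the head of `assume_domain()` still mentions the old option, update it in the same patch. The function begins outside this hunk, so I cannot see whether such a comment exists.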
@@ -1166,9 +1166,6 @@ bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
 
     If we are a PDC or BDC, and this is for our domain, do likewise.
 
-    Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
-    username is then unqualified in unix
-
     On an AD DC we always fill DOMAIN\\USERNAME.
 
     We always canonicalize as UPPERCASE DOMAIN, lowercase username.
-- 
1.9.1


From 6de0a28731c8dcec0fcd5ddc9356827d3dea3976 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 7 Dec 2017 11:10:42 +0100
Subject: [PATCH 2/8] docs-xml: remove deprecated 'winbind trusted domains
 only' option

This parameter is already deprecated in favor of the newer idmap_nss backend.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 docs-xml/manpages/idmap_nss.8.xml                  |  3 +--
 .../winbind/winbindtrusteddomainsonly.xml          | 22 ----------------------
 source3/param/loadparm.c                           |  1 -
 3 files changed, 1 insertion(+), 25 deletions(-)
 delete mode 100644 docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml

diff --git a/docs-xml/manpages/idmap_nss.8.xml b/docs-xml/manpages/idmap_nss.8.xml
index 303a0f4..f390cd6 100644
--- a/docs-xml/manpages/idmap_nss.8.xml
+++ b/docs-xml/manpages/idmap_nss.8.xml
@@ -20,8 +20,7 @@
 	<title>DESCRIPTION</title>
 
 	<para>The idmap_nss plugin provides a means to map Unix users and groups
-	to Windows accounts and obsoletes the "winbind trusted domains only"
-	smb.conf option.  This provides a simple means of ensuring that the SID
+	to Windows accounts. This provides a simple means of ensuring that the SID
 	for a Unix user named jsmith is reported as the one assigned to
 	DOMAIN\jsmith which is necessary for reporting ACLs on files and printers
 	stored on a Samba member server.
diff --git a/docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml b/docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml
deleted file mode 100644
index 3d420c7..0000000
--- a/docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml
+++ /dev/null
@@ -1,22 +0,0 @@
-<samba:parameter name="winbind trusted domains only"
-                 context="G"
-                 type="boolean"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
-	<para>
-	This parameter is designed to allow Samba servers that are members 
-	of a Samba controlled domain to use UNIX accounts distributed via NIS, 
-	rsync, or LDAP as the uid's for winbindd users in the hosts primary domain.
-	Therefore, the user <literal>DOMAIN\user1</literal> would be mapped to 
-	the account user1 in /etc/passwd instead of allocating a new uid for him or her.
-	</para>
-
-	<para>
-	This parameter is now deprecated in favor of the newer idmap_nss backend.
-	Refer to the <citerefentry><refentrytitle>idmap_nss</refentrytitle>
-	<manvolnum>8</manvolnum></citerefentry> man page for more information.
-	</para>
-</description>
-
-<value type="default">no</value>
-</samba:parameter>
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index dcb540a..138b266 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -817,7 +817,6 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 	Globals.winbind_enum_users = false;
 	Globals.winbind_enum_groups = false;
 	Globals.winbind_use_default_domain = false;
-	Globals.winbind_trusted_domains_only = false;
 	Globals.winbind_nested_groups = true;
 	Globals.winbind_expand_groups = 0;
 	Globals.winbind_nss_info = str_list_make_v3_const(NULL, "template", NULL);
-- 
1.9.1


From 1363cd170d7c1a551a92233d261e7fcf0305b25a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 7 Dec 2017 11:17:20 +0100
Subject: [PATCH 3/8] WHATSNEW: document removal 'winbind trusted domains only'
 option

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 WHATSNEW.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 7eaa13d..dab54f3 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -41,6 +41,7 @@ smb.conf changes
   oplock contention limit            Removed
   prefork children                   New                     1
   profile acls                       Removed
+  winbind trusted domains only       Removed
 
 
 NT4-style replication based net commands removed
-- 
1.9.1


From 0d5f3235b93c9c1edeba6fe9cdedfe3d1d54d3d7 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 7 Dec 2017 13:00:10 +0100
Subject: [PATCH 4/8] s4:selftest: replace --option=usespnego= with
 --option=clientusespnego=

I guess that's what we try to test here, as 'use spnego' was only evaluated
in the SMB server part.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/selftest/tests.py | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 9c309fc..1a31719 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -219,18 +219,18 @@ for t in net_tests:
 transport = "ncacn_np"
 for env in ["ad_dc_ntvfs", "nt4_dc"]:
     for ntlmoptions in [
-        "-k no --option=usespnego=yes",
-        "-k no --option=usespnego=yes --option=ntlmssp_client:128bit=no",
-        "-k no --option=usespnego=yes --option=ntlmssp_client:56bit=yes",
-        "-k no --option=usespnego=yes --option=ntlmssp_client:56bit=no",
-        "-k no --option=usespnego=yes --option=ntlmssp_client:128bit=no --option=ntlmssp_client:56bit=yes",
-        "-k no --option=usespnego=yes --option=ntlmssp_client:128bit=no --option=ntlmssp_client:56bit=no",
-        "-k no --option=usespnego=yes --option=clientntlmv2auth=yes",
-        "-k no --option=usespnego=yes --option=clientntlmv2auth=yes --option=ntlmssp_client:128bit=no",
-        "-k no --option=usespnego=yes --option=clientntlmv2auth=yes --option=ntlmssp_client:128bit=no --option=ntlmssp_client:56bit=yes",
-        "-k no --option=usespnego=no --option=clientntlmv2auth=yes",
+        "-k no --option=clientusespnego=yes",
+        "-k no --option=clientusespnego=yes --option=ntlmssp_client:128bit=no",
+        "-k no --option=clientusespnego=yes --option=ntlmssp_client:56bit=yes",
+        "-k no --option=clientusespnego=yes --option=ntlmssp_client:56bit=no",
+        "-k no --option=clientusespnego=yes --option=ntlmssp_client:128bit=no --option=ntlmssp_client:56bit=yes",
+        "-k no --option=clientusespnego=yes --option=ntlmssp_client:128bit=no --option=ntlmssp_client:56bit=no",
+        "-k no --option=clientusespnego=yes --option=clientntlmv2auth=yes",
+        "-k no --option=clientusespnego=yes --option=clientntlmv2auth=yes --option=ntlmssp_client:128bit=no",
+        "-k no --option=clientusespnego=yes --option=clientntlmv2auth=yes --option=ntlmssp_client:128bit=no --option=ntlmssp_client:56bit=yes",
+        "-k no --option=clientusespnego=no --option=clientntlmv2auth=yes",
         "-k no --option=gensec:spnego=no --option=clientntlmv2auth=yes",
-        "-k no --option=usespnego=no"]:
+        "-k no --option=clientusespnego=no"]:
         name = "rpc.lsa.secrets on %s with with %s" % (transport, ntlmoptions)
         plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport), ntlmoptions, '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.%s" % name)
     plantestsuite("samba.blackbox.pdbtest(%s)" % env, "%s:local" % env, [os.path.join(bbdir, "test_pdbtest.sh"), '$SERVER', "$PREFIX", "pdbtest", smbclient4, '$SMB_CONF_PATH', configuration])
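Review bot: If the commit message is right that `usespnego` was never read on the client side, then the two `=no` entries (now `clientusespnego=no` at the lines ending the list) previously exercised the default SPNEGO path and only start testing the non-extended-security NT1 negotiation with this rename; the rest of the matrix is unchanged in effect. That is the right fix, but it means these two cases cover a path that had no coverage here before, so I would confirm they pass against both `ad_dc_ntvfs` and `nt4_dc` before pushing, and add a short comment above the list noting that `clientusespnego=no` is what drives the raw NTLMSSP/NT1 fallback now that the server-side knob is gone, e.g. `# clientusespnego=no makes the client omit FLAGS2_EXTENDED_SECURITY; the server no longer has a 'use spnego' option`.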
@@ -452,7 +452,7 @@ plansmbtorture4testsuite("rpc.echo", "rpc_proxy", ['ncacn_ip_tcp:$NETBIOSNAME',
 # Tests SMB signing
 for mech in [
     "-k no",
-    "-k no --option=usespnego=no",
+    "-k no --option=clientusespnego=no",
     "-k no --option=gensec:spengo=no",
     "-k yes",
     "-k yes --option=gensec:fake_gssapi_krb5=yes --option=gensec:gssapi_krb5=no"]:
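Review bot: The context entry `"-k no --option=gensec:spengo=no"` in this list (and the identical entries in the two following lists) looks like a typo for `gensec:spnego=no`, which the earlier `rpc.lsa.secrets` matrix spells correctly; if so, that signing test case has been silently exercising the same path as plain `-k no`. Since this patch series removes the server-side `use spnego` knob, these client-side options become the only way the signing tests reach the non-SPNEGO path, so I would fix the spelling in the same commit: `"-k no --option=gensec:spnego=no",`. The test name is derived from the option string, so expected-failure/knownfail entries keyed on the old misspelling would need updating too.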
@@ -463,7 +463,7 @@ for mech in [
 
 for mech in [
     "-k no",
-    "-k no --option=usespnego=no",
+    "-k no --option=clientusespnego=no",
     "-k no --option=gensec:spengo=no",
     "-k yes"]:
     signoptions = "%s --signing=off" % mech
@@ -477,7 +477,7 @@ for mech in [
 plantestsuite("samba4.blackbox.bogusdomain", "ad_member", ["testprogs/blackbox/bogus.sh", "$NETBIOSNAME", "xcopy_share", '$USERNAME', '$PASSWORD', '$DC_USERNAME', '$DC_PASSWORD', smbclient4])
 for mech in [
     "-k no",
-    "-k no --option=usespnego=no",
+    "-k no --option=clientusespnego=no",
     "-k no --option=gensec:spengo=no"]:
     signoptions = "%s --signing=off" % mech
     plansmbtorture4testsuite('base.xcopy', "s4member", ['//$NETBIOSNAME/xcopy_share', signoptions, '-U$NETBIOSNAME/$USERNAME%$PASSWORD'], modname="samba4.smb.signing on with %s local-creds" % signoptions)
-- 
1.9.1


From fe80a2f957c73c5e660cb3079357eb7a002b2cce Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 7 Dec 2017 11:35:26 +0100
Subject: [PATCH 5/8] s3:smbd: remove deprecated 'use spnego = no" handling

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/smbd/negprot.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index cdbc2c4..3a9363d 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -282,7 +282,6 @@ static void reply_nt1(struct smb_request *req, uint16_t choice)
 	   supports it and we can do encrypted passwords */
 
 	if (xconn->smb1.negprot.encrypted_passwords &&
-	    lp_use_spnego() &&
 	    (req->flags2 & FLAGS2_EXTENDED_SECURITY)) {
 		negotiate_spnego = True;
 		capabilities |= CAP_EXTENDED_SECURITY;
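Review bot: With `lp_use_spnego()` gone, whether the server offers extended security now depends only on the client's FLAGS2_EXTENDED_SECURITY bit and `encrypted_passwords`, so the only remaining route to a non-SPNEGO NT1 session is a client that omits the flag; that is the security-relevant consequence of removing the knob and is worth a line in the comment that ends at line 322, whose opening is outside the hunk. If that comment still refers to the option, I would reword it to `/* Offer SPNEGO whenever the client advertises extended security and encrypted passwords are in use; there is no longer a server-side option to turn it off. */`. `reply_nt1()` begins before this hunk.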
-- 
1.9.1


From 554e0b375d21935b1a4334f4d2e507e13a797e39 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 7 Dec 2017 11:35:26 +0100
Subject: [PATCH 6/8] s4:smb_server: remove deprecated 'use spnego = no"
 handling

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/smb_server/smb/negprot.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/source4/smb_server/smb/negprot.c b/source4/smb_server/smb/negprot.c
index 79f5069..cc95a60 100644
--- a/source4/smb_server/smb/negprot.c
+++ b/source4/smb_server/smb/negprot.c
@@ -297,7 +297,6 @@ static void reply_nt1(struct smbsrv_request *req, uint16_t choice)
 	   supports it and we can do encrypted passwords */
 	
 	if (req->smb_conn->negotiate.encrypted_passwords && 
-	    lpcfg_use_spnego(req->smb_conn->lp_ctx) &&
 	    (req->flags2 & FLAGS2_EXTENDED_SECURITY)) {
 		negotiate_spnego = true; 
 		capabilities |= CAP_EXTENDED_SECURITY;
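Review bot: Same remark as for the source3 counterpart: after dropping `lpcfg_use_spnego()`, SPNEGO is offered solely on the client's FLAGS2_EXTENDED_SECURITY bit plus `negotiate.encrypted_passwords`, and the comment ending at line 349 (its first line is outside the hunk) should say so if it still alludes to a server-side setting, e.g. `/* Offer SPNEGO whenever the client advertises extended security and encrypted passwords are in use; no server option disables it any more. */`. `reply_nt1()` begins before this hunk.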
-- 
1.9.1


From decc98a762371999787852683b07e7cbd0d416c1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 7 Dec 2017 11:35:26 +0100
Subject: [PATCH 7/8] docs-xml: remove deprecated 'use spnego" option

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 docs-xml/smbdotconf/protocol/usespnego.xml | 19 -------------------
 lib/param/loadparm.c                       |  2 --
 source3/param/loadparm.c                   |  1 -
 3 files changed, 22 deletions(-)
 delete mode 100644 docs-xml/smbdotconf/protocol/usespnego.xml

diff --git a/docs-xml/smbdotconf/protocol/usespnego.xml b/docs-xml/smbdotconf/protocol/usespnego.xml
deleted file mode 100644
index 0c9ffbf..0000000
--- a/docs-xml/smbdotconf/protocol/usespnego.xml
+++ /dev/null
@@ -1,19 +0,0 @@
-<samba:parameter name="use spnego"
-                 context="G"
-                 type="boolean"
-                 deprecated="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
-    <para>This deprecated variable controls whether samba will try 
-    to use Simple and Protected NEGOciation (as specified by rfc2478) with 
-    WindowsXP and Windows2000 clients to agree upon an authentication mechanism. 
-</para>
-
-<para>
-    Unless further issues are discovered with our SPNEGO
-    implementation, there is no reason this should ever be
-	disabled.</para>
-</description>
-
-<value type="default">yes</value>
-</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 1a06af9..d01ea66 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2747,8 +2747,6 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter(lp_ctx, "client ipc signing", "default");
 	lpcfg_do_global_parameter(lp_ctx, "server signing", "default");
 
-	lpcfg_do_global_parameter(lp_ctx, "use spnego", "True");
-
 	lpcfg_do_global_parameter(lp_ctx, "use mmap", "True");
 
 	lpcfg_do_global_parameter(lp_ctx, "smb ports", "445 139");
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 138b266..8f91547 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -830,7 +830,6 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 
 	Globals.name_cache_timeout = 660; /* In seconds */
 
-	Globals.use_spnego = true;
 	Globals.client_use_spnego = true;
 
 	Globals.client_signing = SMB_SIGNING_DEFAULT;
-- 
1.9.1


From 17a7ce487adc08325870e5f8903c9c8ab0045992 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 7 Dec 2017 11:35:26 +0100
Subject: [PATCH 8/8] WHATSNEW: document removal of 'use spnego" option

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 WHATSNEW.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index dab54f3..b37c2c1 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -41,6 +41,7 @@ smb.conf changes
   oplock contention limit            Removed
   prefork children                   New                     1
   profile acls                       Removed
+  use spnego                         Removed
   winbind trusted domains only       Removed
 
 
-- 
1.9.1
