[Patches] removal of 'use spnego' and 'winbind trusted domains only'

Stefan Metzmacher metze at samba.org
Tue Jan 9 14:32:18 UTC 2018


Hi,

here's an updated patchset that passed a private autobuild.

Please review and push:-)

Thanks!
metze

Am 07.12.2017 um 14:45 schrieb Stefan Metzmacher via samba-technical:
> Hi,
> 
> here are patches to remove the long-deprecated 'use spnego' and
> 'winbind trusted domains only' options.
> 
> This patchset is based on the removal of 'auth methods', 'map untrusted
> to domain' and 'profile acls' patchset.
> 
> Please review and push:-)
> 
> Thanks!
> metze
> 

-------------- next part --------------
From 132735bd3ee500e73c54083b789c0d8c3674f1e6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 7 Dec 2017 10:54:21 +0100
Subject: [PATCH 1/8] winbindd: remove 'winbind trusted domains only' handling

This parameter is already deprecated in favor of the newer idmap_nss backend.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/winbindd/wb_getgrsid.c       | 11 -----------
 source3/winbindd/wb_queryuser.c      | 12 ------------
 source3/winbindd/winbindd_getpwnam.c |  9 ---------
 source3/winbindd/winbindd_util.c     |  5 +----
 4 files changed, 1 insertion(+), 36 deletions(-)

diff --git a/source3/winbindd/wb_getgrsid.c b/source3/winbindd/wb_getgrsid.c
index b210645..fa26ea8 100644
--- a/source3/winbindd/wb_getgrsid.c
+++ b/source3/winbindd/wb_getgrsid.c
@@ -60,17 +60,6 @@ struct tevent_req *wb_getgrsid_send(TALLOC_CTX *mem_ctx,
 		return tevent_req_post(req, ev);
 	}
 
-	if (lp_winbind_trusted_domains_only()) {
-		struct winbindd_domain *our_domain = find_our_domain();
-
-		if (dom_sid_compare_domain(group_sid, &our_domain->sid) == 0) {
-			DEBUG(7, ("winbindd_getgrsid: My domain -- rejecting "
-				  "getgrsid() for %s\n", sid_string_tos(group_sid)));
-			tevent_req_nterror(req, NT_STATUS_NO_SUCH_GROUP);
-			return tevent_req_post(req, ev);
-		}
-	}
-
 	subreq = wb_lookupsid_send(state, ev, &state->sid);
 	if (tevent_req_nomem(subreq, req)) {
 		return tevent_req_post(req, ev);
diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c
index 1c91949..17170c3 100644
--- a/source3/winbindd/wb_queryuser.c
+++ b/source3/winbindd/wb_queryuser.c
@@ -50,18 +50,6 @@ struct tevent_req *wb_queryuser_send(TALLOC_CTX *mem_ctx,
 	}
 	state->ev = ev;
 
-	if (lp_winbind_trusted_domains_only()) {
-		struct winbindd_domain *our_domain = find_our_domain();
-
-		if (dom_sid_compare_domain(user_sid, &our_domain->sid) == 0) {
-			char buf[DOM_SID_STR_BUFLEN];
-			dom_sid_string_buf(user_sid, buf, sizeof(buf));
-			DBG_NOTICE("My domain -- rejecting %s\n", buf);
-			tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
-			return tevent_req_post(req, ev);
-		}
-	}
-
 	state->info = talloc_zero(state, struct wbint_userinfo);
 	if (tevent_req_nomem(state->info, req)) {
 		return tevent_req_post(req, ev);
diff --git a/source3/winbindd/winbindd_getpwnam.c b/source3/winbindd/winbindd_getpwnam.c
index f2c9336..73d3b33 100644
--- a/source3/winbindd/winbindd_getpwnam.c
+++ b/source3/winbindd/winbindd_getpwnam.c
@@ -71,15 +71,6 @@ struct tevent_req *winbindd_getpwnam_send(TALLOC_CTX *mem_ctx,
 		return tevent_req_post(req, ev);
 	}
 
-	if (lp_winbind_trusted_domains_only()
-	    && strequal(state->domname, lp_workgroup())) {
-		DEBUG(7,("winbindd_getpwnam: My domain -- "
-			 "rejecting getpwnam() for %s\\%s.\n",
-			 state->domname, state->username));
-		tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
-		return tevent_req_post(req, ev);
-	}
-
 	subreq = wb_lookupname_send(state, ev, state->domname, state->username,
 				    LOOKUP_NAME_NO_NSS);
 	if (tevent_req_nomem(subreq, req)) {
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 34f38e5..b3439d0 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1085,7 +1085,7 @@ static bool assume_domain(const char *domain)
 		if ( !strequal(lp_workgroup(), domain) )
 			return False;
 
-		if ( lp_winbind_use_default_domain() || lp_winbind_trusted_domains_only() )
+		if ( lp_winbind_use_default_domain() )
 			return True;
 	}
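Review bot: Dropping `lp_winbind_trusted_domains_only()` from this condition silently changes name handling for hosts that had only that option set: an unqualified name equal to the workgroup no longer satisfies assume_domain(), and the comment removed in the following hunk shows the option also drove omitting DOMAIN\ in canonicalize_username(). The idmap_nss backend the commit message points to covers the SID-to-uid mapping, not this name qualification behaviour, as far as the visible idmap_nss man page text goes. I would add a WHATSNEW sentence telling such admins to set `winbind use default domain = yes` if they relied on unqualified names resolving in the primary domain, and to verify that their idmap configuration now covers the primary domain explicitly, since the rejection paths removed in wb_getgrsid/wb_queryuser mean primary-domain SIDs will now go through idmap allocation. assume_domain() begins before this hunk.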
 
@@ -1166,9 +1166,6 @@ bool canonicalize_username(fstring username_inout, fstring domain, fstring user)
 
     If we are a PDC or BDC, and this is for our domain, do likewise.
 
-    Also, if omit DOMAIN if 'winbind trusted domains only = true', as the
-    username is then unqualified in unix
-
     On an AD DC we always fill DOMAIN\\USERNAME.
 
     We always canonicalize as UPPERCASE DOMAIN, lowercase username.
-- 
1.9.1


From 60f863243110d31b1fcc88c4188ce40a0fe4f402 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 7 Dec 2017 11:10:42 +0100
Subject: [PATCH 2/8] docs-xml: remove deprecated of 'winbind trusted domains
 only' option

This parameter is already deprecated in favor of the newer idmap_nss backend.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 docs-xml/manpages/idmap_nss.8.xml                  |  3 +--
 .../winbind/winbindtrusteddomainsonly.xml          | 22 ----------------------
 source3/param/loadparm.c                           |  1 -
 3 files changed, 1 insertion(+), 25 deletions(-)
 delete mode 100644 docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml

diff --git a/docs-xml/manpages/idmap_nss.8.xml b/docs-xml/manpages/idmap_nss.8.xml
index b7c5977..fa8a208 100644
--- a/docs-xml/manpages/idmap_nss.8.xml
+++ b/docs-xml/manpages/idmap_nss.8.xml
@@ -20,8 +20,7 @@
 	<title>DESCRIPTION</title>
 
 	<para>The idmap_nss plugin provides a means to map Unix users and groups
-	to Windows accounts and obsoletes the "winbind trusted domains only"
-	smb.conf option.  This provides a simple means of ensuring that the SID
+	to Windows accounts. This provides a simple means of ensuring that the SID
 	for a Unix user named jsmith is reported as the one assigned to
 	DOMAIN\jsmith which is necessary for reporting ACLs on files and printers
 	stored on a Samba member server.
diff --git a/docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml b/docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml
deleted file mode 100644
index 3d420c7..0000000
--- a/docs-xml/smbdotconf/winbind/winbindtrusteddomainsonly.xml
+++ /dev/null
@@ -1,22 +0,0 @@
-<samba:parameter name="winbind trusted domains only"
-                 context="G"
-                 type="boolean"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
-	<para>
-	This parameter is designed to allow Samba servers that are members 
-	of a Samba controlled domain to use UNIX accounts distributed via NIS, 
-	rsync, or LDAP as the uid's for winbindd users in the hosts primary domain.
-	Therefore, the user <literal>DOMAIN\user1</literal> would be mapped to 
-	the account user1 in /etc/passwd instead of allocating a new uid for him or her.
-	</para>
-
-	<para>
-	This parameter is now deprecated in favor of the newer idmap_nss backend.
-	Refer to the <citerefentry><refentrytitle>idmap_nss</refentrytitle>
-	<manvolnum>8</manvolnum></citerefentry> man page for more information.
-	</para>
-</description>
-
-<value type="default">no</value>
-</samba:parameter>
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index a2fcc42..6fa13c1 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -817,7 +817,6 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 	Globals.winbind_enum_users = false;
 	Globals.winbind_enum_groups = false;
 	Globals.winbind_use_default_domain = false;
-	Globals.winbind_trusted_domains_only = false;
 	Globals.winbind_nested_groups = true;
 	Globals.winbind_expand_groups = 0;
 	Globals.winbind_nss_info = str_list_make_v3_const(NULL, "template", NULL);
-- 
1.9.1


From 8e23ac2dce8d82c1867071cb401216fe77e119d0 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 7 Dec 2017 11:17:20 +0100
Subject: [PATCH 3/8] WHATSNEW: document removal 'winbind trusted domains only'
 option

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 WHATSNEW.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 9bcd03c..252604e 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -99,6 +99,7 @@ smb.conf changes
   mdns name                          Added                   netbios
   fruit:time machine                 Added                   false
   profile acls                       Removed
+  winbind trusted domains only       Removed
 
 
 NT4-style replication based net commands removed
-- 
1.9.1


From 022174fe6607aef130dbcdfbba7dad2faf16517e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 7 Dec 2017 13:00:10 +0100
Subject: [PATCH 4/8] s4:selftest: replace --option=usespnego= with
 --option=clientusespnego=

I guess that's what we try to test here, as 'use spnego' was only evaluated
in the smb server part.

This basically tests the 'raw NTLMv2 auth' option; we set it to yes on
some environments, but keep a knownfail for the ad_member.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 selftest/knownfail.d/ntlmv2-restrictions |  2 ++
 selftest/target/Samba4.pm                |  2 ++
 source4/selftest/tests.py                | 28 ++++++++++++++--------------
 3 files changed, 18 insertions(+), 14 deletions(-)
 create mode 100644 selftest/knownfail.d/ntlmv2-restrictions

diff --git a/selftest/knownfail.d/ntlmv2-restrictions b/selftest/knownfail.d/ntlmv2-restrictions
new file mode 100644
index 0000000..eb50b13
--- /dev/null
+++ b/selftest/knownfail.d/ntlmv2-restrictions
@@ -0,0 +1,2 @@
+# 'raw NTLMv2 auth' is not enabled on ad_member
+^samba4.smb.signing.disabled.on.with.-k.no.--option=clientusespnego=no.--signing=off.domain-creds.xcopy\(ad_member\)
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index e2e78ab..8c17d77 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1031,6 +1031,7 @@ winbindd:use external pipes = true
 
 # the source4 smb server doesn't allow signing by default
 server signing = enabled
+raw NTLMv2 auth = yes
 
 rpc_server:default = external
 rpc_server:svcctl = embedded
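Review bot: The added `raw NTLMv2 auth = yes` sits directly under a comment that explains only the `server signing` line, so a reader of this provisioning template gets no hint why a weaker authentication path is being enabled. Add its own comment above it, `# allow the clientusespnego=no torture variants (raw NTLMv2 in SMB1 session setup, no NTLMSSP/SPNEGO wrapping) to authenticate; selftest only`. The commit message itself says this is a guess at what those tests exercise, so the comment should also make clear the setting is a test-environment concession and not a recommended configuration.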
@@ -1461,6 +1462,7 @@ sub provision_ad_dc_ntvfs($$)
         server services = +winbind -winbindd
 	ldap server require strong auth = allow_sasl_over_tls
 	allow nt4 crypto = yes
+	raw NTLMv2 auth = yes
 	lsa over netlogon = yes
         rpc server port = 1027
         auth event notification = true
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 91f8a5c..73bdce6 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -219,18 +219,18 @@ for t in net_tests:
 transport = "ncacn_np"
 for env in ["ad_dc_ntvfs", "nt4_dc"]:
     for ntlmoptions in [
-        "-k no --option=usespnego=yes",
-        "-k no --option=usespnego=yes --option=ntlmssp_client:128bit=no",
-        "-k no --option=usespnego=yes --option=ntlmssp_client:56bit=yes",
-        "-k no --option=usespnego=yes --option=ntlmssp_client:56bit=no",
-        "-k no --option=usespnego=yes --option=ntlmssp_client:128bit=no --option=ntlmssp_client:56bit=yes",
-        "-k no --option=usespnego=yes --option=ntlmssp_client:128bit=no --option=ntlmssp_client:56bit=no",
-        "-k no --option=usespnego=yes --option=clientntlmv2auth=yes",
-        "-k no --option=usespnego=yes --option=clientntlmv2auth=yes --option=ntlmssp_client:128bit=no",
-        "-k no --option=usespnego=yes --option=clientntlmv2auth=yes --option=ntlmssp_client:128bit=no --option=ntlmssp_client:56bit=yes",
-        "-k no --option=usespnego=no --option=clientntlmv2auth=yes",
+        "-k no --option=clientusespnego=yes",
+        "-k no --option=clientusespnego=yes --option=ntlmssp_client:128bit=no",
+        "-k no --option=clientusespnego=yes --option=ntlmssp_client:56bit=yes",
+        "-k no --option=clientusespnego=yes --option=ntlmssp_client:56bit=no",
+        "-k no --option=clientusespnego=yes --option=ntlmssp_client:128bit=no --option=ntlmssp_client:56bit=yes",
+        "-k no --option=clientusespnego=yes --option=ntlmssp_client:128bit=no --option=ntlmssp_client:56bit=no",
+        "-k no --option=clientusespnego=yes --option=clientntlmv2auth=yes",
+        "-k no --option=clientusespnego=yes --option=clientntlmv2auth=yes --option=ntlmssp_client:128bit=no",
+        "-k no --option=clientusespnego=yes --option=clientntlmv2auth=yes --option=ntlmssp_client:128bit=no --option=ntlmssp_client:56bit=yes",
+        "-k no --option=clientusespnego=no --option=clientntlmv2auth=yes",
         "-k no --option=gensec:spnego=no --option=clientntlmv2auth=yes",
-        "-k no --option=usespnego=no"]:
+        "-k no --option=clientusespnego=no"]:
         name = "rpc.lsa.secrets on %s with with %s" % (transport, ntlmoptions)
         plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport), ntlmoptions, '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.%s" % name)
     plantestsuite("samba.blackbox.pdbtest(%s)" % env, "%s:local" % env, [os.path.join(bbdir, "test_pdbtest.sh"), '$SERVER', "$PREFIX", "pdbtest", smbclient4, '$SMB_CONF_PATH', configuration])
@@ -452,7 +452,7 @@ plansmbtorture4testsuite("rpc.echo", "rpc_proxy", ['ncacn_ip_tcp:$NETBIOSNAME',
 # Tests SMB signing
 for mech in [
     "-k no",
-    "-k no --option=usespnego=no",
+    "-k no --option=clientusespnego=no",
     "-k no --option=gensec:spengo=no",
     "-k yes",
     "-k yes --option=gensec:fake_gssapi_krb5=yes --option=gensec:gssapi_krb5=no"]:
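Review bot: `--option=gensec:spengo=no` in this mech list is misspelled (the rpc.lsa.secrets list earlier in this file uses `gensec:spnego=no`), so that variant is, as far as I can tell, a no-op and the signing test just runs the plain `-k no` case a second time. Since this commit already rewrites the neighbouring `usespnego` entries, it is the natural place to fix the spelling here and in the two following mech lists, `"-k no --option=gensec:spnego=no",`. If the corrected variant then fails somewhere, that is a real finding about SPNEGO-less signing rather than something to hide behind a knownfail. The loop body that consumes these options continues past this hunk.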
@@ -463,7 +463,7 @@ for mech in [
 
 for mech in [
     "-k no",
-    "-k no --option=usespnego=no",
+    "-k no --option=clientusespnego=no",
     "-k no --option=gensec:spengo=no",
     "-k yes"]:
     signoptions = "%s --signing=off" % mech
@@ -477,7 +477,7 @@ for mech in [
 plantestsuite("samba4.blackbox.bogusdomain", "ad_member", ["testprogs/blackbox/bogus.sh", "$NETBIOSNAME", "xcopy_share", '$USERNAME', '$PASSWORD', '$DC_USERNAME', '$DC_PASSWORD', smbclient4])
 for mech in [
     "-k no",
-    "-k no --option=usespnego=no",
+    "-k no --option=clientusespnego=no",
     "-k no --option=gensec:spengo=no"]:
     signoptions = "%s --signing=off" % mech
     plansmbtorture4testsuite('base.xcopy', "s4member", ['//$NETBIOSNAME/xcopy_share', signoptions, '-U$NETBIOSNAME/$USERNAME%$PASSWORD'], modname="samba4.smb.signing on with %s local-creds" % signoptions)
-- 
1.9.1


From fcff934737222f1ee91f68d7f8e0806e98de1ac0 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 7 Dec 2017 11:35:26 +0100
Subject: [PATCH 5/8] s3:smbd: remove deprecated 'use spnego = no" handling

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/smbd/negprot.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index cdbc2c4..3a9363d 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -282,7 +282,6 @@ static void reply_nt1(struct smb_request *req, uint16_t choice)
 	   supports it and we can do encrypted passwords */
 
 	if (xconn->smb1.negprot.encrypted_passwords &&
-	    lp_use_spnego() &&
 	    (req->flags2 & FLAGS2_EXTENDED_SECURITY)) {
 		negotiate_spnego = True;
 		capabilities |= CAP_EXTENDED_SECURITY;
-- 
1.9.1


From 031c3536646137677d8d1cf394310546ce3cee55 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 7 Dec 2017 11:35:26 +0100
Subject: [PATCH 6/8] s4:smb_server: remove deprecated 'use spnego = no"
 handling

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/smb_server/smb/negprot.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/source4/smb_server/smb/negprot.c b/source4/smb_server/smb/negprot.c
index 79f5069..cc95a60 100644
--- a/source4/smb_server/smb/negprot.c
+++ b/source4/smb_server/smb/negprot.c
@@ -297,7 +297,6 @@ static void reply_nt1(struct smbsrv_request *req, uint16_t choice)
 	   supports it and we can do encrypted passwords */
 	
 	if (req->smb_conn->negotiate.encrypted_passwords && 
-	    lpcfg_use_spnego(req->smb_conn->lp_ctx) &&
 	    (req->flags2 & FLAGS2_EXTENDED_SECURITY)) {
 		negotiate_spnego = true; 
 		capabilities |= CAP_EXTENDED_SECURITY;
-- 
1.9.1


From 3964549f3f9f62b1269500dfc28b57835c7b8cde Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 7 Dec 2017 11:35:26 +0100
Subject: [PATCH 7/8] docs-xml: remove deprecated 'use spnego" option

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 docs-xml/smbdotconf/protocol/usespnego.xml | 19 -------------------
 lib/param/loadparm.c                       |  2 --
 source3/param/loadparm.c                   |  1 -
 3 files changed, 22 deletions(-)
 delete mode 100644 docs-xml/smbdotconf/protocol/usespnego.xml

diff --git a/docs-xml/smbdotconf/protocol/usespnego.xml b/docs-xml/smbdotconf/protocol/usespnego.xml
deleted file mode 100644
index 0c9ffbf..0000000
--- a/docs-xml/smbdotconf/protocol/usespnego.xml
+++ /dev/null
@@ -1,19 +0,0 @@
-<samba:parameter name="use spnego"
-                 context="G"
-                 type="boolean"
-                 deprecated="1"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
-<description>
-    <para>This deprecated variable controls whether samba will try 
-    to use Simple and Protected NEGOciation (as specified by rfc2478) with 
-    WindowsXP and Windows2000 clients to agree upon an authentication mechanism. 
-</para>
-
-<para>
-    Unless further issues are discovered with our SPNEGO
-    implementation, there is no reason this should ever be
-	disabled.</para>
-</description>
-
-<value type="default">yes</value>
-</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index ddb4507..3a4a41a 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2749,8 +2749,6 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter(lp_ctx, "client ipc signing", "default");
 	lpcfg_do_global_parameter(lp_ctx, "server signing", "default");
 
-	lpcfg_do_global_parameter(lp_ctx, "use spnego", "True");
-
 	lpcfg_do_global_parameter(lp_ctx, "use mmap", "True");
 
 	lpcfg_do_global_parameter(lp_ctx, "smb ports", "445 139");
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 6fa13c1..f8f76a6 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -830,7 +830,6 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 
 	Globals.name_cache_timeout = 660; /* In seconds */
 
-	Globals.use_spnego = true;
 	Globals.client_use_spnego = true;
 
 	Globals.client_signing = SMB_SIGNING_DEFAULT;
-- 
1.9.1


From 00ab29e22d08672b3d7c50514a01d3d49c18e2aa Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 7 Dec 2017 11:35:26 +0100
Subject: [PATCH 8/8] WHATSNEW: document removal of 'use spnego" option

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 WHATSNEW.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 252604e..1eecc5c 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -99,6 +99,7 @@ smb.conf changes
   mdns name                          Added                   netbios
   fruit:time machine                 Added                   false
   profile acls                       Removed
+  use spnego                         Removed
   winbind trusted domains only       Removed
 
 
-- 
1.9.1
