
s3-auth: remove "security=server" (depricated since 3.6)

"security=server" has a lot of problems in the world with
modern security (ntlmv2 and krb5). It was also not very
reliable, as it needed a stable connection to the password
server for the lifetime of the whole client connection!

Please use "security=domain" or "security=ads" if you
authenticate against remote servers (domain controllers).

metze
                       --------------
                      /              \
                     /      REST      \
                    /        IN        \
                   /       PEACE        \
                  /                      \
                  |      SEC_SERVER      |
                  |    security=server   |
                  |                      |
                  |                      |
                  |       12 May         |
                  |                      |
                  |        2012          |
                 *|     *  *  *          | *
        _________)/\\_//(\/(/\)/\//\/\///|_)_______
Stefan Metzmacher 2012-05-12 12:00:00 +02:00
parent 053fcfef0f
commit b4abd3faaf
6 changed files with 20 additions and 25 deletions


@ -73,13 +73,6 @@ int lp_find_server_role(int server_role, int security, int domain_logons, int do
role = ROLE_STANDALONE;
switch (security) {
case SEC_SERVER:
if (domain_logons) {
DEBUG(0, ("Server's Role (logon server) conflicts with server-level security\n"));
}
/* this used to be considered ROLE_DOMAIN_MEMBER but that's just wrong */
role = ROLE_STANDALONE;
break;
case SEC_DOMAIN:
if (domain_logons) {
DEBUG(1, ("Server's Role (logon server) NOT ADVISED with domain-level security\n"));
@ -157,7 +150,7 @@ bool lp_is_security_and_server_role_valid(int server_role, int security)
valid = true;
break;
case ROLE_STANDALONE:
if (security == SEC_SERVER || security == SEC_USER) {
if (security == SEC_USER) {
valid = true;
}
break;


@ -46,7 +46,6 @@ static const struct enum_list enum_protocol[] = {
static const struct enum_list enum_security[] = {
{SEC_AUTO, "AUTO"},
{SEC_USER, "USER"},
{SEC_SERVER, "SERVER"},
{SEC_DOMAIN, "DOMAIN"},
#if (defined(HAVE_ADS) || _SAMBA_BUILD_ >= 4)
{SEC_ADS, "ADS"},
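Review bot: With `{SEC_SERVER, "SERVER"}` gone from `enum_security`, an existing smb.conf that still says `security = server` no longer maps to any value, and the `lp_load_ex` hunk of this commit also removes the only message that named the option. How the parser treats a value missing from the list is outside these hunks; if it ignores the value and keeps the default, the server would start in a different authentication mode than the administrator configured, with at best a generic message. I would make the failure explicit at load time, for example `DEBUG(0, ("security = server is no longer supported, use security = domain or security = ads\n"));`, and treat the configuration as invalid. `enum_security` continues outside the hunk.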


@ -60,10 +60,25 @@ enum server_role {
*| * * * | *
_________)/\\_//(\/(/\)/\//\/\///|_)_______
*/
--------------
/ \
/ REST \
/ IN \
/ PEACE \
/ \
| SEC_SERVER |
| security=server |
| |
| |
| 12 May |
| |
| 2012 |
*| * * * | *
_________)/\\_//(\/(/\)/\//\/\///|_)_______
*/
enum security_types {SEC_AUTO = 0,
SEC_USER = 2,
SEC_SERVER = 3,
SEC_DOMAIN = 4,
SEC_ADS = 5};
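Review bot: `enum security_types` now skips the value 3 without saying so in words; the tombstone names `SEC_SERVER` but not its number. Elsewhere in this commit the constants are compared by order (`lp_security() >= SEC_DOMAIN`), so the remaining values have to keep their numbers and 3 should not be given to a new mode later. A one-line comment above the enum would record that, for example `/* 3 was SEC_SERVER (removed); do not reuse, callers compare these values by order */`.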


@ -494,12 +494,6 @@ NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
talloc_tos(), "guest sam winbind:ntdomain",
NULL);
break;
case SEC_SERVER:
DEBUG(5,("Making default auth method list for security=server\n"));
auth_method_list = str_list_make_v3(
talloc_tos(), "guest sam smbserver",
NULL);
break;
case SEC_USER:
if (lp_encrypted_passwords()) {
if ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role() == ROLE_DOMAIN_BDC)) {
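Review bot: Only the default method list for `security=server` is removed from this `switch` in `make_auth_context_subsystem`; the `smbserver` method that list named is not touched by any hunk on this page. If that backend is still registered and an explicit auth-methods setting can still select it (not visible here), the pass-through authentication that the commit message describes as unreliable and at odds with NTLMv2 and krb5 stays reachable. I would remove or unregister the backend in the same series, or say in the commit message that this follows. The function body starts and ends outside the hunk.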


@ -9049,10 +9049,6 @@ static bool lp_load_ex(const char *pszFname,
set_allowed_client_auth();
if (lp_security() == SEC_SERVER) {
DEBUG(1, ("WARNING: The security=server option is deprecated\n"));
}
if (lp_security() == SEC_ADS && strchr(lp_passwordserver(), ':')) {
DEBUG(1, ("WARNING: The optional ':port' in password server = %s is deprecated\n",
lp_passwordserver()));


@ -129,11 +129,9 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.\n");
* Password server sanity checks.
*/
if((lp_security() == SEC_SERVER || lp_security() >= SEC_DOMAIN) && !*lp_passwordserver()) {
if((lp_security() >= SEC_DOMAIN) && !*lp_passwordserver()) {
const char *sec_setting;
if(lp_security() == SEC_SERVER)
sec_setting = "server";
else if(lp_security() == SEC_DOMAIN)
if(lp_security() == SEC_DOMAIN)
sec_setting = "domain";
else if(lp_security() == SEC_ADS)
sec_setting = "ads";