s3-auth: remove "security=server" (depricated since 3.6)
"security=server" has a lot of problems in the world with modern security (ntlmv2 and krb5). It was also not very reliable, as it needed a stable connection to the password server for the lifetime of the whole client connection! Please use "security=domain" or "security=ads" if you authenticate against remote servers (domain controllers). metze -------------- / \ / REST \ / IN \ / PEACE \ / \ | SEC_SERVER | | security=server | | | | | | 12 May | | | | 2012 | *| * * * | * _________)/\\_//(\/(/\)/\//\/\///|_)_______
parent
053fcfef0f
commit
b4abd3faaf
@ -73,13 +73,6 @@ int lp_find_server_role(int server_role, int security, int domain_logons, int do
|
||||
role = ROLE_STANDALONE;
|
||||
|
||||
switch (security) {
|
||||
case SEC_SERVER:
|
||||
if (domain_logons) {
|
||||
DEBUG(0, ("Server's Role (logon server) conflicts with server-level security\n"));
|
||||
}
|
||||
/* this used to be considered ROLE_DOMAIN_MEMBER but that's just wrong */
|
||||
role = ROLE_STANDALONE;
|
||||
break;
|
||||
case SEC_DOMAIN:
|
||||
if (domain_logons) {
|
||||
DEBUG(1, ("Server's Role (logon server) NOT ADVISED with domain-level security\n"));
|
||||
@ -157,7 +150,7 @@ bool lp_is_security_and_server_role_valid(int server_role, int security)
|
||||
valid = true;
|
||||
break;
|
||||
case ROLE_STANDALONE:
|
||||
if (security == SEC_SERVER || security == SEC_USER) {
|
||||
if (security == SEC_USER) {
|
||||
valid = true;
|
||||
}
|
||||
break;
|
||||
|
@ -46,7 +46,6 @@ static const struct enum_list enum_protocol[] = {
|
||||
static const struct enum_list enum_security[] = {
|
||||
{SEC_AUTO, "AUTO"},
|
||||
{SEC_USER, "USER"},
|
||||
{SEC_SERVER, "SERVER"},
|
||||
{SEC_DOMAIN, "DOMAIN"},
|
||||
#if (defined(HAVE_ADS) || _SAMBA_BUILD_ >= 4)
|
||||
{SEC_ADS, "ADS"},
|
||||
|
@ -60,10 +60,25 @@ enum server_role {
|
||||
*| * * * | *
|
||||
_________)/\\_//(\/(/\)/\//\/\///|_)_______
|
||||
|
||||
*/
|
||||
--------------
|
||||
/ \
|
||||
/ REST \
|
||||
/ IN \
|
||||
/ PEACE \
|
||||
/ \
|
||||
| SEC_SERVER |
|
||||
| security=server |
|
||||
| |
|
||||
| |
|
||||
| 12 May |
|
||||
| |
|
||||
| 2012 |
|
||||
*| * * * | *
|
||||
_________)/\\_//(\/(/\)/\//\/\///|_)_______
|
||||
|
||||
*/
|
||||
enum security_types {SEC_AUTO = 0,
|
||||
SEC_USER = 2,
|
||||
SEC_SERVER = 3,
|
||||
SEC_DOMAIN = 4,
|
||||
SEC_ADS = 5};
|
||||
|
||||
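Review bot: With `SEC_SERVER = 3` gone, `enum security_types` skips both 1 and 3, and nothing on the enum itself says the gaps are deliberate. Other code on this page compares these values by order (`lp_security() >= SEC_DOMAIN` in the password server sanity check), so the numbering and ordering are part of the contract. I would add a short comment directly above the enumerators, for example `/* values 1 and 3 are retired, do not reuse; callers test ">= SEC_DOMAIN", so keep the ordering */`, rather than leaving that to the ASCII art.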
|
@ -494,12 +494,6 @@ NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
|
||||
talloc_tos(), "guest sam winbind:ntdomain",
|
||||
NULL);
|
||||
break;
|
||||
case SEC_SERVER:
|
||||
DEBUG(5,("Making default auth method list for security=server\n"));
|
||||
auth_method_list = str_list_make_v3(
|
||||
talloc_tos(), "guest sam smbserver",
|
||||
NULL);
|
||||
break;
|
||||
case SEC_USER:
|
||||
if (lp_encrypted_passwords()) {
|
||||
if ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role() == ROLE_DOMAIN_BDC)) {
|
||||
|
@ -9049,10 +9049,6 @@ static bool lp_load_ex(const char *pszFname,
|
||||
|
||||
set_allowed_client_auth();
|
||||
|
||||
if (lp_security() == SEC_SERVER) {
|
||||
DEBUG(1, ("WARNING: The security=server option is deprecated\n"));
|
||||
}
|
||||
|
||||
if (lp_security() == SEC_ADS && strchr(lp_passwordserver(), ':')) {
|
||||
DEBUG(1, ("WARNING: The optional ':port' in password server = %s is deprecated\n",
|
||||
lp_passwordserver()));
|
||||
|
@ -129,11 +129,9 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.\n");
|
||||
* Password server sanity checks.
|
||||
*/
|
||||
|
||||
if((lp_security() == SEC_SERVER || lp_security() >= SEC_DOMAIN) && !*lp_passwordserver()) {
|
||||
if((lp_security() >= SEC_DOMAIN) && !*lp_passwordserver()) {
|
||||
const char *sec_setting;
|
||||
if(lp_security() == SEC_SERVER)
|
||||
sec_setting = "server";
|
||||
else if(lp_security() == SEC_DOMAIN)
|
||||
if(lp_security() == SEC_DOMAIN)
|
||||
sec_setting = "domain";
|
||||
else if(lp_security() == SEC_ADS)
|
||||
sec_setting = "ads";
|
||||
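Review bot: `sec_setting` is declared without an initializer, and the branches visible here assign it only for SEC_DOMAIN and SEC_ADS, while the guard `lp_security() >= SEC_DOMAIN` admits any larger value too. The if/else chain continues outside the hunk, so a final `else` may already cover this; if it does not, any later use reads an uninitialized pointer. Either declare it as `const char *sec_setting = "";` or make the guard name the two remaining modes, `lp_security() == SEC_DOMAIN || lp_security() == SEC_ADS`, so the condition and the chain cannot drift apart.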
|