mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
s3-auth: Remove security=share (depricated since 3.6).
This patch removes security=share, which Samba implemented by matching the per-share password provided by the client in the Tree Connect with a selection of usernames supplied by the client, the smb.conf or guessed from the environment. The rationale for the removal is that for the bulk of security=share users, we just we need a very simple way to run a 'trust the network' Samba server, where users mark shares as guest ok. This is still supported, and the smb.conf options are documented at https://wiki.samba.org/index.php/Public_Samba_Server At the same time, this closes the door on one of the most arcane areas of Samba authentication. Naturally, full user-name/password authentication remain available in security=user and above. This includes documentation updates for username and only user, which now only do a small amount of what they used to do. Andrew Bartlett -------------- / \ / REST \ / IN \ / PEACE \ / \ | SEC_SHARE | | security=share | | | | | | 5 March | | | | 2012 | *| * * * | * _________)/\\_//(\/(/\)/\//\/\///|_)_______
This commit is contained in:
parent
acfa107ec6
commit
d7bb961859
@ -670,59 +670,6 @@ chmod 1770 /usr/local/samba/lib/usershares
|
||||
|
||||
</refsect1>
|
||||
|
||||
<refsect1 id="VALIDATIONSECT">
|
||||
<title>NOTE ABOUT USERNAME/PASSWORD VALIDATION</title>
|
||||
|
||||
<para>
|
||||
There are a number of ways in which a user can connect to a service. The server uses the following steps
|
||||
in determining if it will allow a connection to a specified service. If all the steps fail, the connection
|
||||
request is rejected. However, if one of the steps succeeds, the following steps are not checked.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
If the service is marked <quote>guest only = yes</quote> and the server is running with share-level
|
||||
security (<quote>security = share</quote>, steps 1 to 5 are skipped.
|
||||
</para>
|
||||
|
||||
|
||||
<orderedlist continuation="restarts" inheritnum="ignore" numeration="arabic">
|
||||
<listitem><para>
|
||||
If the client has passed a username/password pair and that username/password pair is validated by the UNIX
|
||||
system's password programs, the connection is made as that username. This includes the
|
||||
<literal>\\server\service</literal>%<replaceable>username</replaceable> method of passing a username.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
If the client has previously registered a username with the system and now supplies a correct password for that
|
||||
username, the connection is allowed.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
The client's NetBIOS name and any previously used usernames are checked against the supplied password. If
|
||||
they match, the connection is allowed as the corresponding user.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
If the client has previously validated a username/password pair with the server and the client has passed
|
||||
the validation token, that username is used.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
If a <literal>user = </literal> field is given in the <filename moreinfo="none">smb.conf</filename> file for the
|
||||
service and the client has supplied a password, and that password matches (according to the UNIX system's
|
||||
password checking) with one of the usernames from the <literal>user =</literal> field, the connection is made as
|
||||
the username in the <literal>user =</literal> line. If one of the usernames in the <literal>user =</literal> list
|
||||
begins with a <literal>@</literal>, that name expands to a list of names in the group of the same name.
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
If the service is a guest service, a connection is made as the username given in the <literal>guest account
|
||||
=</literal> for the service, irrespective of the supplied password.
|
||||
</para></listitem>
|
||||
</orderedlist>
|
||||
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>REGISTRY-BASED CONFIGURATION</title>
|
||||
|
||||
|
@ -3,20 +3,16 @@
|
||||
context="S"
|
||||
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
||||
<description>
|
||||
<para>This is a boolean option that controls whether
|
||||
connections with usernames not in the <parameter moreinfo="none">user</parameter>
|
||||
list will be allowed. By default this option is disabled so that a
|
||||
client can supply a username to be used by the server. Enabling
|
||||
this parameter will force the server to only use the login
|
||||
names from the <parameter moreinfo="none">user</parameter> list and is only really
|
||||
useful in <smbconfoption name="security">share</smbconfoption> level security.</para>
|
||||
<para>To restrict a service to a particular set of users you
|
||||
can use the <smbconfoption name="valid users"/> parameter.</para>
|
||||
|
||||
<para>This parameter is deprecated</para>
|
||||
|
||||
<para>However, it currently operates only in conjunction with
|
||||
<smbconfoption name="username"/>. The supported way to restrict
|
||||
a service to a particular set of users is the
|
||||
<smbconfoption name="valid users"/> parameter.</para>
|
||||
|
||||
<para>Note that this also means Samba won't try to deduce
|
||||
usernames from the service name. This can be annoying for
|
||||
the [homes] section. To get around this you could use <command moreinfo="none">user =
|
||||
%S</command> which means your <parameter moreinfo="none">user</parameter> list
|
||||
will be just the service name, which for home directories is the
|
||||
name of the user.</para>
|
||||
</description>
|
||||
|
||||
<related>user</related>
|
||||
|
@ -11,34 +11,18 @@
|
||||
Samba and is one of the most important settings in the <filename moreinfo="none">
|
||||
smb.conf</filename> file.</para>
|
||||
|
||||
<para>The option sets the "security mode bit" in replies to
|
||||
protocol negotiations with <citerefentry><refentrytitle>smbd</refentrytitle>
|
||||
<manvolnum>8</manvolnum></citerefentry> to turn share level security on or off. Clients decide
|
||||
based on this bit whether (and how) to transfer user and password
|
||||
information to the server.</para>
|
||||
|
||||
|
||||
<para>The default is <command moreinfo="none">security = user</command>, as this is
|
||||
the most common setting needed when talking to Windows 98 and
|
||||
Windows NT.</para>
|
||||
the most common setting, used for a standalone file server or a DC.</para>
|
||||
|
||||
<para>The alternatives are
|
||||
<command moreinfo="none">security = ads</command> or <command moreinfo="none">security = domain
|
||||
</command>, which support joining Samba to a Windows domain, along with <command moreinfo="none">security = share</command> and <command moreinfo="none">security = server</command>, both of which are deprecated.</para>
|
||||
|
||||
<para>In versions of Samba prior to 2.0.0, the default was
|
||||
<command moreinfo="none">security = share</command> mainly because that was
|
||||
the only option at one stage.</para>
|
||||
</command>, which support joining Samba to a Windows domain, along with <command moreinfo="none">security = server</command>, which is deprecated.</para>
|
||||
|
||||
<para>You should use <command moreinfo="none">security = user</command> and
|
||||
<smbconfoption name="map to guest"/> if you
|
||||
want to mainly setup shares without a password (guest shares). This
|
||||
is commonly used for a shared printer server. </para>
|
||||
|
||||
<para>It is possible to use <command moreinfo="none">smbd</command> in a <emphasis>
|
||||
hybrid mode</emphasis> where it is offers both user and share
|
||||
level security under different <smbconfoption name="NetBIOS aliases"/>. </para>
|
||||
|
||||
<para>The different settings will now be explained.</para>
|
||||
|
||||
|
||||
@ -65,8 +49,6 @@
|
||||
the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
|
||||
See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
|
||||
|
||||
<para>See also the section <link linkend="VALIDATIONSECT">NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
|
||||
|
||||
<para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY = DOMAIN</emphasis></para>
|
||||
|
||||
<para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle>
|
||||
@ -94,93 +76,9 @@
|
||||
the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
|
||||
See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
|
||||
|
||||
<para>See also the section <link linkend="VALIDATIONSECT">
|
||||
NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
|
||||
|
||||
<para>See also the <smbconfoption name="password server"/> parameter and
|
||||
the <smbconfoption name="encrypted passwords"/> parameter.</para>
|
||||
|
||||
<para><anchor id="SECURITYEQUALSSHARE"/><emphasis>SECURITY = SHARE</emphasis></para>
|
||||
|
||||
<note><para>This option is deprecated as it is incompatible with SMB2</para></note>
|
||||
|
||||
<para>When clients connect to a share level security server, they
|
||||
need not log onto the server with a valid username and password before
|
||||
attempting to connect to a shared resource (although modern clients
|
||||
such as Windows 95/98 and Windows NT will send a logon request with
|
||||
a username but no password when talking to a <command moreinfo="none">security = share
|
||||
</command> server). Instead, the clients send authentication information
|
||||
(passwords) on a per-share basis, at the time they attempt to connect
|
||||
to that share.</para>
|
||||
|
||||
<para>Note that <command moreinfo="none">smbd</command> <emphasis>ALWAYS</emphasis>
|
||||
uses a valid UNIX user to act on behalf of the client, even in
|
||||
<command moreinfo="none">security = share</command> level security.</para>
|
||||
|
||||
<para>As clients are not required to send a username to the server
|
||||
in share level security, <command moreinfo="none">smbd</command> uses several
|
||||
techniques to determine the correct UNIX user to use on behalf
|
||||
of the client.</para>
|
||||
|
||||
<para>A list of possible UNIX usernames to match with the given
|
||||
client password is constructed using the following methods :</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>If the <smbconfoption name="guest only"/> parameter is set, then all the other
|
||||
stages are missed and only the <smbconfoption name="guest account"/> username is checked.
|
||||
</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Is a username is sent with the share connection
|
||||
request, then this username (after mapping - see <smbconfoption name="username map"/>),
|
||||
is added as a potential username.
|
||||
</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If the client did a previous <emphasis>logon
|
||||
</emphasis> request (the SessionSetup SMB call) then the
|
||||
username sent in this SMB will be added as a potential username.
|
||||
</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The name of the service the client requested is
|
||||
added as a potential username.
|
||||
</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The NetBIOS name of the client is added to
|
||||
the list as a potential username.
|
||||
</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Any users on the <smbconfoption name="user"/> list are added as potential usernames.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>If the <parameter moreinfo="none">guest only</parameter> parameter is
|
||||
not set, then this list is then tried with the supplied password.
|
||||
The first user for whom the password matches will be used as the
|
||||
UNIX user.</para>
|
||||
|
||||
<para>If the <parameter moreinfo="none">guest only</parameter> parameter is
|
||||
set, or no username can be determined then if the share is marked
|
||||
as available to the <parameter moreinfo="none">guest account</parameter>, then this
|
||||
guest user will be used, otherwise access is denied.</para>
|
||||
|
||||
<para>Note that it can be <emphasis>very</emphasis> confusing
|
||||
in share-level security as to which UNIX username will eventually
|
||||
be used in granting access.</para>
|
||||
|
||||
<para>See also the section <link linkend="VALIDATIONSECT">
|
||||
NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
|
||||
|
||||
<para><anchor id="SECURITYEQUALSSERVER"/><emphasis>SECURITY = SERVER</emphasis></para>
|
||||
|
||||
<para>
|
||||
@ -221,9 +119,6 @@
|
||||
the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
|
||||
See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
|
||||
|
||||
<para>See also the section <link linkend="VALIDATIONSECT">
|
||||
NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
|
||||
|
||||
<para>See also the <smbconfoption name="password server"/> parameter and the
|
||||
<smbconfoption name="encrypted passwords"/> parameter.</para>
|
||||
|
||||
|
@ -51,9 +51,6 @@
|
||||
exist as well as the account on the Domain Controller to allow
|
||||
Samba to have a valid UNIX account to map file access to. Winbind can provide this.</para>
|
||||
|
||||
<para>See also the section <link linkend="VALIDATIONSECT">
|
||||
NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
|
||||
|
||||
<para><anchor id="DC"/><emphasis>SERVER ROLE = DOMAIN CONTROLLER</emphasis></para>
|
||||
|
||||
<para>This mode of operation runs Samba as a domain controller, providing domain logon services to Windows and Samba clients of the domain. Clients must be joined to the domain to create a secure, trusted path across the network.</para>
|
||||
|
@ -5,57 +5,16 @@
|
||||
<synonym>user</synonym>
|
||||
<synonym>users</synonym>
|
||||
<description>
|
||||
<para>Multiple users may be specified in a comma-delimited
|
||||
list, in which case the supplied password will be tested against
|
||||
each username in turn (left to right).</para>
|
||||
|
||||
<para>The deprecated <parameter moreinfo="none">username</parameter> line is needed only when
|
||||
the PC is unable to supply its own username. This is the case
|
||||
for the COREPLUS protocol or where your users have different WfWg
|
||||
usernames to UNIX usernames. In both these cases you may also be
|
||||
better using the \\server\share%user syntax instead.</para>
|
||||
|
||||
<para>The <parameter moreinfo="none">username</parameter> line is not a great
|
||||
solution in many cases as it means Samba will try to validate
|
||||
the supplied password against each of the usernames in the
|
||||
<parameter moreinfo="none">username</parameter> line in turn. This is slow and
|
||||
a bad idea for lots of users in case of duplicate passwords.
|
||||
You may get timeouts or security breaches using this parameter
|
||||
unwisely.</para>
|
||||
|
||||
<para>Samba relies on the underlying UNIX security. This
|
||||
parameter does not restrict who can login, it just offers hints
|
||||
to the Samba server as to what usernames might correspond to the
|
||||
supplied password. Users can login as whoever they please and
|
||||
they will be able to do no more damage than if they started a
|
||||
telnet session. The daemon runs as the user that they log in as,
|
||||
so they cannot do anything that user cannot do.</para>
|
||||
|
||||
<para>To restrict a service to a particular set of users you
|
||||
can use the <smbconfoption name="valid users"/> parameter.</para>
|
||||
|
||||
<para>If any of the usernames begin with a '@' then the name
|
||||
will be looked up first in the NIS netgroups list (if Samba
|
||||
is compiled with netgroup support), followed by a lookup in
|
||||
the UNIX groups database and will expand to a list of all users
|
||||
in the group of that name.</para>
|
||||
|
||||
<para>If any of the usernames begin with a '+' then the name
|
||||
will be looked up only in the UNIX groups database and will
|
||||
expand to a list of all users in the group of that name.</para>
|
||||
<para>This parameter is deprecated</para>
|
||||
|
||||
<para>If any of the usernames begin with a '&' then the name
|
||||
will be looked up only in the NIS netgroups database (if Samba
|
||||
is compiled with netgroup support) and will expand to a list
|
||||
of all users in the netgroup group of that name.</para>
|
||||
<para>However, it currently operates only in conjunction with
|
||||
<smbconfoption name="only user"/>. The supported way to restrict
|
||||
a service to a particular set of users is the
|
||||
<smbconfoption name="valid users"/> parameter.</para>
|
||||
|
||||
<para>Note that searching though a groups database can take
|
||||
quite some time, and some clients may time out during the
|
||||
search.</para>
|
||||
|
||||
<para>See the section <link linkend="VALIDATIONSECT">NOTE ABOUT
|
||||
USERNAME/PASSWORD VALIDATION</link> for more information on how
|
||||
this parameter determines access to the services.</para>
|
||||
</description>
|
||||
|
||||
<value type="default"><comment>The guest account if a guest service,
|
||||
|
@ -73,11 +73,6 @@ int lp_find_server_role(int server_role, int security, int domain_logons, int do
|
||||
role = ROLE_STANDALONE;
|
||||
|
||||
switch (security) {
|
||||
case SEC_SHARE:
|
||||
if (domain_logons) {
|
||||
DEBUG(0, ("Server's Role (logon server) conflicts with share-level security\n"));
|
||||
}
|
||||
break;
|
||||
case SEC_SERVER:
|
||||
if (domain_logons) {
|
||||
DEBUG(0, ("Server's Role (logon server) conflicts with server-level security\n"));
|
||||
@ -162,7 +157,7 @@ bool lp_is_security_and_server_role_valid(int server_role, int security)
|
||||
valid = true;
|
||||
break;
|
||||
case ROLE_STANDALONE:
|
||||
if (security == SEC_SHARE || security == SEC_SERVER || security == SEC_USER) {
|
||||
if (security == SEC_SERVER || security == SEC_USER) {
|
||||
valid = true;
|
||||
}
|
||||
break;
|
||||
|
@ -44,7 +44,6 @@ static const struct enum_list enum_protocol[] = {
|
||||
|
||||
static const struct enum_list enum_security[] = {
|
||||
{SEC_AUTO, "AUTO"},
|
||||
{SEC_SHARE, "SHARE"},
|
||||
{SEC_USER, "USER"},
|
||||
{SEC_SERVER, "SERVER"},
|
||||
{SEC_DOMAIN, "DOMAIN"},
|
||||
|
@ -42,9 +42,26 @@ enum server_role {
|
||||
*/
|
||||
#define ROLE_DOMAIN_CONTROLLER ROLE_DOMAIN_BDC
|
||||
|
||||
/* security levels for 'security =' option */
|
||||
/* security levels for 'security =' option
|
||||
|
||||
--------------
|
||||
/ \
|
||||
/ REST \
|
||||
/ IN \
|
||||
/ PEACE \
|
||||
/ \
|
||||
| SEC_SHARE |
|
||||
| security=share |
|
||||
| |
|
||||
| |
|
||||
| 5 March |
|
||||
| |
|
||||
| 2012 |
|
||||
*| * * * | *
|
||||
_________)/\\_//(\/(/\)/\//\/\///|_)_______
|
||||
|
||||
*/
|
||||
enum security_types {SEC_AUTO = 0,
|
||||
SEC_SHARE = 1,
|
||||
SEC_USER = 2,
|
||||
SEC_SERVER = 3,
|
||||
SEC_DOMAIN = 4,
|
||||
|
@ -912,7 +912,7 @@ AUTH_OBJ = auth/auth.o @AUTH_STATIC@ auth/auth_util.o auth/token_util.o \
|
||||
auth/user_info.o \
|
||||
auth/user_util.o \
|
||||
auth/user_krb5.o \
|
||||
auth/auth_compat.o auth/auth_ntlmssp.o auth/auth_generic.o \
|
||||
auth/auth_ntlmssp.o auth/auth_generic.o \
|
||||
$(PLAINTEXT_AUTH_OBJ) $(SLCACHE_OBJ) $(DCUTIL_OBJ)
|
||||
|
||||
MANGLE_OBJ = smbd/mangle.o smbd/mangle_hash.o smbd/mangle_hash2.o
|
||||
|
@ -523,17 +523,6 @@ NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
|
||||
talloc_tos(), "guest unix", NULL);
|
||||
}
|
||||
break;
|
||||
case SEC_SHARE:
|
||||
if (lp_encrypted_passwords()) {
|
||||
DEBUG(5,("Making default auth method list for security=share, encrypt passwords = yes\n"));
|
||||
auth_method_list = str_list_make_v3(
|
||||
talloc_tos(), "guest sam", NULL);
|
||||
} else {
|
||||
DEBUG(5,("Making default auth method list for security=share, encrypt passwords = no\n"));
|
||||
auth_method_list = str_list_make_v3(
|
||||
talloc_tos(), "guest unix", NULL);
|
||||
}
|
||||
break;
|
||||
case SEC_ADS:
|
||||
DEBUG(5,("Making default auth method list for security=ADS\n"));
|
||||
auth_method_list = str_list_make_v3(
|
||||
|
@ -1,169 +0,0 @@
|
||||
/*
|
||||
Unix SMB/CIFS implementation.
|
||||
Password and authentication handling
|
||||
Copyright (C) Andrew Bartlett 2001-2002
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation; either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
#include "includes.h"
|
||||
#include "auth.h"
|
||||
#include "../lib/tsocket/tsocket.h"
|
||||
|
||||
extern struct auth_context *negprot_global_auth_context;
|
||||
extern bool global_encrypted_passwords_negotiated;
|
||||
|
||||
#undef DBGC_CLASS
|
||||
#define DBGC_CLASS DBGC_AUTH
|
||||
|
||||
/****************************************************************************
|
||||
COMPATIBILITY INTERFACES:
|
||||
***************************************************************************/
|
||||
|
||||
/****************************************************************************
|
||||
check if a username/password is OK assuming the password is in plaintext
|
||||
return True if the password is correct, False otherwise
|
||||
****************************************************************************/
|
||||
|
||||
NTSTATUS check_plaintext_password(const char *smb_name,
|
||||
const struct tsocket_address *remote_address,
|
||||
DATA_BLOB plaintext_blob,
|
||||
struct auth_serversupplied_info **server_info)
|
||||
{
|
||||
struct auth_context *plaintext_auth_context = NULL;
|
||||
struct auth_usersupplied_info *user_info = NULL;
|
||||
uint8_t chal[8];
|
||||
NTSTATUS nt_status;
|
||||
|
||||
nt_status = make_auth_context_subsystem(talloc_tos(),
|
||||
&plaintext_auth_context);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
return nt_status;
|
||||
}
|
||||
|
||||
plaintext_auth_context->get_ntlm_challenge(plaintext_auth_context,
|
||||
chal);
|
||||
|
||||
if (!make_user_info_for_reply(&user_info,
|
||||
smb_name, lp_workgroup(),
|
||||
remote_address,
|
||||
chal,
|
||||
plaintext_blob)) {
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
nt_status = plaintext_auth_context->check_ntlm_password(plaintext_auth_context,
|
||||
user_info, server_info);
|
||||
|
||||
TALLOC_FREE(plaintext_auth_context);
|
||||
free_user_info(&user_info);
|
||||
return nt_status;
|
||||
}
|
||||
|
||||
static NTSTATUS pass_check_smb(struct auth_context *actx,
|
||||
const char *smb_name,
|
||||
const char *domain,
|
||||
const struct tsocket_address *remote_address,
|
||||
DATA_BLOB lm_pwd,
|
||||
DATA_BLOB nt_pwd)
|
||||
|
||||
{
|
||||
NTSTATUS nt_status;
|
||||
struct auth_serversupplied_info *server_info = NULL;
|
||||
struct auth_usersupplied_info *user_info = NULL;
|
||||
if (actx == NULL) {
|
||||
return NT_STATUS_INTERNAL_ERROR;
|
||||
}
|
||||
make_user_info_for_reply_enc(&user_info, smb_name,
|
||||
domain,
|
||||
remote_address,
|
||||
lm_pwd,
|
||||
nt_pwd);
|
||||
nt_status = actx->check_ntlm_password(actx, user_info, &server_info);
|
||||
free_user_info(&user_info);
|
||||
TALLOC_FREE(server_info);
|
||||
return nt_status;
|
||||
}
|
||||
|
||||
/****************************************************************************
|
||||
check if a username/password pair is ok via the auth subsystem.
|
||||
return True if the password is correct, False otherwise
|
||||
****************************************************************************/
|
||||
|
||||
bool password_ok(struct auth_context *actx, bool global_encrypted,
|
||||
const char *session_workgroup,
|
||||
const char *smb_name,
|
||||
const struct tsocket_address *remote_address,
|
||||
DATA_BLOB password_blob)
|
||||
{
|
||||
|
||||
DATA_BLOB null_password = data_blob_null;
|
||||
bool encrypted = (global_encrypted && (password_blob.length == 24 || password_blob.length > 46));
|
||||
|
||||
if (encrypted) {
|
||||
/*
|
||||
* The password could be either NTLM or plain LM. Try NTLM first,
|
||||
* but fall-through as required.
|
||||
* Vista sends NTLMv2 here - we need to try the client given workgroup.
|
||||
*/
|
||||
if (session_workgroup) {
|
||||
if (NT_STATUS_IS_OK(pass_check_smb(actx,
|
||||
smb_name,
|
||||
session_workgroup,
|
||||
remote_address,
|
||||
null_password,
|
||||
password_blob))) {
|
||||
return True;
|
||||
}
|
||||
if (NT_STATUS_IS_OK(pass_check_smb(actx,
|
||||
smb_name,
|
||||
session_workgroup,
|
||||
remote_address,
|
||||
password_blob,
|
||||
null_password))) {
|
||||
return True;
|
||||
}
|
||||
}
|
||||
|
||||
if (NT_STATUS_IS_OK(pass_check_smb(actx,
|
||||
smb_name,
|
||||
lp_workgroup(),
|
||||
remote_address,
|
||||
null_password,
|
||||
password_blob))) {
|
||||
return True;
|
||||
}
|
||||
|
||||
if (NT_STATUS_IS_OK(pass_check_smb(actx,
|
||||
smb_name,
|
||||
lp_workgroup(),
|
||||
remote_address,
|
||||
password_blob,
|
||||
null_password))) {
|
||||
return True;
|
||||
}
|
||||
} else {
|
||||
struct auth_serversupplied_info *server_info = NULL;
|
||||
NTSTATUS nt_status = check_plaintext_password(smb_name,
|
||||
remote_address,
|
||||
password_blob,
|
||||
&server_info);
|
||||
TALLOC_FREE(server_info);
|
||||
if (NT_STATUS_IS_OK(nt_status)) {
|
||||
return True;
|
||||
}
|
||||
}
|
||||
|
||||
return False;
|
||||
}
|
@ -48,18 +48,6 @@ NTSTATUS make_auth_context_fixed(TALLOC_CTX *mem_ctx,
|
||||
|
||||
NTSTATUS auth_builtin_init(void);
|
||||
|
||||
/* The following definitions come from auth/auth_compat.c */
|
||||
|
||||
NTSTATUS check_plaintext_password(const char *smb_name,
|
||||
const struct tsocket_address *remote_address,
|
||||
DATA_BLOB plaintext_password,
|
||||
struct auth_serversupplied_info **server_info);
|
||||
bool password_ok(struct auth_context *actx, bool global_encrypted,
|
||||
const char *session_workgroup,
|
||||
const char *smb_name,
|
||||
const struct tsocket_address *remote_address,
|
||||
DATA_BLOB password_blob);
|
||||
|
||||
/* The following definitions come from auth/auth_domain.c */
|
||||
|
||||
void attempt_machine_password_change(void);
|
||||
|
@ -12,7 +12,7 @@ AUTH_NETLOGOND_SRC = 'auth_netlogond.c'
|
||||
|
||||
AUTH_SRC = '''auth.c
|
||||
user_krb5.c
|
||||
auth_compat.c auth_ntlmssp.c auth_generic.c'''
|
||||
auth_ntlmssp.c auth_generic.c'''
|
||||
|
||||
bld.SAMBA3_SUBSYSTEM('TOKEN_UTIL',
|
||||
source='token_util.c',
|
||||
|
@ -1892,7 +1892,6 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx,
|
||||
if (!valid_security) {
|
||||
const char *sec = NULL;
|
||||
switch (lp_security()) {
|
||||
case SEC_SHARE: sec = "share"; break;
|
||||
case SEC_USER: sec = "user"; break;
|
||||
case SEC_DOMAIN: sec = "domain"; break;
|
||||
case SEC_ADS: sec = "ads"; break;
|
||||
|
@ -5286,18 +5286,7 @@ FN_GLOBAL_INTEGER(lp_passwordlevel, pwordlevel)
|
||||
FN_GLOBAL_INTEGER(lp_usernamelevel, unamelevel)
|
||||
FN_GLOBAL_INTEGER(lp_deadtime, deadtime)
|
||||
FN_GLOBAL_BOOL(lp_getwd_cache, getwd_cache)
|
||||
static FN_GLOBAL_INTEGER(_lp_srv_maxprotocol, srv_maxprotocol)
|
||||
int lp_srv_maxprotocol(void)
|
||||
{
|
||||
int ret = _lp_srv_maxprotocol();
|
||||
if ((ret >= PROTOCOL_SMB2_02) && (lp_security() == SEC_SHARE)) {
|
||||
DEBUG(2,("WARNING!!: \"security = share\" is incompatible "
|
||||
"with the SMB2 protocol. Resetting to SMB1.\n" ));
|
||||
lp_do_parameter(-1, "server max protocol", "NT1");
|
||||
return PROTOCOL_NT1;
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
FN_GLOBAL_INTEGER(lp_srv_maxprotocol, srv_maxprotocol)
|
||||
FN_GLOBAL_INTEGER(lp_srv_minprotocol, srv_minprotocol)
|
||||
FN_GLOBAL_INTEGER(lp_security, security)
|
||||
FN_GLOBAL_LIST(lp_auth_methods, AuthMethods)
|
||||
@ -9050,9 +9039,7 @@ static bool lp_load_ex(const char *pszFname,
|
||||
|
||||
set_allowed_client_auth();
|
||||
|
||||
if (lp_security() == SEC_SHARE) {
|
||||
DEBUG(1, ("WARNING: The security=share option is deprecated\n"));
|
||||
} else if (lp_security() == SEC_SERVER) {
|
||||
if (lp_security() == SEC_SERVER) {
|
||||
DEBUG(1, ("WARNING: The security=server option is deprecated\n"));
|
||||
}
|
||||
|
||||
|
@ -531,10 +531,6 @@ struct smbd_server_connection {
|
||||
int max_send;
|
||||
uint16_t last_session_tag;
|
||||
|
||||
/* users from session setup */
|
||||
char *session_userlist;
|
||||
/* workgroup from session setup. */
|
||||
char *session_workgroup;
|
||||
/*
|
||||
* this holds info on user ids that are already
|
||||
* validated for this VC
|
||||
|
@ -299,7 +299,6 @@ static void reply_nt1(struct smb_request *req, uint16 choice)
|
||||
supports it and we can do encrypted passwords */
|
||||
|
||||
if (sconn->smb1.negprot.encrypted_passwords &&
|
||||
(lp_security() != SEC_SHARE) &&
|
||||
lp_use_spnego() &&
|
||||
(req->flags2 & FLAGS2_EXTENDED_SECURITY)) {
|
||||
negotiate_spnego = True;
|
||||
|
@ -172,12 +172,6 @@ int register_initial_vuid(struct smbd_server_connection *sconn)
|
||||
{
|
||||
user_struct *vuser;
|
||||
|
||||
/* Paranoia check. */
|
||||
if(lp_security() == SEC_SHARE) {
|
||||
smb_panic("register_initial_vuid: "
|
||||
"Tried to register uid in security=share");
|
||||
}
|
||||
|
||||
/* Limit allowed vuids to 16bits - VUID_OFFSET. */
|
||||
if (sconn->smb1.sessions.num_validated_vuids >= 0xFFFF-VUID_OFFSET) {
|
||||
return UID_FIELD_INVALID;
|
||||
@ -352,394 +346,3 @@ int register_existing_vuid(struct smbd_server_connection *sconn,
|
||||
}
|
||||
return UID_FIELD_INVALID;
|
||||
}
|
||||
|
||||
/****************************************************************************
|
||||
Add a name to the session users list.
|
||||
****************************************************************************/
|
||||
|
||||
void add_session_user(struct smbd_server_connection *sconn,
|
||||
const char *user)
|
||||
{
|
||||
struct passwd *pw;
|
||||
char *tmp;
|
||||
|
||||
pw = Get_Pwnam_alloc(talloc_tos(), user);
|
||||
|
||||
if (pw == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (sconn->smb1.sessions.session_userlist == NULL) {
|
||||
sconn->smb1.sessions.session_userlist = SMB_STRDUP(pw->pw_name);
|
||||
goto done;
|
||||
}
|
||||
|
||||
if (in_list(pw->pw_name,sconn->smb1.sessions.session_userlist,false)) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
if (strlen(sconn->smb1.sessions.session_userlist) > 128 * 1024) {
|
||||
DEBUG(3,("add_session_user: session userlist already "
|
||||
"too large.\n"));
|
||||
goto done;
|
||||
}
|
||||
|
||||
if (asprintf(&tmp, "%s %s",
|
||||
sconn->smb1.sessions.session_userlist, pw->pw_name) == -1) {
|
||||
DEBUG(3, ("asprintf failed\n"));
|
||||
goto done;
|
||||
}
|
||||
|
||||
SAFE_FREE(sconn->smb1.sessions.session_userlist);
|
||||
sconn->smb1.sessions.session_userlist = tmp;
|
||||
done:
|
||||
TALLOC_FREE(pw);
|
||||
}
|
||||
|
||||
/****************************************************************************
|
||||
In security=share mode we need to store the client workgroup, as that's
|
||||
what Vista uses for the NTLMv2 calculation.
|
||||
****************************************************************************/
|
||||
|
||||
void add_session_workgroup(struct smbd_server_connection *sconn,
|
||||
const char *workgroup)
|
||||
{
|
||||
if (sconn->smb1.sessions.session_workgroup) {
|
||||
SAFE_FREE(sconn->smb1.sessions.session_workgroup);
|
||||
}
|
||||
sconn->smb1.sessions.session_workgroup = smb_xstrdup(workgroup);
|
||||
}
|
||||
|
||||
/****************************************************************************
|
||||
In security=share mode we need to return the client workgroup, as that's
|
||||
what Vista uses for the NTLMv2 calculation.
|
||||
****************************************************************************/
|
||||
|
||||
const char *get_session_workgroup(struct smbd_server_connection *sconn)
|
||||
{
|
||||
return sconn->smb1.sessions.session_workgroup;
|
||||
}
|
||||
|
||||
/****************************************************************************
|
||||
Check if a username is valid.
|
||||
****************************************************************************/
|
||||
|
||||
static bool user_ok(const char *user, int snum)
|
||||
{
|
||||
bool ret;
|
||||
|
||||
ret = True;
|
||||
|
||||
if (lp_invalid_users(snum)) {
|
||||
char **invalid = str_list_copy(talloc_tos(),
|
||||
lp_invalid_users(snum));
|
||||
if (invalid &&
|
||||
str_list_substitute(invalid, "%S", lp_servicename(snum))) {
|
||||
|
||||
/* This is used in sec=share only, so no current user
|
||||
* around to pass to str_list_sub_basic() */
|
||||
|
||||
if ( invalid && str_list_sub_basic(invalid, "", "") ) {
|
||||
ret = !user_in_list(talloc_tos(), user,
|
||||
(const char **)invalid);
|
||||
}
|
||||
}
|
||||
TALLOC_FREE(invalid);
|
||||
}
|
||||
|
||||
if (ret && lp_valid_users(snum)) {
|
||||
char **valid = str_list_copy(talloc_tos(),
|
||||
lp_valid_users(snum));
|
||||
if ( valid &&
|
||||
str_list_substitute(valid, "%S", lp_servicename(snum)) ) {
|
||||
|
||||
/* This is used in sec=share only, so no current user
|
||||
* around to pass to str_list_sub_basic() */
|
||||
|
||||
if ( valid && str_list_sub_basic(valid, "", "") ) {
|
||||
ret = user_in_list(talloc_tos(), user,
|
||||
(const char **)valid);
|
||||
}
|
||||
}
|
||||
TALLOC_FREE(valid);
|
||||
}
|
||||
|
||||
if (ret && lp_onlyuser(snum)) {
|
||||
char **user_list = str_list_make_v3(
|
||||
talloc_tos(), lp_username(snum), NULL);
|
||||
if (user_list &&
|
||||
str_list_substitute(user_list, "%S",
|
||||
lp_servicename(snum))) {
|
||||
ret = user_in_list(talloc_tos(), user,
|
||||
(const char **)user_list);
|
||||
}
|
||||
TALLOC_FREE(user_list);
|
||||
}
|
||||
|
||||
return(ret);
|
||||
}
|
||||
|
||||
/****************************************************************************
|
||||
Validate a group username entry. Return the username or NULL.
|
||||
****************************************************************************/
|
||||
|
||||
static char *validate_group(struct smbd_server_connection *sconn,
|
||||
char *group, DATA_BLOB password,int snum)
|
||||
{
|
||||
#ifdef HAVE_NETGROUP
|
||||
{
|
||||
char *host, *user, *domain;
|
||||
struct auth_context *actx = sconn->smb1.negprot.auth_context;
|
||||
bool enc = sconn->smb1.negprot.encrypted_passwords;
|
||||
setnetgrent(group);
|
||||
while (getnetgrent(&host, &user, &domain)) {
|
||||
if (user) {
|
||||
if (user_ok(user, snum) &&
|
||||
password_ok(actx, enc,
|
||||
get_session_workgroup(sconn),
|
||||
user,
|
||||
sconn->remote_address,
|
||||
password)) {
|
||||
endnetgrent();
|
||||
return(user);
|
||||
}
|
||||
}
|
||||
}
|
||||
endnetgrent();
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_GETGRENT
|
||||
{
|
||||
struct group *gptr;
|
||||
struct auth_context *actx = sconn->smb1.negprot.auth_context;
|
||||
bool enc = sconn->smb1.negprot.encrypted_passwords;
|
||||
|
||||
setgrent();
|
||||
while ((gptr = (struct group *)getgrent())) {
|
||||
if (strequal(gptr->gr_name,group))
|
||||
break;
|
||||
}
|
||||
|
||||
/*
|
||||
* As user_ok can recurse doing a getgrent(), we must
|
||||
* copy the member list onto the heap before
|
||||
* use. Bug pointed out by leon@eatworms.swmed.edu.
|
||||
*/
|
||||
|
||||
if (gptr) {
|
||||
char *member_list = NULL;
|
||||
size_t list_len = 0;
|
||||
char *member;
|
||||
int i;
|
||||
|
||||
for(i = 0; gptr->gr_mem && gptr->gr_mem[i]; i++) {
|
||||
list_len += strlen(gptr->gr_mem[i])+1;
|
||||
}
|
||||
list_len++;
|
||||
|
||||
member_list = (char *)SMB_MALLOC(list_len);
|
||||
if (!member_list) {
|
||||
endgrent();
|
||||
return NULL;
|
||||
}
|
||||
|
||||
*member_list = '\0';
|
||||
member = member_list;
|
||||
|
||||
for(i = 0; gptr->gr_mem && gptr->gr_mem[i]; i++) {
|
||||
size_t member_len = strlen(gptr->gr_mem[i])+1;
|
||||
|
||||
DEBUG(10,("validate_group: = gr_mem = "
|
||||
"%s\n", gptr->gr_mem[i]));
|
||||
|
||||
strlcpy(member, gptr->gr_mem[i],
|
||||
list_len - (member-member_list));
|
||||
member += member_len;
|
||||
}
|
||||
|
||||
endgrent();
|
||||
|
||||
member = member_list;
|
||||
while (*member) {
|
||||
if (user_ok(member,snum) &&
|
||||
password_ok(actx, enc,
|
||||
get_session_workgroup(sconn),
|
||||
member,
|
||||
sconn->remote_address,
|
||||
password)) {
|
||||
char *name = talloc_strdup(talloc_tos(),
|
||||
member);
|
||||
SAFE_FREE(member_list);
|
||||
return name;
|
||||
}
|
||||
|
||||
DEBUG(10,("validate_group = member = %s\n",
|
||||
member));
|
||||
|
||||
member += strlen(member) + 1;
|
||||
}
|
||||
|
||||
SAFE_FREE(member_list);
|
||||
} else {
|
||||
endgrent();
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
return(NULL);
|
||||
}
|
||||
|
||||
/****************************************************************************
|
||||
Check for authority to login to a service with a given username/password.
|
||||
Note this is *NOT* used when logging on using sessionsetup_and_X.
|
||||
****************************************************************************/
|
||||
|
||||
bool authorise_login(struct smbd_server_connection *sconn,
|
||||
int snum, fstring user, DATA_BLOB password,
|
||||
bool *guest)
|
||||
{
|
||||
bool ok = False;
|
||||
struct auth_context *actx = sconn->smb1.negprot.auth_context;
|
||||
bool enc = sconn->smb1.negprot.encrypted_passwords;
|
||||
|
||||
#ifdef DEBUG_PASSWORD
|
||||
DEBUG(100,("authorise_login: checking authorisation on "
|
||||
"user=%s pass=%s\n", user,password.data));
|
||||
#endif
|
||||
|
||||
*guest = False;
|
||||
|
||||
/* there are several possibilities:
|
||||
1) login as the given user with given password
|
||||
2) login as a previously registered username with the given
|
||||
password
|
||||
3) login as a session list username with the given password
|
||||
4) login as a previously validated user/password pair
|
||||
5) login as the "user =" user with given password
|
||||
6) login as the "user =" user with no password
|
||||
(guest connection)
|
||||
7) login as guest user with no password
|
||||
|
||||
if the service is guest_only then steps 1 to 5 are skipped
|
||||
*/
|
||||
|
||||
/* now check the list of session users */
|
||||
if (!ok) {
|
||||
char *auser;
|
||||
char *user_list = NULL;
|
||||
char *saveptr;
|
||||
|
||||
if (sconn->smb1.sessions.session_userlist)
|
||||
user_list = SMB_STRDUP(sconn->smb1.sessions.session_userlist);
|
||||
else
|
||||
user_list = SMB_STRDUP("");
|
||||
|
||||
if (!user_list)
|
||||
return(False);
|
||||
|
||||
for (auser = strtok_r(user_list, LIST_SEP, &saveptr);
|
||||
!ok && auser;
|
||||
auser = strtok_r(NULL, LIST_SEP, &saveptr)) {
|
||||
fstring user2;
|
||||
fstrcpy(user2,auser);
|
||||
if (!user_ok(user2,snum))
|
||||
continue;
|
||||
|
||||
if (password_ok(actx, enc,
|
||||
get_session_workgroup(sconn),
|
||||
user2,
|
||||
sconn->remote_address,
|
||||
password)) {
|
||||
ok = True;
|
||||
strlcpy(user,user2,sizeof(fstring));
|
||||
DEBUG(3,("authorise_login: ACCEPTED: session "
|
||||
"list username (%s) and given "
|
||||
"password ok\n", user));
|
||||
}
|
||||
}
|
||||
|
||||
SAFE_FREE(user_list);
|
||||
}
|
||||
|
||||
/* check the user= fields and the given password */
|
||||
if (!ok && lp_username(snum)) {
|
||||
TALLOC_CTX *ctx = talloc_tos();
|
||||
char *auser;
|
||||
char *user_list = talloc_strdup(ctx, lp_username(snum));
|
||||
char *saveptr;
|
||||
|
||||
if (!user_list) {
|
||||
goto check_guest;
|
||||
}
|
||||
|
||||
user_list = talloc_string_sub(ctx,
|
||||
user_list,
|
||||
"%S",
|
||||
lp_servicename(snum));
|
||||
|
||||
if (!user_list) {
|
||||
goto check_guest;
|
||||
}
|
||||
|
||||
for (auser = strtok_r(user_list, LIST_SEP, &saveptr);
|
||||
auser && !ok;
|
||||
auser = strtok_r(NULL, LIST_SEP, &saveptr)) {
|
||||
if (*auser == '@') {
|
||||
auser = validate_group(sconn,auser+1,
|
||||
password,snum);
|
||||
if (auser) {
|
||||
ok = True;
|
||||
fstrcpy(user,auser);
|
||||
DEBUG(3,("authorise_login: ACCEPTED: "
|
||||
"group username and given "
|
||||
"password ok (%s)\n", user));
|
||||
}
|
||||
} else {
|
||||
fstring user2;
|
||||
fstrcpy(user2,auser);
|
||||
if (user_ok(user2,snum) &&
|
||||
password_ok(actx, enc,
|
||||
get_session_workgroup(sconn),
|
||||
user2,
|
||||
sconn->remote_address,
|
||||
password)) {
|
||||
ok = True;
|
||||
strlcpy(user,user2,sizeof(fstring));
|
||||
DEBUG(3,("authorise_login: ACCEPTED: "
|
||||
"user list username and "
|
||||
"given password ok (%s)\n",
|
||||
user));
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
check_guest:
|
||||
|
||||
/* check for a normal guest connection */
|
||||
if (!ok && GUEST_OK(snum)) {
|
||||
struct passwd *guest_pw;
|
||||
fstring guestname;
|
||||
fstrcpy(guestname,lp_guestaccount());
|
||||
guest_pw = Get_Pwnam_alloc(talloc_tos(), guestname);
|
||||
if (guest_pw != NULL) {
|
||||
strlcpy(user,guestname,sizeof(fstring));
|
||||
ok = True;
|
||||
DEBUG(3,("authorise_login: ACCEPTED: guest account "
|
||||
"and guest ok (%s)\n", user));
|
||||
} else {
|
||||
DEBUG(0,("authorise_login: Invalid guest account "
|
||||
"%s??\n",guestname));
|
||||
}
|
||||
TALLOC_FREE(guest_pw);
|
||||
*guest = True;
|
||||
}
|
||||
|
||||
if (ok && !user_ok(user, snum)) {
|
||||
DEBUG(0,("authorise_login: rejected invalid user %s\n",user));
|
||||
ok = False;
|
||||
}
|
||||
|
||||
return(ok);
|
||||
}
|
||||
|
@ -1364,8 +1364,7 @@ static connection_struct *switch_message(uint8 type, struct smb_request *req, in
|
||||
flags = smb_messages[type].flags;
|
||||
|
||||
/* In share mode security we must ignore the vuid. */
|
||||
session_tag = (lp_security() == SEC_SHARE)
|
||||
? UID_FIELD_INVALID : req->vuid;
|
||||
session_tag = req->vuid;
|
||||
conn = req->conn;
|
||||
|
||||
DEBUG(3,("switch message %s (pid %d) conn 0x%lx\n", smb_fn_name(type),
|
||||
@ -3257,10 +3256,6 @@ void smbd_process(struct tevent_context *ev_ctx,
|
||||
sconn->smb1.sessions.done_sesssetup = false;
|
||||
sconn->smb1.sessions.max_send = BUFFER_SIZE;
|
||||
sconn->smb1.sessions.last_session_tag = UID_FIELD_INVALID;
|
||||
/* users from session setup */
|
||||
sconn->smb1.sessions.session_userlist = NULL;
|
||||
/* workgroup from session setup. */
|
||||
sconn->smb1.sessions.session_workgroup = NULL;
|
||||
/* this holds info on user ids that are already validated for this VC */
|
||||
sconn->smb1.sessions.validated_users = NULL;
|
||||
sconn->smb1.sessions.next_vuid = VUID_OFFSET;
|
||||
|
@ -707,13 +707,6 @@ int register_existing_vuid(struct smbd_server_connection *sconn,
|
||||
uint16 vuid,
|
||||
struct auth_session_info *session_info,
|
||||
DATA_BLOB response_blob);
|
||||
void add_session_user(struct smbd_server_connection *sconn, const char *user);
|
||||
void add_session_workgroup(struct smbd_server_connection *sconn,
|
||||
const char *workgroup);
|
||||
const char *get_session_workgroup(struct smbd_server_connection *sconn);
|
||||
bool authorise_login(struct smbd_server_connection *sconn,
|
||||
int snum, fstring user, DATA_BLOB password,
|
||||
bool *guest);
|
||||
|
||||
/* The following definitions come from smbd/pipes.c */
|
||||
|
||||
@ -986,11 +979,10 @@ struct smbd_smb2_tcon;
|
||||
connection_struct *make_connection_smb2(struct smbd_server_connection *sconn,
|
||||
struct smbd_smb2_tcon *tcon,
|
||||
user_struct *vuser,
|
||||
DATA_BLOB password,
|
||||
const char *pdev,
|
||||
NTSTATUS *pstatus);
|
||||
connection_struct *make_connection(struct smbd_server_connection *sconn,
|
||||
const char *service_in, DATA_BLOB password,
|
||||
const char *service_in,
|
||||
const char *pdev, uint16 vuid,
|
||||
NTSTATUS *status);
|
||||
void close_cnum(connection_struct *conn, uint16 vuid);
|
||||
|
@ -599,13 +599,6 @@ void reply_special(struct smbd_server_connection *sconn, char *inbuf, size_t inb
|
||||
break;
|
||||
}
|
||||
|
||||
/* only add the client's machine name to the list
|
||||
of possibly valid usernames if we are operating
|
||||
in share mode security */
|
||||
if (lp_security() == SEC_SHARE) {
|
||||
add_session_user(sconn, get_remote_machine_name());
|
||||
}
|
||||
|
||||
reload_services(sconn, conn_snum_used, true);
|
||||
reopen_logs();
|
||||
|
||||
@ -656,7 +649,6 @@ void reply_tcon(struct smb_request *req)
|
||||
int pwlen=0;
|
||||
NTSTATUS nt_status;
|
||||
const char *p;
|
||||
DATA_BLOB password_blob;
|
||||
TALLOC_CTX *ctx = talloc_tos();
|
||||
struct smbd_server_connection *sconn = req->sconn;
|
||||
|
||||
@ -688,14 +680,10 @@ void reply_tcon(struct smb_request *req)
|
||||
service = service_buf;
|
||||
}
|
||||
|
||||
password_blob = data_blob(password, pwlen+1);
|
||||
|
||||
conn = make_connection(sconn,service,password_blob,dev,
|
||||
conn = make_connection(sconn,service,dev,
|
||||
req->vuid,&nt_status);
|
||||
req->conn = conn;
|
||||
|
||||
data_blob_clear_free(&password_blob);
|
||||
|
||||
if (!conn) {
|
||||
reply_nterror(req, nt_status);
|
||||
END_PROFILE(SMBtcon);
|
||||
@ -723,7 +711,6 @@ void reply_tcon_and_X(struct smb_request *req)
|
||||
{
|
||||
connection_struct *conn = req->conn;
|
||||
const char *service = NULL;
|
||||
DATA_BLOB password;
|
||||
TALLOC_CTX *ctx = talloc_tos();
|
||||
/* what the cleint thinks the device is */
|
||||
char *client_devicetype = NULL;
|
||||
@ -761,27 +748,14 @@ void reply_tcon_and_X(struct smb_request *req)
|
||||
}
|
||||
|
||||
if (sconn->smb1.negprot.encrypted_passwords) {
|
||||
password = data_blob_talloc(talloc_tos(), req->buf, passlen);
|
||||
if (lp_security() == SEC_SHARE) {
|
||||
/*
|
||||
* Security = share always has a pad byte
|
||||
* after the password.
|
||||
*/
|
||||
p = (const char *)req->buf + passlen + 1;
|
||||
} else {
|
||||
p = (const char *)req->buf + passlen;
|
||||
}
|
||||
p = (const char *)req->buf + passlen;
|
||||
} else {
|
||||
password = data_blob_talloc(talloc_tos(), req->buf, passlen+1);
|
||||
/* Ensure correct termination */
|
||||
password.data[passlen]=0;
|
||||
p = (const char *)req->buf + passlen + 1;
|
||||
}
|
||||
|
||||
p += srvstr_pull_req_talloc(ctx, req, &path, p, STR_TERMINATE);
|
||||
|
||||
if (path == NULL) {
|
||||
data_blob_clear_free(&password);
|
||||
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
|
||||
END_PROFILE(SMBtconX);
|
||||
return;
|
||||
@ -794,7 +768,6 @@ void reply_tcon_and_X(struct smb_request *req)
|
||||
if (*path=='\\') {
|
||||
q = strchr_m(path+2,'\\');
|
||||
if (!q) {
|
||||
data_blob_clear_free(&password);
|
||||
reply_nterror(req, NT_STATUS_BAD_NETWORK_NAME);
|
||||
END_PROFILE(SMBtconX);
|
||||
return;
|
||||
@ -809,7 +782,6 @@ void reply_tcon_and_X(struct smb_request *req)
|
||||
MIN(6, smbreq_bufrem(req, p)), STR_ASCII);
|
||||
|
||||
if (client_devicetype == NULL) {
|
||||
data_blob_clear_free(&password);
|
||||
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
|
||||
END_PROFILE(SMBtconX);
|
||||
return;
|
||||
@ -817,12 +789,10 @@ void reply_tcon_and_X(struct smb_request *req)
|
||||
|
||||
DEBUG(4,("Client requested device type [%s] for share [%s]\n", client_devicetype, service));
|
||||
|
||||
conn = make_connection(sconn, service, password, client_devicetype,
|
||||
conn = make_connection(sconn, service, client_devicetype,
|
||||
req->vuid, &nt_status);
|
||||
req->conn =conn;
|
||||
|
||||
data_blob_clear_free(&password);
|
||||
|
||||
if (!conn) {
|
||||
reply_nterror(req, nt_status);
|
||||
END_PROFILE(SMBtconX);
|
||||
@ -2117,7 +2087,7 @@ void reply_ulogoffX(struct smb_request *req)
|
||||
|
||||
/* in user level security we are supposed to close any files
|
||||
open by this user */
|
||||
if ((vuser != NULL) && (lp_security() != SEC_SHARE)) {
|
||||
if (vuser != NULL) {
|
||||
file_close_user(sconn, req->vuid);
|
||||
}
|
||||
|
||||
|
@ -381,7 +381,6 @@ static NTSTATUS find_forced_group(bool force_user,
|
||||
static NTSTATUS create_connection_session_info(struct smbd_server_connection *sconn,
|
||||
TALLOC_CTX *mem_ctx, int snum,
|
||||
struct auth_session_info *session_info,
|
||||
DATA_BLOB password,
|
||||
struct auth_session_info **presult)
|
||||
{
|
||||
if (lp_guest_only(snum)) {
|
||||
@ -425,29 +424,7 @@ static NTSTATUS create_connection_session_info(struct smbd_server_connection *sc
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
if (lp_security() == SEC_SHARE) {
|
||||
|
||||
fstring user;
|
||||
bool guest;
|
||||
|
||||
/* add the sharename as a possible user name if we
|
||||
are in share mode security */
|
||||
|
||||
add_session_user(sconn, lp_servicename(snum));
|
||||
|
||||
/* shall we let them in? */
|
||||
|
||||
if (!authorise_login(sconn, snum,user,password,&guest)) {
|
||||
DEBUG( 2, ( "Invalid username/password for [%s]\n",
|
||||
lp_servicename(snum)) );
|
||||
return NT_STATUS_WRONG_PASSWORD;
|
||||
}
|
||||
|
||||
return make_session_info_from_username(mem_ctx, user, guest,
|
||||
presult);
|
||||
}
|
||||
|
||||
DEBUG(0, ("invalid VUID (vuser) but not in security=share\n"));
|
||||
DEBUG(0, ("invalid VUID (vuser)\n"));
|
||||
return NT_STATUS_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
@ -557,7 +534,6 @@ static void create_share_access_mask(connection_struct *conn, int snum)
|
||||
static NTSTATUS make_connection_snum(struct smbd_server_connection *sconn,
|
||||
connection_struct *conn,
|
||||
int snum, user_struct *vuser,
|
||||
DATA_BLOB password,
|
||||
const char *pdev)
|
||||
{
|
||||
struct smb_filename *smb_fname_cpath = NULL;
|
||||
@ -582,7 +558,7 @@ static NTSTATUS make_connection_snum(struct smbd_server_connection *sconn,
|
||||
conn->params->service = snum;
|
||||
|
||||
status = create_connection_session_info(sconn,
|
||||
conn, snum, vuser ? vuser->session_info : NULL, password,
|
||||
conn, snum, vuser ? vuser->session_info : NULL,
|
||||
&conn->session_info);
|
||||
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
@ -591,12 +567,10 @@ static NTSTATUS make_connection_snum(struct smbd_server_connection *sconn,
|
||||
goto err_root_exit;
|
||||
}
|
||||
|
||||
if ((lp_guest_only(snum)) || (lp_security() == SEC_SHARE)) {
|
||||
if (lp_guest_only(snum)) {
|
||||
conn->force_user = true;
|
||||
}
|
||||
|
||||
add_session_user(sconn, conn->session_info->unix_info->unix_name);
|
||||
|
||||
conn->num_files_open = 0;
|
||||
conn->lastused = conn->lastused_count = time(NULL);
|
||||
conn->used = True;
|
||||
@ -630,7 +604,7 @@ static NTSTATUS make_connection_snum(struct smbd_server_connection *sconn,
|
||||
goto err_root_exit;
|
||||
}
|
||||
|
||||
conn->vuid = (vuser != NULL) ? vuser->vuid : UID_FIELD_INVALID;
|
||||
conn->vuid = vuser->vuid;
|
||||
|
||||
{
|
||||
char *s = talloc_sub_advanced(talloc_tos(),
|
||||
@ -930,7 +904,6 @@ static NTSTATUS make_connection_snum(struct smbd_server_connection *sconn,
|
||||
|
||||
static connection_struct *make_connection_smb1(struct smbd_server_connection *sconn,
|
||||
int snum, user_struct *vuser,
|
||||
DATA_BLOB password,
|
||||
const char *pdev,
|
||||
NTSTATUS *pstatus)
|
||||
{
|
||||
@ -944,7 +917,6 @@ static connection_struct *make_connection_smb1(struct smbd_server_connection *sc
|
||||
conn,
|
||||
snum,
|
||||
vuser,
|
||||
password,
|
||||
pdev);
|
||||
if (!NT_STATUS_IS_OK(*pstatus)) {
|
||||
conn_free(conn);
|
||||
@ -961,7 +933,6 @@ static connection_struct *make_connection_smb1(struct smbd_server_connection *sc
|
||||
connection_struct *make_connection_smb2(struct smbd_server_connection *sconn,
|
||||
struct smbd_smb2_tcon *tcon,
|
||||
user_struct *vuser,
|
||||
DATA_BLOB password,
|
||||
const char *pdev,
|
||||
NTSTATUS *pstatus)
|
||||
{
|
||||
@ -976,7 +947,6 @@ connection_struct *make_connection_smb2(struct smbd_server_connection *sconn,
|
||||
conn,
|
||||
tcon->snum,
|
||||
vuser,
|
||||
password,
|
||||
pdev);
|
||||
if (!NT_STATUS_IS_OK(*pstatus)) {
|
||||
conn_free(conn);
|
||||
@ -992,7 +962,7 @@ connection_struct *make_connection_smb2(struct smbd_server_connection *sconn,
|
||||
****************************************************************************/
|
||||
|
||||
connection_struct *make_connection(struct smbd_server_connection *sconn,
|
||||
const char *service_in, DATA_BLOB password,
|
||||
const char *service_in,
|
||||
const char *pdev, uint16 vuid,
|
||||
NTSTATUS *status)
|
||||
{
|
||||
@ -1017,14 +987,12 @@ connection_struct *make_connection(struct smbd_server_connection *sconn,
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if(lp_security() != SEC_SHARE) {
|
||||
vuser = get_valid_user_struct(sconn, vuid);
|
||||
if (!vuser) {
|
||||
DEBUG(1,("make_connection: refusing to connect with "
|
||||
"no session setup\n"));
|
||||
*status = NT_STATUS_ACCESS_DENIED;
|
||||
return NULL;
|
||||
}
|
||||
vuser = get_valid_user_struct(sconn, vuid);
|
||||
if (!vuser) {
|
||||
DEBUG(1,("make_connection: refusing to connect with "
|
||||
"no session setup\n"));
|
||||
*status = NT_STATUS_ACCESS_DENIED;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/* Logic to try and connect to the correct [homes] share, preferably
|
||||
@ -1037,57 +1005,28 @@ connection_struct *make_connection(struct smbd_server_connection *sconn,
|
||||
*/
|
||||
|
||||
if (strequal(service_in,HOMES_NAME)) {
|
||||
if(lp_security() != SEC_SHARE) {
|
||||
DATA_BLOB no_pw = data_blob_null;
|
||||
if (vuser->homes_snum == -1) {
|
||||
DEBUG(2, ("[homes] share not available for "
|
||||
"this user because it was not found "
|
||||
"or created at session setup "
|
||||
"time\n"));
|
||||
*status = NT_STATUS_BAD_NETWORK_NAME;
|
||||
return NULL;
|
||||
}
|
||||
DEBUG(5, ("making a connection to [homes] service "
|
||||
"created at session setup time\n"));
|
||||
return make_connection_smb1(sconn,
|
||||
vuser->homes_snum,
|
||||
vuser, no_pw,
|
||||
dev, status);
|
||||
} else {
|
||||
/* Security = share. Try with
|
||||
* current_user_info.smb_name as the username. */
|
||||
if (*current_user_info.smb_name) {
|
||||
char *unix_username = NULL;
|
||||
(void)map_username(talloc_tos(),
|
||||
current_user_info.smb_name,
|
||||
&unix_username);
|
||||
snum = find_service(talloc_tos(),
|
||||
unix_username,
|
||||
&unix_username);
|
||||
if (!unix_username) {
|
||||
*status = NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
if (snum != -1) {
|
||||
DEBUG(5, ("making a connection to 'homes' "
|
||||
"service %s based on "
|
||||
"security=share\n", service_in));
|
||||
return make_connection_smb1(sconn,
|
||||
snum, NULL,
|
||||
password,
|
||||
dev, status);
|
||||
}
|
||||
if (vuser->homes_snum == -1) {
|
||||
DEBUG(2, ("[homes] share not available for "
|
||||
"this user because it was not found "
|
||||
"or created at session setup "
|
||||
"time\n"));
|
||||
*status = NT_STATUS_BAD_NETWORK_NAME;
|
||||
return NULL;
|
||||
}
|
||||
} else if ((lp_security() != SEC_SHARE) && (vuser->homes_snum != -1)
|
||||
DEBUG(5, ("making a connection to [homes] service "
|
||||
"created at session setup time\n"));
|
||||
return make_connection_smb1(sconn,
|
||||
vuser->homes_snum,
|
||||
vuser,
|
||||
dev, status);
|
||||
} else if ((vuser->homes_snum != -1)
|
||||
&& strequal(service_in,
|
||||
lp_servicename(vuser->homes_snum))) {
|
||||
DATA_BLOB no_pw = data_blob_null;
|
||||
DEBUG(5, ("making a connection to 'homes' service [%s] "
|
||||
"created at session setup time\n", service_in));
|
||||
return make_connection_smb1(sconn,
|
||||
vuser->homes_snum,
|
||||
vuser, no_pw,
|
||||
vuser,
|
||||
dev, status);
|
||||
}
|
||||
|
||||
@ -1134,7 +1073,6 @@ connection_struct *make_connection(struct smbd_server_connection *sconn,
|
||||
DEBUG(5, ("making a connection to 'normal' service %s\n", service));
|
||||
|
||||
return make_connection_smb1(sconn, snum, vuser,
|
||||
password,
|
||||
dev, status);
|
||||
}
|
||||
|
||||
|
@ -561,11 +561,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
|
||||
if (doencrypt) {
|
||||
lm_resp = data_blob(p, passlen1);
|
||||
nt_resp = data_blob(p+passlen1, passlen2);
|
||||
} else if (lp_security() != SEC_SHARE) {
|
||||
/*
|
||||
* In share level we should ignore any passwords, so
|
||||
* only read them if we're not.
|
||||
*/
|
||||
} else {
|
||||
char *pass = NULL;
|
||||
bool unic= smb_flag2 & FLAGS2_UNICODE_STRINGS;
|
||||
|
||||
@ -673,27 +669,6 @@ void reply_sesssetup_and_X(struct smb_request *req)
|
||||
|
||||
reload_services(sconn, conn_snum_used, true);
|
||||
|
||||
if (lp_security() == SEC_SHARE) {
|
||||
char *sub_user_mapped = NULL;
|
||||
/* In share level we should ignore any passwords */
|
||||
|
||||
data_blob_free(&lm_resp);
|
||||
data_blob_free(&nt_resp);
|
||||
data_blob_clear_free(&plaintext_password);
|
||||
|
||||
(void)map_username(talloc_tos(), sub_user, &sub_user_mapped);
|
||||
if (!sub_user_mapped) {
|
||||
reply_nterror(req, NT_STATUS_NO_MEMORY);
|
||||
END_PROFILE(SMBsesssetupX);
|
||||
return;
|
||||
}
|
||||
fstrcpy(sub_user, sub_user_mapped);
|
||||
add_session_user(sconn, sub_user);
|
||||
add_session_workgroup(sconn, domain);
|
||||
/* Then force it to null for the benfit of the code below */
|
||||
user = "";
|
||||
}
|
||||
|
||||
if (!*user) {
|
||||
|
||||
nt_status = check_guest_password(sconn->remote_address, &server_info);
|
||||
@ -796,36 +771,31 @@ void reply_sesssetup_and_X(struct smb_request *req)
|
||||
/* register the name and uid as being validated, so further connections
|
||||
to a uid can get through without a password, on the same VC */
|
||||
|
||||
if (lp_security() == SEC_SHARE) {
|
||||
sess_vuid = UID_FIELD_INVALID;
|
||||
TALLOC_FREE(session_info);
|
||||
} else {
|
||||
/* Ignore the initial vuid. */
|
||||
sess_vuid = register_initial_vuid(sconn);
|
||||
if (sess_vuid == UID_FIELD_INVALID) {
|
||||
data_blob_free(&nt_resp);
|
||||
data_blob_free(&lm_resp);
|
||||
reply_nterror(req, nt_status_squash(
|
||||
NT_STATUS_LOGON_FAILURE));
|
||||
END_PROFILE(SMBsesssetupX);
|
||||
return;
|
||||
}
|
||||
/* register_existing_vuid keeps the session_info */
|
||||
sess_vuid = register_existing_vuid(sconn, sess_vuid,
|
||||
session_info,
|
||||
nt_resp.data ? nt_resp : lm_resp);
|
||||
if (sess_vuid == UID_FIELD_INVALID) {
|
||||
data_blob_free(&nt_resp);
|
||||
data_blob_free(&lm_resp);
|
||||
reply_nterror(req, nt_status_squash(
|
||||
NT_STATUS_LOGON_FAILURE));
|
||||
END_PROFILE(SMBsesssetupX);
|
||||
return;
|
||||
}
|
||||
|
||||
/* current_user_info is changed on new vuid */
|
||||
reload_services(sconn, conn_snum_used, true);
|
||||
/* Ignore the initial vuid. */
|
||||
sess_vuid = register_initial_vuid(sconn);
|
||||
if (sess_vuid == UID_FIELD_INVALID) {
|
||||
data_blob_free(&nt_resp);
|
||||
data_blob_free(&lm_resp);
|
||||
reply_nterror(req, nt_status_squash(
|
||||
NT_STATUS_LOGON_FAILURE));
|
||||
END_PROFILE(SMBsesssetupX);
|
||||
return;
|
||||
}
|
||||
/* register_existing_vuid keeps the session_info */
|
||||
sess_vuid = register_existing_vuid(sconn, sess_vuid,
|
||||
session_info,
|
||||
nt_resp.data ? nt_resp : lm_resp);
|
||||
if (sess_vuid == UID_FIELD_INVALID) {
|
||||
data_blob_free(&nt_resp);
|
||||
data_blob_free(&lm_resp);
|
||||
reply_nterror(req, nt_status_squash(
|
||||
NT_STATUS_LOGON_FAILURE));
|
||||
END_PROFILE(SMBsesssetupX);
|
||||
return;
|
||||
}
|
||||
|
||||
/* current_user_info is changed on new vuid */
|
||||
reload_services(sconn, conn_snum_used, true);
|
||||
|
||||
data_blob_free(&nt_resp);
|
||||
data_blob_free(&lm_resp);
|
||||
|
@ -232,7 +232,7 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
|
||||
compat_conn = make_connection_smb2(req->sconn,
|
||||
tcon,
|
||||
req->session->compat_vuser,
|
||||
data_blob_null, "???",
|
||||
"???",
|
||||
&status);
|
||||
if (compat_conn == NULL) {
|
||||
TALLOC_FREE(tcon);
|
||||
|
@ -288,19 +288,7 @@ bool change_to_user(connection_struct *conn, uint16_t vuid)
|
||||
|
||||
vuser = get_valid_user_struct(conn->sconn, vuid);
|
||||
|
||||
/*
|
||||
* We need a separate check in security=share mode due to vuid
|
||||
* always being UID_FIELD_INVALID. If we don't do this then
|
||||
* in share mode security we are *always* changing uid's between
|
||||
* SMB's - this hurts performance - Badly.
|
||||
*/
|
||||
|
||||
if((lp_security() == SEC_SHARE) && (current_user.conn == conn) &&
|
||||
(current_user.ut.uid == conn->session_info->unix_token->uid)) {
|
||||
DEBUG(4,("Skipping user change - already "
|
||||
"user\n"));
|
||||
return(True);
|
||||
} else if ((current_user.conn == conn) &&
|
||||
if ((current_user.conn == conn) &&
|
||||
(vuser != NULL) && (current_user.vuid == vuid) &&
|
||||
(current_user.ut.uid == vuser->session_info->unix_token->uid)) {
|
||||
DEBUG(4,("Skipping user change - already "
|
||||
@ -308,16 +296,15 @@ bool change_to_user(connection_struct *conn, uint16_t vuid)
|
||||
return(True);
|
||||
}
|
||||
|
||||
session_info = vuser ? vuser->session_info : conn->session_info;
|
||||
|
||||
if (session_info == NULL) {
|
||||
/* Invalid vuid sent - even with security = share. */
|
||||
if (vuser == NULL) {
|
||||
/* Invalid vuid sent */
|
||||
DEBUG(2,("Invalid vuid %d used on "
|
||||
"share %s.\n", vuid, lp_servicename(snum) ));
|
||||
return false;
|
||||
}
|
||||
|
||||
/* security = share sets force_user. */
|
||||
session_info = vuser->session_info;
|
||||
|
||||
if (!conn->force_user && vuser == NULL) {
|
||||
DEBUG(2,("Invalid vuid used %d in accessing "
|
||||
"share %s.\n", vuid, lp_servicename(snum) ));
|
||||
|
@ -418,10 +418,6 @@ static int traverse_sessionid(const char *key, struct sessionid *session,
|
||||
d_printf("\nSamba version %s\n",samba_version_string());
|
||||
d_printf("PID Username Group Machine \n");
|
||||
d_printf("-------------------------------------------------------------------\n");
|
||||
if (lp_security() == SEC_SHARE) {
|
||||
d_printf(" <processes do not show up in "
|
||||
"anonymous mode>\n");
|
||||
}
|
||||
|
||||
sessionid_traverse_read(traverse_sessionid, NULL);
|
||||
|
||||
|
@ -237,15 +237,6 @@ static bool test_server_role_security_domain(struct torture_context *tctx)
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool test_server_role_security_share(struct torture_context *tctx)
|
||||
{
|
||||
struct loadparm_context *lp_ctx = loadparm_init(tctx);
|
||||
torture_assert(tctx, lpcfg_set_option(lp_ctx, "security=share"), "lpcfg_set_option failed");
|
||||
torture_assert_int_equal(tctx, lpcfg_server_role(lp_ctx), ROLE_STANDALONE, "ROLE should be STANDALONE");
|
||||
torture_assert_int_equal(tctx, lpcfg_security(lp_ctx), SEC_SHARE, "security should be share");
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool test_server_role_security_server(struct torture_context *tctx)
|
||||
{
|
||||
struct loadparm_context *lp_ctx = loadparm_init(tctx);
|
||||
@ -282,7 +273,6 @@ struct torture_suite *torture_local_loadparm(TALLOC_CTX *mem_ctx)
|
||||
torture_suite_add_simple_test(suite, "test_server_role_dc_domain_logons_and_not_master", test_server_role_dc_domain_logons_and_not_master);
|
||||
torture_suite_add_simple_test(suite, "test_server_role_security_ads", test_server_role_security_ads);
|
||||
torture_suite_add_simple_test(suite, "test_server_role_security_domain", test_server_role_security_domain);
|
||||
torture_suite_add_simple_test(suite, "test_server_role_security_share", test_server_role_security_share);
|
||||
torture_suite_add_simple_test(suite, "test_server_role_security_server", test_server_role_security_server);
|
||||
|
||||
return suite;
|
||||
|
Loading…
Reference in New Issue
Block a user