1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Commit Graph

707 Commits

Author SHA1 Message Date
Gary Lockyer
dfa341c1eb smb.conf: Add dsdb group change notification parameter
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-16 04:07:16 +02:00
Gary Lockyer
5d068123f1 smb conf: Add DSDB event notification parameter
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-16 04:07:16 +02:00
Gary Lockyer
2ba55f81a9 logging: add ldb audit classes
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-16 04:07:16 +02:00
Jeremy Allison
506c520503 smbd: fileserver: Change defaults to work with EA support out of the box.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue May 15 12:40:48 CEST 2018 on sn-devel-144
2018-05-15 12:40:48 +02:00
Andrew Bartlett
6fda57d309 build: Make --with-json-audit the default
Thanks to Rowland for a clear description of the behaviour for the smb.conf manpage.

This means that those not wanting to link to libarchive will just need to
build --without-json-audit.

In general, we prefer that optional libraries be required by default
so that they are not accidentially missed, particularly in packages.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-05-15 03:36:08 +02:00
Mathieu Parent
fe53f0b3d6 Fix spelling s/allows to/allows one to/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2018-05-12 02:09:25 +02:00
Ralph Boehme
66052fdccd s3:smbd: don't use the directory cache for SMB2/3
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13363

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Mar 30 03:51:48 CEST 2018 on sn-devel-144
2018-03-30 03:51:48 +02:00
Jeremy Allison
fc922bd29b s3: docs: Add documentation for "smb2" and "smb2_credits" debug classes.
https://bugzilla.samba.org/show_bug.cgi?id=13347

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
2018-03-22 02:15:13 +01:00
Ralph Boehme
84f07a8dcb s3/smbd: fix handling of delete-on-close on directories
This implements a check to test the delete-on-close flag of a directory
for requests to create files in this directory.

Windows server implement this check, Samba doesn't as it has performance
implications.

This commit implements the check and a new option to control it. By
default the check is skipped, setting "check parent directory delete on
close = yes" enables it.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Feb  3 23:42:16 CET 2018 on sn-devel-144
2018-02-03 23:42:16 +01:00
David Mulder
c90cf067e6 gpo: Correct documentation
The doc still contains a reference to env var
policy (which isn't present in this release).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13223

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-01 03:20:26 +01:00
Garming Sam
0eec2b6e04 docs: Remove reference to environment variables for now
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Jan 14 03:08:01 CET 2018 on sn-devel-144
2018-01-14 03:08:01 +01:00
David Mulder
2ca73cba53 gpo: Add the winbind call to gpupdate
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-13 22:38:05 +01:00
Stefan Metzmacher
b4e1e3019a winbindd: add "winbind scan trusted domains = no" to avoid trust enumeration
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:08 +01:00
Björn Jacke
98ba88a7e4 params: mark "ldap ssl ads" as deprecated
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-01-13 08:24:08 +01:00
Björn Jacke
a79df4e7ce params: mark "unicode" parameter as deprecated
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-01-13 08:24:08 +01:00
Stefan Metzmacher
0341e83d40 docs-xml: deprecate "server schannel" and change the default to "yes"
No client should use the old protocol without DCERPC level integrity/privacy,
but Maybe there're some lagacy OEM file servers, which require this.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-10 01:01:24 +01:00
Stefan Metzmacher
c7acae9043 docs-xml: deprecate "client schannel" and change the default to "yes"
This is already the default, because "require strong key = yes" is
the default.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-10 01:01:24 +01:00
Stefan Metzmacher
cb5e19271d docs-xml: remove deprecated 'use spnego" option
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-10 01:01:24 +01:00
Stefan Metzmacher
c4659908ab docs-xml: remove deprecated of 'winbind trusted domains only' option
This parameter is already deprecated in favor of the newer idmap_nss backend.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-10 01:01:24 +01:00
Bjoern Jacke
5621139fca doc: document wins server's smb.conf parameters
this is from the WINS server, which was released earlier as samba4wins.

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2018-01-08 03:34:18 +01:00
Stefan Metzmacher
19ba1b7503 docs-xml: remove deprecated 'profile acls' option
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-12-13 20:34:24 +01:00
Stefan Metzmacher
e2a052b3bb docs-xml: remove unused "auth methods" option
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-13 20:34:24 +01:00
Stefan Metzmacher
443984b829 docs-xml: remove unused "map untrusted to domain" option
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-13 20:34:23 +01:00
Bjoern Jacke
fc5bdac501 doc: move wins related man page to wins subdir
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-13 20:34:23 +01:00
Volker Lendecke
35eb4962a0 smbd: Enable async I/O by default
We've had this code in for long enough that we should enable it by default.
Modern clients do overlapping I/O, we should utilize that if possible.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-12-12 20:37:08 +01:00
Kevin Anderson
18307f8711 Add mdns name configuration option
Add the mdns name configuration variable to control the mdns hostname.
The default is to use the NETBIOS name of the system to match previous
versions which is typically the hostname in all capitals. A value of mdns
can be provided to defer the hostname to the mdns library.

With the recent patch to support time machine being merged this patch
allows for a user to configure the server name that is advertised to
be lower cased through Avahi advertisements.

Signed-off-by: Kevin Anderson <andersonkw2@gmail.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-12-08 22:58:17 +01:00
Timur I. Bakeyev
e9e4cd4d2b Fix typo in the "wide links" description for the getwd cache.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12934

Signed-off-by: Timur I. Bakeyev <timur@iXsystems.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-11-29 12:52:28 +01:00
Volker Lendecke
8212c34ae4 docs: Fix the "aio r/w size" smb.conf entries
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Nov 21 15:45:20 CET 2017 on sn-devel-144
2017-11-21 15:45:20 +01:00
Garming Sam
5662e49b49 gpo: Create the gpo update service
Split from "Initial commit for GPO work done by Luke Morrison" by David Mulder

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Luke Morrison <luke@hubtrek.com>
Signed-off-by: David Mulder <dmulder@suse.com>

Then adapted to current master

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:14 +01:00
Gary Lockyer
123042c2e3 source4/smbd: add a prefork process model.
Add a pre fork process model to bound the number processes forked by
samba.  Currently workers are only pre-forked for the ldap server,  all
the other services have pre-fork support disabled.

When pre-fork support is disabled a new process is started for each
service, and requests are processed by that process.

This commit partially reverts commit
b5be45c453.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-10-19 05:33:10 +02:00
Christof Schmitt
267cd25290 Removed unused 'oplock contention limit' config parameter
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-10-19 00:55:24 +02:00
Noel Power
2c50bdfed0 docs: Improve wording around 'winbind expand groups' param
Signed-off-by: Noel Power <noel.power@suse.com>

Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jim McDonough <jmcd@samba.org>

Autobuild-User(master): Jim McDonough <jmcd@samba.org>
Autobuild-Date(master): Fri Sep 29 22:37:08 CEST 2017 on sn-devel-144
2017-09-29 22:37:08 +02:00
Justin Maggard via samba-technical
0ac94ad963 smb.conf: Update multi-channel warning text
Since Samba 4.4.x is going EOL soon, update the server multi channel
support warning text to reflect the fact that it's still experimental in
4.7, and it won't be getting fixed in a future 4.4.x version.

Signed-off-by: Justin Maggard <jmaggard@netgear.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-27 22:11:11 +02:00
Yvan Masson
15d14d6126 docs/ntvfshandler: remove duplicate value
The "posix" value of option "ntvfs handler" was written two times. This commit
deletes the first occurrence so that the default value is the first seen by
reader.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13053

Signed-off-by: Yvan Masson <yvan@masson-informatique.fr>
Reviewed-by:  Marc Muehlfeld <mmuehlfeld@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Sep 27 18:44:45 CEST 2017 on sn-devel-144
2017-09-27 18:44:44 +02:00
Andreas Schneider
4c9608fb27 param: Add 'binddns dir' parameter
This allows to us to have restricted access to the directory by the group
'named' which bind is a member of.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
2017-09-05 23:58:20 +02:00
Andrew Bartlett
9d4a9bd3cc smb.conf: Explain that "ntlm auth" is a per-passdb setting
This parameter has always applied to this passdb only, not to domain
authentication.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12929
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-07-24 14:50:11 +02:00
Andrew Bartlett
fca8536a82 samr: Disable NTLM-based password changes on the server if NTLM is disabled
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-04 06:57:21 +02:00
Andrew Bartlett
00db3aba6c param: Add new "disabled" value to "ntlm auth" to disable NTLM totally
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-04 06:57:20 +02:00
Andrew Bartlett
d0d266bbf7 param: Disable LanMan authentication unless NTLMv1 is also enabled
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
2017-07-04 06:57:20 +02:00
Andrew Bartlett
d139d77ae3 auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and re-factor 'ntlm auth ='
The ntlm auth parameter is expanded to more clearly describe the
role of each option, and to allow the new mode that permits MSCHAPv2
(as declared by the client over the NETLOGON protocol) while
still banning NTLMv1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Based on a patch by Mantas Mikulėnas <mantas@utenos-kolegija.lt>:

Commit 0b500d413c ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth")
added the --allow-mschapv2 option, but didn't implement checking for it
server-side. This implements such checking.

Additionally, Samba now disables NTLMv1 authentication by default for
security reasons. To avoid having to re-enable it globally, 'ntlm auth'
becomes an enum and a new setting is added to allow only MSCHAPv2.

Signed-off-by: Mantas Mikulėnas <mantas@utenos-kolegija.lt>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-04 06:57:20 +02:00
Andrew Bartlett
daeb74aed8 debug: new debug class for kerberos
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-30 02:12:22 +02:00
Stefan Metzmacher
1199907cbe param: change the effective default for "client max protocol" to the latest supported protocol
Currently it's SMB3_11.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-27 16:57:48 +02:00
Stefan Metzmacher
bcd558eb50 docs-xml: change the default for "map untrusted to domain" to "auto"
This makes the behaviour much more robust, particularly with forest child
domains over one-way forest trusts.

Sadly we don't support this kind of setup with our current ADDC, so
there's no way to have automated tests for this behaviour, but
at least we know it doesn't break any existing tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-16 03:21:29 +02:00
Stefan Metzmacher
b6e2ddaee1 docs-xml: document "map untrusted to domain = auto"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-16 03:21:29 +02:00
Stefan Metzmacher
ab36c1d152 docs-xml: improve documentation of "map untrusted to domain"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-16 03:21:29 +02:00
Volker Lendecke
26932271a8 smbd: Claim version in g_lock
Protect smbd against version incompatibilities in a cluster.

At first startup smbd locks "samba_version_string" and writes its version
string. It then downgrades the lock to a read lock. Subsequent smbds check
against the version string and also keep the read lock around. If the version
does not match, we try to write our own version. But as there's a read lock,
the lock upgrade to write lock will fail due the read lock being around. So as
long as there's one smbd with this read lock, no other version of smbd will be
able to start.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-15 13:19:15 +02:00
Stefan Metzmacher
c6bc00f1da docs-xml/smbdotconf: deprecated "profile acls"
This doesn't work anymore with modern clients,
and there're better ways to support profiles on a share.

Typically something like this seems to work:

[winprofiles]
  comment = Users profiles New
  path = /data/winprofiles/
  browseable = No
  read only = No
  csc policy = disable
  store dos attributes = yes
  vfs objects = acl_xattr

With chmod 1777 on /data/winprofiles/

In order to work around some locking problems, see
https://bugzilla.samba.org/show_bug.cgi?id=12833

It's also useful to something like this in the global
section in order to detect disconnects reliable:

  socket options = TCP_KEEPCNT=5 TCP_KEEPIDLE=30 TCP_KEEPINTVL=1

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-13 18:38:14 +02:00
Andreas Schneider
986b983904 Revert "param: Add 'mit kdc config' option to smb.conf"
This reverts commit eaaf5ce66e.

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 26 15:28:40 CEST 2017 on sn-devel-144
2017-05-26 15:28:40 +02:00
Gary Lockyer
79f027a610 docs: configuration options for extra password hashes
Add the configuration options for the generation and storage of crypt()
based sha256 and sha512 password hashes in supplementalCredentials

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Andreas Schneider
eaaf5ce66e param: Add 'mit kdc config' option to smb.conf
This points to the kdc config file created by Samba by default.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:09 +02:00