1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

215 Commits

Author SHA1 Message Date
Andreas Schneider
1cd233712e lib:param: Add 'client use kerberos' config parameter
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-04-28 03:43:34 +00:00
Andreas Schneider
9fb88e6ee7 docs-xml: Use 'desired' and 'required' for option 'client ipc signing'
For a better user experience we use disabled, desired, required
everywhere now. The arguments auto and mandatory are still working and
synonyms.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-04-28 03:43:34 +00:00
Andreas Schneider
293a941fc0 docs-xml: Use 'desired' and 'required' for option 'client signing'
For a better user experience we use disabled, desired, required
everywhere now. The arguments auto and mandatory are still working and
synonyms.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-04-28 03:43:34 +00:00
Andreas Schneider
a72bc3e15d docs-xml: Update documentation for removal of NIS support
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-04-22 17:57:30 +00:00
Björn Baumbach
577d4f1a60 docs:smbdotconf: fix a typo in oldpasswordallowedperiod.xml
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-12-17 13:59:37 +00:00
Stefan Metzmacher
d1790a0b5a CVE-2020-1472(ZeroLogon): docs-xml: document 'server require schannel:COMPUTERACCOUNT'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-09-18 12:48:39 +00:00
Andreas Schneider
5a733c3c1b docs-xml: Add 'client smb encrypt'
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:40 +00:00
Andreas Schneider
f03bb8ad8a param: Create and use enum_smb_encryption_vals
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:40 +00:00
Andreas Schneider
bd5a888746 param: Add 'server smb encrypt' parameter
And this also makes 'smb encrypt' a synonym of that.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:40 +00:00
Andrew Bartlett
8c9d9441ed docs: deprecate "raw NTLMv2 auth"
This parameter is appicable only to SMBv1 and we are deprecating SMBv1 specific
authentication options for possible removal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-18 00:10:40 +00:00
Andrew Bartlett
37583b19d2 docs: deprecate "client plaintext auth"
This parameter is appicable only to SMBv1 and we are deprecating SMBv1 specific
authentication options for possible removal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-18 00:10:40 +00:00
Andrew Bartlett
5543c11c8b docs: deprecate "client NTLMv2 auth"
This parameter is appicable only to SMBv1 and we are deprecating SMBv1 specific
authentication options for possible removal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-18 00:10:40 +00:00
Andrew Bartlett
ac8e5ea22d docs: deprecate "client lanman auth"
This parameter is appicable only to SMBv1 and we are deprecating SMBv1 specific
authentication options for possible removal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-18 00:10:40 +00:00
Andreas Schneider
d308650145 tls: Use NORMAL:-VERS-SSL3.0 as the default configuration
This seems to be really broken in GnuTLS and the documentation is also
not correct.

This partially reverts 53e3a959b9

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14408

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jul  1 14:56:33 UTC 2020 on sn-devel-184
2020-07-01 14:56:33 +00:00
Andreas Schneider
53e3a959b9 s3:lib:tls: Use better priority lists for modern GnuTLS
We should use the default priority list. That is a good practice,
because TLS protocol hardening and phasing out of legacy algorithms,
is easier to co-ordinate when happens at a single place. See crypto
policies of Fedora.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14408

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jun 17 17:42:02 UTC 2020 on sn-devel-184
2020-06-17 17:42:02 +00:00
Ralph Boehme
24905ba82d docs-xml: remove explicit "constant"
The constant mark applied to types "string" and "ustring". The previous patches
in this patchset already markes all string options as either constant or
substituted, but it's still possible to add options or change existing ones to
be neither constant nor substituted.

In order to enforce strings to be either constant or substitued, remove the
explicit constant marker. Instead, any option that is not marked as substituted
is implicitly made constant.

This patch doesn't change behaviour and all generated files are the same before
and after this change.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:37 +00:00
Ralph Boehme
ad2c824b1f docs-xml: remove SWAT specific flags
Most of the SWAT stuff was removed in 4a6a010e78,
somehow these two crept back in afterwards.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:37 +00:00
Ralph Boehme
b635c445ad smbdotconf: mark "username map script" with substitution="1"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:36 +00:00
Ralph Boehme
3c68114e73 smbdotconf: mark "username map" with substitution="1"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:36 +00:00
Ralph Boehme
8077804c36 smbdotconf: mark "root directory" with substitution="1"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:36 +00:00
Ralph Boehme
1439c19cee smbdotconf: mark "rename user script" with substitution="1"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:36 +00:00
Ralph Boehme
1743ff48ba smbdotconf: mark "passwd program" with substitution="1"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:35 +00:00
Ralph Boehme
4551dd2784 smbdotconf: mark "passwd chat" with substitution="1"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:35 +00:00
Ralph Boehme
e46ea02939 smbdotconf: mark "log nt token command" with substitution="1"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:35 +00:00
Ralph Boehme
12e97ee3e8 smbdotconf: mark "check password script" with substitution="1"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:34 +00:00
Ralph Boehme
78593e2f00 smbdotconf: mark "force user" with substitution="1"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:33 +00:00
Ralph Boehme
2cf62e85e5 smbdotconf: mark "force group" with substitution="1"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:33 +00:00
Andrew Bartlett
1006f7abe8 docs: Deprecate "lanman auth = yes"
This feature is only available for SMB1 and we need to warn users that this
is going away soon, and allow the removal in a future release under our rules
for parameter deprecation.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Sep  5 04:04:18 UTC 2019 on sn-devel-184
2019-09-05 04:04:17 +00:00
Andrew Bartlett
8d0d99a4d7 docs: Deprecate "encrypt passwords = no"
This feature is only available for SMB1 and we need to warn users that this
is going away soon, and allow the removal in a future release under our rules
for parameter deprecation.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2019-09-05 02:45:28 +00:00
Mathieu Parent
a24de32556 Spelling fixes s/permited/permitted/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-09-01 22:21:28 +00:00
Mathieu Parent
a03bafbcd5 Spelling fixes s/overriden/overridden/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-09-01 22:21:26 +00:00
Björn Baumbach
7f70e216fc docs: fix typo in "ntlm auth" doc in smb.conf man page
Thanks to Amit Kumar <amitkuma@redhat.com>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13784

Signed-off-by: Björn Baumbach <bb@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Björn Baumbach <bb@sernet.de>
Autobuild-Date(master): Thu Jun 20 17:14:50 UTC 2019 on sn-devel-184
2019-06-20 17:14:50 +00:00
Andrew Bartlett
dbf3e81f7f docs: Improve documentation of "lanman auth" and "ntlm auth" connection
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13981

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2019-06-04 22:13:07 +00:00
Juergen Hoetzel
9a1df272f6 docs: Fix typo
Signed-off-by: Juergen Hoetzel <juergen@archlinux.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-05-19 17:34:20 +00:00
Stefan Metzmacher
2e8daeb2bb docs-xml/smbdotconf: document export of SAMBA_CPS_{ACCOUNT,USER_PRINCIPAL,FULL}_NAME for check password script
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Feb 11 11:03:58 CET 2019 on sn-devel-144
2019-02-11 11:03:58 +01:00
Aurelien Aptel
0732499f23 docs-xml: add "debug encryption" global parm
Add debug option to dump in the log the session id & keys in smbd and
libsmb-based code for offline decryption.

Wireshark can make use of this to decrypt encrypted traffic.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Noel Power <npower@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2019-02-09 18:30:14 +01:00
Andreas Schneider
3e25d4d55f docs-xml: Update documentation for 'restrict anonymous' option
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Rowland Penny <rpenny@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2019-02-07 17:23:18 +01:00
David Disseldorp
3796bb0048 Revert "s3/service: convert lp_force_group() to const"
This reverts commit c53646bccd.
As mentioned by Andrew, we shouldn't break environments where
"force group" has been configured to use substituted variables.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jul 10 00:12:19 CEST 2018 on sn-devel-144
2018-07-10 00:12:19 +02:00
David Disseldorp
3e5e775321 Revert "s3/service: convert lp_force_user() to const"
This reverts commit c58194e3d2.
As mentioned by Andrew, we shouldn't break environments where
"force user" has been configured to use substituted variables.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-07-09 21:30:58 +02:00
David Disseldorp
c58194e3d2 s3/service: convert lp_force_user() to const
Avoid set_conn_force_user_group() talloc stackframe leaks in doing so.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-07-06 20:37:20 +02:00
David Disseldorp
c53646bccd s3/service: convert lp_force_group() to const
set_conn_force_user_group() and change_to_user_internal() leak onto
the callers' talloc stackframe. Drop the unnecessary heap allocations.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-07-06 20:37:20 +02:00
Stefan Metzmacher
0341e83d40 docs-xml: deprecate "server schannel" and change the default to "yes"
No client should use the old protocol without DCERPC level integrity/privacy,
but Maybe there're some lagacy OEM file servers, which require this.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-10 01:01:24 +01:00
Stefan Metzmacher
c7acae9043 docs-xml: deprecate "client schannel" and change the default to "yes"
This is already the default, because "require strong key = yes" is
the default.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-10 01:01:24 +01:00
Stefan Metzmacher
e2a052b3bb docs-xml: remove unused "auth methods" option
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-13 20:34:24 +01:00
Stefan Metzmacher
443984b829 docs-xml: remove unused "map untrusted to domain" option
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-13 20:34:23 +01:00
Andreas Schneider
4c9608fb27 param: Add 'binddns dir' parameter
This allows to us to have restricted access to the directory by the group
'named' which bind is a member of.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
2017-09-05 23:58:20 +02:00
Andrew Bartlett
9d4a9bd3cc smb.conf: Explain that "ntlm auth" is a per-passdb setting
This parameter has always applied to this passdb only, not to domain
authentication.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12929
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-07-24 14:50:11 +02:00
Andrew Bartlett
fca8536a82 samr: Disable NTLM-based password changes on the server if NTLM is disabled
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-04 06:57:21 +02:00
Andrew Bartlett
00db3aba6c param: Add new "disabled" value to "ntlm auth" to disable NTLM totally
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-04 06:57:20 +02:00
Andrew Bartlett
d0d266bbf7 param: Disable LanMan authentication unless NTLMv1 is also enabled
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
2017-07-04 06:57:20 +02:00