1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

346 Commits

Author SHA1 Message Date
Stefan Metzmacher
6ad9ba72a7 CVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-04-12 19:25:25 +02:00
Stefan Metzmacher
2362c0353b CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:25 +02:00
Stefan Metzmacher
6e22abd977 CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth" to "yes"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-04-12 19:25:25 +02:00
Stefan Metzmacher
0cd2acef79 CVE-2016-2112: docs-xml: add "ldap server require strong auth" option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:25 +02:00
Stefan Metzmacher
1dc40a08f0 CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-04-12 19:25:24 +02:00
Stefan Metzmacher
a1900b5bd6 CVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:24 +02:00
Uri Simchoni
798fcfdabc loadparm: introduce lp_parm_ulonglong() and lpcfg_parm_ulonglong()
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2016-01-26 15:58:11 +01:00
Justin Maggard
8c2609f318 Change default LDAP page size to 1000.
This matches Windows' Active Directory maximum page size.

Signed-off-by: Justin Maggard <jmaggard@netgear.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2016-01-15 00:54:26 +01:00
Jelmer Vernooij
773cfba9af Avoid including libds/common/roles.h in public loadparm.h header.
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-By: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Stefan Metzmacher <metze@samba.org>
2016-01-13 04:43:23 +01:00
Quentin Gibeaux
3c6ea3293c lib/param: handle (ignore) substitution variable in smb.conf
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10722

The function handle_include returns false when trying to include
files that have a substitution variable in filename (like %U),
this patch makes handle_include to ignore this case, to make
samba-tool work when there is such include in samba's configuration.

Error was :
	root@ubuntu:/usr/local/samba# grep 'include.*%U' etc/smb.conf
	include = %U.conf
	root@ubuntu:/usr/local/samba# ./bin/samba-tool user list
	Can't find include file %U.conf
	ERROR(runtime): uncaught exception - Unable to load default file

Signed-off-by: Quentin Gibeaux <qgibeaux@iris-tech.fr>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Dec  9 02:05:30 CET 2015 on sn-devel-104
2015-12-09 02:05:30 +01:00
Stefan Metzmacher
a84eed5325 lib/param: add a fixed unified lpcfg_string_{free,set,set_upper}() infrastructure
This reduces the memory footprint of empty string options.

smbd -d1 -i with 1400 shares in smb.conf under x64 valgrind massif before this
patch has 7,703,392 bytes peak memory consumption and after this patch
3,321,200 bytes.

This fixes a regression introduced by commit
2dd7c89079.

BUG:

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11625
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Nov 30 17:41:28 CET 2015 on sn-devel-104
2015-11-30 17:41:28 +01:00
Jeremy Allison
c4be0b7ff4 s3: smbd: Change aio_pending_size static variable to a new "aio max threads" smb.conf parameter.
Removes accessor functions as now this parameter is set
under user control in smb.conf. Default is 100.

Note that this doesn't limit the number of outstanding
aio requests, it just causes them to go onto the
pthreadpool queue.

Now we need to prioritize pthreadpool pipe replies
ahead of incoming SMB2 requests, but that's a patch
for another day.

Based on ideas from Volker.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2015-11-13 21:36:19 +01:00
Stefan Metzmacher
25dcdc9270 lib/param: fix hiding of FLAG_SYNONYM values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11526

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2015-09-21 01:50:15 +02:00
Volker Lendecke
53e8d527f3 param: Use talloc_pooled_object
Reduce memory fragmentation a bit and obsolete NULL checks

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Aug 21 14:45:58 CEST 2015 on sn-devel-104
2015-08-21 14:45:58 +02:00
Volker Lendecke
0f600c3459 param: Simplify set_param_opt()
"not_added" is not a very good boolean flag concept... An early
return serves the same purpose just as well.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2015-08-21 11:43:05 +02:00
Michael Adam
5820c31a7d param: rename bAvailable -> available
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:31 +02:00
Michael Adam
c644890fa6 param: make 'realm' use the standard 'realm' variable.
This way, the generated lp_realm() function matches the param_table.
realm_original is only treated in the special handler now.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:31 +02:00
Michael Adam
4ae289c271 param: turn 'cups encrypt' into a generated function
Move the special stuff of the hand-written lp_cups_encrypt()
function into a handler that is called once at load time.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:30 +02:00
Michael Adam
44619ad261 param: turn 'smb2 max credits' into generated option
This is achieved by moving the special treatment from
the lp_smb2_max_credits() function in the the special
handler that is called only once upon lp_load().

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:30 +02:00
Michael Adam
c377f63026 param: use lp[cfg]_max_print_jobs() in lp[cfg]_maxprintjobs()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:30 +02:00
Michael Adam
521468edb6 param: rename variable of 'max print jobs' to default.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:30 +02:00
Michael Adam
04da5a8d4b param: accompany FN_LOCAL_PARM_CHAR with FN_LOCAL_CHAR
just like with the other FN_LOCAL_PARM macros.
FN_LOCAL_CHAR is the main definition.

This is also in preparation of a possible future
removal of the _PARM variants (when snum is no
longer used...).

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:29 +02:00
Michael Adam
eab9417f9e param: make set_variable() static.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:29 +02:00
Andrew Bartlett
06f378fa65 lib/tls: Change default supported TLS versions.
The new default is to disable SSLv3, as this is no longer considered
secure after CVE-2014-3566.  Newer GnuTLS versions already disable SSLv3.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
2015-07-20 03:08:26 +02:00
Andrew Bartlett
374d73617d lib/tls: Add new 'tls priority' option
This adds a new option to the smb.conf to allow administrators to disable
TLS protocols in GnuTLS without changing the code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11076
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2015-07-20 03:08:26 +02:00
Michael Adam
204cbe3645 Introduce setting "desired" for 'smb encrypt' and 'client/server signing'
This should trigger the behaviour where the server requires
signing when the client supports it, but does not reject
clients that don't support it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-07-07 14:05:27 +02:00
Michael Adam
8489543e66 param: Remove unused P_SEP and P_SEPARATOR
This was only used in swat.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
2015-05-02 00:56:31 +02:00
Michael Adam
464f4b95c6 param: remove two unused #defines
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>

Autobuild-User(master): Ira Cooper <ira@samba.org>
Autobuild-Date(master): Wed Apr 22 16:37:12 CEST 2015 on sn-devel-104
2015-04-22 16:37:12 +02:00
Volker Lendecke
5d0a5c4216 loadparm: Fix CID 1273054 Improper use of negative value
Probably a "can't happen", but formally lpcfg_map_parameter can return -1

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2015-03-26 14:54:20 +01:00
Christof Schmitt
8a46da3280 debug: Set backends from logging parameter in smb.conf
Fallback to the settings of 'syslog' and 'syslog only' if logging has not
been set.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2015-03-23 21:22:11 +01:00
Andrew Bartlett
65379ef3a4 param: Use IDL-based constants for NBT and NBT dgram ports
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar 16 05:35:56 CET 2015 on sn-devel-104
2015-03-16 05:35:55 +01:00
Jelmer Vernooij
782e8d6aab lib/param: Add hook that allows modification of default settings.
This is useful for reducing the amount of configuration necessary for
OpenChange.

The hook is ideally registered from a plugin initialization function,
so that it automatically gets used whenever the plugin is installed.

This makes it possible for plugins to e.g. extend the default value for
the list of enabled dcerpc endpoint services.

Like all our interfaces, callers are expected to use this API
responsibly. For example, OpenChange should only enable its DCE/RPC
interface if it has been provisioned.

Change-Id: Ic8bacdd8b4c92a2a4b97cfa1a50dc41365b78071
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-03-16 03:00:06 +01:00
Volker Lendecke
ce909f2ce1 loadparm: Simplify "set_variable"
I usually don't like complicated if/else and in particular the else
piece. But if the alternative is a goto, then else is better I guess :-)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Jan 29 00:28:55 CET 2015 on sn-devel-104
2015-01-29 00:28:55 +01:00
Garming Sam
907094c7fa param: fix testparm to show hidden share defaults
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10864
Change-Id: I16710f70a3cbaeadf7adf139441dd2b017ef81ee
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Fri Nov 28 07:54:54 CET 2014 on sn-devel-104
2014-11-28 07:54:54 +01:00
Andrew Bartlett
5ab6fa18a4 lib/param: Allow enum values to also be white-space insentive in comparison
This makes it easier to specify these in the --option= syntax on the command line.

Change-Id: I6b2398d79d37407c5d82cd6b540651ede1d09106
Pair-Programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2014-11-27 05:17:32 +01:00
Volker Lendecke
733422c611 param: Simplify get_parametric_helper()
With variable sized arrays we don't need talloc_asprintf here

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Nov 27 01:41:09 CET 2014 on sn-devel-104
2014-11-27 01:41:08 +01:00
Volker Lendecke
66173dd987 param: add "smbd profiling level" option
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-11-19 20:51:37 +01:00
Stefan Metzmacher
3d4eb5c043 lib/param: fix const warnings
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-11-14 23:27:04 +01:00
Andrew Bartlett
14f6256c51 s3-winbindd: Allow winbindd to connect over SMB2 to servers
This allows SMB signing to work against many more DCs, and so improves network security.

The default for "client max protocol" remains NT1 in the rest of the code.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-08 01:09:51 +02:00
Kamen Mazdrashki
0fbce1457d loadparm//init_copymap: Add braces around if/for blocks to match coding style
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Oct  1 13:47:22 CEST 2014 on sn-devel-104
2014-10-01 13:47:22 +02:00
Kamen Mazdrashki
122fdf5ea4 loadparm: Allocate service->copymap in service memory context
This patch adds a restriction that target service structure
must be a valid TALLOC_CTX memory context.

I have traced all call paths and at the moment this is the case,
pservice parameter layways gets allocated on TALLOC_CTX.

Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-10-01 11:21:38 +02:00
Andrew Bartlett
afe02d12f4 winbindd: Change value of "ldap sasl wrapping" to sign
This is to disrupt MITM attacks between us and our DC

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2014-09-30 12:32:05 +02:00
Stefan Metzmacher
8280bc5092 lib/param: set the kccsrv:samba_kcc option to false by default
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10697

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-09-29 08:28:06 +02:00
Michael Adam
64b9f520d2 param: remove a redundant (and wrong) comment frop lpcfg_service_ok()
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-07-31 18:49:46 +02:00
Stefan Metzmacher
98426ad467 lib/param: change the default for "winbind expand groups" to "0"
Expanding groups requires the usage of SAMR, which is often not possible
with the trust account credentials. This has caused a lot of trouble
in the past, as this is the only operation which requires a member to
contact a dc of a trusted domain directly, which is not always possible.
With this changed default, it should only be required to contact
a dc of our own domain. This is the correct behavior for a domain member.

As expanding groups is mostly cosmetic, we should avoid it.
This is similar to "winbind enum users" and "winbind enum groups",
which are also off by default.

Only some broken applications calculate the group memberships of
users by traversing groups, such applications will require
"winbind expand groups = 1".

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Björn Jacke <bj@sernet.de>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jul 31 18:48:36 CEST 2014 on sn-devel-104
2014-07-31 18:48:36 +02:00
Garming Sam
e17c241711 param: Add errors for when an s3 context is used incorrectly
Change-Id: I176b4413769f41739639875ab874a3e340b6a184
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Thu Jul 31 10:41:58 CEST 2014 on sn-devel-104
2014-07-31 10:41:58 +02:00
Garming Sam
72642f1260 param: get rid of unnecessary get_default_loadparm_service pointer
Change-Id: I9f512be671e5cd738c43fd97c9c3e0b4ee7a2736
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-07-31 08:17:11 +02:00
Garming Sam
0693b5d77b param: remove unnecessary lp_do_parameter call
Change-Id: I0cd1842bac3fcb6dde7236b87d5d235f10277e60
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-07-31 08:17:11 +02:00
Garming Sam
47f10ac65c param: remove lp_get_parameter
Ensure lpcfg_parm_struct, its counterpart is equivalent

Change-Id: I127ce5d3cf7fe02ebf161aa011ec3b41bc32a656
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-07-31 08:17:11 +02:00
Garming Sam
71eb59200a param: remove init printer values from s3-helpers
Change-Id: I2c4a85b4f5039158924982a277be20ebc2d6302e
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2014-07-31 08:17:11 +02:00