IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12540
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
SMB clients only supporting SMB1 connecting to a Samba server that only
accepts SMB protocol versions 2 and 3 can spam the logs with the "No
protocol supported" message. This is useful information for debugging
failed connection attempts, but it should not be in the default log.
Adjust it to NOTICE/3.
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
This means an ad_dc will now require signing by default.
This matches the default behavior of Windows dc and avoids
man in the middle attacks.
The main logic for this hides in lpcfg_server_signing_allowed().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Remote arch detection for OSX clients has been broken for some time, since
both Samba and OSX started supporting SMB2. Fix it by adding modern OSX
client detection support to the negprot remote arch detection routine.
Signed-off-by: Justin Maggard <jmaggard10@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <rb@sernet.de>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 3 09:03:53 CET 2016 on sn-devel-144
Negprot remote arch detection is very cryptic. Rework it so it's easier
to understand, and therefore more extensible, following the protocol table
in inline comments. This also allows us to remove some hacks.
Signed-off-by: Justin Maggard <jmaggard10@gmail.com>
Reviewed-by: Ralph Boehme <rb@sernet.de>
Reviewed-by: Jeremy Allison <jra@samba.org>
This prepares the structures for multi-channel support.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
This prepares the structures for multi-channel support.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
When a client supports extended security but server does not,
and that client, in Flags2 field of smb header indicates that
- it supports extended security negotiation
- it does not support security signatures
- it does not require security signatures
Samba server treats a client as a Vista client.
That turns off case sensitivity and that is a problem for cifs vfs client.
So include remote cifs client along with remote samba client
to not do so otherwise.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10755
Signed-off-by: Shirish Pargaonkar <spargaonkar@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Fri Aug 1 16:11:43 CEST 2014 on sn-devel-104
Always allow the client to turn on SMB1 signing using
FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Apr 16 10:07:56 CEST 2014 on sn-devel-104
They have been changed to function like normal parameters,
removing a special case in the loadparm system.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Michael Adam <obnox@samba.org>
If SMB3 is chosen via an SMB1 negprot, we forked the echo handler because
set_Protocol is called later, after the full protocol negotiation is done.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Aug 14 15:54:43 CEST 2013 on sn-devel-104
This falls out of the removal of security=share, because we now require that
a session setup has been performed before (essentially) all other operations.
Andrew Bartlett
This will represent a transport connection for SMB 1 or 2
in the server. smbd_server_connection will slowly be moved
to the SMB_VFS layer to satisfy the existing modules,
but it will hopefully be protocol independend in future.
metze
The performance of these is minimal (these days) and they can return
invalid results when used as part of applications that do not use
sys_fork().
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Mar 24 21:55:41 CET 2012 on sn-devel-104
This patch ensures consistency in behaviour between NTLMSSP and NTLM
session setup handlers. By calling the same layer that auth_ntlmssp
calls, we can not only allow redirection of all authentication to the
AD DC, we ensure that map to guest and username map handling is
consistent, even in the file server alone.
Andrew Bartlett
This patch removes security=share, which Samba implemented by matching
the per-share password provided by the client in the Tree Connect with
a selection of usernames supplied by the client, the smb.conf or
guessed from the environment.
The rationale for the removal is that for the bulk of security=share
users, we just we need a very simple way to run a 'trust the network'
Samba server, where users mark shares as guest ok. This is still
supported, and the smb.conf options are documented at
https://wiki.samba.org/index.php/Public_Samba_Server
At the same time, this closes the door on one of the most arcane areas
of Samba authentication.
Naturally, full user-name/password authentication remain available in
security=user and above.
This includes documentation updates for username and only user, which
now only do a small amount of what they used to do.
Andrew Bartlett
--------------
/ \
/ REST \
/ IN \
/ PEACE \
/ \
| SEC_SHARE |
| security=share |
| |
| |
| 5 March |
| |
| 2012 |
*| * * * | *
_________)/\\_//(\/(/\)/\//\/\///|_)_______
This adds an alisas to ensure that both our loadparm systems know all
the names.
I would like to move to the 'server ..' name as canonical, and this
will be raised on the list.
Andrew Bartlett
This is possible because the s3 gensec modules are started as
normal gensec modules, so we do not need a wrapper any more.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This makes the long term owner of this memory more clear. So far only the
clear cases have been moved from NULL however.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This function handles more than NTLMSSP now, at least when we are an AD DC
and so changing the name may avoid some confusion in the future.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This structure handles more than NTLMSSP now, at least when we are an AD DC
and so changing the name may avoid some confusion in the future.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
We should map from lp_server_signing() just once in srv_init_signing().
metze
Signed-off-by: Günther Deschner <gd@samba.org>
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Wed Nov 16 18:59:49 CET 2011 on sn-devel-104
This matches W2K (at least sp4) and higher.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Nov 4 15:50:06 CET 2011 on sn-devel-104
This adds support for the 2 stage negprot, from SMB 1 to SMB 2.1.
Support for this of for now and "max protocol = SMB2" still maps
to "max protocol = SMB2_02" PROTOCOL_SMB2_02.
In order to activate smb2.1, you need to use "max protocol = SMB2_10".
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Sep 5 19:30:58 CEST 2011 on sn-devel-104
If a smb1 negprot negotiated smb2 we forked the echo responder. This will
eventually lead to a panic from
[2011/08/30 10:33:29.212578, 0, pid=3846917] smbd/smb2_server.c:243(smbd_smb2_request_create)
Invalid SMB packet: first request: 0x0009
because from the echo responder we always read using the normal smb1 protocol
handling routine. If that is a bit down the smb2 stream, we get a non-negprot
packet and panic.
BTW, the echo responder is not required for smb2 anyway, Microsoft confirmed
that it probes the server liveness using TCP keepalives and not smb2 echo
requests.
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Wed Aug 31 17:58:48 CEST 2011 on sn-devel-104
