1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

681 Commits

Author SHA1 Message Date
Timur I. Bakeyev
e9e4cd4d2b Fix typo in the "wide links" description for the getwd cache.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12934

Signed-off-by: Timur I. Bakeyev <timur@iXsystems.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-11-29 12:52:28 +01:00
Volker Lendecke
8212c34ae4 docs: Fix the "aio r/w size" smb.conf entries
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Nov 21 15:45:20 CET 2017 on sn-devel-144
2017-11-21 15:45:20 +01:00
Garming Sam
5662e49b49 gpo: Create the gpo update service
Split from "Initial commit for GPO work done by Luke Morrison" by David Mulder

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Luke Morrison <luke@hubtrek.com>
Signed-off-by: David Mulder <dmulder@suse.com>

Then adapted to current master

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:14 +01:00
Gary Lockyer
123042c2e3 source4/smbd: add a prefork process model.
Add a pre fork process model to bound the number processes forked by
samba.  Currently workers are only pre-forked for the ldap server,  all
the other services have pre-fork support disabled.

When pre-fork support is disabled a new process is started for each
service, and requests are processed by that process.

This commit partially reverts commit
b5be45c453.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-10-19 05:33:10 +02:00
Christof Schmitt
267cd25290 Removed unused 'oplock contention limit' config parameter
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-10-19 00:55:24 +02:00
Noel Power
2c50bdfed0 docs: Improve wording around 'winbind expand groups' param
Signed-off-by: Noel Power <noel.power@suse.com>

Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jim McDonough <jmcd@samba.org>

Autobuild-User(master): Jim McDonough <jmcd@samba.org>
Autobuild-Date(master): Fri Sep 29 22:37:08 CEST 2017 on sn-devel-144
2017-09-29 22:37:08 +02:00
Justin Maggard via samba-technical
0ac94ad963 smb.conf: Update multi-channel warning text
Since Samba 4.4.x is going EOL soon, update the server multi channel
support warning text to reflect the fact that it's still experimental in
4.7, and it won't be getting fixed in a future 4.4.x version.

Signed-off-by: Justin Maggard <jmaggard@netgear.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-27 22:11:11 +02:00
Yvan Masson
15d14d6126 docs/ntvfshandler: remove duplicate value
The "posix" value of option "ntvfs handler" was written two times. This commit
deletes the first occurrence so that the default value is the first seen by
reader.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13053

Signed-off-by: Yvan Masson <yvan@masson-informatique.fr>
Reviewed-by:  Marc Muehlfeld <mmuehlfeld@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Sep 27 18:44:45 CEST 2017 on sn-devel-144
2017-09-27 18:44:44 +02:00
Andreas Schneider
4c9608fb27 param: Add 'binddns dir' parameter
This allows to us to have restricted access to the directory by the group
'named' which bind is a member of.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
2017-09-05 23:58:20 +02:00
Andrew Bartlett
9d4a9bd3cc smb.conf: Explain that "ntlm auth" is a per-passdb setting
This parameter has always applied to this passdb only, not to domain
authentication.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12929
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-07-24 14:50:11 +02:00
Andrew Bartlett
fca8536a82 samr: Disable NTLM-based password changes on the server if NTLM is disabled
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-04 06:57:21 +02:00
Andrew Bartlett
00db3aba6c param: Add new "disabled" value to "ntlm auth" to disable NTLM totally
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-04 06:57:20 +02:00
Andrew Bartlett
d0d266bbf7 param: Disable LanMan authentication unless NTLMv1 is also enabled
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
2017-07-04 06:57:20 +02:00
Andrew Bartlett
d139d77ae3 auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and re-factor 'ntlm auth ='
The ntlm auth parameter is expanded to more clearly describe the
role of each option, and to allow the new mode that permits MSCHAPv2
(as declared by the client over the NETLOGON protocol) while
still banning NTLMv1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Based on a patch by Mantas Mikulėnas <mantas@utenos-kolegija.lt>:

Commit 0b500d413c ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth")
added the --allow-mschapv2 option, but didn't implement checking for it
server-side. This implements such checking.

Additionally, Samba now disables NTLMv1 authentication by default for
security reasons. To avoid having to re-enable it globally, 'ntlm auth'
becomes an enum and a new setting is added to allow only MSCHAPv2.

Signed-off-by: Mantas Mikulėnas <mantas@utenos-kolegija.lt>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-04 06:57:20 +02:00
Andrew Bartlett
daeb74aed8 debug: new debug class for kerberos
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-30 02:12:22 +02:00
Stefan Metzmacher
1199907cbe param: change the effective default for "client max protocol" to the latest supported protocol
Currently it's SMB3_11.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-27 16:57:48 +02:00
Stefan Metzmacher
bcd558eb50 docs-xml: change the default for "map untrusted to domain" to "auto"
This makes the behaviour much more robust, particularly with forest child
domains over one-way forest trusts.

Sadly we don't support this kind of setup with our current ADDC, so
there's no way to have automated tests for this behaviour, but
at least we know it doesn't break any existing tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-16 03:21:29 +02:00
Stefan Metzmacher
b6e2ddaee1 docs-xml: document "map untrusted to domain = auto"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-16 03:21:29 +02:00
Stefan Metzmacher
ab36c1d152 docs-xml: improve documentation of "map untrusted to domain"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-16 03:21:29 +02:00
Volker Lendecke
26932271a8 smbd: Claim version in g_lock
Protect smbd against version incompatibilities in a cluster.

At first startup smbd locks "samba_version_string" and writes its version
string. It then downgrades the lock to a read lock. Subsequent smbds check
against the version string and also keep the read lock around. If the version
does not match, we try to write our own version. But as there's a read lock,
the lock upgrade to write lock will fail due the read lock being around. So as
long as there's one smbd with this read lock, no other version of smbd will be
able to start.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-15 13:19:15 +02:00
Stefan Metzmacher
c6bc00f1da docs-xml/smbdotconf: deprecated "profile acls"
This doesn't work anymore with modern clients,
and there're better ways to support profiles on a share.

Typically something like this seems to work:

[winprofiles]
  comment = Users profiles New
  path = /data/winprofiles/
  browseable = No
  read only = No
  csc policy = disable
  store dos attributes = yes
  vfs objects = acl_xattr

With chmod 1777 on /data/winprofiles/

In order to work around some locking problems, see
https://bugzilla.samba.org/show_bug.cgi?id=12833

It's also useful to something like this in the global
section in order to detect disconnects reliable:

  socket options = TCP_KEEPCNT=5 TCP_KEEPIDLE=30 TCP_KEEPINTVL=1

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-13 18:38:14 +02:00
Andreas Schneider
986b983904 Revert "param: Add 'mit kdc config' option to smb.conf"
This reverts commit eaaf5ce66e.

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 26 15:28:40 CEST 2017 on sn-devel-144
2017-05-26 15:28:40 +02:00
Gary Lockyer
79f027a610 docs: configuration options for extra password hashes
Add the configuration options for the generation and storage of crypt()
based sha256 and sha512 password hashes in supplementalCredentials

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Andreas Schneider
eaaf5ce66e param: Add 'mit kdc config' option to smb.conf
This points to the kdc config file created by Samba by default.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:09 +02:00
Andreas Schneider
7556c20d4b param: Add 'mit kdc command' to change the default.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:09 +02:00
Noel Power
8050db2303 param: Check for valid values of 'name resolve order' option
This variable is populated by a list of values where each value should
be a known option. This patch ensures that illegal values are detected.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12739

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2017-04-13 11:26:28 +02:00
Andrew Bartlett
d004196036 auth: Add hooks for notification of authentication events over the message bus
This will allow tests to be written to confirm the correct events are triggered.

We pass in a messaging context from the callers

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:28 +02:00
Gary Lockyer
387eb18a1c auth_log: Add JSON logging of Authorisation and Authentications
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Pair-Programmed: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:27 +02:00
Jeremy Allison
ed483d8e57 s3: smbd: Change "strict sync" paramter from "no" to "yes" for 4.7.0.
Document change and modify in loadparm.c.
Safer default for new installs and vendors.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2017-03-25 00:49:22 +01:00
Volker Lendecke
358c84dde3 docs: Deprecate "auth methods"
Keeping this parameter prevents fixing bug 2976

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-16 20:30:19 +01:00
Volker Lendecke
e985a8470b docs: Deprecate "map untrusted to domain"
The implementation of this parameter depends on Samba to enumerate
trusted domains. In an active directory environment, we don't know of
a good way to enumerate all domains that we have to accept as trusted,
in particular with multiple forests, one-way and external trusts. We
hope to replace this parameter in the future with something that matches
Windows behaviour better, after the deprecation phase of this parameter
is over and we can remove it.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-16 20:30:19 +01:00
Uri Simchoni
65aafb14b7 doc: update "ea support" section of the smb.conf manpage
This section was badly outdated.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sun Mar 12 21:04:11 CET 2017 on sn-devel-144
2017-03-12 21:04:11 +01:00
Chris Lamb
6e2869ab10 Correct "encyption" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:23 +01:00
Chris Lamb
1e0bca1e6c Correct "seperate" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:22 +01:00
Chris Lamb
4ff2923d1c Correct "follwing" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:22 +01:00
Chris Lamb
5482e5426e Correct "existence" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:22 +01:00
Karolin Seeger
89ed562fd9 docs: Fix typo in man smb.conf.
charactar -> character

Signed-off-by: Karolin Seeger <kseeger@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Feb 20 15:30:29 CET 2017 on sn-devel-144
2017-02-20 15:30:29 +01:00
Douglas Bagnall
c4299da8ac docs/smbconf: update log level list in man page
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-02-10 05:09:08 +01:00
Karolin Seeger
a592bdc51c docs: Add missing spaces in man smb.conf.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Feb  9 23:58:02 CET 2017 on sn-devel-144
2017-02-09 23:58:02 +01:00
David Mulder
73deaecbd5 s3:winbindd: document "winbind:ignore domains"
The "winbind:ignore domains" smb.conf option is undocumented but used frequently.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Jan 30 12:24:47 CET 2017 on sn-devel-144
2017-01-30 12:24:47 +01:00
Ralph Boehme
f8d937b331 docs: impact of a global "smb encrypt=off" on a share with "smb encrypt=required"
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-01-27 22:00:17 +01:00
Andreas Schneider
9d60ad53b8 rpc_server: Allow to configure the port range for RPC services
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12521

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-01-27 08:09:15 +01:00
Andrew Bartlett
bd8d9559bf param: Remove winbindd privileged socket directory option
This option is unused and has not been used since before Samba 4.3
when the source4/ winbindd code went away.

The associated dynconfig parameters used for the default are also removed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10066

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-01-22 18:30:12 +01:00
Ralph Boehme
1f6d5f2c09 debug: add "ringbuf" backend logging to a ringbuffer
This is useful for debugging bugs that involve timing effects and are
not reproducible when logging at higher debug levels with the file
backend.

The log can be dumped to a file with gdb:

(gdb) dump binary memory samba.log debug_ringbuf debug_ringbuf+SIZE

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2017-01-20 18:48:25 +01:00
Ralph Boehme
18591edafa s3/smbd: new "mangled names" setting "illegal"
This does mangling for names with illegal NTFS characters, but not for
names longer then 8.3:

Name mangling with mangled named = yes
======================================

Mangled | Short | Name
----------------------------
        |       | foo
        | yes   | 123456789
yes     |       | foo:bar

Name mangling with mangled named = illegal
==========================================

Mangled | Short | Name
----------------------------
        |       | foo
        |       | 123456789
yes     |       | foo:bar

Setting "mangled names = illegal" is the most sensible setting for
modern clients that don't use the shortname anymore.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-01-09 19:31:20 +01:00
Andrew Bartlett
6dc14b0a5d s4-rpc_server: Allow listener for RPC servers to use multiple processes
To do this we must get the ncacn_ip_tcp listener to split out (for example)
netlogon onto a distinct port, so we change the registration code to split up each
ncacn_ip_tcp registration to create a new interface for indicated services.

The new option "rpc server port" allows control of the default port and
"rpc server port:netlogon" (also valid for any other pipe from the IDL name)
allows us to both work around limitations in socket_wrapper against
double-binding and allows specification of the port by the administrator.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-20 01:11:23 +01:00
Andreas Schneider
494482c654 docs: Update doc to use absolute path for 'dedicated keytab file'
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-16 01:55:13 +01:00
Andrew Bartlett
31d625bcd2 s4-rpc_server: Add back support for lsa over \\pipe\\netlogon optionally
The idea here is that perhaps some real client relies on this (and not just Samba torture
commands), so we need a way to support it for the 4.6 release.

If no such client emerges, it can be deprecated and removed in the normal way.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-15 08:21:12 +01:00
Björn Jacke
8a89b9bbcb docs-xml: change http://samba.org to https://www.samba.org
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Karolin Seeger <kseeger@samba.org>
2016-12-09 13:10:26 +01:00
Alexander Bokovoy
5c79a0fc90 logon script: clarify usage for different Samba roles
'logon script' is only used when Samba runs as a logon server in the
classical domain controller role. And even there 'ldapsam' passdb
backend will override it.

For Samba AD setup 'logon script' is not used at all.

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-02 23:46:15 +01:00