1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

872 Commits

Author SHA1 Message Date
Andreas Schneider
5a733c3c1b docs-xml: Add 'client smb encrypt'
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:40 +00:00
Andreas Schneider
f03bb8ad8a param: Create and use enum_smb_encryption_vals
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:40 +00:00
Andreas Schneider
bd5a888746 param: Add 'server smb encrypt' parameter
And this also makes 'smb encrypt' a synonym of that.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:40 +00:00
Andrew Bartlett
8c9d9441ed docs: deprecate "raw NTLMv2 auth"
This parameter is appicable only to SMBv1 and we are deprecating SMBv1 specific
authentication options for possible removal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-18 00:10:40 +00:00
Andrew Bartlett
37583b19d2 docs: deprecate "client plaintext auth"
This parameter is appicable only to SMBv1 and we are deprecating SMBv1 specific
authentication options for possible removal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-18 00:10:40 +00:00
Andrew Bartlett
5543c11c8b docs: deprecate "client NTLMv2 auth"
This parameter is appicable only to SMBv1 and we are deprecating SMBv1 specific
authentication options for possible removal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-18 00:10:40 +00:00
Andrew Bartlett
ac8e5ea22d docs: deprecate "client lanman auth"
This parameter is appicable only to SMBv1 and we are deprecating SMBv1 specific
authentication options for possible removal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-18 00:10:40 +00:00
Andrew Bartlett
1b85db57e5 docs: deprecate "client use spnego"
This parameter is appicable only to SMBv1 and we are deprecating SMBv1 specific
authentication options for possible removal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-18 00:10:40 +00:00
Andrew Bartlett
c6aa710f8d docs: Deprecate NT4-like domains and SMBv1-only protocol options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-18 00:10:40 +00:00
Isaac Boukris
32eb7f3966 Remove depracated "ldap ssl ads" smb.conf option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14462

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
Autobuild-Date(master): Tue Aug 11 10:53:05 UTC 2020 on sn-devel-184
2020-08-11 10:53:05 +00:00
Jeremy Allison
8a140391d6 s3: Parameters. Add 'async dns timeout' parameter. Default to 10. Minimum value 1.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-08-07 06:34:37 +00:00
Isaac Boukris
9ec83caeb5 Decouple ldap-ssl-ads from ldap-ssl option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-07-13 10:41:37 +00:00
Stefan Metzmacher
8b8c5c4154 s3:smbd: force multi-channel to be turned off without FreeBSD/Linux support
For now it's safer to disable multi-channel without having support
for TIOCOUTQ/FIONWRITE on tcp sockets.

Using a fixed retransmission timeout (rto) of 1 second would be ok,
but we better require kernel support for requesting for unacked bytes
in the kernel send queue.

"force:server multi channel support = yes" can be used to overwrite
the compile time restriction (mainly for testing).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11897

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2020-07-08 15:54:40 +00:00
Stefan Metzmacher
bc10e5039a docs-xml/smbdotconf: add "smb2 disable oplock break retry"
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2020-07-08 15:54:40 +00:00
Günther Deschner
bd71d2d92c lib/util: allow to set TCP_USER_TIMEOUT socket option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11897

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-07-08 15:54:38 +00:00
Andreas Schneider
d308650145 tls: Use NORMAL:-VERS-SSL3.0 as the default configuration
This seems to be really broken in GnuTLS and the documentation is also
not correct.

This partially reverts 53e3a959b9

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14408

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jul  1 14:56:33 UTC 2020 on sn-devel-184
2020-07-01 14:56:33 +00:00
Stefan Metzmacher
6fc8ed1385 docs-xml/smbdotconf: add "smb2 disable lock sequence checking"
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-06-27 04:20:39 +00:00
Andreas Schneider
53e3a959b9 s3:lib:tls: Use better priority lists for modern GnuTLS
We should use the default priority list. That is a good practice,
because TLS protocol hardening and phasing out of legacy algorithms,
is easier to co-ordinate when happens at a single place. See crypto
policies of Fedora.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14408

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jun 17 17:42:02 UTC 2020 on sn-devel-184
2020-06-17 17:42:02 +00:00
Andrew Bartlett
9464505620 docs: Ensure "use mmap" always has the correct default
We clarify the smb.conf manpage entry for "use mmap" to match the actual behaviour

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-06-17 14:25:28 +00:00
Björn Jacke
f57673d89e docs: improve desription of map acl inherit
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-05-19 14:32:28 +00:00
Stefan Metzmacher
afd3bd01eb docs-xml/smbdotconf: clarify the quoting for advanced "interfaces" options
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu May  7 16:23:40 UTC 2020 on sn-devel-184
2020-05-07 16:23:39 +00:00
Gary Lockyer
3149ea0a8a CVE-2020-10704: libcli ldap_message: Add search size limits to ldap_decode
Add search request size limits to ldap_decode calls.

The ldap server uses the smb.conf variable
"ldap max search request size" which defaults to 250Kb.
For cldap the limit is hard coded as 4096.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-05-04 02:59:32 +00:00
Gary Lockyer
d7e5213818 CVE-2020-10704: smb.conf: Add max ldap request sizes
Add two new smb.conf parameters to control the maximum permitted ldap
request size.

Adds:
   ldap max anonymous request size       default 250Kb
   ldap max authenticated request size   default 16Mb

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-05-04 02:59:32 +00:00
Andreas Schneider
dc74b437c2 docs-xml: 'mangled names = illegal' is the new default
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jan 14 15:18:02 UTC 2020 on sn-devel-184
2020-01-14 15:18:02 +00:00
Björn Jacke
55fbd4c05b docs-xml/winbindnssinfo: clarify interaction with idmap_ad etc.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14122
RN: docs: clarify interaction between winbind nss info and idmap backend

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Jan  8 15:37:46 UTC 2020 on sn-devel-184
2020-01-08 15:37:45 +00:00
Ralph Boehme
24905ba82d docs-xml: remove explicit "constant"
The constant mark applied to types "string" and "ustring". The previous patches
in this patchset already markes all string options as either constant or
substituted, but it's still possible to add options or change existing ones to
be neither constant nor substituted.

In order to enforce strings to be either constant or substitued, remove the
explicit constant marker. Instead, any option that is not marked as substituted
is implicitly made constant.

This patch doesn't change behaviour and all generated files are the same before
and after this change.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:37 +00:00
Ralph Boehme
ad2c824b1f docs-xml: remove SWAT specific flags
Most of the SWAT stuff was removed in 4a6a010e78,
somehow these two crept back in afterwards.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:37 +00:00
Ralph Boehme
ca72c4b39c smbdotconf: mark "usershare template share" with constant="1"
The code uses Globals.usershare_template_share directly anyway.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:37 +00:00
Ralph Boehme
9aca11aec9 smbdotconf: mark "rpc server dynamic port range" with constant="1"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:37 +00:00
Ralph Boehme
564b0b5be3 smbdotconf: mark "mangling method" with constant="1"
From the manpage:

  ... controls the algorithm used for the generating
  the mangled names. Can take two different values, "hash" and
  "hash2". ...

No need for variable substitution support in this option, declare it const.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:37 +00:00
Ralph Boehme
6f618b7c95 smbdotconf: mark "ldap user suffix" with constant="1"
Due to the use of append_ldap_suffix() where Globals.ldap_suffix is returned
directly, variable substitution isn't supported anyway, so we can just mark this
const.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:37 +00:00
Ralph Boehme
9ed8292a7b smbdotconf: mark "ldap machine suffix" with constant="1"
Due to the use of append_ldap_suffix() where Globals.ldap_suffix is returned
directly, variable substitution isn't supported anyway, so we can just mark this
const.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:37 +00:00
Ralph Boehme
b48d30e0e1 smbdotconf: mark "ldap idmap suffix" with constant="1"
Due to the use of append_ldap_suffix() where Globals.ldap_suffix is returned
directly, variable substitution isn't supported anyway, so we can just mark this
const.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:37 +00:00
Ralph Boehme
71e9c6e48b smbdotconf: mark "ldap group suffix" with constant="1"
Due to the use of append_ldap_suffix() where Globals.ldap_suffix is returned
directly, variable substitution isn't supported anyway, so we can just mark this
const.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:36 +00:00
Ralph Boehme
ca2e49fe42 smbdotconf: mark "ldap suffix" with constant="1"
Due to the use of append_ldap_suffix() where Globals.ldap_suffix was used
directly in the dependent options like "ldap group suffix", we can just mark
this option as const thereby removing substitution from "ldap suffix".

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:36 +00:00
Ralph Boehme
050c28364a smbdotconf: mark "ldap admin dn" with constant="1"
All the other LDAP related options like "ldap user suffix" don't support
variable substitution, so I guess it's safe to remove support for it from this
one as well.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:36 +00:00
Ralph Boehme
4d2a3c8a79 smbdotconf: mark "wins hook" with substitution="1"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:36 +00:00
Ralph Boehme
2dae6473fa smbdotconf: mark "usershare path" with substitution="1"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:36 +00:00
Ralph Boehme
b635c445ad smbdotconf: mark "username map script" with substitution="1"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:36 +00:00
Ralph Boehme
3c68114e73 smbdotconf: mark "username map" with substitution="1"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:36 +00:00
Ralph Boehme
a0185c7efb smbdotconf: mark "shutdown script" with substitution="1"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:36 +00:00
Ralph Boehme
fd72181fd0 smbdotconf: mark "set quota command" with substitution="1"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:36 +00:00
Ralph Boehme
434d2632cb smbdotconf: mark "set primary group script" with substitution="1"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:36 +00:00
Ralph Boehme
7dc7b9e554 smbdotconf: mark "server string" with substitution="1"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:36 +00:00
Ralph Boehme
8077804c36 smbdotconf: mark "root directory" with substitution="1"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:36 +00:00
Ralph Boehme
1439c19cee smbdotconf: mark "rename user script" with substitution="1"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:36 +00:00
Ralph Boehme
6d0db70ef7 smbdotconf: mark "remote browse sync" with substitution="1"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:36 +00:00
Ralph Boehme
dbc82a9f19 smbdotconf: mark "remote announce" with substitution="1"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:36 +00:00
Ralph Boehme
5c5dbcc397 smbdotconf: mark "perfcount module" with substitution="1"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:36 +00:00
Ralph Boehme
1743ff48ba smbdotconf: mark "passwd program" with substitution="1"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2019-11-27 10:25:35 +00:00