1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

11 Commits

Author SHA1 Message Date
Andrew Bartlett
2bede9d0d6 param: Remove _SAMBA_BUILD_ checks from now the autoconf build is gone
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>

Reviewed-by: David Disseldorp <ddiss@samba.org>
2013-05-28 12:17:11 +10:00
Andrew Bartlett
11db5b1f33 lib/param: make security=domain and security=ads conflict with being a DC
This simplifies our supported configurations down to those that we test and expect
to work.  security=domain and domain logons = yes has never made much sense, and
security=ads and domain logons = yes was only ever used in early experiments for
our AD support using smbd.

The correct way to be an AD DC is to set "server role = active directory domain controller"

Andrew Bartlett
2012-06-15 09:18:33 +02:00
Andrew Bartlett
b8815dc23d lib/param: Create a seperate server role for "active directory domain controller"
This will allow us to detect from the smb.conf if this is a Samba4 AD
DC which will allow smarter handling of (for example) accidentially
starting smbd rather than samba.

To cope with upgrades from existing Samba4 installs, 'domain
controller' is a synonym of 'active directory domain controller' and
new parameters 'classic primary domain controller' and 'classic backup
domain controller' are added.

Andrew Bartlett
2012-06-15 09:18:33 +02:00
Andrew Bartlett
92fd0fdd79 lib/param: simplfy lp_find_security()
All the roles other than ROLE_DOMAIN_MEMBER map to SEC_USER.

Andrew Bartlett
2012-06-11 11:44:07 +02:00
Stefan Metzmacher
b4abd3faaf s3-auth: remove "security=server" (depricated since 3.6)
"security=server" has a lot of problems in the world with
modern security (ntlmv2 and krb5). It was also not very
reliable, as it needed a stable connection to the password
server for the lifetime of the whole client connection!

Please use "security=domain" or "security=ads" is you
authentication against remote servers (domain controllers).

metze
                       --------------
                      /              \
                     /      REST      \
                    /        IN        \
                   /       PEACE        \
                  /                      \
                  |      SEC_SERVER      |
                  |    security=server   |
                  |                      |
                  |                      |
                  |       12 May         |
                  |                      |
                  |        2012          |
                 *|     *  *  *          | *
        _________)/\\_//(\/(/\)/\//\/\///|_)_______
2012-05-15 08:18:28 +02:00
Andrew Bartlett
d7bb961859 s3-auth: Remove security=share (depricated since 3.6).
This patch removes security=share, which Samba implemented by matching
the per-share password provided by the client in the Tree Connect with
a selection of usernames supplied by the client, the smb.conf or
guessed from the environment.

The rationale for the removal is that for the bulk of security=share
users, we just we need a very simple way to run a 'trust the network'
Samba server, where users mark shares as guest ok.  This is still
supported, and the smb.conf options are documented at
https://wiki.samba.org/index.php/Public_Samba_Server

At the same time, this closes the door on one of the most arcane areas
of Samba authentication.

Naturally, full user-name/password authentication remain available in
security=user and above.

This includes documentation updates for username and only user, which
now only do a small amount of what they used to do.

Andrew Bartlett

                       --------------
                      /              \
                     /      REST      \
                    /        IN        \
                   /       PEACE        \
                  /                      \
                  |      SEC_SHARE       |
                  |    security=share    |
                  |                      |
                  |                      |
                  |       5 March        |
                  |                      |
                  |        2012          |
                 *|     *  *  *          | *
        _________)/\\_//(\/(/\)/\//\/\///|_)_______
2012-03-04 23:33:05 +01:00
Amitay Isaacs
8303d163cf param: domain_logons and domain_master are of type enum_bool_auto
These parameters should be defined as int and not bool. This fixes
the test failures on big endian machines.

Autobuild-User: Amitay Isaacs <amitay@samba.org>
Autobuild-Date: Thu Dec 22 10:37:42 CET 2011 on sn-devel-104
2011-12-22 10:37:42 +01:00
Andrew Bartlett
eb4fa13fd9 param: use lp_is_security_and_server_role_valid()
This also permits a few more valid combinations, due to the layer at which this is
being used.

Andrew Bartlett
2011-11-17 00:34:09 +01:00
Amitay Isaacs
e743fbc26e param: Check if server role and security parameters are conflicting 2011-11-17 00:34:09 +01:00
Andrew Bartlett
1f96a59dda param: move server role helpers into loadparm.h
Pair-Programmed-With: Amitay Isaacs <amitay@samba.org>
2011-11-17 00:34:08 +01:00
Andrew Bartlett
9524e2fce1 param: calculate server role from security, and security from server role
This allows smb.conf files from either the samba3 or samba4 tradition
to come to the same value of server role, using the information in the
smb.conf file.

This is important so that tools like 'net getlocalsid' work against a
Samba4 AD installation (yes, users have tried this).

Andrew Bartlett

Pair-Programmed-With: Amitay Isaacs <amitay@samba.org>
2011-11-17 00:34:08 +01:00