1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

955 Commits

Author SHA1 Message Date
Aurelien Aptel
0732499f23 docs-xml: add "debug encryption" global parm
Add debug option to dump in the log the session id & keys in smbd and
libsmb-based code for offline decryption.

Wireshark can make use of this to decrypt encrypted traffic.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Noel Power <npower@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2019-02-09 18:30:14 +01:00
Ralph Boehme
38d819e899 docs-xml: add "smbd getinfo ask sharemode"
Counterpart for "smbd search ask sharemode" for getinfo.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-12-06 01:43:14 +01:00
Ralph Boehme
ea36967c04 docs-xml: add "smbd search ask sharemode"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-12-06 01:43:13 +01:00
Gary Lockyer
40941e98f8 source4 smbd prefork: Add backoff to process restart
Add new smbd.conf variables 'prefork backoff increment' and
'prefork maximum backoff' to control the rate at which failed pre-forked
processes are restarted.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-11-23 08:25:19 +01:00
Gary Lockyer
700b4ce981 source4 smbd prefork: Increase default worklers to 4
Increase the default number of worker processes started by the pre-fork
process model from 1 to 4.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-11-07 17:55:09 +01:00
Gary Lockyer
d871e0c84c smb.conf: add dns_zone_scavenging
Add parameter dns_zone_scavenging to control dns zone scavenging.
Scavenging is disabled by default, as due to
https://bugzilla.samba.org/show_bug.cgi?id=12451 the ageing properties of
existing DNS entries are incorrect.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2018-07-12 04:31:51 +02:00
David Mulder
c8621948f6 samba_gpoupdate: Rename the command to samba-gpupdate
On a Windows client, this command is called 'gpupdate'

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-07-04 10:22:15 +02:00
Aaron Haslett
5728867ddc param: Add non-global smb.cfg option (support 2 different smb.confs)
The default behaviour is that there is only a single global underlying
LoadParm object. E.g. if you create 2 different LoadParm objects in
python, they both modify the same underlying object.

This patch adds a mechanism to override this and create a separate
non-global LoadParm object. The use-case is the backup tool, where we
want to manipulate 2 different smb.conf files (the one used to create
the backup, and the smb.conf in the backup itself).

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-06-28 03:34:27 +02:00
Jeremy Allison
506c520503 smbd: fileserver: Change defaults to work with EA support out of the box.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue May 15 12:40:48 CEST 2018 on sn-devel-144
2018-05-15 12:40:48 +02:00
Christof Schmitt
b07b4e459e loadparm: Remove unused realm_original
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 10 22:47:15 CEST 2018 on sn-devel-144
2018-05-10 22:47:15 +02:00
Andreas Schneider
e0cf35aec2 lib:param: Fix the size type in lp_do_parameter_parametric()
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 22 01:54:08 CET 2018 on sn-devel-144
2018-03-22 01:54:08 +01:00
Andreas Schneider
2683140674 lib:param: Add FALL_THROUGH statements in loadparm.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:41 +01:00
Ralph Boehme
84f07a8dcb s3/smbd: fix handling of delete-on-close on directories
This implements a check to test the delete-on-close flag of a directory
for requests to create files in this directory.

Windows server implement this check, Samba doesn't as it has performance
implications.

This commit implements the check and a new option to control it. By
default the check is skipped, setting "check parent directory delete on
close = yes" enables it.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Feb  3 23:42:16 CET 2018 on sn-devel-144
2018-02-03 23:42:16 +01:00
David Mulder
2ca73cba53 gpo: Add the winbind call to gpupdate
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-13 22:38:05 +01:00
Stefan Metzmacher
b4e1e3019a winbindd: add "winbind scan trusted domains = no" to avoid trust enumeration
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:08 +01:00
Stefan Metzmacher
0341e83d40 docs-xml: deprecate "server schannel" and change the default to "yes"
No client should use the old protocol without DCERPC level integrity/privacy,
but Maybe there're some lagacy OEM file servers, which require this.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-10 01:01:24 +01:00
Stefan Metzmacher
c7acae9043 docs-xml: deprecate "client schannel" and change the default to "yes"
This is already the default, because "require strong key = yes" is
the default.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-10 01:01:24 +01:00
Stefan Metzmacher
cb5e19271d docs-xml: remove deprecated 'use spnego" option
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-10 01:01:24 +01:00
Stefan Metzmacher
443984b829 docs-xml: remove unused "map untrusted to domain" option
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-13 20:34:23 +01:00
Volker Lendecke
35eb4962a0 smbd: Enable async I/O by default
We've had this code in for long enough that we should enable it by default.
Modern clients do overlapping I/O, we should utilize that if possible.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-12-12 20:37:08 +01:00
Kevin Anderson
18307f8711 Add mdns name configuration option
Add the mdns name configuration variable to control the mdns hostname.
The default is to use the NETBIOS name of the system to match previous
versions which is typically the hostname in all capitals. A value of mdns
can be provided to defer the hostname to the mdns library.

With the recent patch to support time machine being merged this patch
allows for a user to configure the server name that is advertised to
be lower cased through Avahi advertisements.

Signed-off-by: Kevin Anderson <andersonkw2@gmail.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-12-08 22:58:17 +01:00
David Mulder
e60f49783e gpo: Apply kerberos settings
Add kdc kerberos settings to gpo.tdb, then retrieve those settings in
lpcfg_default_kdc_policy.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:15 +01:00
Garming Sam
5662e49b49 gpo: Create the gpo update service
Split from "Initial commit for GPO work done by Luke Morrison" by David Mulder

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Luke Morrison <luke@hubtrek.com>
Signed-off-by: David Mulder <dmulder@suse.com>

Then adapted to current master

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:14 +01:00
Gary Lockyer
123042c2e3 source4/smbd: add a prefork process model.
Add a pre fork process model to bound the number processes forked by
samba.  Currently workers are only pre-forked for the ldap server,  all
the other services have pre-fork support disabled.

When pre-fork support is disabled a new process is started for each
service, and requests are processed by that process.

This commit partially reverts commit
b5be45c453.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-10-19 05:33:10 +02:00
Christof Schmitt
267cd25290 Removed unused 'oplock contention limit' config parameter
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-10-19 00:55:24 +02:00
Andreas Schneider
4c9608fb27 param: Add 'binddns dir' parameter
This allows to us to have restricted access to the directory by the group
'named' which bind is a member of.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
2017-09-05 23:58:20 +02:00
Andrew Bartlett
00db3aba6c param: Add new "disabled" value to "ntlm auth" to disable NTLM totally
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-04 06:57:20 +02:00
Andrew Bartlett
d0d266bbf7 param: Disable LanMan authentication unless NTLMv1 is also enabled
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
2017-07-04 06:57:20 +02:00
Andrew Bartlett
d139d77ae3 auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and re-factor 'ntlm auth ='
The ntlm auth parameter is expanded to more clearly describe the
role of each option, and to allow the new mode that permits MSCHAPv2
(as declared by the client over the NETLOGON protocol) while
still banning NTLMv1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Based on a patch by Mantas Mikulėnas <mantas@utenos-kolegija.lt>:

Commit 0b500d413c ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth")
added the --allow-mschapv2 option, but didn't implement checking for it
server-side. This implements such checking.

Additionally, Samba now disables NTLMv1 authentication by default for
security reasons. To avoid having to re-enable it globally, 'ntlm auth'
becomes an enum and a new setting is added to allow only MSCHAPv2.

Signed-off-by: Mantas Mikulėnas <mantas@utenos-kolegija.lt>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-04 06:57:20 +02:00
Stefan Metzmacher
1199907cbe param: change the effective default for "client max protocol" to the latest supported protocol
Currently it's SMB3_11.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-27 16:57:48 +02:00
Stefan Metzmacher
bcd558eb50 docs-xml: change the default for "map untrusted to domain" to "auto"
This makes the behaviour much more robust, particularly with forest child
domains over one-way forest trusts.

Sadly we don't support this kind of setup with our current ADDC, so
there's no way to have automated tests for this behaviour, but
at least we know it doesn't break any existing tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-16 03:21:29 +02:00
Andreas Schneider
7556c20d4b param: Add 'mit kdc command' to change the default.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:09 +02:00
Jeremy Allison
1e8e048bf0 lib: param: Remove lpcfg_register_defaults_hook().
Completely unused functionality. Gets rid of another
talloc_autofree_context(). Updated WHATSNEW to make
this clear.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2017-04-18 22:54:15 +02:00
Jeremy Allison
2a4d07b999 lib: param: Remove the last external use of global_iconv_handle by calling the utility function reinit_iconv_handle().
Add an error check.

This *looks* like a logic change, but it is not.

The only change is the addition of the error return check.

The reason is that the changed function, reload_charcnv(),
is the *only* function that sets lp_ctx->iconv_handle. And
it does so just before setting global_iconv_handle = lp_ctx->iconv_handle.

Calling the utility function reinit_iconv_handle()
instead merely sets global_iconv_handle first, then
assigns it (as the return) to lp_ctx->iconv_handle.

So all this is doing is reversing the order of
setting global_iconv_handle and lp_ctx->iconv_handle
to the same thing.

Even the removal of the lines:

-       struct smb_iconv_handle *old_ic = lp_ctx->iconv_handle
-       if (old_ic == NULL) {
-               old_ic = global_iconv_handle;

has no effect, as remember that lp_ctx->iconv_handle
is only ever set to the same value as global_iconv_handle,
and once this function has been run once, lp_ctx->iconv_handle != NULL.

This allows us finally to make global_iconv_handle private
to the C source file that defines it.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-04-18 11:47:17 +02:00
Jeremy Allison
766e9ff05e lib: param: Use utility functions to get rid of two more uses of global_iconv_handle.
Add error return checking.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-04-18 11:47:17 +02:00
Jeremy Allison
3afbdb7a0e lib: Remove smb_iconv_handle_reinit_lp()
It's merely a wrapper for smb_iconv_handle_reinit(),
only used in one place and smb_iconv_handle_reinit()
is already called from lib/param/loadparm.c.

Removing this will make it easier to make global_iconv_handle
private state to lib/util/charset/codepoints.c later.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-04-18 11:47:17 +02:00
Noel Power
8050db2303 param: Check for valid values of 'name resolve order' option
This variable is populated by a list of values where each value should
be a known option. This patch ensures that illegal values are detected.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12739

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2017-04-13 11:26:28 +02:00
Jeremy Allison
ed483d8e57 s3: smbd: Change "strict sync" paramter from "no" to "yes" for 4.7.0.
Document change and modify in loadparm.c.
Safer default for new installs and vendors.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2017-03-25 00:49:22 +01:00
Andreas Schneider
12d26899a4 param: Allow to specify kerberos method on the commandline
We support --option for our tools but you cannot set an option where the
value of the option includes a space.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
2017-03-14 15:22:12 +01:00
Andreas Schneider
9d60ad53b8 rpc_server: Allow to configure the port range for RPC services
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12521

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-01-27 08:09:15 +01:00
Zentaro Kavanagh
8ec6d8a6f2 Add explicit dependency on samba-debug from libinterfaces and libserverrole.
Currently these dependencies are indirect via a SAMBA_SUBSYSTEM
which does not propagate private library information. This results
in these 2 libraries getting generated with no RPATH information
in the ELF header.

Additional discussion [1].

[1] -
https://lists.samba.org/archive/samba-technical/2017-January/118078.html

Signed-off-by: Zentaro Kavanagh <zentaro@google.com>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jan 23 08:26:43 CET 2017 on sn-devel-144
2017-01-23 08:26:43 +01:00
Andrew Bartlett
bd8d9559bf param: Remove winbindd privileged socket directory option
This option is unused and has not been used since before Samba 4.3
when the source4/ winbindd code went away.

The associated dynconfig parameters used for the default are also removed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10066

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-01-22 18:30:12 +01:00
Ralph Boehme
18591edafa s3/smbd: new "mangled names" setting "illegal"
This does mangling for names with illegal NTFS characters, but not for
names longer then 8.3:

Name mangling with mangled named = yes
======================================

Mangled | Short | Name
----------------------------
        |       | foo
        | yes   | 123456789
yes     |       | foo:bar

Name mangling with mangled named = illegal
==========================================

Mangled | Short | Name
----------------------------
        |       | foo
        |       | 123456789
yes     |       | foo:bar

Setting "mangled names = illegal" is the most sensible setting for
modern clients that don't use the shortname anymore.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-01-09 19:31:20 +01:00
Ralph Boehme
19eae53773 s3/smbd: convert "mangled names" option to an enum
This is in preparation of adding an additional setting for this
option. No change in behaviour by this commit, that comes in the next
one.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-01-09 19:31:20 +01:00
Uri Simchoni
1dfd8df23d smbd: add an option to inherit only the UNIX owner
This can be used to emulate folder quotas, as explained in the
modified manpage.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-08-10 08:18:17 +02:00
Uri Simchoni
513fa31c85 s3-param: add kerberos encryption types parameter
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-08-09 04:39:07 +02:00
Stefan Metzmacher
cd8dfed1a6 docs-xml:smbdotconf: default "ntlm auth" to "no"
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-22 16:03:26 +02:00
Volker Lendecke
dd10c820aa smbd: Enable leases by default
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-07-22 10:32:22 +02:00
Garming Sam
fbc26289e5 samba_kcc: Enable the python samba_kcc
For any reasonably large domain, the old KCC is impractical as the dense
mesh topology causes replication pulses.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-21 06:37:08 +02:00
Andrew Bartlett
748384992b param: Correct the defaults for "dcerpc endpoint services"
We must not list any services that we skip building, as otherwise all RPC services fail to start.

We now build without the source4 spoolss server in non-developer builds

This fixes commit 0b4c741b9c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12025
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2016-07-19 13:41:11 +02:00
Garming Sam
73152561df param: fix a typo emtpy -> empty
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-05 00:00:15 +02:00
Stefan Metzmacher
70cc56d3e7 lib/param: add lpcfg_sam_dnsname() helper function
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:26 +02:00
Stefan Metzmacher
f762be4343 CVE-2016-2118: docs-xml: default "allow dcerpc auth level connect" to "no"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-04-12 19:25:28 +02:00
Stefan Metzmacher
06b038c017 CVE-2016-2118: docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
We sadly need to allow this for now by default.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:27 +02:00
Stefan Metzmacher
c52097ae17 CVE-2016-2115: docs-xml: always default "client ipc signing" to "mandatory"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-04-12 19:25:27 +02:00
Ralph Boehme
b720575f16 CVE-2016-2115: s3:libsmb: add signing constant SMB_SIGNING_IPC_DEFAULT
SMB_SIGNING_IPC_DEFAULT must be used from s3 client code when opening
RPC connections.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-04-12 19:25:26 +02:00
Stefan Metzmacher
f65f618e96 CVE-2016-2115: docs-xml: add "client ipc signing" option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-04-12 19:25:26 +02:00
Stefan Metzmacher
8ff6a955f5 CVE-2016-2115: docs-xml: add "client ipc min protocol" and "client ipc max protocol" options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11796

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-04-12 19:25:26 +02:00
Stefan Metzmacher
6ad9ba72a7 CVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-04-12 19:25:25 +02:00
Stefan Metzmacher
2362c0353b CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:25 +02:00
Stefan Metzmacher
6e22abd977 CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth" to "yes"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-04-12 19:25:25 +02:00
Stefan Metzmacher
0cd2acef79 CVE-2016-2112: docs-xml: add "ldap server require strong auth" option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:25 +02:00
Stefan Metzmacher
1dc40a08f0 CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-04-12 19:25:24 +02:00
Stefan Metzmacher
a1900b5bd6 CVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:24 +02:00
Uri Simchoni
798fcfdabc loadparm: introduce lp_parm_ulonglong() and lpcfg_parm_ulonglong()
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2016-01-26 15:58:11 +01:00
Justin Maggard
8c2609f318 Change default LDAP page size to 1000.
This matches Windows' Active Directory maximum page size.

Signed-off-by: Justin Maggard <jmaggard@netgear.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2016-01-15 00:54:26 +01:00
Jelmer Vernooij
773cfba9af Avoid including libds/common/roles.h in public loadparm.h header.
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-By: Andrew Bartlett <abartlet@samba.org>
Reviewed-By: Stefan Metzmacher <metze@samba.org>
2016-01-13 04:43:23 +01:00
Quentin Gibeaux
3c6ea3293c lib/param: handle (ignore) substitution variable in smb.conf
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10722

The function handle_include returns false when trying to include
files that have a substitution variable in filename (like %U),
this patch makes handle_include to ignore this case, to make
samba-tool work when there is such include in samba's configuration.

Error was :
	root@ubuntu:/usr/local/samba# grep 'include.*%U' etc/smb.conf
	include = %U.conf
	root@ubuntu:/usr/local/samba# ./bin/samba-tool user list
	Can't find include file %U.conf
	ERROR(runtime): uncaught exception - Unable to load default file

Signed-off-by: Quentin Gibeaux <qgibeaux@iris-tech.fr>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Dec  9 02:05:30 CET 2015 on sn-devel-104
2015-12-09 02:05:30 +01:00
Stefan Metzmacher
a84eed5325 lib/param: add a fixed unified lpcfg_string_{free,set,set_upper}() infrastructure
This reduces the memory footprint of empty string options.

smbd -d1 -i with 1400 shares in smb.conf under x64 valgrind massif before this
patch has 7,703,392 bytes peak memory consumption and after this patch
3,321,200 bytes.

This fixes a regression introduced by commit
2dd7c89079.

BUG:

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11625
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Nov 30 17:41:28 CET 2015 on sn-devel-104
2015-11-30 17:41:28 +01:00
Jeremy Allison
c4be0b7ff4 s3: smbd: Change aio_pending_size static variable to a new "aio max threads" smb.conf parameter.
Removes accessor functions as now this parameter is set
under user control in smb.conf. Default is 100.

Note that this doesn't limit the number of outstanding
aio requests, it just causes them to go onto the
pthreadpool queue.

Now we need to prioritize pthreadpool pipe replies
ahead of incoming SMB2 requests, but that's a patch
for another day.

Based on ideas from Volker.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2015-11-13 21:36:19 +01:00
Stefan Metzmacher
25dcdc9270 lib/param: fix hiding of FLAG_SYNONYM values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11526

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2015-09-21 01:50:15 +02:00
Volker Lendecke
53e8d527f3 param: Use talloc_pooled_object
Reduce memory fragmentation a bit and obsolete NULL checks

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Aug 21 14:45:58 CEST 2015 on sn-devel-104
2015-08-21 14:45:58 +02:00
Volker Lendecke
0f600c3459 param: Simplify set_param_opt()
"not_added" is not a very good boolean flag concept... An early
return serves the same purpose just as well.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2015-08-21 11:43:05 +02:00
Volker Lendecke
78d7512db9 lib: Remove unused parmlist code
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-08-21 11:43:04 +02:00
Michael Adam
10374dde0f param: update the README with instructions for adding a parameter
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jul 31 05:00:57 CEST 2015 on sn-devel-104
2015-07-31 05:00:56 +02:00
Michael Adam
3f5e874340 param: remove the static param_table.
It is now auto-generated.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:33 +02:00
Michael Adam
33dfaf7ef9 param: use the generated parameter table.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:32 +02:00
Michael Adam
b138d57c4d build: generate param_table_gen.c from docs in the build
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:32 +02:00
Michael Adam
bbd55f69a0 param: move the actual table out into param_table_static.c
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:32 +02:00
Michael Adam
3c35dd47ec param: don't list '-valid' and 'copy' as synonyms - they aren't
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:31 +02:00
Michael Adam
179d715350 param: make 'timestamp logs' the default writing of 'debug timestamp'
This is how it used internally.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:31 +02:00
Michael Adam
e5ac180fbe param: add SYNONYM flag where missing
thereby remove DEPRECATED flags: synonyms currently
only carry the syn flag. Other flags sit on the primary
entry.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:31 +02:00
Michael Adam
c03891c0d5 param: move dnsdomain from generate_param to EXTRA_GLOBALS
This is alongside realm_original which is of the same kind.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:31 +02:00
Michael Adam
ff4134329d generate_param: generate struct entries if we don't generate access functions.
This shrinks LOADPARM_EXTRA_GLOBALS/LOCALS.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:31 +02:00
Michael Adam
37234031c7 param: rename szIdmapGID -> idmap_gid
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:31 +02:00
Michael Adam
3566e7de93 param: rename szIdmapUID -> idmap_uid
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:31 +02:00
Michael Adam
8c0217c2a2 param: rename szIdmapBackend -> idmap_backend
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:31 +02:00
Michael Adam
6b1d1a471c param: rename szInclude -> include
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:31 +02:00
Michael Adam
bd92bc0417 param: rename szCopy -> copy
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:31 +02:00
Michael Adam
5820c31a7d param: rename bAvailable -> available
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:31 +02:00
Michael Adam
c644890fa6 param: make 'realm' use the standard 'realm' variable.
This way, the generated lp_realm() function matches the param_table.
realm_original is only treated in the special handler now.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:31 +02:00
Michael Adam
4ae289c271 param: turn 'cups encrypt' into a generated function
Move the special stuff of the hand-written lp_cups_encrypt()
function into a handler that is called once at load time.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:30 +02:00
Michael Adam
5c18d00135 param: rename CupsEncrypt -> cups_encrypt
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:30 +02:00
Michael Adam
496f275a4b param: make 'winbind max domain connections' a generated function.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:30 +02:00
Michael Adam
78e276a35d param: rename winbindMaxDomainConnections -> _winbind_max_domain_connections
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:30 +02:00
Michael Adam
866fd3b889 param: turn 'wide links' into a generated funcion
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:30 +02:00
Michael Adam
b7172b8f7c param: rename bWidelinks -> wide_links
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:30 +02:00
Michael Adam
44619ad261 param: turn 'smb2 max credits' into generated option
This is achieved by moving the special treatment from
the lp_smb2_max_credits() function in the the special
handler that is called only once upon lp_load().

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:30 +02:00
Michael Adam
a6e387d689 param: turn 'printcap name' into a generated function
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:30 +02:00
Michael Adam
3732456805 param: rename szPrintcapName -> printcap_name
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:30 +02:00