1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

405 Commits

Author SHA1 Message Date
Stefan Metzmacher
840b8501b4 docs-xml: change "server min protocol" to SMB2_02
SMB2_02 was available with Windows Vista.
It's time to turn SMB1 off by default.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2019-07-08 16:22:37 +00:00
Noel Power
17ce70d6d9 lib/param: clang: Fix Value stored is never read
Fixes:
lib/param/loadparm.c:2164:2: warning: Value stored to 'bRetval' is never read <--[clang]
        bRetval = false;
        ^         ~~~~~
1 warning generated.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-07-08 09:30:09 +00:00
Björn Jacke
d6b8cbc8f7 param: change default of "allocation roundup size" to 0
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2019-07-07 21:32:25 +00:00
Swen Schillig
a8bbd60fd9 lib: Update all consumers of strtoul_err(), strtoull_err() to new API
Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2019-06-30 11:32:18 +00:00
Noel Power
164570fcbb lib/param: clang: Fix 'dereference of a null pointer' warning
Fixes:

lib/param/loadparm.c:3325:36: warning: Access to field 'szService' results in a dereference of a null pointer (loaded from variable 'service') <--[clang]
        return lpcfg_string((const char *)service->szService)

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Wed Jun 26 11:53:08 UTC 2019 on sn-devel-184
2019-06-26 11:53:08 +00:00
Christof Schmitt
5ac626e7b0 smbd: Move deadtime default to parameter definition and man page
The code has a default of one week (10080 minutes) if the parameter is
set to 0. Make this the public default of the parameter, instead of
hiding it in the code. This change also has the code match the
documentation that setting this parameter to 0 disables the check.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-05-01 03:12:07 +00:00
Christof Schmitt
9ff5c0bab7 memcache: Increase size of default memcache to 512k
With the fixed accounting of talloc objects, the default cache size
needs to increase. The exact increase required depends on the workloads,
going form 256k to 512k seems like a reasonable guess.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13865

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-04-06 05:12:21 +00:00
Garming Sam
4d2260d86d web_server: Remove the web port smb.conf parameter
With the removal of the web server, there are not any users of this
parameter and so should just be removed.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-03-07 00:33:16 +00:00
Swen Schillig
e7b7c634e8 common-lib: Use wrapper for string to integer conversion
In order to detect an value overflow error during
the string to integer conversion with strtoul/strtoull,
the errno variable must be set to zero before the execution and
checked after the conversion is performed. This is achieved by
using the wrapper function strtoul_err and strtoull_err.

Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-03-01 00:32:11 +00:00
Aurelien Aptel
0732499f23 docs-xml: add "debug encryption" global parm
Add debug option to dump in the log the session id & keys in smbd and
libsmb-based code for offline decryption.

Wireshark can make use of this to decrypt encrypted traffic.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Noel Power <npower@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2019-02-09 18:30:14 +01:00
Ralph Boehme
38d819e899 docs-xml: add "smbd getinfo ask sharemode"
Counterpart for "smbd search ask sharemode" for getinfo.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-12-06 01:43:14 +01:00
Ralph Boehme
ea36967c04 docs-xml: add "smbd search ask sharemode"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-12-06 01:43:13 +01:00
Gary Lockyer
40941e98f8 source4 smbd prefork: Add backoff to process restart
Add new smbd.conf variables 'prefork backoff increment' and
'prefork maximum backoff' to control the rate at which failed pre-forked
processes are restarted.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-11-23 08:25:19 +01:00
Gary Lockyer
700b4ce981 source4 smbd prefork: Increase default worklers to 4
Increase the default number of worker processes started by the pre-fork
process model from 1 to 4.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-11-07 17:55:09 +01:00
Gary Lockyer
d871e0c84c smb.conf: add dns_zone_scavenging
Add parameter dns_zone_scavenging to control dns zone scavenging.
Scavenging is disabled by default, as due to
https://bugzilla.samba.org/show_bug.cgi?id=12451 the ageing properties of
existing DNS entries are incorrect.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2018-07-12 04:31:51 +02:00
David Mulder
c8621948f6 samba_gpoupdate: Rename the command to samba-gpupdate
On a Windows client, this command is called 'gpupdate'

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-07-04 10:22:15 +02:00
Aaron Haslett
5728867ddc param: Add non-global smb.cfg option (support 2 different smb.confs)
The default behaviour is that there is only a single global underlying
LoadParm object. E.g. if you create 2 different LoadParm objects in
python, they both modify the same underlying object.

This patch adds a mechanism to override this and create a separate
non-global LoadParm object. The use-case is the backup tool, where we
want to manipulate 2 different smb.conf files (the one used to create
the backup, and the smb.conf in the backup itself).

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-06-28 03:34:27 +02:00
Jeremy Allison
506c520503 smbd: fileserver: Change defaults to work with EA support out of the box.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue May 15 12:40:48 CEST 2018 on sn-devel-144
2018-05-15 12:40:48 +02:00
Christof Schmitt
b07b4e459e loadparm: Remove unused realm_original
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 10 22:47:15 CEST 2018 on sn-devel-144
2018-05-10 22:47:15 +02:00
Andreas Schneider
e0cf35aec2 lib:param: Fix the size type in lp_do_parameter_parametric()
This fixes compilation with -Wstrict-overflow=2

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 22 01:54:08 CET 2018 on sn-devel-144
2018-03-22 01:54:08 +01:00
Andreas Schneider
2683140674 lib:param: Add FALL_THROUGH statements in loadparm.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:41 +01:00
Ralph Boehme
84f07a8dcb s3/smbd: fix handling of delete-on-close on directories
This implements a check to test the delete-on-close flag of a directory
for requests to create files in this directory.

Windows server implement this check, Samba doesn't as it has performance
implications.

This commit implements the check and a new option to control it. By
default the check is skipped, setting "check parent directory delete on
close = yes" enables it.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Feb  3 23:42:16 CET 2018 on sn-devel-144
2018-02-03 23:42:16 +01:00
David Mulder
2ca73cba53 gpo: Add the winbind call to gpupdate
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-13 22:38:05 +01:00
Stefan Metzmacher
b4e1e3019a winbindd: add "winbind scan trusted domains = no" to avoid trust enumeration
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-13 12:55:08 +01:00
Stefan Metzmacher
0341e83d40 docs-xml: deprecate "server schannel" and change the default to "yes"
No client should use the old protocol without DCERPC level integrity/privacy,
but Maybe there're some lagacy OEM file servers, which require this.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-10 01:01:24 +01:00
Stefan Metzmacher
c7acae9043 docs-xml: deprecate "client schannel" and change the default to "yes"
This is already the default, because "require strong key = yes" is
the default.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-10 01:01:24 +01:00
Stefan Metzmacher
cb5e19271d docs-xml: remove deprecated 'use spnego" option
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-10 01:01:24 +01:00
Stefan Metzmacher
443984b829 docs-xml: remove unused "map untrusted to domain" option
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-13 20:34:23 +01:00
Volker Lendecke
35eb4962a0 smbd: Enable async I/O by default
We've had this code in for long enough that we should enable it by default.
Modern clients do overlapping I/O, we should utilize that if possible.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-12-12 20:37:08 +01:00
Kevin Anderson
18307f8711 Add mdns name configuration option
Add the mdns name configuration variable to control the mdns hostname.
The default is to use the NETBIOS name of the system to match previous
versions which is typically the hostname in all capitals. A value of mdns
can be provided to defer the hostname to the mdns library.

With the recent patch to support time machine being merged this patch
allows for a user to configure the server name that is advertised to
be lower cased through Avahi advertisements.

Signed-off-by: Kevin Anderson <andersonkw2@gmail.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-12-08 22:58:17 +01:00
Garming Sam
5662e49b49 gpo: Create the gpo update service
Split from "Initial commit for GPO work done by Luke Morrison" by David Mulder

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Luke Morrison <luke@hubtrek.com>
Signed-off-by: David Mulder <dmulder@suse.com>

Then adapted to current master

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:14 +01:00
Gary Lockyer
123042c2e3 source4/smbd: add a prefork process model.
Add a pre fork process model to bound the number processes forked by
samba.  Currently workers are only pre-forked for the ldap server,  all
the other services have pre-fork support disabled.

When pre-fork support is disabled a new process is started for each
service, and requests are processed by that process.

This commit partially reverts commit
b5be45c453.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-10-19 05:33:10 +02:00
Christof Schmitt
267cd25290 Removed unused 'oplock contention limit' config parameter
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-10-19 00:55:24 +02:00
Andreas Schneider
4c9608fb27 param: Add 'binddns dir' parameter
This allows to us to have restricted access to the directory by the group
'named' which bind is a member of.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
2017-09-05 23:58:20 +02:00
Andrew Bartlett
d0d266bbf7 param: Disable LanMan authentication unless NTLMv1 is also enabled
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
2017-07-04 06:57:20 +02:00
Andrew Bartlett
d139d77ae3 auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and re-factor 'ntlm auth ='
The ntlm auth parameter is expanded to more clearly describe the
role of each option, and to allow the new mode that permits MSCHAPv2
(as declared by the client over the NETLOGON protocol) while
still banning NTLMv1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Based on a patch by Mantas Mikulėnas <mantas@utenos-kolegija.lt>:

Commit 0b500d413c ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth")
added the --allow-mschapv2 option, but didn't implement checking for it
server-side. This implements such checking.

Additionally, Samba now disables NTLMv1 authentication by default for
security reasons. To avoid having to re-enable it globally, 'ntlm auth'
becomes an enum and a new setting is added to allow only MSCHAPv2.

Signed-off-by: Mantas Mikulėnas <mantas@utenos-kolegija.lt>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-04 06:57:20 +02:00
Stefan Metzmacher
1199907cbe param: change the effective default for "client max protocol" to the latest supported protocol
Currently it's SMB3_11.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-27 16:57:48 +02:00
Stefan Metzmacher
bcd558eb50 docs-xml: change the default for "map untrusted to domain" to "auto"
This makes the behaviour much more robust, particularly with forest child
domains over one-way forest trusts.

Sadly we don't support this kind of setup with our current ADDC, so
there's no way to have automated tests for this behaviour, but
at least we know it doesn't break any existing tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-16 03:21:29 +02:00
Andreas Schneider
7556c20d4b param: Add 'mit kdc command' to change the default.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:09 +02:00
Jeremy Allison
1e8e048bf0 lib: param: Remove lpcfg_register_defaults_hook().
Completely unused functionality. Gets rid of another
talloc_autofree_context(). Updated WHATSNEW to make
this clear.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2017-04-18 22:54:15 +02:00
Jeremy Allison
2a4d07b999 lib: param: Remove the last external use of global_iconv_handle by calling the utility function reinit_iconv_handle().
Add an error check.

This *looks* like a logic change, but it is not.

The only change is the addition of the error return check.

The reason is that the changed function, reload_charcnv(),
is the *only* function that sets lp_ctx->iconv_handle. And
it does so just before setting global_iconv_handle = lp_ctx->iconv_handle.

Calling the utility function reinit_iconv_handle()
instead merely sets global_iconv_handle first, then
assigns it (as the return) to lp_ctx->iconv_handle.

So all this is doing is reversing the order of
setting global_iconv_handle and lp_ctx->iconv_handle
to the same thing.

Even the removal of the lines:

-       struct smb_iconv_handle *old_ic = lp_ctx->iconv_handle
-       if (old_ic == NULL) {
-               old_ic = global_iconv_handle;

has no effect, as remember that lp_ctx->iconv_handle
is only ever set to the same value as global_iconv_handle,
and once this function has been run once, lp_ctx->iconv_handle != NULL.

This allows us finally to make global_iconv_handle private
to the C source file that defines it.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-04-18 11:47:17 +02:00
Jeremy Allison
766e9ff05e lib: param: Use utility functions to get rid of two more uses of global_iconv_handle.
Add error return checking.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-04-18 11:47:17 +02:00
Jeremy Allison
3afbdb7a0e lib: Remove smb_iconv_handle_reinit_lp()
It's merely a wrapper for smb_iconv_handle_reinit(),
only used in one place and smb_iconv_handle_reinit()
is already called from lib/param/loadparm.c.

Removing this will make it easier to make global_iconv_handle
private state to lib/util/charset/codepoints.c later.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-04-18 11:47:17 +02:00
Noel Power
8050db2303 param: Check for valid values of 'name resolve order' option
This variable is populated by a list of values where each value should
be a known option. This patch ensures that illegal values are detected.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12739

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2017-04-13 11:26:28 +02:00
Jeremy Allison
ed483d8e57 s3: smbd: Change "strict sync" paramter from "no" to "yes" for 4.7.0.
Document change and modify in loadparm.c.
Safer default for new installs and vendors.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2017-03-25 00:49:22 +01:00
Andreas Schneider
9d60ad53b8 rpc_server: Allow to configure the port range for RPC services
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12521

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-01-27 08:09:15 +01:00
Andrew Bartlett
bd8d9559bf param: Remove winbindd privileged socket directory option
This option is unused and has not been used since before Samba 4.3
when the source4/ winbindd code went away.

The associated dynconfig parameters used for the default are also removed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10066

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-01-22 18:30:12 +01:00
Uri Simchoni
513fa31c85 s3-param: add kerberos encryption types parameter
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-08-09 04:39:07 +02:00
Stefan Metzmacher
cd8dfed1a6 docs-xml:smbdotconf: default "ntlm auth" to "no"
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-22 16:03:26 +02:00
Volker Lendecke
dd10c820aa smbd: Enable leases by default
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-07-22 10:32:22 +02:00