samba.git/lib/param/loadparm_server_role.c, branch talloc-2.4.2 Unnamed repository; edit this file 'description' to name the repository. CVE-2020-25717: Add FreeIPA domain controller role 2021-11-09T19:45:33+00:00 Alexander Bokovoy ab@samba.org 2020-11-11T16:50:45+00:00 e2d5b4d709293b52112d078d6fcde95593d790c5 As we want to reduce use of 'classic domain controller' role but FreeIPA relies on it internally, add a separate role to mark FreeIPA domain controller role. It means that role won't result in ROLE_STANDALONE. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Alexander Bokovoy <ab@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
As we want to reduce use of 'classic domain controller' role but FreeIPA
relies on it internally, add a separate role to mark FreeIPA domain
controller role.

It means that role won't result in ROLE_STANDALONE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
param: Remove _SAMBA_BUILD_ checks from now the autoconf build is gone 2013-05-28T02:17:11+00:00 Andrew Bartlett abartlet@samba.org 2013-05-22T03:44:59+00:00 2bede9d0d6f92046dffe9bcd282fdd791339b10c Reviewed-by: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org> 
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>

Reviewed-by: David Disseldorp <ddiss@samba.org>
lib/param: make security=domain and security=ads conflict with being a DC 2012-06-15T07:18:33+00:00 Andrew Bartlett abartlet@samba.org 2012-06-11T00:40:32+00:00 11db5b1f3321b3d5b73bb16f4030111c9a35fbbe This simplifies our supported configurations down to those that we test and expect to work. security=domain and domain logons = yes has never made much sense, and security=ads and domain logons = yes was only ever used in early experiments for our AD support using smbd. The correct way to be an AD DC is to set "server role = active directory domain controller" Andrew Bartlett 
This simplifies our supported configurations down to those that we test and expect
to work.  security=domain and domain logons = yes has never made much sense, and
security=ads and domain logons = yes was only ever used in early experiments for
our AD support using smbd.

The correct way to be an AD DC is to set "server role = active directory domain controller"

Andrew Bartlett
lib/param: Create a seperate server role for "active directory domain controller" 2012-06-15T07:18:33+00:00 Andrew Bartlett abartlet@samba.org 2012-06-10T12:08:20+00:00 b8815dc23d36468cce9b615335ed62f119eb8f35 This will allow us to detect from the smb.conf if this is a Samba4 AD DC which will allow smarter handling of (for example) accidentially starting smbd rather than samba. To cope with upgrades from existing Samba4 installs, 'domain controller' is a synonym of 'active directory domain controller' and new parameters 'classic primary domain controller' and 'classic backup domain controller' are added. Andrew Bartlett 
This will allow us to detect from the smb.conf if this is a Samba4 AD
DC which will allow smarter handling of (for example) accidentially
starting smbd rather than samba.

To cope with upgrades from existing Samba4 installs, 'domain
controller' is a synonym of 'active directory domain controller' and
new parameters 'classic primary domain controller' and 'classic backup
domain controller' are added.

Andrew Bartlett
lib/param: simplfy lp_find_security() 2012-06-11T09:44:07+00:00 Andrew Bartlett abartlet@samba.org 2012-06-11T01:12:52+00:00 92fd0fdd790d9a0fbb1e82e5dc7acbc1a193a7ca All the roles other than ROLE_DOMAIN_MEMBER map to SEC_USER. Andrew Bartlett 
All the roles other than ROLE_DOMAIN_MEMBER map to SEC_USER.

Andrew Bartlett
s3-auth: remove "security=server" (depricated since 3.6) 2012-05-15T06:18:28+00:00 Stefan Metzmacher metze@samba.org 2012-05-12T10:00:00+00:00 b4abd3faaf3bdcbcd24fed8325960ccdee43bea9 "security=server" has a lot of problems in the world with modern security (ntlmv2 and krb5). It was also not very reliable, as it needed a stable connection to the password server for the lifetime of the whole client connection! Please use "security=domain" or "security=ads" is you authentication against remote servers (domain controllers). metze -------------- / \ / REST \ / IN \ / PEACE \ / \ | SEC_SERVER | | security=server | | | | | | 12 May | | | | 2012 | *| * * * | * _________)/\\_//(\/(/\)/\//\/\///|_)_______ 
"security=server" has a lot of problems in the world with
modern security (ntlmv2 and krb5). It was also not very
reliable, as it needed a stable connection to the password
server for the lifetime of the whole client connection!

Please use "security=domain" or "security=ads" is you
authentication against remote servers (domain controllers).

metze
                       --------------
                      /              \
                     /      REST      \
                    /        IN        \
                   /       PEACE        \
                  /                      \
                  |      SEC_SERVER      |
                  |    security=server   |
                  |                      |
                  |                      |
                  |       12 May         |
                  |                      |
                  |        2012          |
                 *|     *  *  *          | *
        _________)/\\_//(\/(/\)/\//\/\///|_)_______
s3-auth: Remove security=share (depricated since 3.6). 2012-03-04T22:33:05+00:00 Andrew Bartlett abartlet@samba.org 2012-02-03T07:03:10+00:00 d7bb961859a3501aec4d28842bfffb6190d19a73 This patch removes security=share, which Samba implemented by matching the per-share password provided by the client in the Tree Connect with a selection of usernames supplied by the client, the smb.conf or guessed from the environment. The rationale for the removal is that for the bulk of security=share users, we just we need a very simple way to run a 'trust the network' Samba server, where users mark shares as guest ok. This is still supported, and the smb.conf options are documented at https://wiki.samba.org/index.php/Public_Samba_Server At the same time, this closes the door on one of the most arcane areas of Samba authentication. Naturally, full user-name/password authentication remain available in security=user and above. This includes documentation updates for username and only user, which now only do a small amount of what they used to do. Andrew Bartlett -------------- / \ / REST \ / IN \ / PEACE \ / \ | SEC_SHARE | | security=share | | | | | | 5 March | | | | 2012 | *| * * * | * _________)/\\_//(\/(/\)/\//\/\///|_)_______ 
This patch removes security=share, which Samba implemented by matching
the per-share password provided by the client in the Tree Connect with
a selection of usernames supplied by the client, the smb.conf or
guessed from the environment.

The rationale for the removal is that for the bulk of security=share
users, we just we need a very simple way to run a 'trust the network'
Samba server, where users mark shares as guest ok.  This is still
supported, and the smb.conf options are documented at
https://wiki.samba.org/index.php/Public_Samba_Server

At the same time, this closes the door on one of the most arcane areas
of Samba authentication.

Naturally, full user-name/password authentication remain available in
security=user and above.

This includes documentation updates for username and only user, which
now only do a small amount of what they used to do.

Andrew Bartlett

                       --------------
                      /              \
                     /      REST      \
                    /        IN        \
                   /       PEACE        \
                  /                      \
                  |      SEC_SHARE       |
                  |    security=share    |
                  |                      |
                  |                      |
                  |       5 March        |
                  |                      |
                  |        2012          |
                 *|     *  *  *          | *
        _________)/\\_//(\/(/\)/\//\/\///|_)_______
param: domain_logons and domain_master are of type enum_bool_auto 2011-12-22T09:37:42+00:00 Amitay Isaacs amitay@gmail.com 2011-12-22T05:40:10+00:00 8303d163cf34d0b61bfbbc62e497f7b444a17e10 These parameters should be defined as int and not bool. This fixes the test failures on big endian machines. Autobuild-User: Amitay Isaacs <amitay@samba.org> Autobuild-Date: Thu Dec 22 10:37:42 CET 2011 on sn-devel-104 
These parameters should be defined as int and not bool. This fixes
the test failures on big endian machines.

Autobuild-User: Amitay Isaacs <amitay@samba.org>
Autobuild-Date: Thu Dec 22 10:37:42 CET 2011 on sn-devel-104
param: use lp_is_security_and_server_role_valid() 2011-11-16T23:34:09+00:00 Andrew Bartlett abartlet@samba.org 2011-11-10T08:34:36+00:00 eb4fa13fd967a2604284de357ee8e8bfbee0a507 This also permits a few more valid combinations, due to the layer at which this is being used. Andrew Bartlett 
This also permits a few more valid combinations, due to the layer at which this is
being used.

Andrew Bartlett
param: Check if server role and security parameters are conflicting 2011-11-16T23:34:09+00:00 Amitay Isaacs amitay@gmail.com 2011-11-10T06:45:28+00:00 e743fbc26ef64f8f3e4164f809140a12b304c90f