samba.git/lib/param, branch ldb-1.2.3 Unnamed repository; edit this file 'description' to name the repository. param: Add new "disabled" value to "ntlm auth" to disable NTLM totally 2017-07-04T04:57:20+00:00 Andrew Bartlett abartlet@samba.org 2017-07-03T02:16:50+00:00 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0 Signed-off-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923 Reviewed-by: Garming Sam <garming@catalyst.net.nz> 
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
param: Disable LanMan authentication unless NTLMv1 is also enabled 2017-07-04T04:57:20+00:00 Andrew Bartlett abartlet@samba.org 2017-07-03T02:11:47+00:00 d0d266bbf79fac956ca5de0b48dfac08b6f18628 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923 
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and re-factor 'ntlm auth =' 2017-07-04T04:57:20+00:00 Andrew Bartlett abartlet@samba.org 2017-07-03T00:11:51+00:00 d139d77ae3dbc490525ac94f46276d790bc2d879 The ntlm auth parameter is expanded to more clearly describe the role of each option, and to allow the new mode that permits MSCHAPv2 (as declared by the client over the NETLOGON protocol) while still banning NTLMv1. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Based on a patch by Mantas Mikulėnas <mantas@utenos-kolegija.lt>: Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth") added the --allow-mschapv2 option, but didn't implement checking for it server-side. This implements such checking. Additionally, Samba now disables NTLMv1 authentication by default for security reasons. To avoid having to re-enable it globally, 'ntlm auth' becomes an enum and a new setting is added to allow only MSCHAPv2. Signed-off-by: Mantas Mikulėnas <mantas@utenos-kolegija.lt> Reviewed-by: Garming Sam <garming@catalyst.net.nz> 
The ntlm auth parameter is expanded to more clearly describe the
role of each option, and to allow the new mode that permits MSCHAPv2
(as declared by the client over the NETLOGON protocol) while
still banning NTLMv1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Based on a patch by Mantas Mikulėnas <mantas@utenos-kolegija.lt>:

Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth")
added the --allow-mschapv2 option, but didn't implement checking for it
server-side. This implements such checking.

Additionally, Samba now disables NTLMv1 authentication by default for
security reasons. To avoid having to re-enable it globally, 'ntlm auth'
becomes an enum and a new setting is added to allow only MSCHAPv2.

Signed-off-by: Mantas Mikulėnas <mantas@utenos-kolegija.lt>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
param: change the effective default for "client max protocol" to the latest supported protocol 2017-06-27T14:57:48+00:00 Stefan Metzmacher metze@samba.org 2017-06-26T08:00:53+00:00 1199907cbe2f003a7df6f56e6cf3878d0732344d Currently it's SMB3_11. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Currently it's SMB3_11.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
docs-xml: change the default for "map untrusted to domain" to "auto" 2017-06-16T01:21:29+00:00 Stefan Metzmacher metze@samba.org 2017-03-22T11:11:26+00:00 bcd558eb50814dfdc68bf49f082f9f644651cb38 This makes the behaviour much more robust, particularly with forest child domains over one-way forest trusts. Sadly we don't support this kind of setup with our current ADDC, so there's no way to have automated tests for this behaviour, but at least we know it doesn't break any existing tests. BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
This makes the behaviour much more robust, particularly with forest child
domains over one-way forest trusts.

Sadly we don't support this kind of setup with our current ADDC, so
there's no way to have automated tests for this behaviour, but
at least we know it doesn't break any existing tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
param: Add 'mit kdc command' to change the default. 2017-04-29T21:31:09+00:00 Andreas Schneider asn@samba.org 2014-04-28T13:22:34+00:00 7556c20d4bf90bfcc288ba1c82008105eaf8f261 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlet <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
lib: param: Remove lpcfg_register_defaults_hook(). 2017-04-18T20:54:15+00:00 Jeremy Allison jra@samba.org 2017-04-18T17:21:50+00:00 1e8e048bf01447148ffa89ec237e2f9f58ff0ab6 Completely unused functionality. Gets rid of another talloc_autofree_context(). Updated WHATSNEW to make this clear. Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> 
Completely unused functionality. Gets rid of another
talloc_autofree_context(). Updated WHATSNEW to make
this clear.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
lib: param: Remove the last external use of global_iconv_handle by calling the utility function reinit_iconv_handle(). 2017-04-18T09:47:17+00:00 Jeremy Allison jra@samba.org 2017-04-11T22:57:28+00:00 2a4d07b999df2343c694a2b373d3b506bd3d5682 Add an error check. This *looks* like a logic change, but it is not. The only change is the addition of the error return check. The reason is that the changed function, reload_charcnv(), is the *only* function that sets lp_ctx->iconv_handle. And it does so just before setting global_iconv_handle = lp_ctx->iconv_handle. Calling the utility function reinit_iconv_handle() instead merely sets global_iconv_handle first, then assigns it (as the return) to lp_ctx->iconv_handle. So all this is doing is reversing the order of setting global_iconv_handle and lp_ctx->iconv_handle to the same thing. Even the removal of the lines: - struct smb_iconv_handle *old_ic = lp_ctx->iconv_handle - if (old_ic == NULL) { - old_ic = global_iconv_handle; has no effect, as remember that lp_ctx->iconv_handle is only ever set to the same value as global_iconv_handle, and once this function has been run once, lp_ctx->iconv_handle != NULL. This allows us finally to make global_iconv_handle private to the C source file that defines it. Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
Add an error check.

This *looks* like a logic change, but it is not.

The only change is the addition of the error return check.

The reason is that the changed function, reload_charcnv(),
is the *only* function that sets lp_ctx->iconv_handle. And
it does so just before setting global_iconv_handle = lp_ctx->iconv_handle.

Calling the utility function reinit_iconv_handle()
instead merely sets global_iconv_handle first, then
assigns it (as the return) to lp_ctx->iconv_handle.

So all this is doing is reversing the order of
setting global_iconv_handle and lp_ctx->iconv_handle
to the same thing.

Even the removal of the lines:

-       struct smb_iconv_handle *old_ic = lp_ctx->iconv_handle
-       if (old_ic == NULL) {
-               old_ic = global_iconv_handle;

has no effect, as remember that lp_ctx->iconv_handle
is only ever set to the same value as global_iconv_handle,
and once this function has been run once, lp_ctx->iconv_handle != NULL.

This allows us finally to make global_iconv_handle private
to the C source file that defines it.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
lib: param: Use utility functions to get rid of two more uses of global_iconv_handle. 2017-04-18T09:47:17+00:00 Jeremy Allison jra@samba.org 2017-04-11T22:51:17+00:00 766e9ff05e0689b0c0284e33e044a363ed4a4709 Add error return checking. Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
Add error return checking.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
lib: Remove smb_iconv_handle_reinit_lp() 2017-04-18T09:47:17+00:00 Jeremy Allison jra@samba.org 2017-04-11T22:31:17+00:00 3afbdb7a0e5c5e4bacc40f80ad0e8981b0af4b88 It's merely a wrapper for smb_iconv_handle_reinit(), only used in one place and smb_iconv_handle_reinit() is already called from lib/param/loadparm.c. Removing this will make it easier to make global_iconv_handle private state to lib/util/charset/codepoints.c later. Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
It's merely a wrapper for smb_iconv_handle_reinit(),
only used in one place and smb_iconv_handle_reinit()
is already called from lib/param/loadparm.c.

Removing this will make it easier to make global_iconv_handle
private state to lib/util/charset/codepoints.c later.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>