samba.git/source3/param, branch ldb-1.2.3 Unnamed repository; edit this file 'description' to name the repository. s3/loadparm: don't mark IPC$ as autoloaded 2017-12-05T09:34:26+00:00 Ralph Boehme slow@samba.org 2017-11-21T13:34:28+00:00 9990e6e4bff94dde226752b615c24dd4671bd370 A related problem that affects configuration for the hidden IPC$ share. This share is marked a "autoloaded" and such shares are not reloaded when requested. That resulted in the tcon to IPC$ still using encrpytion after running the following sequence of changes: 1. stop Samba 2. set [global] smb encrypt = required 3. start Samba 4. remove [global] smb encrypt = required 5. smbcontrol smbd reload-config 6a bin/smbclient -U slow%x //localhost/raw -c quit, or 6b bin/smbclient -U slow%x -mNT1 //localhost/raw -c ls In 6a the client simply encrypted packets on the IPC$ tcon. In 6b the client got a tcon failure with NT_STATUS_ACCESS_DENIED, but silently ignore the error. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13051 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Tue Nov 28 02:02:37 CET 2017 on sn-devel-144 (cherry picked from commit deaaff6843159f02bb15aeaf457f8af305e40164) 
A related problem that affects configuration for the hidden IPC$
share. This share is marked a "autoloaded" and such shares are not
reloaded when requested. That resulted in the tcon to IPC$ still using
encrpytion after running the following sequence of changes:

1. stop Samba
2. set [global] smb encrypt = required
3. start Samba
4. remove [global] smb encrypt = required
5. smbcontrol smbd reload-config
6a bin/smbclient -U slow%x //localhost/raw -c quit, or
6b bin/smbclient -U slow%x -mNT1 //localhost/raw -c ls

In 6a the client simply encrypted packets on the IPC$ tcon. In 6b the
client got a tcon failure with NT_STATUS_ACCESS_DENIED, but silently
ignore the error.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13051

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Nov 28 02:02:37 CET 2017 on sn-devel-144

(cherry picked from commit deaaff6843159f02bb15aeaf457f8af305e40164)
s3/loadparm: ensure default service options are not changed 2017-12-05T09:34:26+00:00 Ralph Boehme slow@samba.org 2017-11-21T13:28:48+00:00 cecbc43a5a3c03d184f2f4e8d80e066b740c4fe9 Rename sDefault to _sDefault and make it const. sDefault is make a copy of _sDefault in in the initialisation function lp_load_ex(). As we may end up in setup_lp_context() without going through lp_load_ex(), sDefault may still be uninitialized at that point, so I'm initializing lp_ctx->sDefault from _sDefault. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13051 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit ea4e6f95ae5c97e8570b8090ee7e7a577b49a8c3) 
Rename sDefault to _sDefault and make it const. sDefault is make a copy
of _sDefault in in the initialisation function lp_load_ex().

As we may end up in setup_lp_context() without going through
lp_load_ex(), sDefault may still be uninitialized at that point, so I'm
initializing lp_ctx->sDefault from _sDefault.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13051

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit ea4e6f95ae5c97e8570b8090ee7e7a577b49a8c3)
s3/loadparm: allocate a fresh sDefault object per lp_ctx 2017-12-05T09:34:26+00:00 Ralph Boehme slow@samba.org 2017-11-22T10:49:57+00:00 7dc2782ab51feb0ed55ab3ee8fe2b6748c404f3f This is in preperation of preventing direct access to sDefault in all places that currently modify it. As currently s3/loadparm is afaict not accessing lp_ctx->sDefault, but changes sDefault indirectly through lp_parm_ptr() this change is just a safety measure to prevent future breakage. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13051 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit 1fc103547023aa1c880713e5b65ec164acb58b54) 
This is in preperation of preventing direct access to sDefault in all
places that currently modify it.

As currently s3/loadparm is afaict not accessing lp_ctx->sDefault, but
changes sDefault indirectly through lp_parm_ptr() this change is just a
safety measure to prevent future breakage.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13051

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 1fc103547023aa1c880713e5b65ec164acb58b54)
param: Disable LanMan authentication unless NTLMv1 is also enabled 2017-07-04T04:57:20+00:00 Andrew Bartlett abartlet@samba.org 2017-07-03T02:11:47+00:00 d0d266bbf79fac956ca5de0b48dfac08b6f18628 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923 
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and re-factor 'ntlm auth =' 2017-07-04T04:57:20+00:00 Andrew Bartlett abartlet@samba.org 2017-07-03T00:11:51+00:00 d139d77ae3dbc490525ac94f46276d790bc2d879 The ntlm auth parameter is expanded to more clearly describe the role of each option, and to allow the new mode that permits MSCHAPv2 (as declared by the client over the NETLOGON protocol) while still banning NTLMv1. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Based on a patch by Mantas Mikulėnas <mantas@utenos-kolegija.lt>: Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth") added the --allow-mschapv2 option, but didn't implement checking for it server-side. This implements such checking. Additionally, Samba now disables NTLMv1 authentication by default for security reasons. To avoid having to re-enable it globally, 'ntlm auth' becomes an enum and a new setting is added to allow only MSCHAPv2. Signed-off-by: Mantas Mikulėnas <mantas@utenos-kolegija.lt> Reviewed-by: Garming Sam <garming@catalyst.net.nz> 
The ntlm auth parameter is expanded to more clearly describe the
role of each option, and to allow the new mode that permits MSCHAPv2
(as declared by the client over the NETLOGON protocol) while
still banning NTLMv1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Based on a patch by Mantas Mikulėnas <mantas@utenos-kolegija.lt>:

Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth")
added the --allow-mschapv2 option, but didn't implement checking for it
server-side. This implements such checking.

Additionally, Samba now disables NTLMv1 authentication by default for
security reasons. To avoid having to re-enable it globally, 'ntlm auth'
becomes an enum and a new setting is added to allow only MSCHAPv2.

Signed-off-by: Mantas Mikulėnas <mantas@utenos-kolegija.lt>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
param: change the effective default for "client max protocol" to the latest supported protocol 2017-06-27T14:57:48+00:00 Stefan Metzmacher metze@samba.org 2017-06-26T08:00:53+00:00 1199907cbe2f003a7df6f56e6cf3878d0732344d Currently it's SMB3_11. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Currently it's SMB3_11.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s3:param: Allow to add usershare if uid_wrapper is loaded 2017-06-27T14:57:42+00:00 Andreas Schneider asn@samba.org 2017-06-22T14:13:12+00:00 0df6ecf2fabf7bc4b29688d200274acb81cad0db Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
docs-xml: change the default for "map untrusted to domain" to "auto" 2017-06-16T01:21:29+00:00 Stefan Metzmacher metze@samba.org 2017-03-22T11:11:26+00:00 bcd558eb50814dfdc68bf49f082f9f644651cb38 This makes the behaviour much more robust, particularly with forest child domains over one-way forest trusts. Sadly we don't support this kind of setup with our current ADDC, so there's no way to have automated tests for this behaviour, but at least we know it doesn't break any existing tests. BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
This makes the behaviour much more robust, particularly with forest child
domains over one-way forest trusts.

Sadly we don't support this kind of setup with our current ADDC, so
there's no way to have automated tests for this behaviour, but
at least we know it doesn't break any existing tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
param: Add 'mit kdc command' to change the default. 2017-04-29T21:31:09+00:00 Andreas Schneider asn@samba.org 2014-04-28T13:22:34+00:00 7556c20d4bf90bfcc288ba1c82008105eaf8f261 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlet <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
s3:param: Use new utility function to hide use of global_iconv_handle 2017-04-18T09:47:17+00:00 Jeremy Allison jra@samba.org 2017-04-11T22:47:17+00:00 6086b0e5a2ca03ba3a3c16cae2a0fe79605f5a6a Add error return check. Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
Add error return check.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>