summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2012-05-12 12:00:00 +0200
committerStefan Metzmacher <metze@samba.org>2012-05-15 08:18:28 +0200
commitb4abd3faaf3bdcbcd24fed8325960ccdee43bea9 (patch)
tree72b6ef1be7b90ff79401843cc36efb91c5db2470
parent053fcfef0fa680e2443a07933973f0f21624c336 (diff)
downloadsamba-b4abd3faaf3bdcbcd24fed8325960ccdee43bea9.tar.gz
samba-b4abd3faaf3bdcbcd24fed8325960ccdee43bea9.tar.bz2
samba-b4abd3faaf3bdcbcd24fed8325960ccdee43bea9.zip
s3-auth: remove "security=server" (depricated since 3.6)
"security=server" has a lot of problems in the world with modern security (ntlmv2 and krb5). It was also not very reliable, as it needed a stable connection to the password server for the lifetime of the whole client connection! Please use "security=domain" or "security=ads" is you authentication against remote servers (domain controllers). metze -------------- / \ / REST \ / IN \ / PEACE \ / \ | SEC_SERVER | | security=server | | | | | | 12 May | | | | 2012 | *| * * * | * _________)/\\_//(\/(/\)/\//\/\///|_)_______
-rw-r--r--lib/param/loadparm_server_role.c9
-rw-r--r--lib/param/param_enums.c1
-rw-r--r--libds/common/roles.h19
-rw-r--r--source3/auth/auth.c6
-rw-r--r--source3/param/loadparm.c4
-rw-r--r--source3/utils/testparm.c6
6 files changed, 20 insertions, 25 deletions
diff --git a/lib/param/loadparm_server_role.c b/lib/param/loadparm_server_role.c
index 4ba54b9131..9ff64be046 100644
--- a/lib/param/loadparm_server_role.c
+++ b/lib/param/loadparm_server_role.c
@@ -73,13 +73,6 @@ int lp_find_server_role(int server_role, int security, int domain_logons, int do
role = ROLE_STANDALONE;
switch (security) {
- case SEC_SERVER:
- if (domain_logons) {
- DEBUG(0, ("Server's Role (logon server) conflicts with server-level security\n"));
- }
- /* this used to be considered ROLE_DOMAIN_MEMBER but that's just wrong */
- role = ROLE_STANDALONE;
- break;
case SEC_DOMAIN:
if (domain_logons) {
DEBUG(1, ("Server's Role (logon server) NOT ADVISED with domain-level security\n"));
@@ -157,7 +150,7 @@ bool lp_is_security_and_server_role_valid(int server_role, int security)
valid = true;
break;
case ROLE_STANDALONE:
- if (security == SEC_SERVER || security == SEC_USER) {
+ if (security == SEC_USER) {
valid = true;
}
break;
diff --git a/lib/param/param_enums.c b/lib/param/param_enums.c
index 36234ea4f9..5f4cd61bf6 100644
--- a/lib/param/param_enums.c
+++ b/lib/param/param_enums.c
@@ -46,7 +46,6 @@ static const struct enum_list enum_protocol[] = {
static const struct enum_list enum_security[] = {
{SEC_AUTO, "AUTO"},
{SEC_USER, "USER"},
- {SEC_SERVER, "SERVER"},
{SEC_DOMAIN, "DOMAIN"},
#if (defined(HAVE_ADS) || _SAMBA_BUILD_ >= 4)
{SEC_ADS, "ADS"},
diff --git a/libds/common/roles.h b/libds/common/roles.h
index 90281ba788..9dc9a00d28 100644
--- a/libds/common/roles.h
+++ b/libds/common/roles.h
@@ -60,10 +60,25 @@ enum server_role {
*| * * * | *
_________)/\\_//(\/(/\)/\//\/\///|_)_______
- */
+ --------------
+ / \
+ / REST \
+ / IN \
+ / PEACE \
+ / \
+ | SEC_SERVER |
+ | security=server |
+ | |
+ | |
+ | 12 May |
+ | |
+ | 2012 |
+ *| * * * | *
+ _________)/\\_//(\/(/\)/\//\/\///|_)_______
+
+*/
enum security_types {SEC_AUTO = 0,
SEC_USER = 2,
- SEC_SERVER = 3,
SEC_DOMAIN = 4,
SEC_ADS = 5};
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 4b075a6c54..c442a536d8 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -494,12 +494,6 @@ NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
talloc_tos(), "guest sam winbind:ntdomain",
NULL);
break;
- case SEC_SERVER:
- DEBUG(5,("Making default auth method list for security=server\n"));
- auth_method_list = str_list_make_v3(
- talloc_tos(), "guest sam smbserver",
- NULL);
- break;
case SEC_USER:
if (lp_encrypted_passwords()) {
if ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role() == ROLE_DOMAIN_BDC)) {
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 7d82b615e7..a34e5d524b 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -9049,10 +9049,6 @@ static bool lp_load_ex(const char *pszFname,
set_allowed_client_auth();
- if (lp_security() == SEC_SERVER) {
- DEBUG(1, ("WARNING: The security=server option is deprecated\n"));
- }
-
if (lp_security() == SEC_ADS && strchr(lp_passwordserver(), ':')) {
DEBUG(1, ("WARNING: The optional ':port' in password server = %s is deprecated\n",
lp_passwordserver()));
diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
index 9b224d4c1b..b75fc61b6e 100644
--- a/source3/utils/testparm.c
+++ b/source3/utils/testparm.c
@@ -129,11 +129,9 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.\n");
* Password server sanity checks.
*/
- if((lp_security() == SEC_SERVER || lp_security() >= SEC_DOMAIN) && !*lp_passwordserver()) {
+ if((lp_security() >= SEC_DOMAIN) && !*lp_passwordserver()) {
const char *sec_setting;
- if(lp_security() == SEC_SERVER)
- sec_setting = "server";
- else if(lp_security() == SEC_DOMAIN)
+ if(lp_security() == SEC_DOMAIN)
sec_setting = "domain";
else if(lp_security() == SEC_ADS)
sec_setting = "ads";