diff options
author | Stefan Metzmacher <metze@samba.org> | 2012-05-12 12:00:00 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2012-05-15 08:18:28 +0200 |
commit | b4abd3faaf3bdcbcd24fed8325960ccdee43bea9 (patch) | |
tree | 72b6ef1be7b90ff79401843cc36efb91c5db2470 | |
parent | 053fcfef0fa680e2443a07933973f0f21624c336 (diff) | |
download | samba-b4abd3faaf3bdcbcd24fed8325960ccdee43bea9.tar.gz samba-b4abd3faaf3bdcbcd24fed8325960ccdee43bea9.tar.bz2 samba-b4abd3faaf3bdcbcd24fed8325960ccdee43bea9.zip |
s3-auth: remove "security=server" (depricated since 3.6)
"security=server" has a lot of problems in the world with
modern security (ntlmv2 and krb5). It was also not very
reliable, as it needed a stable connection to the password
server for the lifetime of the whole client connection!
Please use "security=domain" or "security=ads" is you
authentication against remote servers (domain controllers).
metze
--------------
/ \
/ REST \
/ IN \
/ PEACE \
/ \
| SEC_SERVER |
| security=server |
| |
| |
| 12 May |
| |
| 2012 |
*| * * * | *
_________)/\\_//(\/(/\)/\//\/\///|_)_______
-rw-r--r-- | lib/param/loadparm_server_role.c | 9 | ||||
-rw-r--r-- | lib/param/param_enums.c | 1 | ||||
-rw-r--r-- | libds/common/roles.h | 19 | ||||
-rw-r--r-- | source3/auth/auth.c | 6 | ||||
-rw-r--r-- | source3/param/loadparm.c | 4 | ||||
-rw-r--r-- | source3/utils/testparm.c | 6 |
6 files changed, 20 insertions, 25 deletions
diff --git a/lib/param/loadparm_server_role.c b/lib/param/loadparm_server_role.c index 4ba54b9131..9ff64be046 100644 --- a/lib/param/loadparm_server_role.c +++ b/lib/param/loadparm_server_role.c @@ -73,13 +73,6 @@ int lp_find_server_role(int server_role, int security, int domain_logons, int do role = ROLE_STANDALONE; switch (security) { - case SEC_SERVER: - if (domain_logons) { - DEBUG(0, ("Server's Role (logon server) conflicts with server-level security\n")); - } - /* this used to be considered ROLE_DOMAIN_MEMBER but that's just wrong */ - role = ROLE_STANDALONE; - break; case SEC_DOMAIN: if (domain_logons) { DEBUG(1, ("Server's Role (logon server) NOT ADVISED with domain-level security\n")); @@ -157,7 +150,7 @@ bool lp_is_security_and_server_role_valid(int server_role, int security) valid = true; break; case ROLE_STANDALONE: - if (security == SEC_SERVER || security == SEC_USER) { + if (security == SEC_USER) { valid = true; } break; diff --git a/lib/param/param_enums.c b/lib/param/param_enums.c index 36234ea4f9..5f4cd61bf6 100644 --- a/lib/param/param_enums.c +++ b/lib/param/param_enums.c @@ -46,7 +46,6 @@ static const struct enum_list enum_protocol[] = { static const struct enum_list enum_security[] = { {SEC_AUTO, "AUTO"}, {SEC_USER, "USER"}, - {SEC_SERVER, "SERVER"}, {SEC_DOMAIN, "DOMAIN"}, #if (defined(HAVE_ADS) || _SAMBA_BUILD_ >= 4) {SEC_ADS, "ADS"}, diff --git a/libds/common/roles.h b/libds/common/roles.h index 90281ba788..9dc9a00d28 100644 --- a/libds/common/roles.h +++ b/libds/common/roles.h @@ -60,10 +60,25 @@ enum server_role { *| * * * | * _________)/\\_//(\/(/\)/\//\/\///|_)_______ - */ + -------------- + / \ + / REST \ + / IN \ + / PEACE \ + / \ + | SEC_SERVER | + | security=server | + | | + | | + | 12 May | + | | + | 2012 | + *| * * * | * + _________)/\\_//(\/(/\)/\//\/\///|_)_______ + +*/ enum security_types {SEC_AUTO = 0, SEC_USER = 2, - SEC_SERVER = 3, SEC_DOMAIN = 4, SEC_ADS = 5}; diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 4b075a6c54..c442a536d8 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -494,12 +494,6 @@ NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx, talloc_tos(), "guest sam winbind:ntdomain", NULL); break; - case SEC_SERVER: - DEBUG(5,("Making default auth method list for security=server\n")); - auth_method_list = str_list_make_v3( - talloc_tos(), "guest sam smbserver", - NULL); - break; case SEC_USER: if (lp_encrypted_passwords()) { if ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role() == ROLE_DOMAIN_BDC)) { diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 7d82b615e7..a34e5d524b 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -9049,10 +9049,6 @@ static bool lp_load_ex(const char *pszFname, set_allowed_client_auth(); - if (lp_security() == SEC_SERVER) { - DEBUG(1, ("WARNING: The security=server option is deprecated\n")); - } - if (lp_security() == SEC_ADS && strchr(lp_passwordserver(), ':')) { DEBUG(1, ("WARNING: The optional ':port' in password server = %s is deprecated\n", lp_passwordserver())); diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c index 9b224d4c1b..b75fc61b6e 100644 --- a/source3/utils/testparm.c +++ b/source3/utils/testparm.c @@ -129,11 +129,9 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.\n"); * Password server sanity checks. */ - if((lp_security() == SEC_SERVER || lp_security() >= SEC_DOMAIN) && !*lp_passwordserver()) { + if((lp_security() >= SEC_DOMAIN) && !*lp_passwordserver()) { const char *sec_setting; - if(lp_security() == SEC_SERVER) - sec_setting = "server"; - else if(lp_security() == SEC_DOMAIN) + if(lp_security() == SEC_DOMAIN) sec_setting = "domain"; else if(lp_security() == SEC_ADS) sec_setting = "ads"; |