s3-auth: rework default auth methods around the lp_server_role() parameter

To cover all the enum values, ROLE_ACTIVE_DIRECTORY_DOMAIN_CONTROLLER
is mapped to the samba4 auth module, and this is no longer required to
be specified in fileserver.conf.

Andrew Bartlett

2 files changed, 23 insertions, 18 deletions

diff --git a/file_server/file_server.c b/file_server/file_server.c
index 9f43ebbe75..46969f3920 100644
--- a/file_server/file_server.c
+++ b/file_server/file_server.c
@@ -49,7 +49,6 @@ static const char *generate_smb_conf(struct task_server *task)
 	}
 
 	fdprintf(fd, "# auto-generated config for fileserver\n");
-	fdprintf(fd, "auth methods = samba4\n");
 	fdprintf(fd, "passdb backend = samba4\n");
         fdprintf(fd, "rpc_server:default = external\n");
 	fdprintf(fd, "rpc_server:svcctl = embedded\n");
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 4fc54bed37..671319347f 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -486,35 +486,41 @@ NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
 	}
 
 	if (auth_method_list == NULL) {
-		switch (lp_security()) 
+		switch (lp_server_role()) 
 		{
-		case SEC_DOMAIN:
-		case SEC_ADS:
-			DEBUG(5,("Making default auth method list for security=domain and security=ads\n"));
+		case ROLE_DOMAIN_MEMBER:
+			DEBUG(5,("Making default auth method list for server role = 'domain member'\n"));
 			auth_method_list = str_list_make_v3(
 				talloc_tos(), "guest sam winbind:ntdomain",
 				NULL);
 			break;
-		case SEC_USER:
-			if (lp_encrypted_passwords()) {	
-				if ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role() == ROLE_DOMAIN_BDC)) {
-					DEBUG(5,("Making default auth method list for DC, security=user, encrypt passwords = yes\n"));
-					auth_method_list = str_list_make_v3(
-						talloc_tos(),
-						"guest sam winbind:trustdomain",
-						NULL);
-				} else {
-					DEBUG(5,("Making default auth method list for standalone security=user, encrypt passwords = yes\n"));
-					auth_method_list = str_list_make_v3(
+		case ROLE_DOMAIN_BDC:
+		case ROLE_DOMAIN_PDC:
+			DEBUG(5,("Making default auth method list for DC\n"));
+			auth_method_list = str_list_make_v3(
+				talloc_tos(),
+				"guest sam winbind:trustdomain",
+				NULL);
+			break;
+		case ROLE_STANDALONE:
+			DEBUG(5,("Making default auth method list for server role = 'standalone server', encrypt passwords = yes\n"));
+			if (lp_encrypted_passwords()) {
+				auth_method_list = str_list_make_v3(
 						talloc_tos(), "guest sam",
 						NULL);
-				}
 			} else {
-				DEBUG(5,("Making default auth method list for security=user, encrypt passwords = no\n"));
+				DEBUG(5,("Making default auth method list for server role = 'standalone server', encrypt passwords = no\n"));
 				auth_method_list = str_list_make_v3(
 					talloc_tos(), "guest unix", NULL);
 			}
 			break;
+		case ROLE_ACTIVE_DIRECTORY_DC:
+			DEBUG(5,("Making default auth method list for server role = 'active directory domain controller'\n"));
+			auth_method_list = str_list_make_v3(
+				talloc_tos(),
+				"samba4",
+				NULL);
+			break;
 		default:
 			DEBUG(5,("Unknown auth method!\n"));
 			return NT_STATUS_UNSUCCESSFUL;