author | Andrew Bartlett <abartlet@samba.org> | 2011-11-10 12:45:54 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2011-11-17 00:34:08 +0100 |
commit | 9524e2fce1b7f644fef5f7c8134f72681d786e65 (patch) | |
tree | 0ffe517b8f05845767921af0c255eea71da5f71e /lib/param | |
parent | f099feaa01b6548cb60cb9d7d50b1f196b1af878 (diff) | |
param: calculate server role from security, and security from server role
This allows smb.conf files from either the samba3 or samba4 tradition
to come to the same value of server role, using the information in the
smb.conf file.
This is important so that tools like 'net getlocalsid' work against a
Samba4 AD installation (yes, users have tried this).
Andrew Bartlett
Pair-Programmed-With: Amitay Isaacs <amitay@samba.org>
Diffstat (limited to 'lib/param')
-rw-r--r-- | lib/param/loadparm.c | 27 | ||||
-rw-r--r-- | lib/param/loadparm_server_role.c | 143 | ||||
-rw-r--r-- | lib/param/loadparm_server_role.h | 31 | ||||
-rw-r--r-- | lib/param/wscript_build | 7 |
4 files changed, 201 insertions, 7 deletions
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 44d219a9e4..aaff5bc5bc 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -65,6 +65,7 @@ #include "s3_param.h" #include "lib/util/bitmap.h" #include "libcli/smb/smb_constants.h" +#include "lib/param/loadparm_server_role.h" #define standard_sub_basic talloc_strdup @@ -81,6 +82,10 @@ static bool defaults_saved = false; char *tls_dhpfile; \ char *loglevel; \ char *panic_action; \ + int server_role; \ + int security; \ + int domain_master; \ + bool domain_logons; \ int bPreferredMaster; #include "param_global.h" @@ -113,8 +118,10 @@ static const struct enum_list enum_protocol[] = { }; static const struct enum_list enum_security[] = { + {SEC_AUTO, "AUTO"}, {SEC_SHARE, "SHARE"}, {SEC_USER, "USER"}, + {SEC_DOMAIN, "DOMAIN"}, {SEC_ADS, "ADS"}, {-1, NULL} }; @@ -1484,9 +1491,6 @@ static struct loadparm_context *global_loadparm_context; #include "lib/param/param_functions.c" -FN_GLOBAL_INTEGER(server_role, server_role) -static FN_GLOBAL_BOOL(domain_logons, domain_logons) -FN_GLOBAL_INTEGER(domain_master, domain_master) FN_GLOBAL_LIST(smb_ports, smb_ports) FN_GLOBAL_INTEGER(nbt_port, nbt_port) FN_GLOBAL_INTEGER(dgram_port, dgram_port) @@ -1570,7 +1574,6 @@ FN_GLOBAL_INTEGER(srv_maxprotocol, srv_maxprotocol) FN_GLOBAL_INTEGER(srv_minprotocol, srv_minprotocol) FN_GLOBAL_INTEGER(cli_maxprotocol, cli_maxprotocol) FN_GLOBAL_INTEGER(cli_minprotocol, cli_minprotocol) -FN_GLOBAL_INTEGER(security, security) FN_GLOBAL_BOOL(paranoid_server_security, paranoid_server_security) FN_GLOBAL_INTEGER(server_signing, server_signing) @@ -3306,7 +3309,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "share backend", "classic"); - lpcfg_do_global_parameter(lp_ctx, "server role", "standalone"); + lpcfg_do_global_parameter(lp_ctx, "server role", "auto"); lpcfg_do_global_parameter(lp_ctx, "domain logons", "No"); lpcfg_do_global_parameter(lp_ctx, "domain master", "Auto"); 
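Review bot: In the `enum_security` hunk the table gains `AUTO` and `DOMAIN` but still has no `SERVER` entry, although `lp_find_server_role()` added by this same commit carries a `case SEC_SERVER:` branch. A samba3-tradition smb.conf with `security = server` therefore cannot reach that branch through this parser, and what the loader does with a value missing from the table is not visible in the diff. Either add `{SEC_SERVER, "SERVER"},` here, or document next to the table that server-level security is deliberately not accepted by this loader, so the authentication mode is never decided by a silent fallback.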
@@ -3370,7 +3373,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "server max protocol", "NT1"); lpcfg_do_global_parameter(lp_ctx, "client min protocol", "CORE"); lpcfg_do_global_parameter(lp_ctx, "client max protocol", "NT1"); - lpcfg_do_global_parameter(lp_ctx, "security", "USER"); + lpcfg_do_global_parameter(lp_ctx, "security", "AUTO"); lpcfg_do_global_parameter(lp_ctx, "paranoid server security", "True"); lpcfg_do_global_parameter(lp_ctx, "EncryptPasswords", "True"); lpcfg_do_global_parameter(lp_ctx, "ReadRaw", "True"); @@ -3799,3 +3802,15 @@ struct gensec_settings *lpcfg_gensec_settings(TALLOC_CTX *mem_ctx, struct loadpa return settings; } +int lpcfg_server_role(struct loadparm_context *lp_ctx) +{ + if (lp_ctx->s3_fns) { + return lp_ctx->s3_fns->server_role(); + } + + return lp_find_server_role(lp_ctx->globals->server_role, + lp_ctx->globals->security, + lp_ctx->globals->domain_logons, + (lp_ctx->globals->domain_master == true) || + (lp_ctx->globals->domain_master == Auto)); +} diff --git a/lib/param/loadparm_server_role.c b/lib/param/loadparm_server_role.c new file mode 100644 index 0000000000..1abe9b9ddc --- /dev/null +++ b/lib/param/loadparm_server_role.c 
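Review bot: Only the server-role half of the mapping gets a resolving accessor: `lpcfg_server_role()` is added at the end of loadparm.c, but the `FN_GLOBAL_INTEGER(security, security)` accessor removed earlier in this file has no replacement in the visible diff, and `lp_find_security()` is not called anywhere in it. With the default now `security = AUTO`, any code that reads `lp_ctx->globals->security` directly sees the `SEC_AUTO` sentinel rather than a concrete authentication mode. If callers outside this diff still need the value, a matching wrapper whose body is `return lp_find_security(lp_ctx->globals->server_role, lp_ctx->globals->security);` would keep the two derivations in step. A short comment on `lpcfg_server_role()` noting that `domain_master` is an int compared against both `true` and `Auto` would also help the next reader.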
@@ -0,0 +1,143 @@
+/*
+ Unix SMB/CIFS implementation.
+ Parameter loading functions
+ Copyright (C) Karl Auer 1993-1998
+
+ Largely re-written by Andrew Tridgell, September 1994
+
+ Copyright (C) Simo Sorce 2001
+ Copyright (C) Alexander Bokovoy 2002
+ Copyright (C) Stefan (metze) Metzmacher 2002
+ Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
+ Copyright (C) Michael Adam 2008
+ Copyright (C) Andrew Bartlett 2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+#include "includes.h"
+#include "lib/param/loadparm_server_role.h"
+#include "libds/common/roles.h"
+
+/*******************************************************************
+ Set the server type we will announce as via nmbd.
+********************************************************************/
+
+static const struct srv_role_tab {
+ uint32_t role;
+ const char *role_str;
+} srv_role_tab [] = {
+ { ROLE_STANDALONE, "ROLE_STANDALONE" },
+ { ROLE_DOMAIN_MEMBER, "ROLE_DOMAIN_MEMBER" },
+ { ROLE_DOMAIN_BDC, "ROLE_DOMAIN_BDC" },
+ { ROLE_DOMAIN_PDC, "ROLE_DOMAIN_PDC" },
+ { 0, NULL }
+};
+
+const char* server_role_str(uint32_t role)
+{
+ int i = 0;
+ for (i=0; srv_role_tab[i].role_str; i++) {
+ if (role == srv_role_tab[i].role) {
+ return srv_role_tab[i].role_str;
+ }
+ }
+ return NULL;
+}
+
+/**
+ * Set the server role based on security, domain logons and domain master
+ */
+int lp_find_server_role(int server_role, int security, bool domain_logons, bool domain_master)
+{
+ int role;
+
+ if (server_role != ROLE_AUTO) {
+ return server_role;
+ }
+
+ /* If server_role is set to ROLE_AUTO, figure out the correct role */
+ role = ROLE_STANDALONE;
+
+ switch (security) {
+ case SEC_SHARE:
+ if (domain_logons) {
+ DEBUG(0, ("Server's Role (logon server) conflicts with share-level security\n"));
+ }
+ break;
+ case SEC_SERVER:
+ if (domain_logons) {
+ DEBUG(0, ("Server's Role (logon server) conflicts with server-level security\n"));
+ }
+ /* this used to be considered ROLE_DOMAIN_MEMBER but that's just wrong */
+ role = ROLE_STANDALONE;
+ break;
+ case SEC_DOMAIN:
+ if (domain_logons) {
+ DEBUG(1, ("Server's Role (logon server) NOT ADVISED with domain-level security\n"));
+ role = ROLE_DOMAIN_BDC;
+ break;
+ }
+ role = ROLE_DOMAIN_MEMBER;
+ break;
+ case SEC_ADS:
+ if (domain_logons) {
+ role = ROLE_DOMAIN_CONTROLLER;
+ break;
+ }
+ role = ROLE_DOMAIN_MEMBER;
+ break;
+ case SEC_AUTO:
+ case SEC_USER:
+ if (domain_logons) {
+
+ if (domain_master) {
+ role = ROLE_DOMAIN_PDC;
+ } else {
+ role = ROLE_DOMAIN_BDC;
+ }
+ }
+ break;
+ default:
+ DEBUG(0, ("Server's Role undefined due to unknown security mode\n"));
+ break;
+ }
+
+ return role;
+}
+
+/**
+ * Set the server role based on security, domain logons and domain master
+ */
+int lp_find_security(int server_role, int security)
+{
+ if (security != SEC_AUTO) {
+ return security;
+ }
+
+ switch (server_role) {
+ case ROLE_AUTO:
+ case ROLE_STANDALONE:
+ return SEC_USER;
+ case ROLE_DOMAIN_MEMBER:
+#if (defined(HAVE_ADS) || _SAMBA_BUILD_ >= 4)
+ return SEC_ADS;
+#else
+ return SEC_DOMAIN;
+#endif
+ case ROLE_DOMAIN_PDC:
+ case ROLE_DOMAIN_BDC:
+ default:
+ return SEC_USER;
+ }
+}
diff --git a/lib/param/loadparm_server_role.h b/lib/param/loadparm_server_role.h
new file mode 100644
index 0000000000..2c82527573
--- /dev/null
+++ b/lib/param/loadparm_server_role.h
@@ -0,0 +1,31 @@
+/*
+ Unix SMB/CIFS implementation.
+ Parameter loading functions
+ Copyright (C) Karl Auer 1993-1998
+
+ Largely re-written by Andrew Tridgell, September 1994
+
+ Copyright (C) Simo Sorce 2001
+ Copyright (C) Alexander Bokovoy 2002
+ Copyright (C) Stefan (metze) Metzmacher 2002
+ Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
+ Copyright (C) Michael Adam 2008
+ Copyright (C) Andrew Bartlett 2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+const char* server_role_str(uint32_t role);
+int lp_find_server_role(int server_role, int security, bool domain_logons, bool domain_master);
+int lp_find_security(int server_role, int security);
diff --git a/lib/param/wscript_build b/lib/param/wscript_build
index f61e822037..13b7709abf 100644
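Review bot: `srv_role_tab` in loadparm_server_role.c has no entry for `ROLE_DOMAIN_CONTROLLER`, yet `lp_find_server_role()` in the same file returns that value for `SEC_ADS` with domain logons, so `server_role_str()` returns NULL for a role this code itself produces (and likewise for `ROLE_AUTO`), unless roles.h aliases it to one of the listed values. A caller that hands the result to a `%s` format would then pass a null pointer; adding `{ ROLE_DOMAIN_CONTROLLER, "ROLE_DOMAIN_CONTROLLER" },` to the table, or returning a fixed fallback string instead of NULL, closes that gap. In `lp_find_security()` the same role falls through `default:` to `SEC_USER`; if that is intended, an explicit `case ROLE_DOMAIN_CONTROLLER:` label would make the choice of authentication mode visible. Two comments are also copied from elsewhere: the banner above the table describes the nmbd announce type, and the doc comment on `lp_find_security()` repeats the one for `lp_find_server_role()` where it should read `Derive the security mode from the server role when security is SEC_AUTO`.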
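Review bot: The new header loadparm_server_role.h has no include guard and uses `uint32_t` and `bool` in its prototypes without including anything that defines them, so it compiles only when the includer has already pulled in `includes.h` or an equivalent. Wrapping the three declarations in an `#ifndef`/`#define`/`#endif` guard and adding `#include <stdint.h>` and `#include <stdbool.h>` (or the project's replacement header) would make it self-contained. A one-line comment on each prototype saying that the ROLE_AUTO or SEC_AUTO sentinel is resolved and any other value is passed through unchanged would document the contract that callers depend on.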
--- a/lib/param/wscript_build +++ b/lib/param/wscript_build @@ -16,11 +16,16 @@ bld.SAMBA_GENERATOR('param_global_h', target='param_global.h', rule='${PERL} ${SRC[1].abspath(env)} ${SRC[0].abspath(env)} --file ${TGT} --generate-scope=GLOBAL') +bld.SAMBA_LIBRARY('server-role', + source='loadparm_server_role.c', + deps='samba-util', + private_library=True) + bld.SAMBA_LIBRARY('samba-hostconfig', source='loadparm.c generic.c util.c', pc_files='samba-hostconfig.pc', vnum='0.0.1', - deps='DYNCONFIG', + deps='DYNCONFIG server-role', public_deps='samba-util param_local_h', public_headers='param.h', autoproto='param_proto.h', |