author | Andrew Bartlett <abartlet@samba.org> | 2012-02-03 18:03:10 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2012-03-04 23:33:05 +0100 |
commit | d7bb961859a3501aec4d28842bfffb6190d19a73 (patch) | |
tree | e472b543e1e88914fbcf7bf68a3e431ff7314afd /source3/smbd/reply.c | |
parent | acfa107ec64ceb6bf3a28df14585cfb0ccc79f41 (diff) | |
s3-auth: Remove security=share (depricated since 3.6).
This patch removes security=share, which Samba implemented by matching
the per-share password provided by the client in the Tree Connect with
a selection of usernames supplied by the client, the smb.conf or
guessed from the environment.
The rationale for the removal is that for the bulk of security=share
users, we just need a very simple way to run a 'trust the network'
Samba server, where users mark shares as guest ok. This is still
supported, and the smb.conf options are documented at
https://wiki.samba.org/index.php/Public_Samba_Server
At the same time, this closes the door on one of the most arcane areas
of Samba authentication.
Naturally, full user-name/password authentication remain available in
security=user and above.
This includes documentation updates for username and only user, which
now only do a small amount of what they used to do.
Andrew Bartlett
--------------
/ \
/ REST \
/ IN \
/ PEACE \
/ \
| SEC_SHARE |
| security=share |
| |
| |
| 5 March |
| |
| 2012 |
*| * * * | *
_________)/\\_//(\/(/\)/\//\/\///|_)_______
Diffstat (limited to 'source3/smbd/reply.c')
-rw-r--r-- | source3/smbd/reply.c | 38 |
1 files changed, 4 insertions, 34 deletions
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 0ab764c2d4..26a928f1b4 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -599,13 +599,6 @@ void reply_special(struct smbd_server_connection *sconn, char *inbuf, size_t inb
 break;
 }
- /* only add the client's machine name to the list
- of possibly valid usernames if we are operating
- in share mode security */
- if (lp_security() == SEC_SHARE) {
- add_session_user(sconn, get_remote_machine_name());
- }
-
 reload_services(sconn, conn_snum_used, true);
 reopen_logs();
@@ -656,7 +649,6 @@ void reply_tcon(struct smb_request *req)
 int pwlen=0;
 NTSTATUS nt_status;
 const char *p;
- DATA_BLOB password_blob;
 TALLOC_CTX *ctx = talloc_tos();
 struct smbd_server_connection *sconn = req->sconn;
@@ -688,14 +680,10 @@ void reply_tcon(struct smb_request *req)
 service = service_buf;
 }
- password_blob = data_blob(password, pwlen+1);
-
- conn = make_connection(sconn,service,password_blob,dev,
+ conn = make_connection(sconn,service,dev,
 req->vuid,&nt_status);
 req->conn = conn;
- data_blob_clear_free(&password_blob);
-
 if (!conn) {
 reply_nterror(req, nt_status);
 END_PROFILE(SMBtcon);
@@ -723,7 +711,6 @@ void reply_tcon_and_X(struct smb_request *req)
 {
 connection_struct *conn = req->conn;
 const char *service = NULL;
- DATA_BLOB password;
 TALLOC_CTX *ctx = talloc_tos();
 /* what the cleint thinks the device is */
 char *client_devicetype = NULL;
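Review bot: In the `-688` hunk of reply_tcon the client's password no longer reaches `make_connection()`, yet `int pwlen=0;` survives as context in the `-656` hunk, so the field is presumably still parsed from the request by code outside these hunks. If so, the string is now extracted only to advance the parse cursor, and with `data_blob_clear_free()` gone nothing visible here clears a plaintext copy. Consider skipping the field without keeping it, or at least saying so next to the parse: `/* tree-connect password is ignored; parsed only to step past it */`.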
@@ -761,27 +748,14 @@ void reply_tcon_and_X(struct smb_request *req)
 }
 if (sconn->smb1.negprot.encrypted_passwords) {
- password = data_blob_talloc(talloc_tos(), req->buf, passlen);
- if (lp_security() == SEC_SHARE) {
- /*
- * Security = share always has a pad byte
- * after the password.
- */
- p = (const char *)req->buf + passlen + 1;
- } else {
- p = (const char *)req->buf + passlen;
- }
+ p = (const char *)req->buf + passlen;
 } else {
- password = data_blob_talloc(talloc_tos(), req->buf, passlen+1);
- /* Ensure correct termination */
- password.data[passlen]=0;
 p = (const char *)req->buf + passlen + 1;
 }
 p += srvstr_pull_req_talloc(ctx, req, &path, p, STR_TERMINATE);
 if (path == NULL) {
- data_blob_clear_free(&password);
 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
 END_PROFILE(SMBtconX);
 return;
@@ -794,7 +768,6 @@ void reply_tcon_and_X(struct smb_request *req)
 if (*path=='\\') {
 q = strchr_m(path+2,'\\');
 if (!q) {
- data_blob_clear_free(&password);
 reply_nterror(req, NT_STATUS_BAD_NETWORK_NAME);
 END_PROFILE(SMBtconX);
 return;
@@ -809,7 +782,6 @@ void reply_tcon_and_X(struct smb_request *req)
 MIN(6, smbreq_bufrem(req, p)), STR_ASCII);
 if (client_devicetype == NULL) {
- data_blob_clear_free(&password);
 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
 END_PROFILE(SMBtconX);
 return;
@@ -817,12 +789,10 @@ void reply_tcon_and_X(struct smb_request *req)
 DEBUG(4,("Client requested device type [%s] for share [%s]\n", client_devicetype, service));
- conn = make_connection(sconn, service, password, client_devicetype,
+ conn = make_connection(sconn, service, client_devicetype,
 req->vuid, &nt_status);
 req->conn =conn;
- data_blob_clear_free(&password);
-
 if (!conn) {
 reply_nterror(req, nt_status);
 END_PROFILE(SMBtconX);
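Review bot: In the `-761` hunk both branches now use the request-supplied `passlen` purely as an offset, `p = (const char *)req->buf + passlen;` and `p = (const char *)req->buf + passlen + 1;`, and nothing in the hunk shows that offset being bounded. The check presumably sits earlier in reply_tcon_and_X, outside the hunk; confirm it also covers the `+ 1` case, since `p` is handed straight to `srvstr_pull_req_talloc()`. A one-line comment would record the new intent: `/* password bytes are unused; skip them to reach the path */`.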
@@ -2117,7 +2087,7 @@ void reply_ulogoffX(struct smb_request *req)
 /* in user level security we are supposed to close any files open by this user */
- if ((vuser != NULL) && (lp_security() != SEC_SHARE)) {
+ if (vuser != NULL) {
 file_close_user(sconn, req->vuid);
 } |
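Review bot: The comment above the condition still reads "in user level security", which no longer distinguishes anything now that the `SEC_SHARE` test is gone and `file_close_user()` runs whenever `vuser` is non-NULL. Suggest rewording it to `/* close any files open by this user */`. What reply_ulogoffX does when `vuser` is NULL is outside the hunk and is not changed by it.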