author | Andrew Bartlett <abartlet@samba.org> | 2007-07-03 08:05:55 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 14:59:00 -0500 |
commit | 222c6dd7818c729540079cc480ee56812681854e (patch) | |
tree | c8c92312f69ae1c97ad51d2a66e524d3e41cc165 /source4 | |
parent | 2f269ed95463535b701851735a9b2d43d6b955c1 (diff) | |
r23680: Make it easier to set up a domain member server - the 'server role'
will now control the auth methods, but an override is still available,
e.g.:
auth methods:domain controller = <methods>
Andrew Bartlett
(This used to be commit b7e727186ed8eda6a68c873e089f655dc24fe8ae)
Diffstat (limited to 'source4')
-rw-r--r-- | source4/auth/auth.c | 33 | ||||
-rw-r--r-- | source4/auth/auth_simple.c | 2 | ||||
-rw-r--r-- | source4/auth/ntlmssp/ntlmssp_server.c | 2 | ||||
-rw-r--r-- | source4/param/loadparm.c | 5 | ||||
-rw-r--r-- | source4/rpc_server/netlogon/dcerpc_netlogon.c | 4 | ||||
-rw-r--r-- | source4/scripting/ejs/smbcalls_auth.c | 2 | ||||
-rw-r--r-- | source4/selftest/Samba4.pm | 3 | ||||
-rw-r--r-- | source4/smb_server/smb/negprot.c | 2 | ||||
-rw-r--r-- | source4/smb_server/smb/sesssetup.c | 2 |
9 files changed, 39 insertions, 16 deletions
diff --git a/source4/auth/auth.c b/source4/auth/auth.c
index 9100891d52..8a933c7dd0 100644
--- a/source4/auth/auth.c
+++ b/source4/auth/auth.c
@@ -348,11 +348,12 @@ NTSTATUS auth_check_password_recv(struct auth_check_password_request *req,
 /***************************************************************************
 Make a auth_info struct for the auth subsystem
+ - Allow the caller to specify the methods to use
 ***************************************************************************/
-NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx, const char **methods,
- struct event_context *ev,
- struct messaging_context *msg,
- struct auth_context **auth_ctx)
+NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **methods,
+ struct event_context *ev,
+ struct messaging_context *msg,
+ struct auth_context **auth_ctx)
 {
 int i;
 struct auth_context *ctx;
@@ -406,6 +407,30 @@ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx, const char **methods, return NT_STATUS_OK; } +/*************************************************************************** + Make a auth_info struct for the auth subsystem + - Uses default auth_methods, depending on server role and smb.conf settings +***************************************************************************/ +NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx, + struct event_context *ev, + struct messaging_context *msg, + struct auth_context **auth_ctx) +{ + const char **auth_methods = NULL; + switch (lp_server_role()) { + case ROLE_STANDALONE: + auth_methods = lp_parm_string_list(-1, "auth methods", "standalone", NULL); + break; + case ROLE_DOMAIN_MEMBER: + auth_methods = lp_parm_string_list(-1, "auth methods", "member server", NULL); + break; + case ROLE_DOMAIN_CONTROLLER: + auth_methods = lp_parm_string_list(-1, "auth methods", "domain controller", NULL); + break; + } + return auth_context_create_methods(mem_ctx, auth_methods, ev, msg, auth_ctx); +} + /* the list of currently registered AUTH backends */ static struct auth_backend { diff --git a/source4/auth/auth_simple.c b/source4/auth/auth_simple.c index 59e1280ee5..5e1bcc2b8c 100644 --- a/source4/auth/auth_simple.c +++ b/source4/auth/auth_simple.c @@ -48,7 +48,7 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - nt_status = auth_context_create(tmp_ctx, lp_auth_methods(), + nt_status = auth_context_create(tmp_ctx, ev, msg, &auth_context); if (!NT_STATUS_IS_OK(nt_status)) { diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c index 93103b9cbd..4bb37abefc 100644 --- a/source4/auth/ntlmssp/ntlmssp_server.c +++ b/source4/auth/ntlmssp/ntlmssp_server.c 
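Review bot: The switch in the new auth_context_create() has no `default:` case, so for any lp_server_role() value outside the three listed roles auth_methods stays NULL and is passed straight to auth_context_create_methods(); the same may happen if lp_parm_string_list() returns NULL for an unset option (its contract is not visible here). Whether auth_context_create_methods() rejects a NULL list cannot be seen from this diff, because its body lies between the two auth.c hunks. Since this wrapper now picks the authentication backends for nearly every caller, it should fail closed itself: add `default: return NT_STATUS_INTERNAL_ERROR;` to the switch and `if (auth_methods == NULL) return NT_STATUS_INTERNAL_ERROR;` before the final call. The header comment could also name the three `auth methods:<role>` keys, which makes the coupling to the defaults set in loadparm.c's init_globals() explicit.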
@@ -835,7 +835,7 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security) gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; } - nt_status = auth_context_create(gensec_ntlmssp_state, lp_auth_methods(), + nt_status = auth_context_create(gensec_ntlmssp_state, gensec_security->event_ctx, gensec_security->msg_ctx, &gensec_ntlmssp_state->auth_context); diff --git a/source4/param/loadparm.c b/source4/param/loadparm.c index 9bcf9aada7..8371b94a50 100644 --- a/source4/param/loadparm.c +++ b/source4/param/loadparm.c @@ -398,7 +398,6 @@ static struct parm_struct parm_table[] = { {"Security Options", P_SEP, P_SEPARATOR}, {"security", P_ENUM, P_GLOBAL, &Globals.security, NULL, enum_security, FLAG_BASIC | FLAG_ADVANCED | FLAG_WIZARD | FLAG_DEVELOPER}, - {"auth methods", P_LIST, P_GLOBAL, &Globals.AuthMethods, NULL, NULL, FLAG_BASIC | FLAG_ADVANCED | FLAG_WIZARD | FLAG_DEVELOPER}, {"encrypt passwords", P_BOOL, P_GLOBAL, &Globals.bEncryptPasswords, NULL, NULL, FLAG_BASIC | FLAG_ADVANCED | FLAG_WIZARD | FLAG_DEVELOPER}, {"null passwords", P_BOOL, P_GLOBAL, &Globals.bNullPasswords, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, {"obey pam restrictions", P_BOOL, P_GLOBAL, &Globals.bObeyPamRestrictions, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER}, 
@@ -609,7 +608,9 @@ static void init_globals(void) do_parameter("dcerpc endpoint servers", "epmapper srvsvc wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi winreg dssetup unixinfo", NULL); do_parameter("server services", "smb rpc nbt wrepl ldap cldap web kdc drepl winbind", NULL); do_parameter("ntptr providor", "simple_ldb", NULL); - do_parameter("auth methods", "anonymous sam_ignoredomain", NULL); + do_parameter("auth methods:domain controller", "anonymous sam_ignoredomain", NULL); + do_parameter("auth methods:member server", "anonymous sam winbind", NULL); + do_parameter("auth methods:standalone", "anonymous sam_ignoredomain", NULL); do_parameter("private dir", dyn_PRIVATE_DIR, NULL); do_parameter("sam database", "sam.ldb", NULL); do_parameter("secrets database", "secrets.ldb", NULL); diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 4e699cdc49..d0cadefb84 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -431,7 +431,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal } /* TODO: we need to deny anonymous access here */ - nt_status = auth_context_create(mem_ctx, lp_auth_methods(), + nt_status = auth_context_create(mem_ctx, dce_call->event_ctx, dce_call->msg_ctx, &auth_context); NT_STATUS_NOT_OK_RETURN(nt_status); @@ -457,7 +457,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal case 6: /* TODO: we need to deny anonymous access here */ - nt_status = auth_context_create(mem_ctx, lp_auth_methods(), + nt_status = auth_context_create(mem_ctx, dce_call->event_ctx, dce_call->msg_ctx, &auth_context); NT_STATUS_NOT_OK_RETURN(nt_status); diff --git a/source4/scripting/ejs/smbcalls_auth.c b/source4/scripting/ejs/smbcalls_auth.c index 7b9fe2fc17..5509e78357 100644 --- a/source4/scripting/ejs/smbcalls_auth.c +++ b/source4/scripting/ejs/smbcalls_auth.c 
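Review bot: These three per-role defaults replace the single `auth methods` global, whose parm_table entry the previous loadparm.c hunk deletes, so an existing smb.conf line `auth methods = ...` no longer reaches auth_context_create(); how loadparm treats the now-unknown key is not visible here. An administrator who had narrowed the list would get the role default back, and every default registered here begins with `anonymous`. Consider a comment above the three do_parameter() calls such as `/* per-role defaults read by auth_context_create(); the old global "auth methods" is no longer consulted */`, plus a logged warning when the old key is encountered. The key suffixes must match the strings in auth_context_create()'s switch exactly, since a mismatch would presumably leave the method list empty.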
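Review bot: Both call sites under `/* TODO: we need to deny anonymous access here */` (this hunk and the one at -457) now take the role default, and every default registered in init_globals() includes `anonymous`, so the TODO is still open after this change. With auth_context_create_methods() now available, these two calls could pass an explicit method list that omits `anonymous` instead of relying on the role default; which backends that list should name depends on code outside this diff. At minimum the TODO could be reworded to say that the restriction now has to be applied through auth_context_create_methods(). The body of dcesrv_netr_LogonSamLogon_base continues outside both hunks.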
@@ -56,7 +56,7 @@ static int ejs_doauth(MprVarHandle eid, msg = messaging_client_init(tmp_ctx, ev); } - nt_status = auth_context_create(tmp_ctx, auth_types, ev, msg, &auth_context); + nt_status = auth_context_create_methods(tmp_ctx, auth_types, ev, msg, &auth_context); if (!NT_STATUS_IS_OK(nt_status)) { mprSetPropertyValue(auth, "result", mprCreateBoolVar(False)); mprSetPropertyValue(auth, "report", mprString("Auth System Failure")); diff --git a/source4/selftest/Samba4.pm b/source4/selftest/Samba4.pm index e7daf7aece..07ed12a80f 100644 --- a/source4/selftest/Samba4.pm +++ b/source4/selftest/Samba4.pm @@ -276,8 +276,6 @@ sub provision($$$$$$) mkdir($_, 0777) foreach ($privatedir, $etcdir, $piddir, $ncalrpcdir, $lockdir, $tmpdir); - my $auth_methods = "anonymous sam_ignoredomain"; - $auth_methods = "anonymous sam winbind" if $server_role eq "member server"; my $localdomain = $domain; $localdomain = $netbiosname if $server_role eq "member server"; @@ -304,7 +302,6 @@ sub provision($$$$$$) panic action = $srcdir/script/gdb_backtrace \%PID% \%PROG% wins support = yes server role = $server_role - auth methods = $auth_methods max xmit = 32K server max protocol = SMB2 notify:inotify = false diff --git a/source4/smb_server/smb/negprot.c b/source4/smb_server/smb/negprot.c index bd6a0d63a3..6295337ba9 100644 --- a/source4/smb_server/smb/negprot.c +++ b/source4/smb_server/smb/negprot.c @@ -44,7 +44,7 @@ static NTSTATUS get_challenge(struct smbsrv_connection *smb_conn, uint8_t buff[8 DEBUG(10, ("get challenge: creating negprot_global_auth_context\n")); - nt_status = auth_context_create(smb_conn, lp_auth_methods(), + nt_status = auth_context_create(smb_conn, smb_conn->connection->event.ctx, smb_conn->connection->msg_ctx, &smb_conn->negotiate.auth_context); diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c index 2e9403b10a..532869f862 100644 --- a/source4/smb_server/smb/sesssetup.c +++ b/source4/smb_server/smb/sesssetup.c 
@@ -243,7 +243,7 @@ static void sesssetup_nt1(struct smbsrv_request *req, union smb_sesssetup *sess) } /* TODO: should we use just "anonymous" here? */ - status = auth_context_create(req, lp_auth_methods(), + status = auth_context_create(req, req->smb_conn->connection->event.ctx, req->smb_conn->connection->msg_ctx, &auth_context); |