summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2007-07-03 08:05:55 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:59:00 -0500
commit222c6dd7818c729540079cc480ee56812681854e (patch)
treec8c92312f69ae1c97ad51d2a66e524d3e41cc165 /source4
parent2f269ed95463535b701851735a9b2d43d6b955c1 (diff)
downloadsamba-222c6dd7818c729540079cc480ee56812681854e.tar.gz
samba-222c6dd7818c729540079cc480ee56812681854e.tar.bz2
samba-222c6dd7818c729540079cc480ee56812681854e.zip
r23680: Make it easier to setup a domain member server - the 'server role'
will now control the auth methods, but an override is still available, ex: auth methods:domain controller = <methods> Andrew Bartlett (This used to be commit b7e727186ed8eda6a68c873e089f655dc24fe8ae)
Diffstat (limited to 'source4')
-rw-r--r--source4/auth/auth.c33
-rw-r--r--source4/auth/auth_simple.c2
-rw-r--r--source4/auth/ntlmssp/ntlmssp_server.c2
-rw-r--r--source4/param/loadparm.c5
-rw-r--r--source4/rpc_server/netlogon/dcerpc_netlogon.c4
-rw-r--r--source4/scripting/ejs/smbcalls_auth.c2
-rw-r--r--source4/selftest/Samba4.pm3
-rw-r--r--source4/smb_server/smb/negprot.c2
-rw-r--r--source4/smb_server/smb/sesssetup.c2
9 files changed, 39 insertions, 16 deletions
diff --git a/source4/auth/auth.c b/source4/auth/auth.c
index 9100891d52..8a933c7dd0 100644
--- a/source4/auth/auth.c
+++ b/source4/auth/auth.c
@@ -348,11 +348,12 @@ NTSTATUS auth_check_password_recv(struct auth_check_password_request *req,
/***************************************************************************
Make a auth_info struct for the auth subsystem
+ - Allow the caller to specify the methods to use
***************************************************************************/
-NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx, const char **methods,
- struct event_context *ev,
- struct messaging_context *msg,
- struct auth_context **auth_ctx)
+NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **methods,
+ struct event_context *ev,
+ struct messaging_context *msg,
+ struct auth_context **auth_ctx)
{
int i;
struct auth_context *ctx;
@@ -406,6 +407,30 @@ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx, const char **methods,
return NT_STATUS_OK;
}
+/***************************************************************************
+ Make a auth_info struct for the auth subsystem
+ - Uses default auth_methods, depending on server role and smb.conf settings
+***************************************************************************/
+NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx,
+ struct event_context *ev,
+ struct messaging_context *msg,
+ struct auth_context **auth_ctx)
+{
+ const char **auth_methods = NULL;
+ switch (lp_server_role()) {
+ case ROLE_STANDALONE:
+ auth_methods = lp_parm_string_list(-1, "auth methods", "standalone", NULL);
+ break;
+ case ROLE_DOMAIN_MEMBER:
+ auth_methods = lp_parm_string_list(-1, "auth methods", "member server", NULL);
+ break;
+ case ROLE_DOMAIN_CONTROLLER:
+ auth_methods = lp_parm_string_list(-1, "auth methods", "domain controller", NULL);
+ break;
+ }
+ return auth_context_create_methods(mem_ctx, auth_methods, ev, msg, auth_ctx);
+}
+
/* the list of currently registered AUTH backends */
static struct auth_backend {
diff --git a/source4/auth/auth_simple.c b/source4/auth/auth_simple.c
index 59e1280ee5..5e1bcc2b8c 100644
--- a/source4/auth/auth_simple.c
+++ b/source4/auth/auth_simple.c
@@ -48,7 +48,7 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- nt_status = auth_context_create(tmp_ctx, lp_auth_methods(),
+ nt_status = auth_context_create(tmp_ctx,
ev, msg,
&auth_context);
if (!NT_STATUS_IS_OK(nt_status)) {
diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c
index 93103b9cbd..4bb37abefc 100644
--- a/source4/auth/ntlmssp/ntlmssp_server.c
+++ b/source4/auth/ntlmssp/ntlmssp_server.c
@@ -835,7 +835,7 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
- nt_status = auth_context_create(gensec_ntlmssp_state, lp_auth_methods(),
+ nt_status = auth_context_create(gensec_ntlmssp_state,
gensec_security->event_ctx,
gensec_security->msg_ctx,
&gensec_ntlmssp_state->auth_context);
diff --git a/source4/param/loadparm.c b/source4/param/loadparm.c
index 9bcf9aada7..8371b94a50 100644
--- a/source4/param/loadparm.c
+++ b/source4/param/loadparm.c
@@ -398,7 +398,6 @@ static struct parm_struct parm_table[] = {
{"Security Options", P_SEP, P_SEPARATOR},
{"security", P_ENUM, P_GLOBAL, &Globals.security, NULL, enum_security, FLAG_BASIC | FLAG_ADVANCED | FLAG_WIZARD | FLAG_DEVELOPER},
- {"auth methods", P_LIST, P_GLOBAL, &Globals.AuthMethods, NULL, NULL, FLAG_BASIC | FLAG_ADVANCED | FLAG_WIZARD | FLAG_DEVELOPER},
{"encrypt passwords", P_BOOL, P_GLOBAL, &Globals.bEncryptPasswords, NULL, NULL, FLAG_BASIC | FLAG_ADVANCED | FLAG_WIZARD | FLAG_DEVELOPER},
{"null passwords", P_BOOL, P_GLOBAL, &Globals.bNullPasswords, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
{"obey pam restrictions", P_BOOL, P_GLOBAL, &Globals.bObeyPamRestrictions, NULL, NULL, FLAG_ADVANCED | FLAG_DEVELOPER},
@@ -609,7 +608,9 @@ static void init_globals(void)
do_parameter("dcerpc endpoint servers", "epmapper srvsvc wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi winreg dssetup unixinfo", NULL);
do_parameter("server services", "smb rpc nbt wrepl ldap cldap web kdc drepl winbind", NULL);
do_parameter("ntptr providor", "simple_ldb", NULL);
- do_parameter("auth methods", "anonymous sam_ignoredomain", NULL);
+ do_parameter("auth methods:domain controller", "anonymous sam_ignoredomain", NULL);
+ do_parameter("auth methods:member server", "anonymous sam winbind", NULL);
+ do_parameter("auth methods:standalone", "anonymous sam_ignoredomain", NULL);
do_parameter("private dir", dyn_PRIVATE_DIR, NULL);
do_parameter("sam database", "sam.ldb", NULL);
do_parameter("secrets database", "secrets.ldb", NULL);
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 4e699cdc49..d0cadefb84 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -431,7 +431,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
}
/* TODO: we need to deny anonymous access here */
- nt_status = auth_context_create(mem_ctx, lp_auth_methods(),
+ nt_status = auth_context_create(mem_ctx,
dce_call->event_ctx, dce_call->msg_ctx,
&auth_context);
NT_STATUS_NOT_OK_RETURN(nt_status);
@@ -457,7 +457,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
case 6:
/* TODO: we need to deny anonymous access here */
- nt_status = auth_context_create(mem_ctx, lp_auth_methods(),
+ nt_status = auth_context_create(mem_ctx,
dce_call->event_ctx, dce_call->msg_ctx,
&auth_context);
NT_STATUS_NOT_OK_RETURN(nt_status);
diff --git a/source4/scripting/ejs/smbcalls_auth.c b/source4/scripting/ejs/smbcalls_auth.c
index 7b9fe2fc17..5509e78357 100644
--- a/source4/scripting/ejs/smbcalls_auth.c
+++ b/source4/scripting/ejs/smbcalls_auth.c
@@ -56,7 +56,7 @@ static int ejs_doauth(MprVarHandle eid,
msg = messaging_client_init(tmp_ctx, ev);
}
- nt_status = auth_context_create(tmp_ctx, auth_types, ev, msg, &auth_context);
+ nt_status = auth_context_create_methods(tmp_ctx, auth_types, ev, msg, &auth_context);
if (!NT_STATUS_IS_OK(nt_status)) {
mprSetPropertyValue(auth, "result", mprCreateBoolVar(False));
mprSetPropertyValue(auth, "report", mprString("Auth System Failure"));
diff --git a/source4/selftest/Samba4.pm b/source4/selftest/Samba4.pm
index e7daf7aece..07ed12a80f 100644
--- a/source4/selftest/Samba4.pm
+++ b/source4/selftest/Samba4.pm
@@ -276,8 +276,6 @@ sub provision($$$$$$)
mkdir($_, 0777) foreach ($privatedir, $etcdir, $piddir, $ncalrpcdir, $lockdir,
$tmpdir);
- my $auth_methods = "anonymous sam_ignoredomain";
- $auth_methods = "anonymous sam winbind" if $server_role eq "member server";
my $localdomain = $domain;
$localdomain = $netbiosname if $server_role eq "member server";
@@ -304,7 +302,6 @@ sub provision($$$$$$)
panic action = $srcdir/script/gdb_backtrace \%PID% \%PROG%
wins support = yes
server role = $server_role
- auth methods = $auth_methods
max xmit = 32K
server max protocol = SMB2
notify:inotify = false
diff --git a/source4/smb_server/smb/negprot.c b/source4/smb_server/smb/negprot.c
index bd6a0d63a3..6295337ba9 100644
--- a/source4/smb_server/smb/negprot.c
+++ b/source4/smb_server/smb/negprot.c
@@ -44,7 +44,7 @@ static NTSTATUS get_challenge(struct smbsrv_connection *smb_conn, uint8_t buff[8
DEBUG(10, ("get challenge: creating negprot_global_auth_context\n"));
- nt_status = auth_context_create(smb_conn, lp_auth_methods(),
+ nt_status = auth_context_create(smb_conn,
smb_conn->connection->event.ctx,
smb_conn->connection->msg_ctx,
&smb_conn->negotiate.auth_context);
diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c
index 2e9403b10a..532869f862 100644
--- a/source4/smb_server/smb/sesssetup.c
+++ b/source4/smb_server/smb/sesssetup.c
@@ -243,7 +243,7 @@ static void sesssetup_nt1(struct smbsrv_request *req, union smb_sesssetup *sess)
}
/* TODO: should we use just "anonymous" here? */
- status = auth_context_create(req, lp_auth_methods(),
+ status = auth_context_create(req,
req->smb_conn->connection->event.ctx,
req->smb_conn->connection->msg_ctx,
&auth_context);