Age | Commit message (Collapse) | Author | Files | Lines |
|
Signed-off-by: Jeremy Allison <jra@samba.org>
|
|
Signed-off-by: Jeremy Allison <jra@samba.org>
|
|
This patch ensures consistency in behaviour between NTLMSSP and NTLM
session setup handlers. By calling the same layer that auth_ntlmssp
calls, we can not only allow redirection of all authentication to the
AD DC, we ensure that map to guest and username map handling is
consistent, even in the file server alone.
Andrew Bartlett
|
|
The plan is to have files_struct as some kind of low level
abstraction for a smb1/smb2 opens, that can be used by SMB_VFS modules.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Mar 6 23:04:01 CET 2012 on sn-devel-104
|
|
smbd_server_connection
The plan is to have connection_struct as some kind of low level
abstraction for a smb1/smb2 tree connects, that can be used by SMB_VFS modules.
metze
|
|
The plan is to have users_struct as some kind of low level
abstraction for a smb1/smb2 session, that can be used by SMB_VFS modules.
metze
|
|
This patch removes security=share, which Samba implemented by matching
the per-share password provided by the client in the Tree Connect with
a selection of usernames supplied by the client, the smb.conf or
guessed from the environment.
The rationale for the removal is that for the bulk of security=share
users, we just we need a very simple way to run a 'trust the network'
Samba server, where users mark shares as guest ok. This is still
supported, and the smb.conf options are documented at
https://wiki.samba.org/index.php/Public_Samba_Server
At the same time, this closes the door on one of the most arcane areas
of Samba authentication.
Naturally, full user-name/password authentication remain available in
security=user and above.
This includes documentation updates for username and only user, which
now only do a small amount of what they used to do.
Andrew Bartlett
--------------
/ \
/ REST \
/ IN \
/ PEACE \
/ \
| SEC_SHARE |
| security=share |
| |
| |
| 5 March |
| |
| 2012 |
*| * * * | *
_________)/\\_//(\/(/\)/\//\/\///|_)_______
|
|
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Sun Mar 4 23:18:10 CET 2012 on sn-devel-104
|
|
This was previously needed because SPNEGO was only available in the AD DC.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This is handled by the gensec_spnego module.
metze
|
|
This is possible because the s3 gensec modules are started as
normal gensec modules, so we do not need a wrapper any more.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Tue Jan 3 15:16:50 CET 2012 on sn-devel-104
|
|
This structure handles more than NTLMSSP now, at least when we are an AD DC
and so changing the name may avoid some confusion in the future.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
metze
|
|
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Dec 15 14:24:59 CET 2011 on sn-devel-104
|
|
metze
|
|
*am_parent'
This is a short term solution on the way to get rid of 'am_parent' completely.
metze
|
|
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Dec 13 22:06:02 CET 2011 on sn-devel-104
|
|
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Dec 12 16:08:59 CET 2011 on sn-devel-104
|
|
metze
|
|
metze
|
|
milliseconds
In future we'll pass the delay from the caller.
metze
|
|
metze
|
|
|
|
This structure added no value, particularly after the move to gensec.
It was added at a time when auth_ntlmssp_state was not available in
the client. This changed a while back (the wrapper was extended with
client calls), and the move to gensec again reinforced that we do not
need the extra complexity.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
#8473)
We should enforce the negotiated max sizes instead of the
lp_smb2_max_*() sizes.
metze
|
|
metze
Signed-off-by: Jeremy Allison <jra@samba.org>
|
|
metze
|
|
This adds support for the 2 stage negprot, from SMB 1 to SMB 2.1.
Support for this of for now and "max protocol = SMB2" still maps
to "max protocol = SMB2_02" PROTOCOL_SMB2_02.
In order to activate smb2.1, you need to use "max protocol = SMB2_10".
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Sep 5 19:30:58 CEST 2011 on sn-devel-104
|
|
metze
|
|
out-of-order when processing a compound request. (cherry picked from commit 19db1c98c6ba3cb5e883e16e865c44900ce17444)
|
|
metze
(cherry picked from commit cda93f04eb4e7e975b192a5fd33275ec638140ac)
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
This tests if the auth_generic_start() hook is available on the auth
context during the negprot, and if so it uses auth_generic_start() to
hook to GENSEC to handle the full SPNEGO blob.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
|
|
This patch finally has the same structure being used to describe the
authorization data of a user across the whole codebase.
This will allow of our session handling to be accomplished with common code.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This seperation between the structure used inside the auth modules and
in the wider codebase allows for a gradual migration from struct
auth_serversupplied_info -> struct auth_session_info (from auth.idl)
The idea here is that we keep a clear seperation between the structure
before and after the local groups, local user lookup and the session
key modifications have been processed, as the lack of this seperation
has caused issues in the past.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
metze
|
|
to their only user and make them static. Add comments.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Fri Jul 8 21:01:40 CEST 2011 on sn-devel-104
|
|
Move the num_requests field out of the smb1 struct into the generic
struct smbd_server_connection struct. Use it to count SMB2 requests
as well as SMB1 and ensure that check_log_size() is called every 50
SMB2 requests.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Fri Jul 8 01:14:53 CEST 2011 on sn-devel-104
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Guenther
|
|
global
section until we decide if we want to idle SMB2 directory handles.
Jeremy.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Fri Mar 18 01:13:53 CET 2011 on sn-devel-104
|
|
|
|
|
|
These variables, of type struct auth_serversupplied_info were poorly
named when added into 2001, and in good consistant practice, this has
extended all over the codebase in the years since.
The structure is also not ideal for it's current purpose. Originally
intended to convey the results of the authentication modules, it
really describes all the essential attributes of a session. This
rename will reduce the volume of a future patch to replaced these with
a struct auth_session_info, with auth_serversupplied_info confined to
the lower levels of the auth subsystem, and then eliminated.
(The new structure will be the output of create_local_token(), and the
change in struct definition will ensure that this is always run, populating
local groups and privileges).
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Since commit 7022554, smbds share a printcap cache (printer_list.tdb),
therefore ordering of events between smbd processes is important when
updating printcap cache information. Consider the following two process
example:
1) smbd1 receives HUP or printcap cache time expiry
2) smbd1 checks whether pcap needs refresh, it does
3) smbd1 marks pcap as refreshed
4) smbd1 forks child1 to obtain cups printer info
5) smbd2 receives HUP or printcap cache time expiry
6) smbd2 checks whether pcap needs refresh, it does not (due to step 3)
7) smbd2 reloads printer shares prior to child1 completion (stale pcap)
8) child1 completion, pcap cache (printer_list.tdb) is updated by smbd1
9) smbd1 reloads printer shares based on new pcap information
In this case both smbd1 and smbd2 are reliant on the pcap update
performed on child1 completion.
The prior commit "reload shares after pcap cache fill" ensures that
smbd1 only reloads printer shares following pcap update, however smbd2
continues to present shares based on stale pcap data.
This commit addresses the above problem by driving pcap cache and
printer share updates from the parent smbd process.
1) smbd0 (parent) receives a HUP or printcap cache time expiry
2) smbd0 forks child0 to obtain cups printer info
3) child0 completion, pcap cache (printer_list.tdb) is updated by smbd0
4) smbd0 reloads printer shares
5) smbd0 notifies child smbds of pcap update via message_send_all()
6) child smbds read fresh pcap data and reload printer shares
This architecture has the additional advantage that only a single
process (the parent smbd) requests printer information from the printcap
backend.
Use time_mono in housekeeping functions As suggested by Björn Jacke.
|
|
128 credits.
Jeremy.
|
|
SMB2 also.
|