#include "librpc/gen_ndr/nbt.h"
#include "source4/lib/tls/tls.h"
#include "libcli/auth/ntlm_check.h"
+#include "lib/crypto/gnutls_helpers.h"
+#include "lib/util/string_wrappers.h"
+#include "auth/credentials/credentials.h"
#ifdef HAVE_SYS_SYSCTL_H
#include <sys/sysctl.h>
.map_hidden = false,
.map_archive = true,
.store_dos_attributes = true,
+ .smbd_max_xattr_size = 65536,
.dmapi_support = false,
.locking = true,
.strict_locking = Auto,
.aio_write_size = 1,
.map_readonly = MAP_READONLY_NO,
.directory_name_cache_size = 100,
- .smb_encrypt = SMB_SIGNING_DEFAULT,
+ .server_smb_encrypt = SMB_ENCRYPTION_DEFAULT,
.kernel_share_modes = true,
.durable_handles = true,
.check_parent_directory_delete_on_close = false,
.smbd_search_ask_sharemode = true,
.smbd_getinfo_ask_sharemode = true,
.spotlight_backend = SPOTLIGHT_BACKEND_NOINDEX,
+ .honor_change_notify_privilege = false,
.dummy = ""
};
Globals.machine_password_timeout = 60 * 60 * 24 * 7; /* 7 days default. */
Globals.lm_announce = Auto; /* = Auto: send only if LM clients found */
Globals.lm_interval = 60;
-#if (defined(HAVE_NETGROUP) && defined(WITH_AUTOMOUNT))
- Globals.nis_homedir = false;
-#ifdef WITH_NISPLUS_HOME
- lpcfg_string_set(Globals.ctx, &Globals.homedir_map,
- "auto_home.org_dir");
-#else
- lpcfg_string_set(Globals.ctx, &Globals.homedir_map, "auto.home");
-#endif
-#endif
Globals.time_server = false;
Globals.bind_interfaces_only = false;
Globals.unix_password_sync = false;
lpcfg_string_set(Globals.ctx, &Globals.ldap_admin_dn, "");
Globals.ldap_ssl = LDAP_SSL_START_TLS;
- Globals.ldap_ssl_ads = false;
Globals.ldap_deref = -1;
Globals.ldap_passwd_sync = LDAP_PASSWD_SYNC_OFF;
Globals.ldap_delete_dn = false;
lpcfg_string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem");
lpcfg_string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem");
lpcfg_string_set(Globals.ctx, &Globals._tls_cafile, "tls/ca.pem");
- lpcfg_string_set(Globals.ctx, &Globals.tls_priority,
+ lpcfg_string_set(Globals.ctx,
+ &Globals.tls_priority,
"NORMAL:-VERS-SSL3.0");
- lpcfg_string_set(Globals.ctx, &Globals.share_backend, "classic");
-
Globals._preferred_master = Auto;
Globals.allow_dns_updates = DNS_UPDATE_SIGNED;
Globals.prefork_backoff_increment = 10;
Globals.prefork_maximum_backoff = 120;
+ Globals.ldap_max_anonymous_request_size = 256000;
+ Globals.ldap_max_authenticated_request_size = 16777216;
+ Globals.ldap_max_search_request_size = 256000;
+
+ /* Async DNS query timeout (in seconds). */
+ Globals.async_dns_timeout = 10;
+
+ Globals.client_smb_encrypt = SMB_ENCRYPTION_DEFAULT;
+
+ Globals._client_use_kerberos = CRED_USE_KERBEROS_DESIRED;
+
+ Globals.client_protection = CRED_CLIENT_PROTECTION_DEFAULT;
+
/* Now put back the settings that were set with lp_set_cmdline() */
apply_lp_set_cmdline();
}
return &s3_global_substitution;
}
-char *lp_string(TALLOC_CTX *ctx, const char *s)
-{
- return lpcfg_substituted_string(ctx, &s3_global_substitution, s);
-}
-
/*
In this section all the functions that are used to access the
parameters from the rest of the program are defined
*/
-#define FN_GLOBAL_STRING(fn_name,ptr) \
-char *lp_ ## fn_name(TALLOC_CTX *ctx) {return(lp_string((ctx), *(char **)(&Globals.ptr) ? *(char **)(&Globals.ptr) : ""));}
#define FN_GLOBAL_SUBSTITUTED_STRING(fn_name,ptr) \
char *lp_ ## fn_name(TALLOC_CTX *ctx, const struct loadparm_substitution *lp_sub) \
{return lpcfg_substituted_string(ctx, lp_sub, *(char **)(&Globals.ptr) ? *(char **)(&Globals.ptr) : "");}
#define FN_GLOBAL_INTEGER(fn_name,ptr) \
int lp_ ## fn_name(void) {return(*(int *)(&Globals.ptr));}
-#define FN_LOCAL_STRING(fn_name,val) \
-char *lp_ ## fn_name(TALLOC_CTX *ctx,int i) {return(lp_string((ctx), (LP_SNUM_OK(i) && ServicePtrs[(i)]->val) ? ServicePtrs[(i)]->val : sDefault.val));}
#define FN_LOCAL_SUBSTITUTED_STRING(fn_name,val) \
char *lp_ ## fn_name(TALLOC_CTX *ctx, const struct loadparm_substitution *lp_sub, int i) \
{return lpcfg_substituted_string((ctx), lp_sub, (LP_SNUM_OK(i) && ServicePtrs[(i)]->val) ? ServicePtrs[(i)]->val : sDefault.val);}
#include "lib/param/param_functions.c"
-FN_LOCAL_STRING(servicename, szService)
+FN_LOCAL_SUBSTITUTED_STRING(servicename, szService)
FN_LOCAL_CONST_STRING(const_servicename, szService)
/* These functions cannot be auto-generated */
}
}
+
+static const char *ad_dc_req_vfs_mods[] = {"dfs_samba4", "acl_xattr", NULL};
+
+/*
+ * check that @vfs_objects includes all vfs modules required by an AD DC.
+ */
+static bool check_ad_dc_required_mods(const char **vfs_objects)
+{
+ int i;
+ int j;
+ int got_req;
+
+ for (i = 0; ad_dc_req_vfs_mods[i] != NULL; i++) {
+ got_req = false;
+ for (j = 0; vfs_objects[j] != NULL; j++) {
+ if (!strwicmp(ad_dc_req_vfs_mods[i], vfs_objects[j])) {
+ got_req = true;
+ break;
+ }
+ }
+ if (!got_req) {
+ DEBUG(0, ("vfs objects specified without required AD "
+ "DC module: %s\n", ad_dc_req_vfs_mods[i]));
+ return false;
+ }
+ }
+
+ DEBUG(6, ("vfs objects specified with all required AD DC modules\n"));
+ return true;
+}
+
+
/***************************************************************************
Initialize any local variables in the sDefault table, after parsing a
[globals] section.
*/
if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
const char **vfs_objects = lp_vfs_objects(-1);
- if (!vfs_objects || !vfs_objects[0]) {
+ if (vfs_objects != NULL) {
+ /* ignore return, only warn if modules are missing */
+ check_ad_dc_required_mods(vfs_objects);
+ } else {
if (lp_parm_const_string(-1, "xattr_tdb", "file", NULL)) {
lp_do_parameter(-1, "vfs objects", "dfs_samba4 acl_xattr xattr_tdb");
} else if (lp_parm_const_string(-1, "posix", "eadb", NULL)) {
open and fstat. Ensure this isn't a symlink link. */
if (sys_lstat(fname, &lsbuf, false) != 0) {
+ if (errno == ENOENT) {
+ /* Unknown share requested. Just ignore. */
+ goto out;
+ }
+ /* Only log messages for meaningful problems. */
DEBUG(0,("process_usershare_file: stat of %s failed. %s\n",
fname, strerror(errno) ));
goto out;
int max_user_shares = Globals.usershare_max_shares;
int snum_template = -1;
+ if (servicename[0] == '\0') {
+ /* Invalid service name. */
+ return -1;
+ }
+
if (*usersharepath == 0 || max_user_shares == 0) {
return -1;
}
tmp_ctx = talloc_stackframe();
for (iService = iNumServices - 1; iService >= 0; iService--) {
if (VALID(iService) && (ServicePtrs[iService]->usershare == USERSHARE_PENDING_DELETE)) {
+ const struct loadparm_substitution *lp_sub =
+ loadparm_s3_global_substitution();
char *servname;
if (snumused && snumused(sconn, iService)) {
continue;
}
- servname = lp_servicename(tmp_ctx, iService);
+ servname = lp_servicename(tmp_ctx, lp_sub, iService);
/* Remove from the share ACL db. */
DEBUG(10,("load_usershare_shares: Removing deleted usershare %s\n",
size_t end = 32;
if (!*label) {
- label = lp_servicename(ctx, snum);
+ label = lp_servicename(ctx, lp_sub, snum);
}
/*
return lp_disable_spoolss() ? SVCCTL_STOPPED : SVCCTL_RUNNING;
}
-/*******************************************************************
- Ensure we don't use sendfile if server smb signing is active.
-********************************************************************/
-
-bool lp_use_sendfile(int snum, struct smb_signing_state *signing_state)
-{
- bool sign_active = false;
-
- /* Using sendfile blows the brains out of any DOS or Win9x TCP stack... JRA. */
- if (get_Protocol() < PROTOCOL_NT1) {
- return false;
- }
- if (signing_state) {
- sign_active = smb_signing_is_active(signing_state);
- }
- return (lp__use_sendfile(snum) &&
- (get_remote_arch() != RA_WIN95) &&
- !sign_active);
-}
-
/*******************************************************************
Turn off sendfile if we find the underlying OS doesn't support it.
********************************************************************/
return client_ipc_signing;
}
+enum credentials_use_kerberos lp_client_use_kerberos(void)
+{
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ return CRED_USE_KERBEROS_REQUIRED;
+ }
+
+ return lp__client_use_kerberos();
+}
+
+
int lp_rpc_low_port(void)
{
return Globals.rpc_low_port;
return flags_list;
}
+
+enum samba_weak_crypto lp_weak_crypto()
+{
+ if (Globals.weak_crypto == SAMBA_WEAK_CRYPTO_UNKNOWN) {
+ Globals.weak_crypto = SAMBA_WEAK_CRYPTO_DISALLOWED;
+
+ if (samba_gnutls_weak_crypto_allowed()) {
+ Globals.weak_crypto = SAMBA_WEAK_CRYPTO_ALLOWED;
+ }
+ }
+
+ return Globals.weak_crypto;
+}
+
+uint32_t lp_get_async_dns_timeout(void)
+{
+ /*
+ * Clamp minimum async dns timeout to 1 second
+ * as per the man page.
+ */
+ return MAX(Globals.async_dns_timeout, 1);
+}
git.samba.org / samba.git / blobdiff