#include "dbwrap/dbwrap_rbt.h"
#include "../lib/util/bitmap.h"
#include "librpc/gen_ndr/nbt.h"
+#include "source4/lib/tls/tls.h"
+#include "libcli/auth/ntlm_check.h"
#ifdef HAVE_SYS_SYSCTL_H
#include <sys/sysctl.h>
static struct loadparm_global Globals;
/* This is a default service used to prime a services structure */
-static struct loadparm_service sDefault =
+static const struct loadparm_service _sDefault =
{
.valid = true,
.autoloaded = false,
.usershare_last_mod = {0, 0},
.szService = NULL,
.path = NULL,
- .username = NULL,
.invalid_users = NULL,
.valid_users = NULL,
.admin_users = NULL,
.max_connections = 0,
.default_case = CASE_LOWER,
.printing = DEFAULT_PRINTING,
- .oplock_contention_limit = 2,
.csc_policy = 0,
.block_size = 1024,
.dfree_cache_time = 0,
.oplocks = true,
.kernel_oplocks = false,
.level2_oplocks = true,
- .only_user = false,
- .mangled_names = true,
+ .mangled_names = MANGLED_NAMES_YES,
.wide_links = false,
.follow_symlinks = true,
.sync_always = false,
.strict_allocate = false,
.strict_rename = false,
- .strict_sync = false,
+ .strict_sync = true,
.mangling_char = '~',
.copymap = NULL,
.delete_readonly = false,
.nt_acl_support = true,
.force_unknown_acl_user = false,
._use_sendfile = false,
- .profile_acls = false,
.map_acl_inherit = false,
.afs_share = false,
.ea_support = false,
.acl_group_control = false,
.acl_allow_execute_always = false,
.allocation_roundup_size = SMB_ROUNDUP_ALLOCATION_SIZE,
- .aio_read_size = 0,
- .aio_write_size = 0,
+ .aio_read_size = 1,
+ .aio_write_size = 1,
.map_readonly = MAP_READONLY_YES,
.directory_name_cache_size = 100,
.smb_encrypt = SMB_SIGNING_DEFAULT,
.dummy = ""
};
+/*
+ * This is a copy of the default service structure. Service options in the
+ * global section would otherwise overwrite the initial default values.
+ */
+static struct loadparm_service sDefault;
+
/* local variables */
static struct loadparm_service **ServicePtrs = NULL;
static int iNumServices = 0;
get_dyn_SMB_PASSWD_FILE());
lpcfg_string_set(Globals.ctx, &Globals.private_dir,
get_dyn_PRIVATE_DIR());
+ lpcfg_string_set(Globals.ctx, &Globals.binddns_dir,
+ get_dyn_BINDDNS_DIR());
/* use the new 'hash2' method by default, with a prefix of 1 */
lpcfg_string_set(Globals.ctx, &Globals.mangling_method, "hash2");
lpcfg_string_set(Globals.ctx, &Globals.logon_path,
"\\\\%N\\%U\\profile");
- Globals.name_resolve_order = str_list_make_v3_const(NULL, "lmhosts wins host bcast", NULL);
+ Globals.name_resolve_order =
+ str_list_make_v3_const(Globals.ctx,
+ DEFAULT_NAME_RESOLVE_ORDER,
+ NULL);
lpcfg_string_set(Globals.ctx, &Globals.password_server, "*");
Globals.algorithmic_rid_base = BASE_RID;
Globals.server_min_protocol = PROTOCOL_LANMAN1;
Globals._client_max_protocol = PROTOCOL_DEFAULT;
Globals.client_min_protocol = PROTOCOL_CORE;
+ Globals._client_ipc_max_protocol = PROTOCOL_DEFAULT;
+ Globals._client_ipc_min_protocol = PROTOCOL_DEFAULT;
Globals._security = SEC_AUTO;
Globals.encrypt_passwords = true;
- Globals.client_schannel = Auto;
+ Globals.client_schannel = true;
Globals.winbind_sealed_pipes = true;
Globals.require_strong_key = true;
Globals.server_schannel = Auto;
Globals.restrict_anonymous = 0;
Globals.client_lanman_auth = false; /* Do NOT use the LanMan hash if it is available */
Globals.client_plaintext_auth = false; /* Do NOT use a plaintext password even if is requested by the server */
- Globals.lanman_auth = false; /* Do NOT use the LanMan hash, even if it is supplied */
- Globals.ntlm_auth = true; /* Do use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
+ Globals._lanman_auth = false; /* Do NOT use the LanMan hash, even if it is supplied */
+ Globals.ntlm_auth = NTLM_AUTH_NTLMV2_ONLY; /* Do NOT use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
Globals.raw_ntlmv2_auth = false; /* Reject NTLMv2 without NTLMSSP */
Globals.client_ntlmv2_auth = true; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
/* Note, that we will also use NTLM2 session security (which is different), if it is available */
+ Globals.allow_dcerpc_auth_level_connect = false; /* we don't allow this by default */
+
Globals.map_to_guest = 0; /* By Default, "Never" */
Globals.oplock_break_wait_time = 0; /* By Default, 0 msecs. */
Globals.enhanced_browsing = true;
Globals.reset_on_zero_vc = false;
Globals.log_writeable_files_on_exit = false;
Globals.create_krb5_conf = true;
+ Globals.include_system_krb5_conf = true;
Globals._winbind_max_domain_connections = 1;
/* hostname lookups can be very expensive and are broken on
Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
+ Globals.ldap_server_require_strong_auth =
+ LDAP_SERVER_REQUIRE_STRONG_AUTH_YES;
+
/* This is what we tell the afs client. in reality we set the token
* to never expire, though, when this runs out the afs client will
* forget the token. Set to 0 to get NEVERDATE.*/
Globals.winbind_enum_users = false;
Globals.winbind_enum_groups = false;
Globals.winbind_use_default_domain = false;
- Globals.winbind_trusted_domains_only = false;
Globals.winbind_nested_groups = true;
Globals.winbind_expand_groups = 0;
Globals.winbind_nss_info = str_list_make_v3_const(NULL, "template", NULL);
Globals.name_cache_timeout = 660; /* In seconds */
- Globals.use_spnego = true;
Globals.client_use_spnego = true;
Globals.client_signing = SMB_SIGNING_DEFAULT;
+ Globals._client_ipc_signing = SMB_SIGNING_DEFAULT;
Globals.server_signing = SMB_SIGNING_DEFAULT;
Globals.defer_sharing_violations = true;
Globals.min_receivefile_size = 0;
- Globals.map_untrusted_to_domain = false;
Globals.multicast_dns_register = true;
Globals.smb2_max_read = DEFAULT_SMB2_MAX_READ;
Globals.smb2_max_write = DEFAULT_SMB2_MAX_WRITE;
Globals.smb2_max_trans = DEFAULT_SMB2_MAX_TRANSACT;
Globals.smb2_max_credits = DEFAULT_SMB2_MAX_CREDITS;
- Globals.smb2_leases = false;
+ Globals.smb2_leases = true;
lpcfg_string_set(Globals.ctx, &Globals.ncalrpc_dir,
get_dyn_NCALRPCDIR());
Globals.server_services = str_list_make_v3_const(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL);
- Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
+ Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
Globals.tls_enabled = true;
+ Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE;
lpcfg_string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem");
lpcfg_string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem");
lpcfg_string_set(Globals.ctx, &Globals.ntp_signd_socket_directory,
get_dyn_NTP_SIGND_SOCKET_DIR());
- lpcfg_string_set(Globals.ctx,
- &Globals.winbindd_privileged_socket_directory,
- get_dyn_WINBINDD_PRIVILEGED_SOCKET_DIR());
-
s = talloc_asprintf(talloc_tos(), "%s/samba_kcc", get_dyn_SCRIPTSBINDIR());
if (s == NULL) {
smb_panic("init_globals: ENOMEM");
Globals.samba_kcc_command = str_list_make_v3_const(NULL, s, NULL);
TALLOC_FREE(s);
+#ifdef MIT_KDC_PATH
+ Globals.mit_kdc_command = str_list_make_v3_const(NULL, MIT_KDC_PATH, NULL);
+#endif
+
s = talloc_asprintf(talloc_tos(), "%s/samba_dnsupdate", get_dyn_SCRIPTSBINDIR());
if (s == NULL) {
smb_panic("init_globals: ENOMEM");
Globals.dns_update_command = str_list_make_v3_const(NULL, s, NULL);
TALLOC_FREE(s);
+ s = talloc_asprintf(talloc_tos(), "%s/samba_gpoupdate", get_dyn_SCRIPTSBINDIR());
+ if (s == NULL) {
+ smb_panic("init_globals: ENOMEM");
+ }
+ Globals.gpo_update_command = str_list_make_v3_const(NULL, s, NULL);
+ TALLOC_FREE(s);
+
s = talloc_asprintf(talloc_tos(), "%s/samba_spnupdate", get_dyn_SCRIPTSBINDIR());
if (s == NULL) {
smb_panic("init_globals: ENOMEM");
Globals.aio_max_threads = 100;
+ lpcfg_string_set(Globals.ctx,
+ &Globals.rpc_server_dynamic_port_range,
+ "49152-65535");
+ Globals.rpc_low_port = SERVER_TCP_LOW_PORT;
+ Globals.rpc_high_port = SERVER_TCP_HIGH_PORT;
+ Globals.prefork_children = 1;
+
/* Now put back the settings that were set with lp_set_cmdline() */
apply_lp_set_cmdline();
}
return NULL;
}
- lp_ctx->sDefault = &sDefault;
+ lp_ctx->sDefault = talloc_zero(lp_ctx, struct loadparm_service);
+ if (lp_ctx->sDefault == NULL) {
+ DBG_ERR("talloc_zero failed\n");
+ TALLOC_FREE(lp_ctx);
+ return NULL;
+ }
+
+ *lp_ctx->sDefault = _sDefault;
lp_ctx->services = NULL; /* We do not want to access this directly */
lp_ctx->bInGlobalSection = bInGlobalSection;
lp_ctx->flags = flags_list;
static void free_service_byindex(int iService);
static void show_parameter(int parmIndex);
static bool is_synonym_of(int parm1, int parm2, bool *inverse);
+static bool lp_parameter_value_is_valid(const char *parm_name, const char *val);
/*
* This is a helper function for parametrical options support. It returns a
}
lpcfg_string_set(ServicePtrs[i], &ServicePtrs[i]->path, tmpdir());
- lpcfg_string_set(ServicePtrs[i], &ServicePtrs[i]->username, "");
lpcfg_string_set(ServicePtrs[i], &ServicePtrs[i]->comment, comment);
lpcfg_string_set(ServicePtrs[i], &ServicePtrs[i]->fstype, "IPC");
ServicePtrs[i]->max_connections = 0;
ServicePtrs[i]->guest_ok = guest_ok;
ServicePtrs[i]->printable = false;
ServicePtrs[i]->browseable = sDefault.browseable;
- ServicePtrs[i]->autoloaded = true;
+ ServicePtrs[i]->autoloaded = false;
DEBUG(3, ("adding IPC service\n"));
Turn the value given into the inverse boolean expression when
the synonym is an invers boolean synonym.
- Return true if parm_name is a valid parameter name and
- in case it is an invers boolean synonym, if the val string could
- successfully be converted to the reverse bool.
+ Return true if
+ - parm_name is a valid parameter name and
+ - val is a valid value for this parameter and
+ - in case the parameter is an inverse boolean synonym, if the val
+ string could successfully be converted to the reverse bool.
Return false in all other cases.
**************************************************************************/
{
int num;
bool inverse;
+ bool ret;
if (!lp_parameter_is_valid(parm_name)) {
*canon_parm = NULL;
/* parametric option */
*canon_parm = parm_name;
*canon_val = val;
- } else {
- *canon_parm = parm_table[num].label;
- if (inverse) {
- if (!lp_invert_boolean(val, canon_val)) {
- *canon_val = NULL;
- return false;
- }
- } else {
- *canon_val = val;
+ return true;
+ }
+
+ *canon_parm = parm_table[num].label;
+ if (inverse) {
+ if (!lp_invert_boolean(val, canon_val)) {
+ *canon_val = NULL;
+ return false;
}
+ } else {
+ *canon_val = val;
}
- return true;
+ ret = lp_parameter_value_is_valid(*canon_parm, *canon_val);
+
+ return ret;
}
/***************************************************************************
printf("\n");
}
+/*
+ * Check the value for a P_ENUM
+ */
+static bool check_enum_parameter(struct parm_struct *parm, const char *value)
+{
+ int i;
+
+ for (i = 0; parm->enum_list[i].name; i++) {
+ if (strwicmp(value, parm->enum_list[i].name) == 0) {
+ return true;
+ }
+ }
+ return false;
+}
+
+/**************************************************************************
+ Check whether the given value is valid for the given parameter name.
+**************************************************************************/
+
+static bool lp_parameter_value_is_valid(const char *parm_name, const char *val)
+{
+ bool ret = false, tmp_bool;
+ int num = lpcfg_map_parameter(parm_name), tmp_int;
+ uint64_t tmp_int64 = 0;
+ struct parm_struct *parm;
+
+ /* parametric options (parameter names containing a colon) cannot
+ be checked and are therefore considered valid. */
+ if (strchr(parm_name, ':') != NULL) {
+ return true;
+ }
+
+ if (num >= 0) {
+ parm = &parm_table[num];
+ switch (parm->type) {
+ case P_BOOL:
+ case P_BOOLREV:
+ ret = set_boolean(val, &tmp_bool);
+ break;
+
+ case P_INTEGER:
+ ret = (sscanf(val, "%d", &tmp_int) == 1);
+ break;
+
+ case P_OCTAL:
+ ret = (sscanf(val, "%o", &tmp_int) == 1);
+ break;
+
+ case P_ENUM:
+ ret = check_enum_parameter(parm, val);
+ break;
+
+ case P_BYTES:
+ if (conv_str_size_error(val, &tmp_int64) &&
+ tmp_int64 <= INT_MAX) {
+ ret = true;
+ }
+ break;
+
+ case P_CHAR:
+ case P_LIST:
+ case P_STRING:
+ case P_USTRING:
+ case P_CMDLIST:
+ ret = true;
+ break;
+ }
+ }
+ return ret;
+}
+
/***************************************************************************
Show all parameter's name, type, [values,] and flags.
***************************************************************************/
(data.dptr != NULL) &&
(data.dsize == sizeof(iService)))
{
- iService = *(int *)data.dptr;
+ memcpy(&iService, data.dptr, sizeof(iService));
}
TALLOC_FREE(canon_name);
**/
static void init_iconv(void)
{
- global_iconv_handle = smb_iconv_handle_reinit(NULL, lp_dos_charset(),
- lp_unix_charset(),
- true, global_iconv_handle);
+ struct smb_iconv_handle *ret = NULL;
+
+ ret = reinit_iconv_handle(NULL,
+ lp_dos_charset(),
+ lp_unix_charset());
+ if (ret == NULL) {
+ smb_panic("reinit_iconv_handle failed");
+ }
}
/***************************************************************************
return true;
}
+static bool usershare_directory_is_root(uid_t uid)
+{
+ if (uid == 0) {
+ return true;
+ }
+
+ if (uid_wrapper_enabled()) {
+ return true;
+ }
+
+ return false;
+}
+
/***************************************************************************
Load a usershare service by name. Returns a valid servicenumber or -1.
***************************************************************************/
*/
#ifdef S_ISVTX
- if (sbuf.st_ex_uid != 0 || !(sbuf.st_ex_mode & S_ISVTX) || (sbuf.st_ex_mode & S_IWOTH)) {
+ if (!usershare_directory_is_root(sbuf.st_ex_uid) ||
+ !(sbuf.st_ex_mode & S_ISVTX) || (sbuf.st_ex_mode & S_IWOTH)) {
#else
- if (sbuf.st_ex_uid != 0 || (sbuf.st_ex_mode & S_IWOTH)) {
+ if (!usershare_directory_is_root(sbuf.st_ex_uid) ||
+ (sbuf.st_ex_mode & S_IWOTH)) {
#endif
DEBUG(0,("load_usershare_service: directory %s is not owned by root "
"or does not have the sticky bit 't' set or is writable by anyone.\n",
bInGlobalSection = true;
bGlobalOnly = global_only;
bAllowIncludeRegistry = allow_include_registry;
+ sDefault = _sDefault;
lp_ctx = setup_lp_context(talloc_tos());
/**
* most common lp_load wrapper, loading only the globals
+ *
+ * If this is used in a daemon or client utility it should be called
+ * after processing popt.
*/
bool lp_load_global(const char *file_name)
{
{
int client_max_protocol = lp__client_max_protocol();
if (client_max_protocol == PROTOCOL_DEFAULT) {
- return PROTOCOL_NT1;
+ return PROTOCOL_LATEST;
}
return client_max_protocol;
}
-int lp_winbindd_max_protocol(void)
+int lp_client_ipc_min_protocol(void)
{
- int client_max_protocol = lp__client_max_protocol();
- if (client_max_protocol == PROTOCOL_DEFAULT) {
+ int client_ipc_min_protocol = lp__client_ipc_min_protocol();
+ if (client_ipc_min_protocol == PROTOCOL_DEFAULT) {
+ client_ipc_min_protocol = lp_client_min_protocol();
+ }
+ if (client_ipc_min_protocol < PROTOCOL_NT1) {
+ return PROTOCOL_NT1;
+ }
+ return client_ipc_min_protocol;
+}
+
+int lp_client_ipc_max_protocol(void)
+{
+ int client_ipc_max_protocol = lp__client_ipc_max_protocol();
+ if (client_ipc_max_protocol == PROTOCOL_DEFAULT) {
return PROTOCOL_LATEST;
}
- return client_max_protocol;
+ if (client_ipc_max_protocol < PROTOCOL_NT1) {
+ return PROTOCOL_NT1;
+ }
+ return client_ipc_max_protocol;
+}
+
+int lp_client_ipc_signing(void)
+{
+ int client_ipc_signing = lp__client_ipc_signing();
+ if (client_ipc_signing == SMB_SIGNING_DEFAULT) {
+ return SMB_SIGNING_REQUIRED;
+ }
+ return client_ipc_signing;
+}
+
+int lp_rpc_low_port(void)
+{
+ return Globals.rpc_low_port;
+}
+
+int lp_rpc_high_port(void)
+{
+ return Globals.rpc_high_port;
+}
+
+/*
+ * Do not allow LanMan auth if unless NTLMv1 is also allowed
+ *
+ * This also ensures it is disabled if NTLM is totally disabled
+ */
+bool lp_lanman_auth(void)
+{
+ enum ntlm_auth_level ntlm_auth_level = lp_ntlm_auth();
+
+ if (ntlm_auth_level == NTLM_AUTH_ON) {
+ return lp__lanman_auth();
+ } else {
+ return false;
+ }
}
struct loadparm_global * get_globals(void)