#include "../lib/util/bitmap.h"
#include "librpc/gen_ndr/nbt.h"
#include "source4/lib/tls/tls.h"
+#include "libcli/auth/ntlm_check.h"
#ifdef HAVE_SYS_SYSCTL_H
#include <sys/sysctl.h>
static struct loadparm_global Globals;
/* This is a default service used to prime a services structure */
-static struct loadparm_service sDefault =
+static const struct loadparm_service _sDefault =
{
.valid = true,
.autoloaded = false,
.max_connections = 0,
.default_case = CASE_LOWER,
.printing = DEFAULT_PRINTING,
- .oplock_contention_limit = 2,
.csc_policy = 0,
.block_size = 1024,
.dfree_cache_time = 0,
.map_system = false,
.map_hidden = false,
.map_archive = true,
- .store_dos_attributes = false,
+ .store_dos_attributes = true,
.dmapi_support = false,
.locking = true,
.strict_locking = Auto,
.nt_acl_support = true,
.force_unknown_acl_user = false,
._use_sendfile = false,
- .profile_acls = false,
.map_acl_inherit = false,
.afs_share = false,
- .ea_support = false,
+ .ea_support = true,
.acl_check_permissions = true,
.acl_map_full_control = true,
.acl_group_control = false,
.acl_allow_execute_always = false,
.allocation_roundup_size = SMB_ROUNDUP_ALLOCATION_SIZE,
- .aio_read_size = 0,
- .aio_write_size = 0,
- .map_readonly = MAP_READONLY_YES,
+ .aio_read_size = 1,
+ .aio_write_size = 1,
+ .map_readonly = MAP_READONLY_NO,
.directory_name_cache_size = 100,
.smb_encrypt = SMB_SIGNING_DEFAULT,
.kernel_share_modes = true,
.durable_handles = true,
+ .check_parent_directory_delete_on_close = false,
.param_opt = NULL,
.dummy = ""
};
+/*
+ * This is a copy of the default service structure. Service options in the
+ * global section would otherwise overwrite the initial default values.
+ */
+static struct loadparm_service sDefault;
+
/* local variables */
static struct loadparm_service **ServicePtrs = NULL;
static int iNumServices = 0;
get_dyn_SMB_PASSWD_FILE());
lpcfg_string_set(Globals.ctx, &Globals.private_dir,
get_dyn_PRIVATE_DIR());
+ lpcfg_string_set(Globals.ctx, &Globals.binddns_dir,
+ get_dyn_BINDDNS_DIR());
/* use the new 'hash2' method by default, with a prefix of 1 */
lpcfg_string_set(Globals.ctx, &Globals.mangling_method, "hash2");
Globals._client_ipc_min_protocol = PROTOCOL_DEFAULT;
Globals._security = SEC_AUTO;
Globals.encrypt_passwords = true;
- Globals.client_schannel = Auto;
+ Globals.client_schannel = true;
Globals.winbind_sealed_pipes = true;
Globals.require_strong_key = true;
- Globals.server_schannel = Auto;
+ Globals.server_schannel = true;
Globals.read_raw = true;
Globals.write_raw = true;
Globals.null_passwords = false;
Globals.restrict_anonymous = 0;
Globals.client_lanman_auth = false; /* Do NOT use the LanMan hash if it is available */
Globals.client_plaintext_auth = false; /* Do NOT use a plaintext password even if is requested by the server */
- Globals.lanman_auth = false; /* Do NOT use the LanMan hash, even if it is supplied */
- Globals.ntlm_auth = false; /* Do NOT use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
+ Globals._lanman_auth = false; /* Do NOT use the LanMan hash, even if it is supplied */
+ Globals.ntlm_auth = NTLM_AUTH_NTLMV2_ONLY; /* Do NOT use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
Globals.raw_ntlmv2_auth = false; /* Reject NTLMv2 without NTLMSSP */
Globals.client_ntlmv2_auth = true; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
/* Note, that we will also use NTLM2 session security (which is different), if it is available */
Globals.winbind_enum_users = false;
Globals.winbind_enum_groups = false;
Globals.winbind_use_default_domain = false;
- Globals.winbind_trusted_domains_only = false;
Globals.winbind_nested_groups = true;
Globals.winbind_expand_groups = 0;
Globals.winbind_nss_info = str_list_make_v3_const(NULL, "template", NULL);
Globals.winbind_refresh_tickets = false;
Globals.winbind_offline_logon = false;
+ Globals.winbind_scan_trusted_domains = true;
Globals.idmap_cache_time = 86400 * 7; /* a week by default */
Globals.idmap_negative_cache_time = 120; /* 2 minutes by default */
Globals.name_cache_timeout = 660; /* In seconds */
- Globals.use_spnego = true;
Globals.client_use_spnego = true;
Globals.client_signing = SMB_SIGNING_DEFAULT;
Globals.min_receivefile_size = 0;
- Globals.map_untrusted_to_domain = Auto;
Globals.multicast_dns_register = true;
Globals.smb2_max_read = DEFAULT_SMB2_MAX_READ;
Globals._preferred_master = Auto;
Globals.allow_dns_updates = DNS_UPDATE_SIGNED;
+ Globals.dns_zone_scavenging = false;
lpcfg_string_set(Globals.ctx, &Globals.ntp_signd_socket_directory,
get_dyn_NTP_SIGND_SOCKET_DIR());
Globals.dns_update_command = str_list_make_v3_const(NULL, s, NULL);
TALLOC_FREE(s);
+ s = talloc_asprintf(talloc_tos(), "%s/samba-gpupdate", get_dyn_SCRIPTSBINDIR());
+ if (s == NULL) {
+ smb_panic("init_globals: ENOMEM");
+ }
+ Globals.gpo_update_command = str_list_make_v3_const(NULL, s, NULL);
+ TALLOC_FREE(s);
+
+ Globals.apply_group_policies = false;
+
s = talloc_asprintf(talloc_tos(), "%s/samba_spnupdate", get_dyn_SCRIPTSBINDIR());
if (s == NULL) {
smb_panic("init_globals: ENOMEM");
"49152-65535");
Globals.rpc_low_port = SERVER_TCP_LOW_PORT;
Globals.rpc_high_port = SERVER_TCP_HIGH_PORT;
+ Globals.prefork_children = 4;
+ Globals.prefork_backoff_increment = 10;
+ Globals.prefork_maximum_backoff = 120;
/* Now put back the settings that were set with lp_set_cmdline() */
apply_lp_set_cmdline();
return NULL;
}
- lp_ctx->sDefault = &sDefault;
+ lp_ctx->sDefault = talloc_zero(lp_ctx, struct loadparm_service);
+ if (lp_ctx->sDefault == NULL) {
+ DBG_ERR("talloc_zero failed\n");
+ TALLOC_FREE(lp_ctx);
+ return NULL;
+ }
+
+ *lp_ctx->sDefault = _sDefault;
lp_ctx->services = NULL; /* We do not want to access this directly */
lp_ctx->bInGlobalSection = bInGlobalSection;
lp_ctx->flags = flags_list;
const char *user, const char *pszHomedir)
{
int i;
+ char *global_path;
if (pszHomename == NULL || user == NULL || pszHomedir == NULL ||
pszHomedir[0] == '\0') {
if (i < 0)
return false;
+ global_path = lp_path(talloc_tos(), GLOBAL_SECTION_SNUM);
if (!(*(ServicePtrs[iDefaultService]->path))
- || strequal(ServicePtrs[iDefaultService]->path,
- lp_path(talloc_tos(), GLOBAL_SECTION_SNUM))) {
+ || strequal(ServicePtrs[iDefaultService]->path, global_path)) {
lpcfg_string_set(ServicePtrs[i], &ServicePtrs[i]->path,
pszHomedir);
}
+ TALLOC_FREE(global_path);
if (!(*(ServicePtrs[i]->comment))) {
char *comment = talloc_asprintf(talloc_tos(), "Home directory of %s", user);
ServicePtrs[i]->guest_ok = guest_ok;
ServicePtrs[i]->printable = false;
ServicePtrs[i]->browseable = sDefault.browseable;
- ServicePtrs[i]->autoloaded = true;
+ ServicePtrs[i]->autoloaded = false;
DEBUG(3, ("adding IPC service\n"));
static void show_parameter(int parmIndex)
{
- int enumIndex, flagIndex;
- int parmIndex2;
+ size_t enumIndex, flagIndex;
+ size_t parmIndex2;
bool hadFlag;
bool hadSyn;
bool inverse;
bInGlobalSection = true;
bGlobalOnly = global_only;
bAllowIncludeRegistry = allow_include_registry;
+ sDefault = _sDefault;
lp_ctx = setup_lp_context(talloc_tos());
false, /* global_only */
true, /* save_defaults */
false, /* add_ipc */
- false, /* reinit_globals */
+ true, /* reinit_globals */
true, /* allow_include_registry */
true); /* load_all_shares*/
}
fprintf(f,"\n");
lp_dump_one(f, show_defaults, iService);
}
+ TALLOC_FREE(lp_ctx);
}
/***************************************************************************
if (!usershare_exists(iService, &last_mod)) {
/* Remove the share security tdb entry for it. */
- delete_share_security(lp_servicename(talloc_tos(), iService));
+ delete_share_security(lp_const_servicename(iService));
/* Remove it from the array. */
free_service_byindex(iService);
/* Doesn't exist anymore. */
}
if (lp_unix_extensions() && lp_wide_links(snum)) {
- DEBUG(0,("Share '%s' has wide links and unix extensions enabled. "
+ DBG_ERR("Share '%s' has wide links and unix extensions enabled. "
"These parameters are incompatible. "
"Wide links will be disabled for this share.\n",
- lp_servicename(talloc_tos(), snum) ));
+ lp_const_servicename(snum));
}
}
return Globals.rpc_high_port;
}
+/*
+ * Do not allow LanMan auth if unless NTLMv1 is also allowed
+ *
+ * This also ensures it is disabled if NTLM is totally disabled
+ */
+bool lp_lanman_auth(void)
+{
+ enum ntlm_auth_level ntlm_auth_level = lp_ntlm_auth();
+
+ if (ntlm_auth_level == NTLM_AUTH_ON) {
+ return lp__lanman_auth();
+ } else {
+ return false;
+ }
+}
+
struct loadparm_global * get_globals(void)
{
return &Globals;
git.samba.org / gd / samba-autobuild / .git / blobdiff