param: calculate server role from security, and security from server role
authorAndrew Bartlett <abartlet@samba.org>
Thu, 10 Nov 2011 01:45:54 +0000 (12:45 +1100)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 16 Nov 2011 23:34:08 +0000 (00:34 +0100)
This allows smb.conf files from either the samba3 or samba4 tradition
to come to the same value of server role, using the information in the
smb.conf file.

This is important so that tools like 'net getlocalsid' work against a
Samba4 AD installation (yes, users have tried this).

Andrew Bartlett

Pair-Programmed-With: Amitay Isaacs <amitay@samba.org>

lib/param/loadparm.c
lib/param/loadparm_server_role.c [moved from source3/param/loadparm_server_role.c with 62% similarity]
lib/param/loadparm_server_role.h [new file with mode: 0644]
lib/param/wscript_build
libds/common/roles.h
script/mks3param.pl
source3/Makefile.in
source3/include/proto.h
source3/param/loadparm.c
source3/param/loadparm_ctx.c
source3/wscript_build

index 44d219a9e49451c742515138e3e8ff8486a8bf9e..aaff5bc5bc70211d5128fda97ab5b75c7e68d730 100644 (file)
@@ -65,6 +65,7 @@
 #include "s3_param.h"
 #include "lib/util/bitmap.h"
 #include "libcli/smb/smb_constants.h"
+#include "lib/param/loadparm_server_role.h"
 
 #define standard_sub_basic talloc_strdup
 
@@ -81,6 +82,10 @@ static bool defaults_saved = false;
        char *tls_dhpfile;                                              \
        char *loglevel;                                                 \
        char *panic_action;                                             \
+       int server_role;                                                \
+       int security;                                                   \
+       int domain_master;                                              \
+       bool domain_logons;                                             \
        int bPreferredMaster;
 
 #include "param_global.h"
@@ -113,8 +118,10 @@ static const struct enum_list enum_protocol[] = {
 };
 
 static const struct enum_list enum_security[] = {
+       {SEC_AUTO, "AUTO"},
        {SEC_SHARE, "SHARE"},
        {SEC_USER, "USER"},
+       {SEC_DOMAIN, "DOMAIN"},
        {SEC_ADS, "ADS"},
        {-1, NULL}
 };
@@ -1484,9 +1491,6 @@ static struct loadparm_context *global_loadparm_context;
 
 #include "lib/param/param_functions.c"
 
-FN_GLOBAL_INTEGER(server_role, server_role)
-static FN_GLOBAL_BOOL(domain_logons, domain_logons)
-FN_GLOBAL_INTEGER(domain_master, domain_master)
 FN_GLOBAL_LIST(smb_ports, smb_ports)
 FN_GLOBAL_INTEGER(nbt_port, nbt_port)
 FN_GLOBAL_INTEGER(dgram_port, dgram_port)
@@ -1570,7 +1574,6 @@ FN_GLOBAL_INTEGER(srv_maxprotocol, srv_maxprotocol)
 FN_GLOBAL_INTEGER(srv_minprotocol, srv_minprotocol)
 FN_GLOBAL_INTEGER(cli_maxprotocol, cli_maxprotocol)
 FN_GLOBAL_INTEGER(cli_minprotocol, cli_minprotocol)
-FN_GLOBAL_INTEGER(security, security)
 FN_GLOBAL_BOOL(paranoid_server_security, paranoid_server_security)
 
 FN_GLOBAL_INTEGER(server_signing, server_signing)
@@ -3306,7 +3309,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
        lpcfg_do_global_parameter(lp_ctx, "share backend", "classic");
 
-       lpcfg_do_global_parameter(lp_ctx, "server role", "standalone");
+       lpcfg_do_global_parameter(lp_ctx, "server role", "auto");
        lpcfg_do_global_parameter(lp_ctx, "domain logons", "No");
        lpcfg_do_global_parameter(lp_ctx, "domain master", "Auto");
 
@@ -3370,7 +3373,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
        lpcfg_do_global_parameter(lp_ctx, "server max protocol", "NT1");
        lpcfg_do_global_parameter(lp_ctx, "client min protocol", "CORE");
        lpcfg_do_global_parameter(lp_ctx, "client max protocol", "NT1");
-       lpcfg_do_global_parameter(lp_ctx, "security", "USER");
+       lpcfg_do_global_parameter(lp_ctx, "security", "AUTO");
        lpcfg_do_global_parameter(lp_ctx, "paranoid server security", "True");
        lpcfg_do_global_parameter(lp_ctx, "EncryptPasswords", "True");
        lpcfg_do_global_parameter(lp_ctx, "ReadRaw", "True");
@@ -3799,3 +3802,15 @@ struct gensec_settings *lpcfg_gensec_settings(TALLOC_CTX *mem_ctx, struct loadpa
        return settings;
 }
 
+int lpcfg_server_role(struct loadparm_context *lp_ctx)
+{
+       if (lp_ctx->s3_fns) {
+               return lp_ctx->s3_fns->server_role();
+       }
+
+       return lp_find_server_role(lp_ctx->globals->server_role,
+                                  lp_ctx->globals->security,
+                                  lp_ctx->globals->domain_logons,
+                                  (lp_ctx->globals->domain_master == true) ||
+                                  (lp_ctx->globals->domain_master == Auto));
+}
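Review bot: The generated accessor removed by the `@@ -1570` hunk (`FN_GLOBAL_INTEGER(security, security)`) has no visible replacement in this section — only `lpcfg_server_role()` is added — so unless `lpcfg_security()` is defined in a part of the file not shown, its callers lose their definition and the "security from server role" half of the change is not reachable through the lib/param context at all. The symmetric accessor is short: `int lpcfg_security(struct loadparm_context *lp_ctx)` returning `lp_find_security(lp_ctx->globals->server_role, lp_ctx->globals->security)`, with an `s3_fns` branch mirroring `lpcfg_server_role()` (which would need a matching hook in the s3 function table, since the Perl script only adds `server_role`). `lpcfg_server_role()` also deserves a one-line comment stating the precedence it relies on, e.g. `/* An explicit 'server role' wins; only ROLE_AUTO is derived from security, domain logons and domain master. */`, because a non-auto role is returned without any check against `security`.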
similarity index 62%
rename from source3/param/loadparm_server_role.c
rename to lib/param/loadparm_server_role.c
index 7fe4411b54d3fe0b7fac43a667770768aa719ec5..1abe9b9ddc3c3d8395395db4b18a0500eae75de7 100644 (file)
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 #include "includes.h"
+#include "lib/param/loadparm_server_role.h"
+#include "libds/common/roles.h"
 
 /*******************************************************************
  Set the server type we will announce as via nmbd.
 ********************************************************************/
 
 static const struct srv_role_tab {
-       uint32 role;
+       uint32_t role;
        const char *role_str;
 } srv_role_tab [] = {
        { ROLE_STANDALONE, "ROLE_STANDALONE" },
@@ -42,7 +44,7 @@ static const struct srv_role_tab {
        { 0, NULL }
 };
 
-const char* server_role_str(uint32 role)
+const char* server_role_str(uint32_t role)
 {
        int i = 0;
        for (i=0; srv_role_tab[i].role_str; i++) {
@@ -53,43 +55,57 @@ const char* server_role_str(uint32 role)
        return NULL;
 }
 
-void set_server_role(void)
+/**
+ * Set the server role based on security, domain logons and domain master
+ */
+int lp_find_server_role(int server_role, int security, bool domain_logons, bool domain_master)
 {
-       int server_role = ROLE_STANDALONE;
+       int role;
 
-       switch (lp_security()) {
+       if (server_role != ROLE_AUTO) {
+               return server_role;
+       }
+
+       /* If server_role is set to ROLE_AUTO, figure out the correct role */
+       role = ROLE_STANDALONE;
+
+       switch (security) {
                case SEC_SHARE:
-                       if (lp_domain_logons())
+                       if (domain_logons) {
                                DEBUG(0, ("Server's Role (logon server) conflicts with share-level security\n"));
+                       }
                        break;
                case SEC_SERVER:
-                       if (lp_domain_logons())
+                       if (domain_logons) {
                                DEBUG(0, ("Server's Role (logon server) conflicts with server-level security\n"));
+                       }
                        /* this used to be considered ROLE_DOMAIN_MEMBER but that's just wrong */
-                       server_role = ROLE_STANDALONE;
+                       role = ROLE_STANDALONE;
                        break;
                case SEC_DOMAIN:
-                       if (lp_domain_logons()) {
+                       if (domain_logons) {
                                DEBUG(1, ("Server's Role (logon server) NOT ADVISED with domain-level security\n"));
-                               server_role = ROLE_DOMAIN_BDC;
+                               role = ROLE_DOMAIN_BDC;
                                break;
                        }
-                       server_role = ROLE_DOMAIN_MEMBER;
+                       role = ROLE_DOMAIN_MEMBER;
                        break;
                case SEC_ADS:
-                       if (lp_domain_logons()) {
-                               server_role = ROLE_DOMAIN_CONTROLLER;
+                       if (domain_logons) {
+                               role = ROLE_DOMAIN_CONTROLLER;
                                break;
                        }
-                       server_role = ROLE_DOMAIN_MEMBER;
+                       role = ROLE_DOMAIN_MEMBER;
                        break;
+               case SEC_AUTO:
                case SEC_USER:
-                       if (lp_domain_logons()) {
+                       if (domain_logons) {
 
-                               if (lp_domain_master_true_or_auto()) /* auto or yes */
-                                       server_role = ROLE_DOMAIN_PDC;
-                               else
-                                       server_role = ROLE_DOMAIN_BDC;
+                               if (domain_master) {
+                                       role = ROLE_DOMAIN_PDC;
+                               } else {
+                                       role = ROLE_DOMAIN_BDC;
+                               }
                        }
                        break;
                default:
@@ -97,7 +113,31 @@ void set_server_role(void)
                        break;
        }
 
-       _lp_set_server_role(server_role);
-       DEBUG(10, ("set_server_role: role = %s\n", server_role_str(server_role)));
+       return role;
 }
 
+/**
+ * Set the server role based on security, domain logons and domain master
+ */
+int lp_find_security(int server_role, int security)
+{
+       if (security != SEC_AUTO) {
+               return security;
+       }
+
+       switch (server_role) {
+       case ROLE_AUTO:
+       case ROLE_STANDALONE:
+               return SEC_USER;
+       case ROLE_DOMAIN_MEMBER:
+#if (defined(HAVE_ADS) || _SAMBA_BUILD_ >= 4)
+               return SEC_ADS;
+#else
+               return SEC_DOMAIN;
+#endif
+       case ROLE_DOMAIN_PDC:
+       case ROLE_DOMAIN_BDC:
+       default:
+               return SEC_USER;
+       }
+}
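Review bot: The doc comment on `lp_find_security()` is a copy of the one on `lp_find_server_role()` ("Set the server role based on security, domain logons and domain master") and describes the wrong function; neither function sets anything any more, both return a derived value. Suggested replacements: on lp_find_server_role `/** Return the effective server role: an explicit role is returned as-is, ROLE_AUTO is derived from security, domain logons and domain master. */`, and on lp_find_security `/** Return the effective security level: an explicit value is returned as-is, SEC_AUTO is derived from the server role (PDC/BDC, and therefore ROLE_DOMAIN_CONTROLLER, resolve to SEC_USER). */`. A second point, shared with the source3/param/loadparm.c hunks that remove `set_server_role()` from lp_load_ex and add `lp_server_role()`: the DEBUG(0)/DEBUG(1) conflict messages in the SEC_SHARE, SEC_SERVER and SEC_DOMAIN cases now sit in a lookup that is run on every `lp_server_role()`/`lpcfg_server_role()` call rather than once at load, so a misconfigured host will repeat the warning per query; validating once at load time (or lowering those messages to a debug level) keeps the log signal usable. lp_find_server_role begins in the preceding hunk.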
diff --git a/lib/param/loadparm_server_role.h b/lib/param/loadparm_server_role.h
new file mode 100644 (file)
index 0000000..2c82527
--- /dev/null
@@ -0,0 +1,31 @@
+/*
+   Unix SMB/CIFS implementation.
+   Parameter loading functions
+   Copyright (C) Karl Auer 1993-1998
+
+   Largely re-written by Andrew Tridgell, September 1994
+
+   Copyright (C) Simo Sorce 2001
+   Copyright (C) Alexander Bokovoy 2002
+   Copyright (C) Stefan (metze) Metzmacher 2002
+   Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
+   Copyright (C) Michael Adam 2008
+   Copyright (C) Andrew Bartlett 2010
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+const char* server_role_str(uint32_t role);
+int lp_find_server_role(int server_role, int security, bool domain_logons, bool domain_master);
+int lp_find_security(int server_role, int security);
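Review bot: The new header has no include guard and declares `uint32_t` and `bool` parameters without including `<stdint.h>` and `<stdbool.h>`, so it only compiles when the includer has already pulled those in (both includers shown add it after other headers). Wrap the declarations in `#ifndef _LOADPARM_SERVER_ROLE_H_` / `#define _LOADPARM_SERVER_ROLE_H_` … `#endif` and add the two standard includes at the top. The prototypes would also benefit from a short doc comment each, since the .c file's comments are otherwise what a caller has to go and find.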
index f61e822037553c2155104fc057274ca6574fbece..13b7709abfeb7d7b502a22dae509520d06368dd5 100644 (file)
@@ -16,11 +16,16 @@ bld.SAMBA_GENERATOR('param_global_h',
                     target='param_global.h',
                     rule='${PERL} ${SRC[1].abspath(env)} ${SRC[0].abspath(env)} --file ${TGT} --generate-scope=GLOBAL')
 
+bld.SAMBA_LIBRARY('server-role',
+                  source='loadparm_server_role.c',
+                  deps='samba-util',
+                  private_library=True)
+
 bld.SAMBA_LIBRARY('samba-hostconfig',
        source='loadparm.c generic.c util.c',
        pc_files='samba-hostconfig.pc',
        vnum='0.0.1',
-       deps='DYNCONFIG',
+       deps='DYNCONFIG server-role',
        public_deps='samba-util param_local_h',
        public_headers='param.h',
        autoproto='param_proto.h',
index f6f04758ddec09350aabd85375f27bec5453d1a6..67236032bcf2a3c3c3ee6bc79767bd762d9d7f03 100644 (file)
@@ -43,6 +43,6 @@ enum server_role {
 #define ROLE_DOMAIN_CONTROLLER ROLE_DOMAIN_BDC
 
 /* security levels for 'security =' option */
-enum security_types {SEC_SHARE,SEC_USER,SEC_SERVER,SEC_DOMAIN,SEC_ADS};
+enum security_types {SEC_AUTO, SEC_SHARE,SEC_USER,SEC_SERVER,SEC_DOMAIN,SEC_ADS};
 
 #endif /* _LIBDS_ROLES_H_ */
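Review bot: Inserting `SEC_AUTO` at the head of `enum security_types` renumbers every existing enumerator (`SEC_SHARE` moves from 0 to 1, and so on), which is an ABI change for any object compiled against the old header and for anything that stores or compares the numeric value rather than the name — a partial rebuild of source3 and lib/param objects would disagree on what `SEC_SHARE` means. Appending it instead preserves the existing values: `enum security_types {SEC_SHARE,SEC_USER,SEC_SERVER,SEC_DOMAIN,SEC_ADS,SEC_AUTO};`. If SEC_AUTO is deliberately 0 so that a zero-initialised globals struct reads as "auto", that deserves a comment on the enum, e.g. `/* SEC_AUTO must stay first: a zeroed config means 'derive security from server role' */`. `ROLE_AUTO`, used by the new lp_find_* functions, is not added in this hunk, so it is presumably already present in `enum server_role` above.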
index 2679b5acae226d9d7286ea2b3293d47b04330788..3126af502c3ca4295e8ca4b006561b845fd8f7af 100644 (file)
@@ -95,6 +95,7 @@ sub print_header($$)
        $file->("\tbool (*load)(const char *filename);\n");
        $file->("\tbool (*set_cmdline)(const char *pszParmName, const char *pszParmValue);\n");
        $file->("\tvoid (*dump)(FILE *f, bool show_defaults, int maxtoprint);\n");
+       $file->("\tint (*server_role)(void);\n");
 }
 
 sub print_footer($$) 
index 1ec93a11041a6f558a4082a8ee8e9754eecb2eae..76b00b75a249e24d6111c3061bbce9b16d02efb7 100644 (file)
@@ -495,7 +495,7 @@ READLINE_OBJ = ../libcli/smbreadline/smbreadline.o
 # Be sure to include them into your application
 POPT_LIB_OBJ = lib/popt_common.o
 
-PARAM_WITHOUT_REG_OBJ = ../dynconfig/dynconfig.o param/loadparm.o param/loadparm_ctx.o param/loadparm_server_role.o param/util.o lib/sharesec.o lib/ldap_debug_handler.o ../lib/param/loadparm.o ../lib/param/util.o
+PARAM_WITHOUT_REG_OBJ = ../dynconfig/dynconfig.o param/loadparm.o param/loadparm_ctx.o ../lib/param/loadparm_server_role.o param/util.o lib/sharesec.o lib/ldap_debug_handler.o ../lib/param/loadparm.o ../lib/param/util.o
 PARAM_REG_ADD_OBJ = $(REG_SMBCONF_OBJ) $(LIBSMBCONF_OBJ) $(PRIVILEGES_BASIC_OBJ)
 PARAM_OBJ = $(PARAM_WITHOUT_REG_OBJ) $(PARAM_REG_ADD_OBJ)
 
index b9e7f384ab3a0032f491021c7eb98748420d5955..0228120cc6f8ae4a2a8eba1fc67655cd8d19cee8 100644 (file)
@@ -1619,7 +1619,6 @@ struct share_params *get_share_params(TALLOC_CTX *mem_ctx,
                                      const char *sharename);
 const char *volume_label(int snum);
 bool lp_domain_master(void);
-bool lp_domain_master_true_or_auto(void);
 bool lp_preferred_master(void);
 void lp_remove_service(int snum);
 void lp_copy_service(int snum, const char *new_name);
index 285023944a411570b69d04827985c99a3a33c13f..25b5eb84dca1cfc761a3388cbc36dfd1a498cc50 100644 (file)
@@ -60,6 +60,7 @@
 #include "lib/smbconf/smbconf.h"
 #include "lib/smbconf/smbconf_init.h"
 #include "lib/param/loadparm.h"
+#include "lib/param/loadparm_server_role.h"
 
 #include "ads.h"
 #include "../librpc/gen_ndr/svcctl.h"
@@ -4822,7 +4823,7 @@ static void init_globals(bool reinit_globals)
        Globals.PrintcapCacheTime = 750;        /* 12.5 minutes */
 
        Globals.ConfigBackend = config_backend;
-       Globals.ServerRole = ROLE_STANDALONE;
+       Globals.ServerRole = ROLE_AUTO;
 
        /* Was 65535 (0xFFFF). 0x4101 matches W2K and causes major speed improvements... */
        /* Discovered by 2 days of pain by Don McCall @ HP :-). */
@@ -5390,7 +5391,7 @@ FN_GLOBAL_INTEGER(lp_lock_spin_time, iLockSpinTime)
 FN_GLOBAL_INTEGER(lp_usershare_max_shares, iUsershareMaxShares)
 FN_GLOBAL_CONST_STRING(lp_socket_options, szSocketOptions)
 FN_GLOBAL_INTEGER(lp_config_backend, ConfigBackend)
-FN_GLOBAL_INTEGER(lp_server_role, ServerRole)
+static FN_GLOBAL_INTEGER(lp__server_role, ServerRole)
 FN_GLOBAL_INTEGER(lp_smb2_max_read, ismb2_max_read)
 FN_GLOBAL_INTEGER(lp_smb2_max_write, ismb2_max_write)
 FN_GLOBAL_INTEGER(lp_smb2_max_trans, ismb2_max_trans)
@@ -9121,7 +9122,6 @@ static bool lp_load_ex(const char *pszFname,
                }
        }
 
-       set_server_role();
        set_allowed_client_auth();
 
        if (lp_security() == SEC_SHARE) {
@@ -9432,7 +9432,7 @@ bool lp_domain_master(void)
  If we are PDC then prefer us as DMB
 ************************************************************/
 
-bool lp_domain_master_true_or_auto(void)
+static bool lp_domain_master_true_or_auto(void)
 {
        if (Globals.iDomainMaster) /* auto or yes */
                return true;
@@ -9736,7 +9736,10 @@ bool lp_readraw(void)
        return _lp_readraw();
 }
 
-void _lp_set_server_role(int server_role)
+int lp_server_role(void)
 {
-       Globals.ServerRole = server_role;
+       return lp_find_server_role(lp__server_role(),
+                                  lp_security(),
+                                  lp_domain_logons(),
+                                  lp_domain_master_true_or_auto());
 }
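Review bot: `lp_server_role()` now derives the role, but nothing in these hunks gives `lp_security()` the symmetric treatment through `lp_find_security()`, so on the source3 side a `security = auto` setting (if the s3 parse table accepts it — not shown here) would surface as the raw `SEC_AUTO` value in every consumer, including the `lp_security() == SEC_SHARE` test that remains in lp_load_ex. The pattern used for the role applies directly: make the generated accessor a private raw one (constructed name `lp__security`) and define `int lp_security(void) { return lp_find_security(lp__server_role(), lp__security()); }`. `lp__server_role` contains a double underscore, which C reserves for the implementation; if `lp__` is the project's convention for raw accessors that is acceptable, otherwise a name such as `lp_raw_server_role` avoids the reserved form.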
index 1e11eeb4b206f3bfd2f5c420583920d7c82155b3..61fe97462d33b6e10cb1637ba5c8d8a95dc6299a 100644 (file)
@@ -74,7 +74,6 @@ static const struct loadparm_s3_context s3_fns =
        .dump = lp_dump,
 
        .server_role = lp_server_role,
-       .domain_master = lp_domain_master,
 
        .winbind_separator = lp_winbind_separator,
        .template_homedir = lp_template_homedir,
index 99d40406d7a3d25f28ecd184819d2232588132f5..2b05edb0d2433ddb5000d0008afa35e84635c78c 100755 (executable)
@@ -82,7 +82,7 @@ POPT_LIB_SRC = '''lib/popt_common.c'''
 
 PARAM_UTIL_SRC = '''param/util.c'''
 
-PARAM_WITHOUT_REG_SRC = '''param/loadparm.c param/loadparm_server_role.c
+PARAM_WITHOUT_REG_SRC = '''param/loadparm.c
                            lib/sharesec.c lib/ldap_debug_handler.c lib/util_names.c'''
 
 KRBCLIENT_SRC = '''libads/kerberos.c libads/ads_status.c libsmb/clikrb5.c'''