s3-auth: Remove security=share (depricated since 3.6).
authorAndrew Bartlett <abartlet@samba.org>
Fri, 3 Feb 2012 07:03:10 +0000 (18:03 +1100)
committerAndrew Bartlett <abartlet@samba.org>
Sun, 4 Mar 2012 22:33:05 +0000 (23:33 +0100)
This patch removes security=share, which Samba implemented by matching
the per-share password provided by the client in the Tree Connect with
a selection of usernames supplied by the client, the smb.conf or
guessed from the environment.

The rationale for the removal is that for the bulk of security=share
users, we just we need a very simple way to run a 'trust the network'
Samba server, where users mark shares as guest ok.  This is still
supported, and the smb.conf options are documented at
https://wiki.samba.org/index.php/Public_Samba_Server

At the same time, this closes the door on one of the most arcane areas
of Samba authentication.

Naturally, full user-name/password authentication remain available in
security=user and above.

This includes documentation updates for username and only user, which
now only do a small amount of what they used to do.

Andrew Bartlett

                       --------------
                      /              \
                     /      REST      \
                    /        IN        \
                   /       PEACE        \
                  /                      \
                  |      SEC_SHARE       |
                  |    security=share    |
                  |                      |
                  |                      |
                  |       5 March        |
                  |                      |
                  |        2012          |
                 *|     *  *  *          | *
        _________)/\\_//(\/(/\)/\//\/\///|_)_______

27 files changed:
docs-xml/manpages-3/smb.conf.5.xml
docs-xml/smbdotconf/security/onlyuser.xml
docs-xml/smbdotconf/security/security.xml
docs-xml/smbdotconf/security/serverrole.xml
docs-xml/smbdotconf/security/username.xml
lib/param/loadparm_server_role.c
lib/param/param_enums.c
libds/common/roles.h
source3/Makefile.in
source3/auth/auth.c
source3/auth/auth_compat.c [deleted file]
source3/auth/proto.h
source3/auth/wscript_build
source3/libnet/libnet_join.c
source3/param/loadparm.c
source3/smbd/globals.h
source3/smbd/negprot.c
source3/smbd/password.c
source3/smbd/process.c
source3/smbd/proto.h
source3/smbd/reply.c
source3/smbd/service.c
source3/smbd/sesssetup.c
source3/smbd/smb2_tcon.c
source3/smbd/uid.c
source3/utils/status.c
source4/param/tests/loadparm.c

index f5f252b..becea22 100644 (file)
@@ -670,59 +670,6 @@ chmod 1770 /usr/local/samba/lib/usershares
        
 </refsect1>
 
-<refsect1 id="VALIDATIONSECT">
-       <title>NOTE ABOUT USERNAME/PASSWORD VALIDATION</title>
-
-       <para>
-       There are a number of ways in which a user can connect to a service. The server uses the following steps
-       in determining if it will allow a connection to a specified service. If all the steps fail, the connection
-       request is rejected.  However, if one of the steps succeeds, the following steps are not checked.
-       </para>
-
-       <para>
-       If the service is marked <quote>guest only = yes</quote> and the server is running with share-level
-       security (<quote>security = share</quote>, steps 1 to 5 are skipped.
-       </para>
-
-
-       <orderedlist continuation="restarts" inheritnum="ignore" numeration="arabic">
-               <listitem><para>
-               If the client has passed a username/password pair and that username/password pair is validated by the UNIX 
-               system's password programs, the connection is made as that username. This includes the
-               <literal>\\server\service</literal>%<replaceable>username</replaceable> method of passing a username.
-               </para></listitem>
-
-               <listitem><para>
-               If the client has previously registered a username with the system and now supplies a correct password for that 
-               username, the connection is allowed.
-               </para></listitem>
-               
-               <listitem><para>
-               The client's NetBIOS name and any previously used usernames are checked against the supplied password. If 
-               they match, the connection is allowed as the corresponding user.
-               </para></listitem>
-               
-               <listitem><para>
-               If the client has previously validated a username/password pair with the server and the client has passed 
-               the validation token, that username is used.
-               </para></listitem>
-
-               <listitem><para>
-               If a <literal>user = </literal> field is given in the <filename moreinfo="none">smb.conf</filename> file for the
-               service and the client has supplied a password, and that password matches (according to the UNIX system's
-               password checking) with one of the usernames from the <literal>user =</literal> field, the connection is made as
-               the username in the <literal>user =</literal> line. If one of the usernames in the <literal>user =</literal> list
-               begins with a <literal>@</literal>, that name expands to a list of names in the group of the same name.
-               </para></listitem>
-
-               <listitem><para>
-               If the service is a guest service, a connection is made as the username given in the <literal>guest account
-               =</literal> for the service, irrespective of the supplied password.
-               </para></listitem>
-       </orderedlist>
-
-</refsect1>
-
 <refsect1>
        <title>REGISTRY-BASED CONFIGURATION</title>
 
index b1ef1b7..ed1bbd5 100644 (file)
@@ -3,20 +3,16 @@
                  context="S"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
-    <para>This is a boolean option that controls whether 
-    connections with usernames not in the <parameter moreinfo="none">user</parameter> 
-    list will be allowed. By default this option is disabled so that a 
-    client can supply a username to be used by the server.  Enabling
-    this parameter will force the server to only use the login 
-    names from the <parameter moreinfo="none">user</parameter> list and is only really
-    useful in <smbconfoption name="security">share</smbconfoption> level security.</para>
+    <para>To restrict a service to a particular set of users you
+    can use the <smbconfoption name="valid users"/> parameter.</para>
+
+    <para>This parameter is deprecated</para>
+
+    <para>However, it currently operates only in conjunction with
+    <smbconfoption name="username"/>.  The supported way to restrict
+    a service to a particular set of users is the
+    <smbconfoption name="valid users"/> parameter.</para>
 
-    <para>Note that this also means Samba won't try to deduce 
-    usernames from the service name. This can be annoying for 
-    the [homes] section. To get around this you could use <command moreinfo="none">user =
-    %S</command> which means your <parameter moreinfo="none">user</parameter> list
-    will be just the service name, which for home directories is the 
-    name of the user.</para>
 </description>
 
 <related>user</related>
index 74ea569..2575d77 100644 (file)
     Samba and is one of the most important settings in the <filename moreinfo="none">
     smb.conf</filename> file.</para>
 
-    <para>The option sets the &quot;security mode bit&quot; in replies to 
-    protocol negotiations with <citerefentry><refentrytitle>smbd</refentrytitle>
-    <manvolnum>8</manvolnum></citerefentry> to turn share level security on or off. Clients decide 
-    based on this bit whether (and how) to transfer user and password 
-    information to the server.</para>
-
-
     <para>The default is <command moreinfo="none">security = user</command>, as this is
-    the most common setting needed when talking to Windows 98 and 
-    Windows NT.</para>
+    the most common setting, used for a standalone file server or a DC.</para>
 
     <para>The alternatives are
     <command moreinfo="none">security = ads</command> or <command moreinfo="none">security = domain
-    </command>, which support joining Samba to a Windows domain, along with <command moreinfo="none">security = share</command> and <command moreinfo="none">security = server</command>, both of which are deprecated.</para>
-
-    <para>In versions of Samba prior to 2.0.0, the default was 
-    <command moreinfo="none">security = share</command> mainly because that was
-    the only option at one stage.</para>
+    </command>, which support joining Samba to a Windows domain, along with <command moreinfo="none">security = server</command>, which is deprecated.</para>
 
     <para>You should use <command moreinfo="none">security = user</command> and 
     <smbconfoption name="map to guest"/> if you 
     want to mainly setup shares without a password (guest shares). This 
     is commonly used for a shared printer server. </para>
                
-    <para>It is possible to use <command moreinfo="none">smbd</command> in a <emphasis>
-    hybrid mode</emphasis> where it is offers both user and share 
-    level security under different <smbconfoption name="NetBIOS aliases"/>. </para>
-
     <para>The different settings will now be explained.</para>
 
 
@@ -65,8 +49,6 @@
     the server to automatically map unknown users into the <smbconfoption name="guest account"/>. 
     See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
 
-    <para>See also the section <link linkend="VALIDATIONSECT">NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
-
     <para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY = DOMAIN</emphasis></para>
 
     <para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle>
     the server to automatically map unknown users into the <smbconfoption name="guest account"/>. 
     See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
 
-    <para>See also the section <link linkend="VALIDATIONSECT">
-    NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
-
     <para>See also the <smbconfoption name="password server"/> parameter and
         the <smbconfoption name="encrypted passwords"/> parameter.</para>
 
-    <para><anchor id="SECURITYEQUALSSHARE"/><emphasis>SECURITY = SHARE</emphasis></para> 
-
-    <note><para>This option is deprecated as it is incompatible with SMB2</para></note>
-               
-    <para>When clients connect to a share level security server, they 
-    need not log onto the server with a valid username and password before 
-    attempting to connect to a shared resource (although modern clients 
-    such as Windows 95/98 and Windows NT will send a logon request with 
-    a username but no password when talking to a <command moreinfo="none">security = share
-    </command> server). Instead, the clients send authentication information 
-    (passwords) on a per-share basis, at the time they attempt to connect 
-    to that share.</para>
-
-    <para>Note that <command moreinfo="none">smbd</command> <emphasis>ALWAYS</emphasis> 
-    uses a valid UNIX user to act on behalf of the client, even in
-    <command moreinfo="none">security = share</command> level security.</para>
-
-    <para>As clients are not required to send a username to the server
-    in share level security, <command moreinfo="none">smbd</command> uses several
-    techniques to determine the correct UNIX user to use on behalf
-    of the client.</para>
-
-    <para>A list of possible UNIX usernames to match with the given
-    client password is constructed using the following methods :</para>
-
-    <itemizedlist>
-       <listitem>
-           <para>If the <smbconfoption name="guest only"/> parameter is set, then all the other 
-           stages are missed and only the <smbconfoption name="guest account"/> username is checked.
-           </para>
-       </listitem>
-
-       <listitem>
-           <para>Is a username is sent with the share connection 
-           request, then this username (after mapping - see <smbconfoption name="username map"/>), 
-           is added as a potential username.
-           </para>
-       </listitem>
-
-       <listitem>
-           <para>If the client did a previous <emphasis>logon
-           </emphasis> request (the SessionSetup SMB call) then the 
-           username sent in this SMB will be added as a potential username.
-           </para>
-       </listitem>
-
-       <listitem>
-           <para>The name of the service the client requested is 
-           added as a potential username.
-           </para>
-       </listitem>
-
-       <listitem>
-           <para>The NetBIOS name of the client is added to 
-           the list as a potential username.
-           </para>
-       </listitem>
-
-       <listitem>
-           <para>Any users on the <smbconfoption name="user"/> list are added as potential usernames.
-           </para>
-       </listitem>
-    </itemizedlist>
-
-    <para>If the <parameter moreinfo="none">guest only</parameter> parameter is 
-    not set, then this list is then tried with the supplied password. 
-    The first user for whom the password matches will be used as the 
-    UNIX user.</para>
-
-    <para>If the <parameter moreinfo="none">guest only</parameter> parameter is 
-    set, or no username can be determined then if the share is marked 
-    as available to the <parameter moreinfo="none">guest account</parameter>, then this 
-    guest user will be used, otherwise access is denied.</para>
-
-    <para>Note that it can be <emphasis>very</emphasis> confusing 
-    in share-level security as to which UNIX username will eventually
-    be used in granting access.</para>
-
-    <para>See also the section <link linkend="VALIDATIONSECT">
-    NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
-
     <para><anchor id="SECURITYEQUALSSERVER"/><emphasis>SECURITY = SERVER</emphasis></para>
 
     <para>
     the server to automatically map unknown users into the <smbconfoption name="guest account"/>. 
     See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
 
-    <para>See also the section <link linkend="VALIDATIONSECT">
-    NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
-
     <para>See also the <smbconfoption name="password server"/> parameter and the 
        <smbconfoption name="encrypted passwords"/> parameter.</para>
 
index 5832887..e4e65c2 100644 (file)
@@ -51,9 +51,6 @@
     exist as well as the account on the Domain Controller to allow 
     Samba to have a valid UNIX account to map file access to.  Winbind can provide this.</para>
 
-    <para>See also the section <link linkend="VALIDATIONSECT">
-    NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
-
     <para><anchor id="DC"/><emphasis>SERVER ROLE = DOMAIN CONTROLLER</emphasis></para>
 
     <para>This mode of operation runs Samba as a domain controller, providing domain logon services to Windows and Samba clients of the domain.  Clients must be joined to the domain to create a secure, trusted path across the network.</para>
index 19d8a2e..a85076c 100644 (file)
@@ -5,57 +5,16 @@
 <synonym>user</synonym>
 <synonym>users</synonym>
 <description>
-    <para>Multiple users may be specified in a comma-delimited 
-    list, in which case the supplied password will be tested against 
-    each username in turn (left to right).</para>
-
-    <para>The deprecated <parameter moreinfo="none">username</parameter> line is needed only when 
-    the PC is unable to supply its own username. This is the case 
-    for the COREPLUS protocol or where your users have different WfWg 
-    usernames to UNIX usernames. In both these cases you may also be 
-    better using the \\server\share%user syntax instead.</para>
-
-    <para>The <parameter moreinfo="none">username</parameter> line is not a great 
-    solution in many cases as it means Samba will try to validate 
-    the supplied password against each of the usernames in the 
-    <parameter moreinfo="none">username</parameter> line in turn. This is slow and 
-    a bad idea for lots of users in case of duplicate passwords. 
-    You may get timeouts or security breaches using this parameter 
-    unwisely.</para>
-
-    <para>Samba relies on the underlying UNIX security. This 
-    parameter does not restrict who can login, it just offers hints 
-    to the Samba server as to what usernames might correspond to the 
-    supplied password. Users can login as whoever they please and 
-    they will be able to do no more damage than if they started a 
-    telnet session. The daemon runs as the user that they log in as, 
-    so they cannot do anything that user cannot do.</para>
-
     <para>To restrict a service to a particular set of users you 
     can use the <smbconfoption name="valid users"/> parameter.</para>
 
-    <para>If any of the usernames begin with a '@' then the name 
-    will be looked up first in the NIS netgroups list (if Samba 
-    is compiled with netgroup support), followed by a lookup in 
-    the UNIX groups database and will expand to a list of all users 
-    in the group of that name.</para>
-               
-    <para>If any of the usernames begin with a '+' then the name 
-    will be looked up only in the UNIX groups database and will 
-    expand to a list of all users in the group of that name.</para>
-
-    <para>If any of the usernames begin with a '&amp;' then the name 
-    will be looked up only in the NIS netgroups database (if Samba 
-    is compiled with netgroup support) and will expand to a list 
-    of all users in the netgroup group of that name.</para>
+    <para>This parameter is deprecated</para>
 
-    <para>Note that searching though a groups database can take 
-    quite some time, and some clients may time out during the 
-    search.</para>
+    <para>However, it currently operates only in conjunction with
+    <smbconfoption name="only user"/>.  The supported way to restrict
+    a service to a particular set of users is the
+    <smbconfoption name="valid users"/> parameter.</para>
 
-    <para>See the section <link linkend="VALIDATIONSECT">NOTE ABOUT
-       USERNAME/PASSWORD VALIDATION</link> for more information on how 
-       this parameter determines access to the services.</para>
 </description>
 
 <value type="default"><comment>The guest account if a guest service, 
index 3655159..4ba54b9 100644 (file)
@@ -73,11 +73,6 @@ int lp_find_server_role(int server_role, int security, int domain_logons, int do
        role = ROLE_STANDALONE;
 
        switch (security) {
-               case SEC_SHARE:
-                       if (domain_logons) {
-                               DEBUG(0, ("Server's Role (logon server) conflicts with share-level security\n"));
-                       }
-                       break;
                case SEC_SERVER:
                        if (domain_logons) {
                                DEBUG(0, ("Server's Role (logon server) conflicts with server-level security\n"));
@@ -162,7 +157,7 @@ bool lp_is_security_and_server_role_valid(int server_role, int security)
                valid = true;
                break;
        case ROLE_STANDALONE:
-               if (security == SEC_SHARE || security == SEC_SERVER || security == SEC_USER) {
+               if (security == SEC_SERVER || security == SEC_USER) {
                        valid = true;
                }
                break;
index 6065208..42839b4 100644 (file)
@@ -44,7 +44,6 @@ static const struct enum_list enum_protocol[] = {
 
 static const struct enum_list enum_security[] = {
        {SEC_AUTO, "AUTO"},
-       {SEC_SHARE, "SHARE"},
        {SEC_USER, "USER"},
        {SEC_SERVER, "SERVER"},
        {SEC_DOMAIN, "DOMAIN"},
index 19ea1c4..90281ba 100644 (file)
@@ -42,9 +42,26 @@ enum server_role {
 */
 #define ROLE_DOMAIN_CONTROLLER ROLE_DOMAIN_BDC
 
-/* security levels for 'security =' option */
+/* security levels for 'security =' option
+
+                       --------------
+                      /              \
+                     /      REST      \
+                    /        IN        \
+                   /       PEACE        \
+                  /                      \
+                  |      SEC_SHARE       |
+                  |    security=share    |
+                  |                      |
+                  |                      |
+                  |       5 March        |
+                  |                      |
+                  |        2012          |
+                 *|     *  *  *          | *
+        _________)/\\_//(\/(/\)/\//\/\///|_)_______
+
+ */
 enum security_types {SEC_AUTO = 0, 
-                    SEC_SHARE = 1,
                     SEC_USER = 2, 
                     SEC_SERVER = 3,
                     SEC_DOMAIN = 4,
index d64c502..2b0002b 100644 (file)
@@ -912,7 +912,7 @@ AUTH_OBJ = auth/auth.o @AUTH_STATIC@ auth/auth_util.o auth/token_util.o \
           auth/user_info.o \
           auth/user_util.o \
           auth/user_krb5.o \
-          auth/auth_compat.o auth/auth_ntlmssp.o auth/auth_generic.o \
+          auth/auth_ntlmssp.o auth/auth_generic.o \
           $(PLAINTEXT_AUTH_OBJ) $(SLCACHE_OBJ) $(DCUTIL_OBJ)
 
 MANGLE_OBJ = smbd/mangle.o smbd/mangle_hash.o smbd/mangle_hash2.o
index 1c813a4..0c91065 100644 (file)
@@ -523,17 +523,6 @@ NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
                                        talloc_tos(), "guest unix", NULL);
                        }
                        break;
-               case SEC_SHARE:
-                       if (lp_encrypted_passwords()) {
-                               DEBUG(5,("Making default auth method list for security=share, encrypt passwords = yes\n"));
-                               auth_method_list = str_list_make_v3(
-                                       talloc_tos(), "guest sam", NULL);
-                       } else {
-                               DEBUG(5,("Making default auth method list for security=share, encrypt passwords = no\n"));
-                               auth_method_list = str_list_make_v3(
-                                       talloc_tos(), "guest unix", NULL);
-                       }
-                       break;
                case SEC_ADS:
                        DEBUG(5,("Making default auth method list for security=ADS\n"));
                        auth_method_list = str_list_make_v3(
diff --git a/source3/auth/auth_compat.c b/source3/auth/auth_compat.c
deleted file mode 100644 (file)
index e7225a2..0000000
+++ /dev/null
@@ -1,169 +0,0 @@
-/* 
-   Unix SMB/CIFS implementation.
-   Password and authentication handling
-   Copyright (C) Andrew Bartlett         2001-2002
-
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 3 of the License, or
-   (at your option) any later version.
-
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "auth.h"
-#include "../lib/tsocket/tsocket.h"
-
-extern struct auth_context *negprot_global_auth_context;
-extern bool global_encrypted_passwords_negotiated;
-
-#undef DBGC_CLASS
-#define DBGC_CLASS DBGC_AUTH
-
-/****************************************************************************
- COMPATIBILITY INTERFACES:
- ***************************************************************************/
-
-/****************************************************************************
-check if a username/password is OK assuming the password is in plaintext
-return True if the password is correct, False otherwise
-****************************************************************************/
-
-NTSTATUS check_plaintext_password(const char *smb_name,
-                                 const struct tsocket_address *remote_address,
-                                 DATA_BLOB plaintext_blob,
-                                 struct auth_serversupplied_info **server_info)
-{
-       struct auth_context *plaintext_auth_context = NULL;
-       struct auth_usersupplied_info *user_info = NULL;
-       uint8_t chal[8];
-       NTSTATUS nt_status;
-
-       nt_status = make_auth_context_subsystem(talloc_tos(),
-                                               &plaintext_auth_context);
-       if (!NT_STATUS_IS_OK(nt_status)) {
-               return nt_status;
-       }
-
-       plaintext_auth_context->get_ntlm_challenge(plaintext_auth_context,
-                                                  chal);
-
-       if (!make_user_info_for_reply(&user_info, 
-                                     smb_name, lp_workgroup(),
-                                     remote_address,
-                                     chal,
-                                     plaintext_blob)) {
-               return NT_STATUS_NO_MEMORY;
-       }
-
-       nt_status = plaintext_auth_context->check_ntlm_password(plaintext_auth_context, 
-                                                               user_info, server_info); 
-
-       TALLOC_FREE(plaintext_auth_context);
-       free_user_info(&user_info);
-       return nt_status;
-}
-
-static NTSTATUS pass_check_smb(struct auth_context *actx,
-                              const char *smb_name,
-                              const char *domain, 
-                              const struct tsocket_address *remote_address,
-                              DATA_BLOB lm_pwd,
-                              DATA_BLOB nt_pwd)
-
-{
-       NTSTATUS nt_status;
-       struct auth_serversupplied_info *server_info = NULL;
-       struct auth_usersupplied_info *user_info = NULL;
-       if (actx == NULL) {
-               return NT_STATUS_INTERNAL_ERROR;
-       }
-       make_user_info_for_reply_enc(&user_info, smb_name,
-                                    domain,
-                                    remote_address,
-                                    lm_pwd,
-                                    nt_pwd);
-       nt_status = actx->check_ntlm_password(actx, user_info, &server_info);
-       free_user_info(&user_info);
-       TALLOC_FREE(server_info);
-       return nt_status;
-}
-
-/****************************************************************************
-check if a username/password pair is ok via the auth subsystem.
-return True if the password is correct, False otherwise
-****************************************************************************/
-
-bool password_ok(struct auth_context *actx, bool global_encrypted,
-                const char *session_workgroup,
-                const char *smb_name,
-                const struct tsocket_address *remote_address,
-                DATA_BLOB password_blob)
-{
-
-       DATA_BLOB null_password = data_blob_null;
-       bool encrypted = (global_encrypted && (password_blob.length == 24 || password_blob.length > 46));
-
-       if (encrypted) {
-               /* 
-                * The password could be either NTLM or plain LM.  Try NTLM first, 
-                * but fall-through as required.
-                * Vista sends NTLMv2 here - we need to try the client given workgroup.
-                */
-               if (session_workgroup) {
-                       if (NT_STATUS_IS_OK(pass_check_smb(actx,
-                                                          smb_name,
-                                                          session_workgroup,
-                                                          remote_address,
-                                                          null_password,
-                                                          password_blob))) {
-                               return True;
-                       }
-                       if (NT_STATUS_IS_OK(pass_check_smb(actx,
-                                                          smb_name,
-                                                          session_workgroup,
-                                                          remote_address,
-                                                          password_blob,
-                                                          null_password))) {
-                               return True;
-                       }
-               }
-
-               if (NT_STATUS_IS_OK(pass_check_smb(actx,
-                                                  smb_name,
-                                                  lp_workgroup(),
-                                                  remote_address,
-                                                  null_password,
-                                                  password_blob))) {
-                       return True;
-               }
-
-               if (NT_STATUS_IS_OK(pass_check_smb(actx,
-                                                  smb_name,
-                                                  lp_workgroup(),
-                                                  remote_address,
-                                                  password_blob,
-                                                  null_password))) {
-                       return True;
-               }
-       } else {
-               struct auth_serversupplied_info *server_info = NULL;
-               NTSTATUS nt_status = check_plaintext_password(smb_name,
-                                                             remote_address,
-                                                             password_blob,
-                                                             &server_info);
-               TALLOC_FREE(server_info);
-               if (NT_STATUS_IS_OK(nt_status)) {
-                       return True;
-               }
-       }
-
-       return False;
-}
index c68b99a..04f94ae 100644 (file)
@@ -48,18 +48,6 @@ NTSTATUS make_auth_context_fixed(TALLOC_CTX *mem_ctx,
 
 NTSTATUS auth_builtin_init(void);
 
-/* The following definitions come from auth/auth_compat.c  */
-
-NTSTATUS check_plaintext_password(const char *smb_name,
-                                 const struct tsocket_address *remote_address,
-                                 DATA_BLOB plaintext_password,
-                                 struct auth_serversupplied_info **server_info);
-bool password_ok(struct auth_context *actx, bool global_encrypted,
-                const char *session_workgroup,
-                const char *smb_name,
-                const struct tsocket_address *remote_address,
-                DATA_BLOB password_blob);
-
 /* The following definitions come from auth/auth_domain.c  */
 
 void attempt_machine_password_change(void);
index 0dba13f..cf0db42 100644 (file)
@@ -12,7 +12,7 @@ AUTH_NETLOGOND_SRC = 'auth_netlogond.c'
 
 AUTH_SRC = '''auth.c
            user_krb5.c
-           auth_compat.c auth_ntlmssp.c auth_generic.c'''
+           auth_ntlmssp.c auth_generic.c'''
 
 bld.SAMBA3_SUBSYSTEM('TOKEN_UTIL',
                     source='token_util.c',
index 5a36d34..1736ba6 100644 (file)
@@ -1892,7 +1892,6 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx,
                if (!valid_security) {
                        const char *sec = NULL;
                        switch (lp_security()) {
-                       case SEC_SHARE: sec = "share"; break;
                        case SEC_USER:  sec = "user"; break;
                        case SEC_DOMAIN: sec = "domain"; break;
                        case SEC_ADS: sec = "ads"; break;
index 382a273..453c8fd 100644 (file)
@@ -5286,18 +5286,7 @@ FN_GLOBAL_INTEGER(lp_passwordlevel, pwordlevel)
 FN_GLOBAL_INTEGER(lp_usernamelevel, unamelevel)
 FN_GLOBAL_INTEGER(lp_deadtime, deadtime)
 FN_GLOBAL_BOOL(lp_getwd_cache, getwd_cache)
-static FN_GLOBAL_INTEGER(_lp_srv_maxprotocol, srv_maxprotocol)
-int lp_srv_maxprotocol(void)
-{
-       int ret = _lp_srv_maxprotocol();
-       if ((ret >= PROTOCOL_SMB2_02) && (lp_security() == SEC_SHARE)) {
-               DEBUG(2,("WARNING!!: \"security = share\" is incompatible "
-                       "with the SMB2 protocol. Resetting to SMB1.\n" ));
-                       lp_do_parameter(-1, "server max protocol", "NT1");
-               return PROTOCOL_NT1;
-       }
-       return ret;
-}
+FN_GLOBAL_INTEGER(lp_srv_maxprotocol, srv_maxprotocol)
 FN_GLOBAL_INTEGER(lp_srv_minprotocol, srv_minprotocol)
 FN_GLOBAL_INTEGER(lp_security, security)
 FN_GLOBAL_LIST(lp_auth_methods, AuthMethods)
@@ -9050,9 +9039,7 @@ static bool lp_load_ex(const char *pszFname,
 
        set_allowed_client_auth();
 
-       if (lp_security() == SEC_SHARE) {
-               DEBUG(1, ("WARNING: The security=share option is deprecated\n"));
-       } else if (lp_security() == SEC_SERVER) {
+       if (lp_security() == SEC_SERVER) {
                DEBUG(1, ("WARNING: The security=server option is deprecated\n"));
        }
 
index 0c4b3b7..075dc56 100644 (file)
@@ -531,10 +531,6 @@ struct smbd_server_connection {
                        int max_send;
                        uint16_t last_session_tag;
 
-                       /* users from session setup */
-                       char *session_userlist;
-                       /* workgroup from session setup. */
-                       char *session_workgroup;
                        /*
                         * this holds info on user ids that are already
                         * validated for this VC
index 2f3fd45..8a6b509 100644 (file)
@@ -299,7 +299,6 @@ static void reply_nt1(struct smb_request *req, uint16 choice)
           supports it and we can do encrypted passwords */
 
        if (sconn->smb1.negprot.encrypted_passwords &&
-           (lp_security() != SEC_SHARE) &&
            lp_use_spnego() &&
            (req->flags2 & FLAGS2_EXTENDED_SECURITY)) {
                negotiate_spnego = True;
index 9df99ef..27ba3bd 100644 (file)
@@ -172,12 +172,6 @@ int register_initial_vuid(struct smbd_server_connection *sconn)
 {
        user_struct *vuser;
 
-       /* Paranoia check. */
-       if(lp_security() == SEC_SHARE) {
-               smb_panic("register_initial_vuid: "
-                       "Tried to register uid in security=share");
-       }
-
        /* Limit allowed vuids to 16bits - VUID_OFFSET. */
        if (sconn->smb1.sessions.num_validated_vuids >= 0xFFFF-VUID_OFFSET) {
                return UID_FIELD_INVALID;
@@ -352,394 +346,3 @@ int register_existing_vuid(struct smbd_server_connection *sconn,
        }
        return UID_FIELD_INVALID;
 }
-
-/****************************************************************************
- Add a name to the session users list.
-****************************************************************************/
-
-void add_session_user(struct smbd_server_connection *sconn,
-                     const char *user)
-{
-       struct passwd *pw;
-       char *tmp;
-
-       pw = Get_Pwnam_alloc(talloc_tos(), user);
-
-       if (pw == NULL) {
-               return;
-       }
-
-       if (sconn->smb1.sessions.session_userlist == NULL) {
-               sconn->smb1.sessions.session_userlist = SMB_STRDUP(pw->pw_name);
-               goto done;
-       }
-
-       if (in_list(pw->pw_name,sconn->smb1.sessions.session_userlist,false)) {
-               goto done;
-       }
-
-       if (strlen(sconn->smb1.sessions.session_userlist) > 128 * 1024) {
-               DEBUG(3,("add_session_user: session userlist already "
-                        "too large.\n"));
-               goto done;
-       }
-
-       if (asprintf(&tmp, "%s %s",
-                    sconn->smb1.sessions.session_userlist, pw->pw_name) == -1) {
-               DEBUG(3, ("asprintf failed\n"));
-               goto done;
-       }
-
-       SAFE_FREE(sconn->smb1.sessions.session_userlist);
-       sconn->smb1.sessions.session_userlist = tmp;
- done:
-       TALLOC_FREE(pw);
-}
-
-/****************************************************************************
- In security=share mode we need to store the client workgroup, as that's
-  what Vista uses for the NTLMv2 calculation.
-****************************************************************************/
-
-void add_session_workgroup(struct smbd_server_connection *sconn,
-                          const char *workgroup)
-{
-       if (sconn->smb1.sessions.session_workgroup) {
-               SAFE_FREE(sconn->smb1.sessions.session_workgroup);
-       }
-       sconn->smb1.sessions.session_workgroup = smb_xstrdup(workgroup);
-}
-
-/****************************************************************************
- In security=share mode we need to return the client workgroup, as that's
-  what Vista uses for the NTLMv2 calculation.
-****************************************************************************/
-
-const char *get_session_workgroup(struct smbd_server_connection *sconn)
-{
-       return sconn->smb1.sessions.session_workgroup;
-}
-
-/****************************************************************************
- Check if a username is valid.
-****************************************************************************/
-
-static bool user_ok(const char *user, int snum)
-{
-       bool ret;
-
-       ret = True;
-
-       if (lp_invalid_users(snum)) {
-               char **invalid = str_list_copy(talloc_tos(),
-                       lp_invalid_users(snum));
-               if (invalid &&
-                   str_list_substitute(invalid, "%S", lp_servicename(snum))) {
-
-                       /* This is used in sec=share only, so no current user
-                        * around to pass to str_list_sub_basic() */
-
-                       if ( invalid && str_list_sub_basic(invalid, "", "") ) {
-                               ret = !user_in_list(talloc_tos(), user,
-                                                   (const char **)invalid);
-                       }
-               }
-               TALLOC_FREE(invalid);
-       }
-
-       if (ret && lp_valid_users(snum)) {
-               char **valid = str_list_copy(talloc_tos(),
-                       lp_valid_users(snum));
-               if ( valid &&
-                    str_list_substitute(valid, "%S", lp_servicename(snum)) ) {
-
-                       /* This is used in sec=share only, so no current user
-                        * around to pass to str_list_sub_basic() */
-
-                       if ( valid && str_list_sub_basic(valid, "", "") ) {
-                               ret = user_in_list(talloc_tos(), user,
-                                                  (const char **)valid);
-                       }
-               }
-               TALLOC_FREE(valid);
-       }
-
-       if (ret && lp_onlyuser(snum)) {
-               char **user_list = str_list_make_v3(
-                       talloc_tos(), lp_username(snum), NULL);
-               if (user_list &&
-                   str_list_substitute(user_list, "%S",
-                                       lp_servicename(snum))) {
-                       ret = user_in_list(talloc_tos(), user,
-                                          (const char **)user_list);
-               }
-               TALLOC_FREE(user_list);
-       }
-
-       return(ret);
-}
-
-/****************************************************************************
- Validate a group username entry. Return the username or NULL.
-****************************************************************************/
-
-static char *validate_group(struct smbd_server_connection *sconn,
-                           char *group, DATA_BLOB password,int snum)
-{
-#ifdef HAVE_NETGROUP
-       {
-               char *host, *user, *domain;
-               struct auth_context *actx = sconn->smb1.negprot.auth_context;
-               bool enc = sconn->smb1.negprot.encrypted_passwords;
-               setnetgrent(group);
-               while (getnetgrent(&host, &user, &domain)) {
-                       if (user) {
-                               if (user_ok(user, snum) &&
-                                   password_ok(actx, enc,
-                                               get_session_workgroup(sconn),
-                                               user,
-                                               sconn->remote_address,
-                                               password)) {
-                                       endnetgrent();
-                                       return(user);
-                               }
-                       }
-               }
-               endnetgrent();
-       }
-#endif
-
-#ifdef HAVE_GETGRENT
-       {
-               struct group *gptr;
-               struct auth_context *actx = sconn->smb1.negprot.auth_context;
-               bool enc = sconn->smb1.negprot.encrypted_passwords;
-
-               setgrent();
-               while ((gptr = (struct group *)getgrent())) {
-                       if (strequal(gptr->gr_name,group))
-                               break;
-               }
-
-               /*
-                * As user_ok can recurse doing a getgrent(), we must
-                * copy the member list onto the heap before
-                * use. Bug pointed out by leon@eatworms.swmed.edu.
-                */
-
-               if (gptr) {
-                       char *member_list = NULL;
-                       size_t list_len = 0;
-                       char *member;
-                       int i;
-
-                       for(i = 0; gptr->gr_mem && gptr->gr_mem[i]; i++) {
-                               list_len += strlen(gptr->gr_mem[i])+1;
-                       }
-                       list_len++;
-
-                       member_list = (char *)SMB_MALLOC(list_len);
-                       if (!member_list) {
-                               endgrent();
-                               return NULL;
-                       }
-
-                       *member_list = '\0';
-                       member = member_list;
-
-                       for(i = 0; gptr->gr_mem && gptr->gr_mem[i]; i++) {
-                               size_t member_len = strlen(gptr->gr_mem[i])+1;
-
-                               DEBUG(10,("validate_group: = gr_mem = "
-                                         "%s\n", gptr->gr_mem[i]));
-
-                               strlcpy(member, gptr->gr_mem[i],
-                                       list_len - (member-member_list));
-                               member += member_len;
-                       }
-
-                       endgrent();
-
-                       member = member_list;
-                       while (*member) {
-                               if (user_ok(member,snum) &&
-                                   password_ok(actx, enc,
-                                               get_session_workgroup(sconn),
-                                               member,
-                                               sconn->remote_address,
-                                               password)) {
-                                       char *name = talloc_strdup(talloc_tos(),
-                                                               member);
-                                       SAFE_FREE(member_list);
-                                       return name;
-                               }
-
-                               DEBUG(10,("validate_group = member = %s\n",
-                                         member));
-
-                               member += strlen(member) + 1;
-                       }
-
-                       SAFE_FREE(member_list);
-               } else {
-                       endgrent();
-                       return NULL;
-               }
-       }
-#endif
-       return(NULL);
-}
-
-/****************************************************************************
- Check for authority to login to a service with a given username/password.
- Note this is *NOT* used when logging on using sessionsetup_and_X.
-****************************************************************************/
-
-bool authorise_login(struct smbd_server_connection *sconn,
-                    int snum, fstring user, DATA_BLOB password,
-                    bool *guest)
-{
-       bool ok = False;
-       struct auth_context *actx = sconn->smb1.negprot.auth_context;
-       bool enc = sconn->smb1.negprot.encrypted_passwords;
-
-#ifdef DEBUG_PASSWORD
-       DEBUG(100,("authorise_login: checking authorisation on "
-                  "user=%s pass=%s\n", user,password.data));
-#endif
-
-       *guest = False;
-
-       /* there are several possibilities:
-               1) login as the given user with given password
-               2) login as a previously registered username with the given
-                  password
-               3) login as a session list username with the given password
-               4) login as a previously validated user/password pair
-               5) login as the "user =" user with given password
-               6) login as the "user =" user with no password
-                  (guest connection)
-               7) login as guest user with no password
-
-               if the service is guest_only then steps 1 to 5 are skipped
-       */
-
-       /* now check the list of session users */
-       if (!ok) {
-               char *auser;
-               char *user_list = NULL;
-               char *saveptr;
-
-               if (sconn->smb1.sessions.session_userlist)
-                       user_list = SMB_STRDUP(sconn->smb1.sessions.session_userlist);
-               else
-                       user_list = SMB_STRDUP("");
-
-               if (!user_list)
-                       return(False);
-
-               for (auser = strtok_r(user_list, LIST_SEP, &saveptr);
-                    !ok && auser;
-                    auser = strtok_r(NULL, LIST_SEP, &saveptr)) {
-                       fstring user2;
-                       fstrcpy(user2,auser);
-                       if (!user_ok(user2,snum))
-                               continue;
-
-                       if (password_ok(actx, enc,
-                                       get_session_workgroup(sconn),
-                                       user2,
-                                       sconn->remote_address,
-                                       password)) {
-                               ok = True;
-                               strlcpy(user,user2,sizeof(fstring));
-                               DEBUG(3,("authorise_login: ACCEPTED: session "
-                                        "list username (%s) and given "
-                                        "password ok\n", user));
-                       }
-               }
-
-               SAFE_FREE(user_list);
-       }
-
-       /* check the user= fields and the given password */
-       if (!ok && lp_username(snum)) {
-               TALLOC_CTX *ctx = talloc_tos();
-               char *auser;
-               char *user_list = talloc_strdup(ctx, lp_username(snum));
-               char *saveptr;
-
-               if (!user_list) {
-                       goto check_guest;
-               }
-
-               user_list = talloc_string_sub(ctx,
-                               user_list,
-                               "%S",
-                               lp_servicename(snum));
-
-               if (!user_list) {
-                       goto check_guest;
-               }
-
-               for (auser = strtok_r(user_list, LIST_SEP, &saveptr);
-                    auser && !ok;
-                    auser = strtok_r(NULL, LIST_SEP, &saveptr)) {
-                       if (*auser == '@') {
-                               auser = validate_group(sconn,auser+1,
-                                                      password,snum);
-                               if (auser) {
-                                       ok = True;
-                                       fstrcpy(user,auser);
-                                       DEBUG(3,("authorise_login: ACCEPTED: "
-                                                "group username and given "
-                                                "password ok (%s)\n", user));
-                               }
-                       } else {
-                               fstring user2;
-                               fstrcpy(user2,auser);
-                               if (user_ok(user2,snum) &&
-                                   password_ok(actx, enc,
-                                               get_session_workgroup(sconn),
-                                               user2,
-                                               sconn->remote_address,
-                                               password)) {
-                                       ok = True;
-                                       strlcpy(user,user2,sizeof(fstring));
-                                       DEBUG(3,("authorise_login: ACCEPTED: "
-                                                "user list username and "
-                                                "given password ok (%s)\n",
-                                                user));
-                               }
-                       }
-               }
-       }
-
-  check_guest:
-
-       /* check for a normal guest connection */
-       if (!ok && GUEST_OK(snum)) {
-               struct passwd *guest_pw;
-               fstring guestname;
-               fstrcpy(guestname,lp_guestaccount());
-               guest_pw = Get_Pwnam_alloc(talloc_tos(), guestname);
-               if (guest_pw != NULL) {
-                       strlcpy(user,guestname,sizeof(fstring));
-                       ok = True;
-                       DEBUG(3,("authorise_login: ACCEPTED: guest account "
-                                "and guest ok (%s)\n", user));
-               } else {
-                       DEBUG(0,("authorise_login: Invalid guest account "
-                                "%s??\n",guestname));
-               }
-               TALLOC_FREE(guest_pw);
-               *guest = True;
-       }
-
-       if (ok && !user_ok(user, snum)) {
-               DEBUG(0,("authorise_login: rejected invalid user %s\n",user));
-               ok = False;
-       }
-
-       return(ok);
-}
index 6ffc067..6c92755 100644 (file)
@@ -1364,8 +1364,7 @@ static connection_struct *switch_message(uint8 type, struct smb_request *req, in
        flags = smb_messages[type].flags;
 
        /* In share mode security we must ignore the vuid. */
-       session_tag = (lp_security() == SEC_SHARE)
-               ? UID_FIELD_INVALID : req->vuid;
+       session_tag = req->vuid;
        conn = req->conn;
 
        DEBUG(3,("switch message %s (pid %d) conn 0x%lx\n", smb_fn_name(type),
@@ -3257,10 +3256,6 @@ void smbd_process(struct tevent_context *ev_ctx,
        sconn->smb1.sessions.done_sesssetup = false;
        sconn->smb1.sessions.max_send = BUFFER_SIZE;
        sconn->smb1.sessions.last_session_tag = UID_FIELD_INVALID;
-       /* users from session setup */
-       sconn->smb1.sessions.session_userlist = NULL;
-       /* workgroup from session setup. */
-       sconn->smb1.sessions.session_workgroup = NULL;
        /* this holds info on user ids that are already validated for this VC */
        sconn->smb1.sessions.validated_users = NULL;
        sconn->smb1.sessions.next_vuid = VUID_OFFSET;
index 5991800..7321ca6 100644 (file)
@@ -707,13 +707,6 @@ int register_existing_vuid(struct smbd_server_connection *sconn,
                        uint16 vuid,
                        struct auth_session_info *session_info,
                        DATA_BLOB response_blob);
-void add_session_user(struct smbd_server_connection *sconn, const char *user);
-void add_session_workgroup(struct smbd_server_connection *sconn,
-                          const char *workgroup);
-const char *get_session_workgroup(struct smbd_server_connection *sconn);
-bool authorise_login(struct smbd_server_connection *sconn,
-                    int snum, fstring user, DATA_BLOB password,
-                    bool *guest);
 
 /* The following definitions come from smbd/pipes.c  */
 
@@ -986,11 +979,10 @@ struct smbd_smb2_tcon;
 connection_struct *make_connection_smb2(struct smbd_server_connection *sconn,
                                        struct smbd_smb2_tcon *tcon,
                                        user_struct *vuser,
-                                       DATA_BLOB password,
                                        const char *pdev,
                                        NTSTATUS *pstatus);
 connection_struct *make_connection(struct smbd_server_connection *sconn,
-                                  const char *service_in, DATA_BLOB password,
+                                  const char *service_in,
                                   const char *pdev, uint16 vuid,
                                   NTSTATUS *status);
 void close_cnum(connection_struct *conn, uint16 vuid);
index 0ab764c..26a928f 100644 (file)
@@ -599,13 +599,6 @@ void reply_special(struct smbd_server_connection *sconn, char *inbuf, size_t inb
                        break;
                }
 
-               /* only add the client's machine name to the list
-                  of possibly valid usernames if we are operating
-                  in share mode security */
-               if (lp_security() == SEC_SHARE) {
-                       add_session_user(sconn, get_remote_machine_name());
-               }
-
                reload_services(sconn, conn_snum_used, true);
                reopen_logs();
 
@@ -656,7 +649,6 @@ void reply_tcon(struct smb_request *req)
        int pwlen=0;
        NTSTATUS nt_status;
        const char *p;
-       DATA_BLOB password_blob;
        TALLOC_CTX *ctx = talloc_tos();
        struct smbd_server_connection *sconn = req->sconn;
 
@@ -688,14 +680,10 @@ void reply_tcon(struct smb_request *req)
                service = service_buf;
        }
 
-       password_blob = data_blob(password, pwlen+1);
-
-       conn = make_connection(sconn,service,password_blob,dev,
+       conn = make_connection(sconn,service,dev,
                               req->vuid,&nt_status);
        req->conn = conn;
 
-       data_blob_clear_free(&password_blob);
-
        if (!conn) {
                reply_nterror(req, nt_status);
                END_PROFILE(SMBtcon);
@@ -723,7 +711,6 @@ void reply_tcon_and_X(struct smb_request *req)
 {
        connection_struct *conn = req->conn;
        const char *service = NULL;
-       DATA_BLOB password;
        TALLOC_CTX *ctx = talloc_tos();
        /* what the cleint thinks the device is */
        char *client_devicetype = NULL;
@@ -761,27 +748,14 @@ void reply_tcon_and_X(struct smb_request *req)
        }
 
        if (sconn->smb1.negprot.encrypted_passwords) {
-               password = data_blob_talloc(talloc_tos(), req->buf, passlen);
-               if (lp_security() == SEC_SHARE) {
-                       /*
-                        * Security = share always has a pad byte
-                        * after the password.
-                        */
-                       p = (const char *)req->buf + passlen + 1;
-               } else {
-                       p = (const char *)req->buf + passlen;
-               }
+               p = (const char *)req->buf + passlen;
        } else {
-               password = data_blob_talloc(talloc_tos(), req->buf, passlen+1);
-               /* Ensure correct termination */
-               password.data[passlen]=0;
                p = (const char *)req->buf + passlen + 1;
        }
 
        p += srvstr_pull_req_talloc(ctx, req, &path, p, STR_TERMINATE);
 
        if (path == NULL) {
-               data_blob_clear_free(&password);
                reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
                END_PROFILE(SMBtconX);
                return;
@@ -794,7 +768,6 @@ void reply_tcon_and_X(struct smb_request *req)
        if (*path=='\\') {
                q = strchr_m(path+2,'\\');
                if (!q) {
-                       data_blob_clear_free(&password);
                        reply_nterror(req, NT_STATUS_BAD_NETWORK_NAME);
                        END_PROFILE(SMBtconX);
                        return;
@@ -809,7 +782,6 @@ void reply_tcon_and_X(struct smb_request *req)
                                MIN(6, smbreq_bufrem(req, p)), STR_ASCII);
 
        if (client_devicetype == NULL) {
-               data_blob_clear_free(&password);
                reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
                END_PROFILE(SMBtconX);
                return;
@@ -817,12 +789,10 @@ void reply_tcon_and_X(struct smb_request *req)
 
        DEBUG(4,("Client requested device type [%s] for share [%s]\n", client_devicetype, service));
 
-       conn = make_connection(sconn, service, password, client_devicetype,
+       conn = make_connection(sconn, service, client_devicetype,
                               req->vuid, &nt_status);
        req->conn =conn;
 
-       data_blob_clear_free(&password);
-
        if (!conn) {
                reply_nterror(req, nt_status);
                END_PROFILE(SMBtconX);
@@ -2117,7 +2087,7 @@ void reply_ulogoffX(struct smb_request *req)
 
        /* in user level security we are supposed to close any files
                open by this user */
-       if ((vuser != NULL) && (lp_security() != SEC_SHARE)) {
+       if (vuser != NULL) {
                file_close_user(sconn, req->vuid);
        }
 
index 8436fbe..c533233 100644 (file)
@@ -381,7 +381,6 @@ static NTSTATUS find_forced_group(bool force_user,
 static NTSTATUS create_connection_session_info(struct smbd_server_connection *sconn,
                                              TALLOC_CTX *mem_ctx, int snum,
                                               struct auth_session_info *session_info,
-                                             DATA_BLOB password,
                                               struct auth_session_info **presult)
 {
         if (lp_guest_only(snum)) {
@@ -425,29 +424,7 @@ static NTSTATUS create_connection_session_info(struct smbd_server_connection *sc
                return NT_STATUS_OK;
         }
 
-        if (lp_security() == SEC_SHARE) {
-
-                fstring user;
-               bool guest;
-
-                /* add the sharename as a possible user name if we
-                   are in share mode security */
-
-                add_session_user(sconn, lp_servicename(snum));
-
-                /* shall we let them in? */
-
-                if (!authorise_login(sconn, snum,user,password,&guest)) {
-                        DEBUG( 2, ( "Invalid username/password for [%s]\n",
-                                    lp_servicename(snum)) );
-                       return NT_STATUS_WRONG_PASSWORD;
-                }
-
-               return make_session_info_from_username(mem_ctx, user, guest,
-                                                      presult);
-        }
-
-       DEBUG(0, ("invalid VUID (vuser) but not in security=share\n"));
+       DEBUG(0, ("invalid VUID (vuser)\n"));
        return NT_STATUS_ACCESS_DENIED;
 }
 
@@ -557,7 +534,6 @@ static void create_share_access_mask(connection_struct *conn, int snum)
 static NTSTATUS make_connection_snum(struct smbd_server_connection *sconn,
                                        connection_struct *conn,
                                        int snum, user_struct *vuser,
-                                       DATA_BLOB password,
                                        const char *pdev)
 {
        struct smb_filename *smb_fname_cpath = NULL;
@@ -582,7 +558,7 @@ static NTSTATUS make_connection_snum(struct smbd_server_connection *sconn,
        conn->params->service = snum;
 
        status = create_connection_session_info(sconn,
-               conn, snum, vuser ? vuser->session_info : NULL, password,
+               conn, snum, vuser ? vuser->session_info : NULL,
                &conn->session_info);
 
        if (!NT_STATUS_IS_OK(status)) {
@@ -591,12 +567,10 @@ static NTSTATUS make_connection_snum(struct smbd_server_connection *sconn,
                goto err_root_exit;
        }
 
-       if ((lp_guest_only(snum)) || (lp_security() == SEC_SHARE)) {
+       if (lp_guest_only(snum)) {
                conn->force_user = true;
        }
 
-       add_session_user(sconn, conn->session_info->unix_info->unix_name);
-
        conn->num_files_open = 0;
        conn->lastused = conn->lastused_count = time(NULL);
        conn->used = True;
@@ -630,7 +604,7 @@ static NTSTATUS make_connection_snum(struct smbd_server_connection *sconn,
                goto err_root_exit;
        }
 
-       conn->vuid = (vuser != NULL) ? vuser->vuid : UID_FIELD_INVALID;
+       conn->vuid = vuser->vuid;
 
        {
                char *s = talloc_sub_advanced(talloc_tos(),
@@ -930,7 +904,6 @@ static NTSTATUS make_connection_snum(struct smbd_server_connection *sconn,
 
 static connection_struct *make_connection_smb1(struct smbd_server_connection *sconn,
                                        int snum, user_struct *vuser,
-                                       DATA_BLOB password,
                                        const char *pdev,
                                        NTSTATUS *pstatus)
 {
@@ -944,7 +917,6 @@ static connection_struct *make_connection_smb1(struct smbd_server_connection *sc
                                        conn,
                                        snum,
                                        vuser,
-                                        password,
                                        pdev);
        if (!NT_STATUS_IS_OK(*pstatus)) {
                conn_free(conn);
@@ -961,7 +933,6 @@ static connection_struct *make_connection_smb1(struct smbd_server_connection *sc
 connection_struct *make_connection_smb2(struct smbd_server_connection *sconn,
                                        struct smbd_smb2_tcon *tcon,
                                        user_struct *vuser,
-                                       DATA_BLOB password,
                                        const char *pdev,
                                        NTSTATUS *pstatus)
 {
@@ -976,7 +947,6 @@ connection_struct *make_connection_smb2(struct smbd_server_connection *sconn,
                                        conn,
                                        tcon->snum,
                                        vuser,
-                                        password,
                                        pdev);
        if (!NT_STATUS_IS_OK(*pstatus)) {
                conn_free(conn);
@@ -992,7 +962,7 @@ connection_struct *make_connection_smb2(struct smbd_server_connection *sconn,
 ****************************************************************************/
 
 connection_struct *make_connection(struct smbd_server_connection *sconn,
-                                  const char *service_in, DATA_BLOB password,
+                                  const char *service_in,
                                   const char *pdev, uint16 vuid,
                                   NTSTATUS *status)
 {
@@ -1017,14 +987,12 @@ connection_struct *make_connection(struct smbd_server_connection *sconn,
                return NULL;
        }
 
-       if(lp_security() != SEC_SHARE) {
-               vuser = get_valid_user_struct(sconn, vuid);
-               if (!vuser) {
-                       DEBUG(1,("make_connection: refusing to connect with "
-                                "no session setup\n"));
-                       *status = NT_STATUS_ACCESS_DENIED;
-                       return NULL;
-               }
+       vuser = get_valid_user_struct(sconn, vuid);
+       if (!vuser) {
+               DEBUG(1,("make_connection: refusing to connect with "
+                        "no session setup\n"));
+               *status = NT_STATUS_ACCESS_DENIED;
+               return NULL;
        }
 
        /* Logic to try and connect to the correct [homes] share, preferably
@@ -1037,57 +1005,28 @@ connection_struct *make_connection(struct smbd_server_connection *sconn,
        */
 
        if (strequal(service_in,HOMES_NAME)) {
-               if(lp_security() != SEC_SHARE) {
-                       DATA_BLOB no_pw = data_blob_null;
-                       if (vuser->homes_snum == -1) {
-                               DEBUG(2, ("[homes] share not available for "
-                                         "this user because it was not found "
-                                         "or created at session setup "
-                                         "time\n"));
-                               *status = NT_STATUS_BAD_NETWORK_NAME;
-                               return NULL;
-                       }
-                       DEBUG(5, ("making a connection to [homes] service "
-                                 "created at session setup time\n"));
-                       return make_connection_smb1(sconn,
-                                                   vuser->homes_snum,
-                                                   vuser, no_pw, 
-                                                   dev, status);
-               } else {
-                       /* Security = share. Try with
-                        * current_user_info.smb_name as the username.  */
-                       if (*current_user_info.smb_name) {
-                               char *unix_username = NULL;
-                               (void)map_username(talloc_tos(),
-                                               current_user_info.smb_name,
-                                               &unix_username);
-                               snum = find_service(talloc_tos(),
-                                               unix_username,
-                                               &unix_username);
-                               if (!unix_username) {
-                                       *status = NT_STATUS_NO_MEMORY;
-                               }
-                               return NULL;
-                       }
-                       if (snum != -1) {
-                               DEBUG(5, ("making a connection to 'homes' "
-                                         "service %s based on "
-                                         "security=share\n", service_in));
-                               return make_connection_smb1(sconn,
-                                                           snum, NULL,
-                                                           password,
-                                                           dev, status);
-                       }
+               if (vuser->homes_snum == -1) {
+                       DEBUG(2, ("[homes] share not available for "
+                                 "this user because it was not found "
+                                 "or created at session setup "
+                                 "time\n"));
+                       *status = NT_STATUS_BAD_NETWORK_NAME;
+                       return NULL;
                }
-       } else if ((lp_security() != SEC_SHARE) && (vuser->homes_snum != -1)
+               DEBUG(5, ("making a connection to [homes] service "
+                         "created at session setup time\n"));
+               return make_connection_smb1(sconn,
+                                           vuser->homes_snum,
+                                           vuser,
+                                           dev, status);
+       } else if ((vuser->homes_snum != -1)
                   && strequal(service_in,
                               lp_servicename(vuser->homes_snum))) {
-               DATA_BLOB no_pw = data_blob_null;
                DEBUG(5, ("making a connection to 'homes' service [%s] "
                          "created at session setup time\n", service_in));
                return make_connection_smb1(sconn,
                                            vuser->homes_snum,
-                                           vuser, no_pw, 
+                                           vuser,
                                            dev, status);
        }
 
@@ -1134,7 +1073,6 @@ connection_struct *make_connection(struct smbd_server_connection *sconn,
        DEBUG(5, ("making a connection to 'normal' service %s\n", service));
 
        return make_connection_smb1(sconn, snum, vuser,
-                                   password,
                                    dev, status);
 }
 
index 987b626..da306b9 100644 (file)
@@ -561,11 +561,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
                if (doencrypt) {
                        lm_resp = data_blob(p, passlen1);
                        nt_resp = data_blob(p+passlen1, passlen2);
-               } else if (lp_security() != SEC_SHARE) {
-                       /*
-                        * In share level we should ignore any passwords, so
-                        * only read them if we're not.
-                        */
+               } else {
                        char *pass = NULL;
                        bool unic= smb_flag2 & FLAGS2_UNICODE_STRINGS;
 
@@ -673,27 +669,6 @@ void reply_sesssetup_and_X(struct smb_request *req)
 
        reload_services(sconn, conn_snum_used, true);
 
-       if (lp_security() == SEC_SHARE) {
-               char *sub_user_mapped = NULL;
-               /* In share level we should ignore any passwords */
-
-               data_blob_free(&lm_resp);
-               data_blob_free(&nt_resp);
-               data_blob_clear_free(&plaintext_password);
-
-               (void)map_username(talloc_tos(), sub_user, &sub_user_mapped);
-               if (!sub_user_mapped) {
-                       reply_nterror(req, NT_STATUS_NO_MEMORY);
-                       END_PROFILE(SMBsesssetupX);
-                       return;
-               }
-               fstrcpy(sub_user, sub_user_mapped);
-               add_session_user(sconn, sub_user);
-               add_session_workgroup(sconn, domain);
-               /* Then force it to null for the benfit of the code below */
-               user = "";
-       }
-
        if (!*user) {
 
                nt_status = check_guest_password(sconn->remote_address, &server_info);
@@ -796,36 +771,31 @@ void reply_sesssetup_and_X(struct smb_request *req)
        /* register the name and uid as being validated, so further connections
           to a uid can get through without a password, on the same VC */
 
-       if (lp_security() == SEC_SHARE) {
-               sess_vuid = UID_FIELD_INVALID;
-               TALLOC_FREE(session_info);
-       } else {
-               /* Ignore the initial vuid. */
-               sess_vuid = register_initial_vuid(sconn);
-               if (sess_vuid == UID_FIELD_INVALID) {
-                       data_blob_free(&nt_resp);
-                       data_blob_free(&lm_resp);
-                       reply_nterror(req, nt_status_squash(
-                                             NT_STATUS_LOGON_FAILURE));
-                       END_PROFILE(SMBsesssetupX);
-                       return;
-               }
-               /* register_existing_vuid keeps the session_info */
-               sess_vuid = register_existing_vuid(sconn, sess_vuid,
-                                       session_info,
-                                       nt_resp.data ? nt_resp : lm_resp);
-               if (sess_vuid == UID_FIELD_INVALID) {
-                       data_blob_free(&nt_resp);
-                       data_blob_free(&lm_resp);
-                       reply_nterror(req, nt_status_squash(
-                                             NT_STATUS_LOGON_FAILURE));
-                       END_PROFILE(SMBsesssetupX);
-                       return;
-               }
-
-               /* current_user_info is changed on new vuid */
-               reload_services(sconn, conn_snum_used, true);
+       /* Ignore the initial vuid. */
+       sess_vuid = register_initial_vuid(sconn);
+       if (sess_vuid == UID_FIELD_INVALID) {
+               data_blob_free(&nt_resp);
+               data_blob_free(&lm_resp);
+               reply_nterror(req, nt_status_squash(
+                                     NT_STATUS_LOGON_FAILURE));
+               END_PROFILE(SMBsesssetupX);
+               return;
        }
+       /* register_existing_vuid keeps the session_info */
+       sess_vuid = register_existing_vuid(sconn, sess_vuid,
+                                          session_info,
+                                          nt_resp.data ? nt_resp : lm_resp);
+       if (sess_vuid == UID_FIELD_INVALID) {
+               data_blob_free(&nt_resp);
+               data_blob_free(&lm_resp);
+               reply_nterror(req, nt_status_squash(
+                                     NT_STATUS_LOGON_FAILURE));
+               END_PROFILE(SMBsesssetupX);
+               return;
+       }
+
+       /* current_user_info is changed on new vuid */
+       reload_services(sconn, conn_snum_used, true);
 
        data_blob_free(&nt_resp);
        data_blob_free(&lm_resp);
index b7e5ce0..56c4288 100644 (file)
@@ -232,7 +232,7 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
        compat_conn = make_connection_smb2(req->sconn,
                                        tcon,
                                        req->session->compat_vuser,
-                                       data_blob_null, "???",
+                                       "???",
                                        &status);
        if (compat_conn == NULL) {
                TALLOC_FREE(tcon);
index 3847d39..84cb61c 100644 (file)
@@ -288,19 +288,7 @@ bool change_to_user(connection_struct *conn, uint16_t vuid)
 
        vuser = get_valid_user_struct(conn->sconn, vuid);
 
-       /*
-        * We need a separate check in security=share mode due to vuid
-        * always being UID_FIELD_INVALID. If we don't do this then
-        * in share mode security we are *always* changing uid's between
-        * SMB's - this hurts performance - Badly.
-        */
-
-       if((lp_security() == SEC_SHARE) && (current_user.conn == conn) &&
-          (current_user.ut.uid == conn->session_info->unix_token->uid)) {
-               DEBUG(4,("Skipping user change - already "
-                        "user\n"));
-               return(True);
-       } else if ((current_user.conn == conn) &&
+       if ((current_user.conn == conn) &&
                   (vuser != NULL) && (current_user.vuid == vuid) &&
                   (current_user.ut.uid == vuser->session_info->unix_token->uid)) {
                DEBUG(4,("Skipping user change - already "
@@ -308,16 +296,15 @@ bool change_to_user(connection_struct *conn, uint16_t vuid)
                return(True);
        }
 
-       session_info = vuser ? vuser->session_info : conn->session_info;
-
-       if (session_info == NULL) {
-               /* Invalid vuid sent - even with security = share. */
+       if (vuser == NULL) {
+               /* Invalid vuid sent */
                DEBUG(2,("Invalid vuid %d used on "
                         "share %s.\n", vuid, lp_servicename(snum) ));
                return false;
        }
 
-       /* security = share sets force_user. */
+       session_info = vuser->session_info;
+
        if (!conn->force_user && vuser == NULL) {
                DEBUG(2,("Invalid vuid used %d in accessing "
                        "share %s.\n", vuid, lp_servicename(snum) ));
index 8f8f394..0755f9f 100644 (file)
@@ -418,10 +418,6 @@ static int traverse_sessionid(const char *key, struct sessionid *session,
                d_printf("\nSamba version %s\n",samba_version_string());
                d_printf("PID     Username      Group         Machine                        \n");
                d_printf("-------------------------------------------------------------------\n");
-               if (lp_security() == SEC_SHARE) {
-                       d_printf(" <processes do not show up in "
-                                "anonymous mode>\n");
-               }
 
                sessionid_traverse_read(traverse_sessionid, NULL);
 
index 5f27439..a8a6d78 100644 (file)
@@ -237,15 +237,6 @@ static bool test_server_role_security_domain(struct torture_context *tctx)
        return true;
 }
 
-static bool test_server_role_security_share(struct torture_context *tctx)
-{
-       struct loadparm_context *lp_ctx = loadparm_init(tctx);
-       torture_assert(tctx, lpcfg_set_option(lp_ctx, "security=share"), "lpcfg_set_option failed");
-       torture_assert_int_equal(tctx, lpcfg_server_role(lp_ctx), ROLE_STANDALONE, "ROLE should be STANDALONE");
-       torture_assert_int_equal(tctx, lpcfg_security(lp_ctx), SEC_SHARE, "security should be share");
-       return true;
-}
-
 static bool test_server_role_security_server(struct torture_context *tctx)
 {
        struct loadparm_context *lp_ctx = loadparm_init(tctx);
@@ -282,7 +273,6 @@ struct torture_suite *torture_local_loadparm(TALLOC_CTX *mem_ctx)
        torture_suite_add_simple_test(suite, "test_server_role_dc_domain_logons_and_not_master", test_server_role_dc_domain_logons_and_not_master);
        torture_suite_add_simple_test(suite, "test_server_role_security_ads", test_server_role_security_ads);
        torture_suite_add_simple_test(suite, "test_server_role_security_domain", test_server_role_security_domain);
-       torture_suite_add_simple_test(suite, "test_server_role_security_share", test_server_role_security_share);
        torture_suite_add_simple_test(suite, "test_server_role_security_server", test_server_role_security_server);
 
        return suite;