#include "tdb.h"
#include "librpc/gen_ndr/nbt.h"
#include "libds/common/roles.h"
+#include "lib/util/samba_util.h"
+#include "libcli/auth/ntlm_check.h"
#ifdef HAVE_HTTPCONNECTENCRYPT
#include <cups/http.h>
return lp_ctx->sDefault;
}
+int lpcfg_rpc_low_port(struct loadparm_context *lp_ctx)
+{
+ return lp_ctx->globals->rpc_low_port;
+}
+
+int lpcfg_rpc_high_port(struct loadparm_context *lp_ctx)
+{
+ return lp_ctx->globals->rpc_high_port;
+}
+
/**
* Convenience routine to grab string parameters into temporary memory
* and run standard_sub_basic on them.
{
if (lp_ctx->s3_fns) {
if (*ptr == NULL || strcmp(*ptr, pszParmValue) != 0) {
- global_iconv_handle = smb_iconv_handle_reinit(NULL,
- lpcfg_dos_charset(lp_ctx),
- lpcfg_unix_charset(lp_ctx),
- true, global_iconv_handle);
+ struct smb_iconv_handle *ret = NULL;
+
+ ret = reinit_iconv_handle(NULL,
+ lpcfg_dos_charset(lp_ctx),
+ lpcfg_unix_charset(lp_ctx));
+ if (ret == NULL) {
+ smb_panic("reinit_iconv_handle failed");
+ }
}
}
}
if (*ptr == NULL || strcmp(*ptr, pszParmValue) != 0) {
+ struct smb_iconv_handle *ret = NULL;
if (is_utf8) {
DEBUG(0,("ERROR: invalid DOS charset: 'dos charset' must not "
"be UTF8, using (default value) %s instead.\n",
DEFAULT_DOS_CHARSET));
pszParmValue = DEFAULT_DOS_CHARSET;
}
- global_iconv_handle = smb_iconv_handle_reinit(NULL,
- lpcfg_dos_charset(lp_ctx),
- lpcfg_unix_charset(lp_ctx),
- true, global_iconv_handle);
+ ret = reinit_iconv_handle(NULL,
+ lpcfg_dos_charset(lp_ctx),
+ lpcfg_unix_charset(lp_ctx));
+ if (ret == NULL) {
+ smb_panic("reinit_iconv_handle failed");
+ }
}
}
return true;
}
+bool handle_rpc_server_dynamic_port_range(struct loadparm_context *lp_ctx,
+ struct loadparm_service *service,
+ const char *pszParmValue,
+ char **ptr)
+{
+ int low_port = -1, high_port = -1;
+ int rc;
+
+ if (pszParmValue == NULL || pszParmValue[0] == '\0') {
+ return false;
+ }
+
+ rc = sscanf(pszParmValue, "%d - %d", &low_port, &high_port);
+ if (rc != 2) {
+ return false;
+ }
+
+ if (low_port > high_port) {
+ return false;
+ }
+
+ if (low_port < SERVER_TCP_PORT_MIN|| high_port > SERVER_TCP_PORT_MAX) {
+ return false;
+ }
+
+ lp_ctx->globals->rpc_low_port = low_port;
+ lp_ctx->globals->rpc_high_port = high_port;
+
+ return true;
+}
+
bool handle_smb2_max_credits(struct loadparm_context *lp_ctx,
struct loadparm_service *service,
const char *pszParmValue, char **ptr)
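Review bot: The `sscanf(pszParmValue, "%d - %d", ...)` parse in handle_rpc_server_dynamic_port_range accepts trailing garbage (`"49152-65535junk"` still yields rc == 2) and, per the C standard, an out-of-range number under `%d` is undefined behaviour rather than a reported error, so the later SERVER_TCP_PORT_MIN/MAX check cannot be relied on for a hostile or mistyped smb.conf value. Parsing both numbers with strtol and requiring the remainder to be exactly `-` and then end-of-string closes both gaps; the sketch below replaces only the parse, the existing low > high and MIN/MAX checks stay as they are. It needs `errno.h` and `ctype.h`, which Samba's includes.h presumably already pulls in — confirm. Unlike the neighbouring handlers, which compare and update `*ptr`, this one never records the string; if `*ptr` is what testparm and the parameter dumpers read back, the displayed value will be stale — worth checking against the other handlers in this file. Minor: `SERVER_TCP_PORT_MIN||` is missing a space before the operator.
```c
bool handle_rpc_server_dynamic_port_range(struct loadparm_context *lp_ctx,
					  struct loadparm_service *service,
					  const char *pszParmValue,
					  char **ptr)
{
	long low_port, high_port;
	const char *p = pszParmValue;
	char *end = NULL;

	if (pszParmValue == NULL || pszParmValue[0] == '\0') {
		return false;
	}

	errno = 0;
	low_port = strtol(p, &end, 10);
	if (end == p || errno == ERANGE) {
		return false;
	}
	while (isspace((unsigned char)*end)) {
		end++;
	}
	if (*end != '-') {
		return false;
	}

	p = end + 1;
	errno = 0;
	high_port = strtol(p, &end, 10);
	if (end == p || errno == ERANGE) {
		return false;
	}
	while (isspace((unsigned char)*end)) {
		end++;
	}
	if (*end != '\0') {
		/* reject "1024-2048 extra" rather than silently truncating */
		return false;
	}

	/* … unchanged: low_port > high_port check, SERVER_TCP_PORT_MIN/MAX check, assignment to lp_ctx->globals … */
```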
}
+bool handle_name_resolve_order(struct loadparm_context *lp_ctx,
+ struct loadparm_service *service,
+ const char *pszParmValue, char **ptr)
+{
+ const char **valid_values = NULL;
+ const char **values_to_set = NULL;
+ int i;
+ bool value_is_valid = false;
+ valid_values = str_list_make_v3_const(NULL,
+ DEFAULT_NAME_RESOLVE_ORDER,
+ NULL);
+ if (valid_values == NULL) {
+ DBG_ERR("OOM: failed to make string list from %s\n",
+ DEFAULT_NAME_RESOLVE_ORDER);
+ goto out;
+ }
+ values_to_set = str_list_make_v3_const(lp_ctx->globals->ctx,
+ pszParmValue,
+ NULL);
+ if (values_to_set == NULL) {
+ DBG_ERR("OOM: failed to make string list from %s\n",
+ pszParmValue);
+ goto out;
+ }
+ TALLOC_FREE(lp_ctx->globals->name_resolve_order);
+ for (i = 0; values_to_set[i] != NULL; i++) {
+ value_is_valid = str_list_check(valid_values, values_to_set[i]);
+ if (!value_is_valid) {
+ DBG_ERR("WARNING: Ignoring invalid list value '%s' "
+ "for parameter 'name resolve order'\n",
+ values_to_set[i]);
+ break;
+ }
+ }
+out:
+ if (value_is_valid) {
+ lp_ctx->globals->name_resolve_order = values_to_set;
+ } else {
+ TALLOC_FREE(values_to_set);
+ }
+ TALLOC_FREE(valid_values);
+ return value_is_valid;
+}
+
static bool set_variable(TALLOC_CTX *mem_ctx, struct loadparm_service *service,
int parmnum, void *parm_ptr,
const char *pszParmName, const char *pszParmValue,
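Review bot: `TALLOC_FREE(lp_ctx->globals->name_resolve_order);` in handle_name_resolve_order runs before any entry has been validated, so one misspelled token in smb.conf frees the list set by the earlier default and leaves `name_resolve_order` NULL while the handler returns false — a rejected value should leave the previous setting intact. Move the free into the success branch: `if (value_is_valid) { TALLOC_FREE(lp_ctx->globals->name_resolve_order); lp_ctx->globals->name_resolve_order = values_to_set; }`. The log text `"WARNING: Ignoring invalid list value ..."` also contradicts what the code does (the whole parameter is refused via `break` and a false return), so either the message or the behaviour should change. An empty value (`values_to_set[0] == NULL`) likewise ends with value_is_valid false; if the intent is to fall back to the default rather than refuse, that case needs an explicit branch. What a false return means to the caller is outside this hunk.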
return 0;
}
-struct defaults_hook_data {
- const char *name;
- lpcfg_defaults_hook hook;
- struct defaults_hook_data *prev, *next;
-} *defaults_hooks = NULL;
-
-
-bool lpcfg_register_defaults_hook(const char *name, lpcfg_defaults_hook hook)
-{
- struct defaults_hook_data *hook_data = talloc(talloc_autofree_context(),
- struct defaults_hook_data);
- hook_data->name = talloc_strdup(hook_data, name);
- hook_data->hook = hook;
- DLIST_ADD(defaults_hooks, hook_data);
- return false;
-}
-
/**
* Initialise the global parameter structure.
*
struct loadparm_context *lp_ctx;
struct parmlist_entry *parm;
char *logfile;
- struct defaults_hook_data *defaults_hook;
lp_ctx = talloc_zero(mem_ctx, struct loadparm_context);
if (lp_ctx == NULL)
lp_ctx->globals = talloc_zero(lp_ctx, struct loadparm_global);
/* This appears odd, but globals in s3 isn't a pointer */
lp_ctx->globals->ctx = lp_ctx->globals;
+ lp_ctx->globals->rpc_low_port = SERVER_TCP_LOW_PORT;
+ lp_ctx->globals->rpc_high_port = SERVER_TCP_HIGH_PORT;
lp_ctx->sDefault = talloc_zero(lp_ctx, struct loadparm_service);
lp_ctx->flags = talloc_zero_array(lp_ctx, unsigned int, num_parameters());
lp_ctx->sDefault->force_create_mode = 0000;
lp_ctx->sDefault->directory_mask = 0755;
lp_ctx->sDefault->force_directory_mode = 0000;
+ lp_ctx->sDefault->aio_read_size = 1;
+ lp_ctx->sDefault->aio_write_size = 1;
DEBUG(3, ("Initialising global parameters\n"));
myname = get_myname(lp_ctx);
lpcfg_do_global_parameter(lp_ctx, "netbios name", myname);
talloc_free(myname);
- lpcfg_do_global_parameter(lp_ctx, "name resolve order", "lmhosts wins host bcast");
+ lpcfg_do_global_parameter(lp_ctx,
+ "name resolve order",
+ DEFAULT_NAME_RESOLVE_ORDER);
lpcfg_do_global_parameter(lp_ctx, "fstype", "NTFS");
lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default");
lpcfg_do_global_parameter(lp_ctx, "max connections", "0");
- lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
+ lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns");
- lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "false");
+ lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true");
/* the winbind method for domain controllers is for both RODC
auth forwarding and for trusted domains */
lpcfg_do_global_parameter(lp_ctx, "private dir", dyn_PRIVATE_DIR);
+ lpcfg_do_global_parameter(lp_ctx, "binddns dir", dyn_BINDDNS_DIR);
lpcfg_do_global_parameter(lp_ctx, "registry:HKEY_LOCAL_MACHINE", "hklm.ldb");
/* This hive should be dynamically generated by Samba using
lpcfg_do_global_parameter(lp_ctx, "ClientLanManAuth", "False");
lpcfg_do_global_parameter(lp_ctx, "ClientNTLMv2Auth", "True");
lpcfg_do_global_parameter(lp_ctx, "LanmanAuth", "False");
- lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "True");
+ lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "ntlmv2-only");
lpcfg_do_global_parameter(lp_ctx, "RawNTLMv2Auth", "False");
lpcfg_do_global_parameter(lp_ctx, "client use spnego principal", "False");
lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
- lpcfg_do_global_parameter(lp_ctx, "winbindd privileged socket directory", dyn_WINBINDD_PRIVILEGED_SOCKET_DIR);
lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
+ lpcfg_do_global_parameter_var(lp_ctx, "gpo update command", "%s/samba_gpoupdate", dyn_SCRIPTSBINDIR);
lpcfg_do_global_parameter_var(lp_ctx, "dns update command", "%s/samba_dnsupdate", dyn_SCRIPTSBINDIR);
lpcfg_do_global_parameter_var(lp_ctx, "spn update command", "%s/samba_spnupdate", dyn_SCRIPTSBINDIR);
lpcfg_do_global_parameter_var(lp_ctx, "samba kcc command",
"%s/samba_kcc", dyn_SCRIPTSBINDIR);
+#ifdef MIT_KDC_PATH
+ lpcfg_do_global_parameter_var(lp_ctx,
+ "mit kdc command",
+ MIT_KDC_PATH);
+#endif
lpcfg_do_global_parameter(lp_ctx, "template shell", "/bin/false");
lpcfg_do_global_parameter(lp_ctx, "template homedir", "/home/%D/%U");
lpcfg_do_global_parameter(lp_ctx, "strict locking", "Auto");
+ lpcfg_do_global_parameter(lp_ctx, "strict sync", "yes");
+
lpcfg_do_global_parameter(lp_ctx, "map readonly", "yes");
lpcfg_do_global_parameter(lp_ctx, "allow trusted domains", "yes");
lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "sign");
+ lpcfg_do_global_parameter(lp_ctx, "mdns name", "netbios");
+
lpcfg_do_global_parameter(lp_ctx, "ldap server require strong auth", "yes");
lpcfg_do_global_parameter(lp_ctx, "follow symlinks", "yes");
lpcfg_do_global_parameter(lp_ctx, "blocking locks", "yes");
- lpcfg_do_global_parameter(lp_ctx, "oplock contention limit", "2");
-
lpcfg_do_global_parameter(lp_ctx, "load printers", "yes");
lpcfg_do_global_parameter(lp_ctx, "idmap cache time", "604800");
lpcfg_do_global_parameter(lp_ctx, "aio max threads", "100");
- /* Allow modules to adjust defaults */
- for (defaults_hook = defaults_hooks; defaults_hook;
- defaults_hook = defaults_hook->next) {
- bool ret;
+ lpcfg_do_global_parameter(lp_ctx, "smb2 leases", "yes");
- ret = defaults_hook->hook(lp_ctx);
- if (!ret) {
- DEBUG(1, ("Defaults hook %s failed to run.",
- defaults_hook->name));
- talloc_free(lp_ctx);
- return NULL;
- }
- }
+ lpcfg_do_global_parameter(lp_ctx, "kerberos encryption types", "all");
+
+ lpcfg_do_global_parameter(lp_ctx,
+ "rpc server dynamic port range",
+ "49152-65535");
+
+ lpcfg_do_global_parameter(lp_ctx, "prefork children", "1");
for (i = 0; parm_table[i].label; i++) {
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
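Review bot: The new `kerberos encryption types` default is set to `"all"` with no comment on what that admits; if, as the parameter name and smb.conf documentation suggest, `all` permits RC4-HMAC alongside AES, an operator auditing defaults would want that stated at the assignment, e.g. `/* "all" keeps RC4-HMAC enabled for compatibility; "strong" restricts to AES */`. This is a documentation request only — keeping RC4 available by default is a compatibility choice the commit makes deliberately, and the stronger setting should be named so it is easy to find. The `rpc server dynamic port range` default `"49152-65535"` is parsed by the new handler elsewhere in this patch; a one-line comment noting it matches the Windows Vista+ ephemeral range would explain the otherwise bare numbers. The enclosing initialisation function continues beyond this hunk.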
_PUBLIC_ void reload_charcnv(struct loadparm_context *lp_ctx)
{
- struct smb_iconv_handle *old_ic = lp_ctx->iconv_handle;
if (!lp_ctx->global) {
return;
}
- if (old_ic == NULL) {
- old_ic = global_iconv_handle;
+ lp_ctx->iconv_handle =
+ reinit_iconv_handle(lp_ctx,
+ lpcfg_dos_charset(lp_ctx),
+ lpcfg_unix_charset(lp_ctx));
+ if (lp_ctx->iconv_handle == NULL) {
+ smb_panic("reinit_iconv_handle failed");
}
- lp_ctx->iconv_handle = smb_iconv_handle_reinit_lp(lp_ctx, lp_ctx, old_ic);
- global_iconv_handle = lp_ctx->iconv_handle;
}
_PUBLIC_ char *lpcfg_tls_keyfile(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx)
{
int client_max_protocol = lpcfg__client_max_protocol(lp_ctx);
if (client_max_protocol == PROTOCOL_DEFAULT) {
- return PROTOCOL_NT1;
+ return PROTOCOL_LATEST;
}
return client_max_protocol;
}
}
return tdb_flags;
}
+
+/*
+ * Do not allow LanMan auth if unless NTLMv1 is also allowed
+ *
+ * This also ensures it is disabled if NTLM is totally disabled
+ */
+bool lpcfg_lanman_auth(struct loadparm_context *lp_ctx)
+{
+ enum ntlm_auth_level ntlm_auth_level = lpcfg_ntlm_auth(lp_ctx);
+
+ if (ntlm_auth_level == NTLM_AUTH_ON) {
+ return lpcfg__lanman_auth(lp_ctx);
+ } else {
+ return false;
+ }
+}
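Review bot: The header comment on lpcfg_lanman_auth reads `Do not allow LanMan auth if unless NTLMv1 is also allowed`; drop the stray `if`: `Do not allow LanMan auth unless NTLMv1 is also allowed`. Since the file gains both `lpcfg__lanman_auth` (the raw getter, presumably generated) and this wrapper, the comment should also say that callers deciding whether to accept an LM response must use this wrapper, not the raw getter, otherwise the `ntlmv2-only` default set elsewhere in this patch can be bypassed by a direct `lpcfg__lanman_auth` call. The body itself is fine; `return ntlm_auth_level == NTLM_AUTH_ON && lpcfg__lanman_auth(lp_ctx);` would express the same rule in one line if the project style allows.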