s3-auth: remove "security=server" (depricated since 3.6)
authorStefan Metzmacher <metze@samba.org>
Sat, 12 May 2012 10:00:00 +0000 (12:00 +0200)
committerStefan Metzmacher <metze@samba.org>
Tue, 15 May 2012 06:18:28 +0000 (08:18 +0200)
"security=server" has a lot of problems in the world with
modern security (ntlmv2 and krb5). It was also not very
reliable, as it needed a stable connection to the password
server for the lifetime of the whole client connection!

Please use "security=domain" or "security=ads" is you
authentication against remote servers (domain controllers).

metze
                       --------------
                      /              \
                     /      REST      \
                    /        IN        \
                   /       PEACE        \
                  /                      \
                  |      SEC_SERVER      |
                  |    security=server   |
                  |                      |
                  |                      |
                  |       12 May         |
                  |                      |
                  |        2012          |
                 *|     *  *  *          | *
        _________)/\\_//(\/(/\)/\//\/\///|_)_______

lib/param/loadparm_server_role.c
lib/param/param_enums.c
libds/common/roles.h
source3/auth/auth.c
source3/param/loadparm.c
source3/utils/testparm.c

index 4ba54b9..9ff64be 100644 (file)
@@ -73,13 +73,6 @@ int lp_find_server_role(int server_role, int security, int domain_logons, int do
        role = ROLE_STANDALONE;
 
        switch (security) {
-               case SEC_SERVER:
-                       if (domain_logons) {
-                               DEBUG(0, ("Server's Role (logon server) conflicts with server-level security\n"));
-                       }
-                       /* this used to be considered ROLE_DOMAIN_MEMBER but that's just wrong */
-                       role = ROLE_STANDALONE;
-                       break;
                case SEC_DOMAIN:
                        if (domain_logons) {
                                DEBUG(1, ("Server's Role (logon server) NOT ADVISED with domain-level security\n"));
@@ -157,7 +150,7 @@ bool lp_is_security_and_server_role_valid(int server_role, int security)
                valid = true;
                break;
        case ROLE_STANDALONE:
-               if (security == SEC_SERVER || security == SEC_USER) {
+               if (security == SEC_USER) {
                        valid = true;
                }
                break;
index 36234ea..5f4cd61 100644 (file)
@@ -46,7 +46,6 @@ static const struct enum_list enum_protocol[] = {
 static const struct enum_list enum_security[] = {
        {SEC_AUTO, "AUTO"},
        {SEC_USER, "USER"},
-       {SEC_SERVER, "SERVER"},
        {SEC_DOMAIN, "DOMAIN"},
 #if (defined(HAVE_ADS) || _SAMBA_BUILD_ >= 4)
        {SEC_ADS, "ADS"},
index 90281ba..9dc9a00 100644 (file)
@@ -60,10 +60,25 @@ enum server_role {
                  *|     *  *  *          | *
         _________)/\\_//(\/(/\)/\//\/\///|_)_______
 
- */
+                       --------------
+                      /              \
+                     /      REST      \
+                    /        IN        \
+                   /       PEACE        \
+                  /                      \
+                  |      SEC_SERVER      |
+                  |    security=server   |
+                  |                      |
+                  |                      |
+                  |       12 May         |
+                  |                      |
+                  |        2012          |
+                 *|     *  *  *          | *
+        _________)/\\_//(\/(/\)/\//\/\///|_)_______
+
+*/
 enum security_types {SEC_AUTO = 0, 
                     SEC_USER = 2, 
-                    SEC_SERVER = 3,
                     SEC_DOMAIN = 4,
                     SEC_ADS = 5};
 
index 4b075a6..c442a53 100644 (file)
@@ -494,12 +494,6 @@ NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
                                talloc_tos(), "guest sam winbind:ntdomain",
                                NULL);
                        break;
-               case SEC_SERVER:
-                       DEBUG(5,("Making default auth method list for security=server\n"));
-                       auth_method_list = str_list_make_v3(
-                               talloc_tos(), "guest sam smbserver",
-                               NULL);
-                       break;
                case SEC_USER:
                        if (lp_encrypted_passwords()) { 
                                if ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role() == ROLE_DOMAIN_BDC)) {
index 7d82b61..a34e5d5 100644 (file)
@@ -9049,10 +9049,6 @@ static bool lp_load_ex(const char *pszFname,
 
        set_allowed_client_auth();
 
-       if (lp_security() == SEC_SERVER) {
-               DEBUG(1, ("WARNING: The security=server option is deprecated\n"));
-       }
-
        if (lp_security() == SEC_ADS && strchr(lp_passwordserver(), ':')) {
                DEBUG(1, ("WARNING: The optional ':port' in password server = %s is deprecated\n",
                          lp_passwordserver()));
index 9b224d4..b75fc61 100644 (file)
@@ -129,11 +129,9 @@ cannot be set in the smb.conf file. nmbd will abort with this setting.\n");
         * Password server sanity checks.
         */
 
-       if((lp_security() == SEC_SERVER || lp_security() >= SEC_DOMAIN) && !*lp_passwordserver()) {
+       if((lp_security() >= SEC_DOMAIN) && !*lp_passwordserver()) {
                const char *sec_setting;
-               if(lp_security() == SEC_SERVER)
-                       sec_setting = "server";
-               else if(lp_security() == SEC_DOMAIN)
+               if(lp_security() == SEC_DOMAIN)
                        sec_setting = "domain";
                else if(lp_security() == SEC_ADS)
                        sec_setting = "ads";