The branch, v3-6-test has been updated
via c173b7b s3-testparm Warn about incorrect use of 'password server'
via 7938753 s3-param Depricate 'password server = foo:12389' syntax
via da3c013 s3-param Deprecate a number of security parameters for 3.6
via 6fc56d4 docs: Clarify the 'security=server' fails for NTLMv2
via 168522c docs: Rewrite 'password server' documentation
from 0b45809 Fix bug #8150 - Ban 'dos charset = utf8'
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test
- Log -----------------------------------------------------------------
commit c173b7bc0bf1e93406b692b27e1987928e81b47c
Author: Andrew Bartlett <abart...@samba.org>
Date: Wed May 18 11:53:34 2011 +1000
s3-testparm Warn about incorrect use of 'password server'
The last 5 patches address bug #8151 (deprecate security parameters for
3.6).
commit 7938753a2973f596bc4cfac7d7829faeb550e7c1
Author: Andrew Bartlett <abart...@samba.org>
Date: Mon May 23 10:42:57 2011 +1000
s3-param Depricate 'password server = foo:12389' syntax
This was originally intended to allow the LDAP port on a DC to be
varied, but makes little sense to change one port when in an
environment where krb5, ldap, smb and potentially DCE/RPC over TCP are
involved.
Andrew Bartlett
commit da3c01387dc0ae0be0de768b4240f164b0a96c25
Author: Andrew Bartlett <abart...@samba.org>
Date: Fri May 13 17:55:41 2011 +0200
s3-param Deprecate a number of security parameters for 3.6
This follows up on the agreement on the samba-technical list in Jan
2011 to deprecate these options, and to possibly remove these in the
4.0 release after user feedback.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abart...@samba.org>
Autobuild-Date: Fri May 13 19:51:41 CEST 2011 on sn-devel-104
commit 6fc56d402ecbb864f3b906f096ac9e2c77b9fbab
Author: Andrew Bartlett <abart...@samba.org>
Date: Mon May 23 10:42:40 2011 +1000
docs: Clarify the 'security=server' fails for NTLMv2
commit 168522c1cbb7981e87cc05bf619f65867e5d3cb3
Author: Andrew Bartlett <abart...@samba.org>
Date: Mon May 23 10:20:47 2011 +1000
docs: Rewrite 'password server' documentation
I think this new version is more clear.
Andrew Bartlett
-----------------------------------------------------------------------
Summary of changes:
docs-xml/smbdotconf/logon/enableprivileges.xml | 2 +-
docs-xml/smbdotconf/protocol/usespnego.xml | 2 +-
docs-xml/smbdotconf/security/passwordlevel.xml | 2 +-
docs-xml/smbdotconf/security/passwordserver.xml | 106 +++++++++--------
docs-xml/smbdotconf/security/security.xml | 145 +++++++++++------------
docs-xml/smbdotconf/security/username.xml | 2 +-
source3/param/loadparm.c | 21 +++-
source3/utils/testparm.c | 21 +++-
8 files changed, 161 insertions(+), 140 deletions(-)
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/logon/enableprivileges.xml
b/docs-xml/smbdotconf/logon/enableprivileges.xml
index 3e958e0..0fbc504 100644
--- a/docs-xml/smbdotconf/logon/enableprivileges.xml
+++ b/docs-xml/smbdotconf/logon/enableprivileges.xml
@@ -5,7 +5,7 @@
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc";>
<description>
<para>
- This parameter controls whether or not smbd will honor privileges
assigned to specific SIDs via either
+ This deprecated parameter controls whether or not smbd will honor
privileges assigned to specific SIDs via either
<command>net rpc rights</command> or one of the Windows user and group
manager tools. This parameter is
enabled by default. It can be disabled to prevent members of the Domain
Admins group from being able to
assign privileges to users or groups which can then result in certain
smbd operations running as root that
diff --git a/docs-xml/smbdotconf/protocol/usespnego.xml
b/docs-xml/smbdotconf/protocol/usespnego.xml
index 8fb559c..c975c9b 100644
--- a/docs-xml/smbdotconf/protocol/usespnego.xml
+++ b/docs-xml/smbdotconf/protocol/usespnego.xml
@@ -4,7 +4,7 @@
developer="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc";>
<description>
- <para>This variable controls controls whether samba will try
+ <para>This deprecated variable controls controls whether samba will try
to use Simple and Protected NEGOciation (as specified by rfc2478) with
WindowsXP and Windows2000 clients to agree upon an authentication
mechanism.
</para>
diff --git a/docs-xml/smbdotconf/security/passwordlevel.xml
b/docs-xml/smbdotconf/security/passwordlevel.xml
index 1da11e4..754bbdf 100644
--- a/docs-xml/smbdotconf/security/passwordlevel.xml
+++ b/docs-xml/smbdotconf/security/passwordlevel.xml
@@ -13,7 +13,7 @@
text passwords even when NT LM 0.12 selected by the protocol
negotiation request/response.</para>
- <para>This parameter defines the maximum number of characters
+ <para>This deprecated parameter defines the maximum number of characters
that may be upper case in passwords.</para>
<para>For example, say the password given was "FRED". If
<parameter moreinfo="none">
diff --git a/docs-xml/smbdotconf/security/passwordserver.xml
b/docs-xml/smbdotconf/security/passwordserver.xml
index 0e92af9..0aa3b51 100644
--- a/docs-xml/smbdotconf/security/passwordserver.xml
+++ b/docs-xml/smbdotconf/security/passwordserver.xml
@@ -10,54 +10,24 @@
it is possible to get Samba
to do all its username/password validation using a specific remote
server.</para>
- <para>This option sets the name or IP address of the password server to
use.
- New syntax has been added to support defining the port to use when
connecting
- to the server the case of an ADS realm. To define a port other than the
- default LDAP port of 389, add the port number using a colon after the
- name or IP address (e.g. 192.168.1.100:389). If you do not specify a port,
- Samba will use the standard LDAP port of tcp/389. Note that port numbers
- have no effect on password servers for Windows NT 4.0 domains or netbios
- connections.</para>
-
- <para>If parameter is a name, it is looked up using the
- parameter <smbconfoption name="name resolve order"/> and so may resolved
- by any method and order described in that parameter.</para>
-
- <para>The password server must be a machine capable of using
- the "LM1.2X002" or the "NT LM 0.12" protocol, and it
must be in
- user level security mode.</para>
-
- <note><para>Using a password server means your UNIX box (running
- Samba) is only as secure as your password server. <emphasis>DO NOT
- CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST</emphasis>.
- </para></note>
-
- <para>Never point a Samba server at itself for password serving.
- This will cause a loop and could lock up your Samba server!</para>
-
- <para>The name of the password server takes the standard
- substitutions, but probably the only useful one is <parameter
moreinfo="none">%m
- </parameter>, which means the Samba server will use the incoming
- client as the password server. If you use this then you better
- trust your clients, and you had better restrict them with hosts
allow!</para>
-
<para>If the <parameter moreinfo="none">security</parameter> parameter is
set to
- <constant>domain</constant> or <constant>ads</constant>, then the list of
machines in this
- option must be a list of Primary or Backup Domain controllers for the
- Domain or the character '*', as the Samba server is effectively
- in that domain, and will use cryptographically authenticated RPC calls
- to authenticate the user logging on. The advantage of using <command
moreinfo="none">
- security = domain</command> is that if you list several hosts in the
- <parameter moreinfo="none">password server</parameter> option then
<command moreinfo="none">smbd
- </command> will try each in turn till it finds one that responds. This
- is useful in case your primary server goes down.</para>
+ <constant>domain</constant> or <constant>ads</constant>, then this option
+ <emphasis>should not</emphasis> be used, as the default '*' indicates to
Samba
+ to determine the best DC to contact dynamically, just as all other hosts
in an
+ AD domain do. This allows the domain to be maintained without
modification to
+ the smb.conf file. The cryptograpic protection on the authenticated RPC
calls
+ used to verify passwords ensures that this default is safe.</para>
- <para>If the <parameter moreinfo="none">password server</parameter> option
is set
- to the character '*', then Samba will attempt to auto-locate the
- Primary or Backup Domain controllers to authenticate against by
- doing a query for the name <constant>WORKGROUP<1C></constant>
- and then contacting each server returned in the list of IP
- addresses from the name resolution source. </para>
+ <para><emphasis>It is strongly recommended that you use the
+ default of '*'</emphasis>, however if in your particular
+ environment you have reason to specify a particular DC list, then
+ the list of machines in this option must be a list of names or IP
+ addresses of Domain controllers for the Domain. If you use the
+ default of '*', or list several hosts in the <parameter
+ moreinfo="none">password server</parameter> option then <command
+ moreinfo="none">smbd </command> will try each in turn till it
+ finds one that responds. This is useful in case your primary
+ server goes down.</para>
<para>If the list of servers contains both names/IP's and the '*'
character, the list is treated as a list of preferred
@@ -65,10 +35,12 @@
will be added to the list as well. Samba will not attempt to optimize
this list by locating the closest DC.</para>
+ <para>If parameter is a name, it is looked up using the
+ parameter <smbconfoption name="name resolve order"/> and so may resolved
+ by any method and order described in that parameter.</para>
+
<para>If the <parameter moreinfo="none">security</parameter> parameter is
- set to <constant>server</constant>, then there are different
- restrictions that <command moreinfo="none">security = domain</command>
doesn't
- suffer from:</para>
+ set to <constant>server</constant>, these additional restrictions
apply:</para>
<itemizedlist>
<listitem>
@@ -82,12 +54,42 @@
</listitem>
<listitem>
- <para>If you are using a Windows NT server as your
- password server then you will have to ensure that your users
+ <para>You will have to ensure that your users
are able to login from the Samba server, as when in <command
moreinfo="none">
security = server</command> mode the network logon will appear to
- come from there rather than from the users workstation.</para>
+ come from the Samba server rather than from the users
workstation.</para>
+ </listitem>
+
+ <listitem>
+ <para>The client must not select NTLMv2 authentication.</para>
</listitem>
+
+ <listitem>
+ <para>The password server must be a machine capable of using
+ the "LM1.2X002" or the "NT LM 0.12" protocol, and
it must be in
+ user level security mode.</para>
+ </listitem>
+
+ <listitem>
+ <para>Using a password server means your UNIX box (running
+ Samba) is only as secure as (a host masqurading as) your password
server. <emphasis>DO NOT
+ CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST</emphasis>.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>Never point a Samba server at itself for password serving.
+ This will cause a loop and could lock up your Samba server!</para>
+ </listitem>
+
+ <listitem>
+ <para>The name of the password server takes the standard
+ substitutions, but probably the only useful one is <parameter
moreinfo="none">%m
+ </parameter>, which means the Samba server will use the incoming
+ client as the password server. If you use this then you better
+ trust your clients, and you had better restrict them with hosts
allow!</para>
+ </listitem>
+
</itemizedlist>
</description>
diff --git a/docs-xml/smbdotconf/security/security.xml
b/docs-xml/smbdotconf/security/security.xml
index 514ea54..ed71f95 100644
--- a/docs-xml/smbdotconf/security/security.xml
+++ b/docs-xml/smbdotconf/security/security.xml
@@ -22,32 +22,18 @@
the most common setting needed when talking to Windows 98 and
Windows NT.</para>
- <para>The alternatives are <command moreinfo="none">security =
share</command>,
- <command moreinfo="none">security = server</command> or <command
moreinfo="none">security = domain
- </command>.</para>
+ <para>The alternatives are
+ <command moreinfo="none">security = ads</command> or <command
moreinfo="none">security = domain
+ </command>, which support joining Samba to a Windows domain, along with
<command moreinfo="none">security = share</command> and <command
moreinfo="none">security = server</command>, both of which are
deprecated.</para>
<para>In versions of Samba prior to 2.0.0, the default was
<command moreinfo="none">security = share</command> mainly because that was
the only option at one stage.</para>
- <para>There is a bug in WfWg that has relevance to this
- setting. When in user or server level security a WfWg client
- will totally ignore the username and password you type in the
"connect
- drive" dialog box. This makes it very difficult (if not impossible)
- to connect to a Samba service as anyone except the user that
- you are logged into WfWg as.</para>
-
- <para>If your PCs use usernames that are the same as their
- usernames on the UNIX machine then you will want to use
- <command moreinfo="none">security = user</command>. If you mostly use
usernames
- that don't exist on the UNIX box then use <command
moreinfo="none">security =
- share</command>.</para>
-
- <para>You should also use <command moreinfo="none">security =
share</command> if you
+ <para>You should use <command moreinfo="none">security = user</command> and
+ <smbconfoption name="map to guest"/> if you
want to mainly setup shares without a password (guest shares). This
- is commonly used for a shared printer server. It is more difficult
- to setup guest shares with <command moreinfo="none">security =
user</command>, see
- the <smbconfoption name="map to guest"/> parameter for details.</para>
+ is commonly used for a shared printer server. </para>
<para>It is possible to use <command moreinfo="none">smbd</command> in a
<emphasis>
hybrid mode</emphasis> where it is offers both user and share
@@ -56,7 +42,62 @@
<para>The different settings will now be explained.</para>
+ <para><anchor id="SECURITYEQUALSUSER"/><emphasis>SECURITY =
USER</emphasis></para>
+
+ <para>This is the default security setting in Samba.
+ With user-level security a client must first "log-on" with a
+ valid username and password (which can be mapped using the <smbconfoption
name="username map"/>
+ parameter). Encrypted passwords (see the <smbconfoption name="encrypted
passwords"/> parameter) can also
+ be used in this security mode. Parameters such as <smbconfoption
name="user"/> and <smbconfoption
+ name="guest only"/> if set are then applied and
+ may change the UNIX user to use on this connection, but only after
+ the user has been successfully authenticated.</para>
+
+ <para><emphasis>Note</emphasis> that the name of the resource being
+ requested is <emphasis>not</emphasis> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <smbconfoption
name="guest account"/>.
+ See the <smbconfoption name="map to guest"/> parameter for details on
doing this.</para>
+
+ <para>See also the section <link linkend="VALIDATIONSECT">NOTE ABOUT
USERNAME/PASSWORD VALIDATION</link>.</para>
+
+ <para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY =
DOMAIN</emphasis></para>
+
+ <para>This mode will only work correctly if
<citerefentry><refentrytitle>net</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> has been used to add this
+ machine into a Windows NT Domain. It expects the <smbconfoption
name="encrypted passwords"/>
+ parameter to be set to <constant>yes</constant>. In this
+ mode Samba will try to validate the username/password by passing
+ it to a Windows NT Primary or Backup Domain Controller, in exactly
+ the same way that a Windows NT Server would do.</para>
+
+ <para><emphasis>Note</emphasis> that a valid UNIX user must still
+ exist as well as the account on the Domain Controller to allow
+ Samba to have a valid UNIX account to map file access to.</para>
+
+ <para><emphasis>Note</emphasis> that from the client's point
+ of view <command moreinfo="none">security = domain</command> is the same
+ as <command moreinfo="none">security = user</command>. It only
+ affects how the server deals with the authentication,
+ it does not in any way affect what the client sees.</para>
+
+ <para><emphasis>Note</emphasis> that the name of the resource being
+ requested is <emphasis>not</emphasis> sent to the server until after
+ the server has successfully authenticated the client. This is why
+ guest shares don't work in user level security without allowing
+ the server to automatically map unknown users into the <smbconfoption
name="guest account"/>.
+ See the <smbconfoption name="map to guest"/> parameter for details on
doing this.</para>
+
+ <para>See also the section <link linkend="VALIDATIONSECT">
+ NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
+
+ <para>See also the <smbconfoption name="password server"/> parameter and
+ the <smbconfoption name="encrypted passwords"/> parameter.</para>
+
<para><anchor id="SECURITYEQUALSSHARE"/><emphasis>SECURITY =
SHARE</emphasis></para>
+
+ <note><para>This option is deprecated as it is incompatible with
SMB2</para></note>
<para>When clients connect to a share level security server, they
need not log onto the server with a valid username and password before
@@ -135,63 +176,10 @@
<para>See also the section <link linkend="VALIDATIONSECT">
NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
- <para><anchor id="SECURITYEQUALSUSER"/><emphasis>SECURITY =
USER</emphasis></para>
-
- <para>This is the default security setting in Samba 3.0.
- With user-level security a client must first "log-on" with a
- valid username and password (which can be mapped using the <smbconfoption
name="username map"/>
- parameter). Encrypted passwords (see the <smbconfoption name="encrypted
passwords"/> parameter) can also
- be used in this security mode. Parameters such as <smbconfoption
name="user"/> and <smbconfoption
- name="guest only"/> if set are then applied and
- may change the UNIX user to use on this connection, but only after
- the user has been successfully authenticated.</para>
-
- <para><emphasis>Note</emphasis> that the name of the resource being
- requested is <emphasis>not</emphasis> sent to the server until after
- the server has successfully authenticated the client. This is why
- guest shares don't work in user level security without allowing
- the server to automatically map unknown users into the <smbconfoption
name="guest account"/>.
- See the <smbconfoption name="map to guest"/> parameter for details on
doing this.</para>
-
- <para>See also the section <link linkend="VALIDATIONSECT">NOTE ABOUT
USERNAME/PASSWORD VALIDATION</link>.</para>
-
- <para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY =
DOMAIN</emphasis></para>
-
- <para>This mode will only work correctly if
<citerefentry><refentrytitle>net</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> has been used to add this
- machine into a Windows NT Domain. It expects the <smbconfoption
name="encrypted passwords"/>
- parameter to be set to <constant>yes</constant>. In this
- mode Samba will try to validate the username/password by passing
- it to a Windows NT Primary or Backup Domain Controller, in exactly
- the same way that a Windows NT Server would do.</para>
-
- <para><emphasis>Note</emphasis> that a valid UNIX user must still
- exist as well as the account on the Domain Controller to allow
- Samba to have a valid UNIX account to map file access to.</para>
-
- <para><emphasis>Note</emphasis> that from the client's point
- of view <command moreinfo="none">security = domain</command> is the same
- as <command moreinfo="none">security = user</command>. It only
- affects how the server deals with the authentication,
- it does not in any way affect what the client sees.</para>
-
- <para><emphasis>Note</emphasis> that the name of the resource being
- requested is <emphasis>not</emphasis> sent to the server until after
- the server has successfully authenticated the client. This is why
- guest shares don't work in user level security without allowing
- the server to automatically map unknown users into the <smbconfoption
name="guest account"/>.
- See the <smbconfoption name="map to guest"/> parameter for details on
doing this.</para>
-
- <para>See also the section <link linkend="VALIDATIONSECT">
- NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
-
- <para>See also the <smbconfoption name="password server"/> parameter and
- the <smbconfoption name="encrypted passwords"/> parameter.</para>
-
<para><anchor id="SECURITYEQUALSSERVER"/><emphasis>SECURITY =
SERVER</emphasis></para>
<para>
- In this mode Samba will try to validate the username/password by
passing it to another SMB server, such as an
+ In this depicted mode Samba will try to validate the username/password
by passing it to another SMB server, such as an
NT box. If this fails it will revert to <command
moreinfo="none">security = user</command>. It expects the
<smbconfoption name="encrypted passwords"/> parameter to be set to
<constant>yes</constant>, unless the remote
server does not support them. However note that if encrypted passwords
have been negotiated then Samba cannot
@@ -203,19 +191,24 @@
<note><para>This mode of operation has
significant pitfalls since it is more vulnerable to
man-in-the-middle attacks and server impersonation. In particular,
- this mode of operation can cause significant resource consuption on
+ this mode of operation can cause significant resource consumption on
the PDC, as it must maintain an active connection for the duration
of the user's session. Furthermore, if this connection is lost,
- there is no way to reestablish it, and futher authentications to the
+ there is no way to reestablish it, and further authentications to the
Samba server may fail (from a single client, till it disconnects).
</para></note>
+ <note><para>If the client selects NTLMv2 authentication, then this mode
of operation <emphasis>will fail</emphasis>
+ </para></note>
+
<note><para>From the client's point of
view, <command moreinfo="none">security = server</command> is the
same as <command moreinfo="none">security = user</command>. It
only affects how the server deals with the authentication, it does
not in any way affect what the client sees.</para></note>
+ <note><para>This option is deprecated, and may be removed in
future</para></note>
+
<para><emphasis>Note</emphasis> that the name of the resource being
requested is <emphasis>not</emphasis> sent to the server until after
the server has successfully authenticated the client. This is why
diff --git a/docs-xml/smbdotconf/security/username.xml
b/docs-xml/smbdotconf/security/username.xml
index 3a45d4d..788f617 100644
--- a/docs-xml/smbdotconf/security/username.xml
+++ b/docs-xml/smbdotconf/security/username.xml
@@ -9,7 +9,7 @@
list, in which case the supplied password will be tested against
each username in turn (left to right).</para>
- <para>The <parameter moreinfo="none">username</parameter> line is needed
only when
+ <para>The deprecated <parameter moreinfo="none">username</parameter> line
is needed only when
the PC is unable to supply its own username. This is the case
for the COREPLUS protocol or where your users have different WfWg
usernames to UNIX usernames. In both these cases you may also be
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index be99759..77b67f1 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -1161,7 +1161,7 @@ static struct parm_struct parm_table[] = {
.ptr = &Globals.bNullPasswords,
.special = NULL,
.enum_list = NULL,
- .flags = FLAG_ADVANCED,
+ .flags = FLAG_ADVANCED | FLAG_DEPRECATED,
},
{
.label = "obey pam restrictions",
@@ -1260,7 +1260,7 @@ static struct parm_struct parm_table[] = {
.ptr = &Globals.bEnablePrivileges,
.special = NULL,
.enum_list = NULL,
- .flags = FLAG_ADVANCED,
+ .flags = FLAG_ADVANCED | FLAG_DEPRECATED,
},
{
@@ -1333,7 +1333,7 @@ static struct parm_struct parm_table[] = {
.ptr = &Globals.pwordlevel,
.special = NULL,
.enum_list = NULL,
- .flags = FLAG_ADVANCED,
+ .flags = FLAG_ADVANCED | FLAG_DEPRECATED,
},
{
.label = "username level",
@@ -1432,7 +1432,7 @@ static struct parm_struct parm_table[] = {
.ptr = &sDefault.szUsername,
.special = NULL,
.enum_list = NULL,
- .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE,
+ .flags = FLAG_ADVANCED | FLAG_GLOBAL | FLAG_SHARE |
FLAG_DEPRECATED,
},
{
.label = "user",
@@ -2295,7 +2295,7 @@ static struct parm_struct parm_table[] = {
.ptr = &Globals.bUseSpnego,
.special = NULL,
.enum_list = NULL,
- .flags = FLAG_ADVANCED,
+ .flags = FLAG_ADVANCED | FLAG_DEPRECATED,
},
{
.label = "client signing",
@@ -9618,6 +9618,17 @@ static bool lp_load_ex(const char *pszFname,
set_default_server_announce_type();
set_allowed_client_auth();
+ if (lp_security() == SEC_SHARE) {
+ DEBUG(1, ("WARNING: The security=share option is
deprecated\n"));
+ } else if (lp_security() == SEC_SERVER) {
+ DEBUG(1, ("WARNING: The security=server option is
deprecated\n"));
+ }
+
+ if (lp_security() == SEC_ADS && strchr(lp_passwordserver(), ':')) {
+ DEBUG(1, ("WARNING: The optional ':port' in password server =
%s is deprecated\n",
+ lp_passwordserver()));
+ }
+
bLoaded = True;
/* Now we check bWINSsupport and set szWINSserver to 127.0.0.1 */
diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
index 978ada2..6076a57 100644
--- a/source3/utils/testparm.c
+++ b/source3/utils/testparm.c
@@ -128,20 +128,35 @@ cannot be set in the smb.conf file. nmbd will abort with
this setting.\n");
* Password server sanity checks.
*/
- if((lp_security() == SEC_SERVER || lp_security() >= SEC_DOMAIN) &&
!lp_passwordserver()) {
+ if((lp_security() == SEC_SERVER || lp_security() >= SEC_DOMAIN) &&
!*lp_passwordserver()) {
const char *sec_setting;
if(lp_security() == SEC_SERVER)
sec_setting = "server";
else if(lp_security() == SEC_DOMAIN)
sec_setting = "domain";
+ else if(lp_security() == SEC_ADS)
+ sec_setting = "ads";
else
sec_setting = "";
- fprintf(stderr, "ERROR: The setting 'security=%s' requires the
'password server' parameter be set \
-to a valid password server.\n", sec_setting );
+ fprintf(stderr, "ERROR: The setting 'security=%s' requires the
'password server' parameter be set\n"
+ "to the default value * or a valid password server.\n",
sec_setting );
ret = 1;
}
+ if((lp_security() >= SEC_DOMAIN) && (strcmp(lp_passwordserver(), "*")
!= 0)) {
+ const char *sec_setting;
+ if(lp_security() == SEC_DOMAIN)
+ sec_setting = "domain";
+ else if(lp_security() == SEC_ADS)
+ sec_setting = "ads";
+ else
+ sec_setting = "";
+
+ fprintf(stderr, "WARNING: The setting 'security=%s' should NOT
be combined with the 'password server' parameter.\n"
+ "(by default Samba will discover the correct DC to
contact automatically).\n", sec_setting );
+ }
+
/*
* Password chat sanity checks.
*/
--
Samba Shared Repository
