The branch, v4-13-test has been updated
       via  e0aa042c518 WHATSNEW: list deprecated parameters
       via  8dbeb26319c docs: deprecate "raw NTLMv2 auth"
       via  af78b53f114 docs: deprecate "client plaintext auth"
       via  e2b9972f3c6 docs: deprecate "client NTLMv2 auth"
       via  100e32dba49 docs: deprecate "client lanman auth"
       via  7b48056533e docs: deprecate "client use spnego"
       via  1338e3a481b docs: Deprecate NT4-like domains and SMBv1-only protocol options
       via  e3c608d27e9 selftest: Do not let deprecated option warnings muck this test up
       via  dcf92a69cd0 param: Allow tests to silence deprecation warnings
       via  b44b26b9cd2 selftest: Add test for suppression of deprecation warnings
      from  97d3c93e31e util: Add cmocka unit test for directory_create_or_exists

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test

- Log -----------------------------------------------------------------
commit e0aa042c5187fe7eff075123b8fb3a3344fa87a6
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Jun 16 22:23:32 2020 +1200

    WHATSNEW: list deprecated parameters

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Tue Aug 18 01:32:21 UTC 2020 on sn-devel-184

    (cherry picked from commit 20606fd0a4c4697ff99da59f748af6908d929901)

    Autobuild-User(v4-13-test): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(v4-13-test): Mon Aug 24 15:13:30 UTC 2020 on sn-devel-184

commit 8dbeb26319ce82177068bfed8c25c9c1023adf69
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Sep 5 16:55:35 2019 +1200

    docs: deprecate "raw NTLMv2 auth"

    This parameter is applicable only to SMBv1 and we are deprecating
    SMBv1 specific authentication options for possible removal.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit 8c9d9441edce2e8d7f0428d0ec5e209ed8a55dbc)

commit af78b53f114f0668df7e9439fe0f3f95bcd81979
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Sep 5 16:55:23 2019 +1200

    docs: deprecate "client plaintext auth"

    This parameter is applicable only to SMBv1 and we are deprecating
    SMBv1 specific authentication options for possible removal.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit 37583b19d2c3dbf3e9d0498a39b8b9d9c727e1d4)

commit e2b9972f3c6719e3834eb1ff3df2c25c465d913c
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Sep 5 16:54:01 2019 +1200

    docs: deprecate "client NTLMv2 auth"

    This parameter is applicable only to SMBv1 and we are deprecating
    SMBv1 specific authentication options for possible removal.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit 5543c11c8b007b49641758428af7ba3976683438)

commit 100e32dba493e9274350cb7860ff7cc2a41924b6
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Sep 5 16:53:46 2019 +1200

    docs: deprecate "client lanman auth"

    This parameter is applicable only to SMBv1 and we are deprecating
    SMBv1 specific authentication options for possible removal.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit ac8e5ea22d9f9b16a79f519f69852b46ac798541)

commit 7b48056533e1ad3b65781f92cfcfc5e080648883
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Sep 5 16:53:20 2019 +1200

    docs: deprecate "client use spnego"

    This parameter is applicable only to SMBv1 and we are deprecating
    SMBv1 specific authentication options for possible removal.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit 1b85db57e53533ce14beb79f6d949a08f6ef9f91)

commit 1338e3a481be568d39bd2cafe95e89ca12bdac4c
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Jun 16 21:46:33 2020 +1200

    docs: Deprecate NT4-like domains and SMBv1-only protocol options

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit c6aa710f8da9ef92b388f1c0c59b2dd3c602ad2d)

commit e3c608d27e968d01b439e8d088a18c5d5af9bb45
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Aug 10 20:36:53 2020 +1200

    selftest: Do not let deprecated option warnings muck this test up

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit 9e212dd15e6c484d69f236f3c6d7186f0e6353b4)

commit dcf92a69cd0c776d9e59bbc5166d24d35ebe9be0
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Jul 29 21:26:55 2020 +1200

    param: Allow tests to silence deprecation warnings

    This helps make output sensitive tests more reliable.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit d14cc45c98a77fb8a6ac96181eec33f368b8dbd8)

commit b44b26b9cd2a06326a0744d1a79f0458aefac7d9
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Aug 10 12:18:07 2020 +1200

    selftest: Add test for suppression of deprecation warnings

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14460
Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> (cherry picked from commit d3ff49f48507d8a64b9c4847f79d7939f647e6f0) ----------------------------------------------------------------------- Summary of changes: WHATSNEW.txt | 21 ++++++++++++++ docs-xml/smbdotconf/logon/domainlogons.xml | 7 +++++ docs-xml/smbdotconf/protocol/clientusespnego.xml | 8 ++++++ docs-xml/smbdotconf/security/clientlanmanauth.xml | 9 ++++++ docs-xml/smbdotconf/security/clientntlmv2auth.xml | 9 ++++++ .../smbdotconf/security/clientplaintextauth.xml | 9 ++++++ docs-xml/smbdotconf/security/rawntlmv2auth.xml | 8 ++++++ lib/param/loadparm.c | 22 ++++++++++++--- source3/script/tests/test_smbclient_s3.sh | 4 +++ source3/script/tests/test_testparm_s3.sh | 33 ++++++++++++++++++++++ 10 files changed, 126 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index cac8cecd2b7..e8b7cb4574c 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -52,6 +52,21 @@ causing administrators who need this functionality to have to explicitly add the vfs_widelinks module into the "vfs objects =" parameter lists. The release notes will be updated to note this change when it occurs. +NT4-like 'classic' Samba domain controllers +------------------------------------------- + +Samba 4.13 deprecates Samba's original domain controller mode. + +Sites using Samba as a Domain Controller should upgrade from the +NT4-like 'classic' Domain Controller to a Samba Active Directory DC +to ensure full operation with modern windows clients. + +SMBv1 only protocol options deprecated +-------------------------------------- + +A number of smb.conf parameters for less-secure authentication methods +which are only possible over SMBv1 are deprecated in this release. + REMOVED FEATURES ================ 
@@ -64,6 +79,12 @@ smb.conf changes -------------- ----------- ------- ldap ssl ads removed smb2 disable lock sequence checking No + domain logons Deprecated no + raw NTLMv2 auth Deprecated no + client plaintext auth Deprecated no + client NTLMv2 auth Deprecated yes + client lanman auth Deprecated no + client use spnego Deprecated yes CHANGES SINCE 4.13.0rc1 diff --git a/docs-xml/smbdotconf/logon/domainlogons.xml b/docs-xml/smbdotconf/logon/domainlogons.xml index 7ee419e15af..7f849751a9e 100644 --- a/docs-xml/smbdotconf/logon/domainlogons.xml +++ b/docs-xml/smbdotconf/logon/domainlogons.xml @@ -2,8 +2,15 @@ context="G" type="boolean" function="_domain_logons" + deprecated="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> + <para>This parameter has been deprecated since Samba 4.13 and + support for NT4-style domain logons(as distinct from the Samba + AD DC) will be removed in a future Samba release.</para> + <para>That is, in the future, the current default of + <command>domain logons = no</command> + will be the enforced behaviour.</para> <para> If set to <constant>yes</constant>, the Samba server will provide the netlogon service for Windows 9X network logons for the diff --git a/docs-xml/smbdotconf/protocol/clientusespnego.xml b/docs-xml/smbdotconf/protocol/clientusespnego.xml index b2f3b1257fb..2d45f912f17 100644 --- a/docs-xml/smbdotconf/protocol/clientusespnego.xml +++ b/docs-xml/smbdotconf/protocol/clientusespnego.xml 
@@ -1,8 +1,16 @@ <samba:parameter name="client use spnego" context="G" type="boolean" + deprecated="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> + <para>This parameter has been deprecated since Samba 4.13 and + support for NTLMv2, NTLM and LanMan authentication outside NTLMSSP + will be removed in a future Samba release.</para> + <para>That is, in the future, the current default of + <command>client use spnego = yes</command> + will be the enforced behaviour.</para> + <para> This variable controls whether Samba clients will try to use Simple and Protected NEGOciation (as specified by rfc2478) with supporting servers (including WindowsXP, Windows2000 and Samba diff --git a/docs-xml/smbdotconf/security/clientlanmanauth.xml b/docs-xml/smbdotconf/security/clientlanmanauth.xml index c026b8f429b..60e1c86809e 100644 --- a/docs-xml/smbdotconf/security/clientlanmanauth.xml +++ b/docs-xml/smbdotconf/security/clientlanmanauth.xml @@ -1,8 +1,17 @@ <samba:parameter name="client lanman auth" context="G" type="boolean" + deprecated="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> + <para>This parameter has been deprecated since Samba 4.13 and + support for LanMan (as distinct from NTLM, NTLMv2 or + Kerberos) authentication as a client + will be removed in a future Samba release.</para> + <para>That is, in the future, the current default of + <command>client NTLMv2 auth = yes</command> + will be the enforced behaviour.</para> + <para>This parameter determines whether or not <citerefentry><refentrytitle>smbclient</refentrytitle> <manvolnum>8</manvolnum></citerefentry> and other samba client tools will attempt to authenticate itself to servers using the diff --git a/docs-xml/smbdotconf/security/clientntlmv2auth.xml b/docs-xml/smbdotconf/security/clientntlmv2auth.xml index f42f627bc08..9b47944dfcc 100644 --- a/docs-xml/smbdotconf/security/clientntlmv2auth.xml +++ b/docs-xml/smbdotconf/security/clientntlmv2auth.xml 
@@ -1,8 +1,17 @@ <samba:parameter name="client NTLMv2 auth" context="G" type="boolean" + deprecated="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> + <para>This parameter has been deprecated since Samba 4.13 and + support for NTLM and LanMan (as distinct from NTLMv2 or + Kerberos authentication) + will be removed in a future Samba release.</para> + <para>That is, in the future, the current default of + <command>client NTLMv2 auth = yes</command> + will be the enforced behaviour.</para> + <para>This parameter determines whether or not <citerefentry><refentrytitle>smbclient</refentrytitle> <manvolnum>8</manvolnum></citerefentry> will attempt to authenticate itself to servers using the NTLMv2 encrypted password diff --git a/docs-xml/smbdotconf/security/clientplaintextauth.xml b/docs-xml/smbdotconf/security/clientplaintextauth.xml index 1c4d3566f82..5a51c33216c 100644 --- a/docs-xml/smbdotconf/security/clientplaintextauth.xml +++ b/docs-xml/smbdotconf/security/clientplaintextauth.xml @@ -1,8 +1,17 @@ <samba:parameter name="client plaintext auth" context="G" type="boolean" + deprecated="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> + <para>This parameter has been deprecated since Samba 4.13 and + support for plaintext (as distinct from NTLM, NTLMv2 or + Kerberos authentication) + will be removed in a future Samba release.</para> + <para>That is, in the future, the current default of + <command>client plaintext auth = no</command> + will be the enforced behaviour.</para> + <para>Specifies whether a client should send a plaintext password if the server does not support encrypted passwords.</para> </description> diff --git a/docs-xml/smbdotconf/security/rawntlmv2auth.xml b/docs-xml/smbdotconf/security/rawntlmv2auth.xml index 30e7280bc5d..c4d75546388 100644 --- a/docs-xml/smbdotconf/security/rawntlmv2auth.xml +++ b/docs-xml/smbdotconf/security/rawntlmv2auth.xml 
@@ -1,8 +1,16 @@ <samba:parameter name="raw NTLMv2 auth" context="G" type="boolean" + deprecated="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> + <para>This parameter has been deprecated since Samba 4.13 and + support for NTLMv2 authentication without NTLMSSP will be removed + in a future Samba release.</para> + <para>That is, in the future, the current default of + <command>raw NTLMv2 auth = no</command> + will be the enforced behaviour.</para> + <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle> <manvolnum>8</manvolnum></citerefentry> will allow SMB1 clients without extended security (without SPNEGO) to use NTLMv2 authentication.</para> diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index da639a8b0ff..e041f4fb01b 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -1863,8 +1863,15 @@ bool lpcfg_do_global_parameter(struct loadparm_context *lp_ctx, } if (parm_table[parmnum].flags & FLAG_DEPRECATED) { - DEBUG(1, ("WARNING: The \"%s\" option is deprecated\n", - pszParmName)); + char *suppress_env = getenv("SAMBA_DEPRECATED_SUPPRESS"); + bool print_warning = (suppress_env == NULL + || suppress_env[0] == '\0'); + if (print_warning) { + DBG_WARNING("WARNING: The \"%s\" option " + "is deprecated\n", + pszParmName); + + } } parm_ptr = lpcfg_parm_ptr(lp_ctx, NULL, &parm_table[parmnum]); @@ -1896,8 +1903,15 @@ bool lpcfg_do_service_parameter(struct loadparm_context *lp_ctx, } if (parm_table[parmnum].flags & FLAG_DEPRECATED) { - DEBUG(1, ("WARNING: The \"%s\" option is deprecated\n", - pszParmName)); + char *suppress_env = getenv("SAMBA_DEPRECATED_SUPPRESS"); + bool print_warning = (suppress_env == NULL + || suppress_env[0] == '\0'); + if (print_warning) { + DBG_WARNING("WARNING: The \"%s\" option " + "is deprecated\n", + pszParmName); + + } } if (parm_table[parmnum].p_class == P_GLOBAL) { 
diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh index 3ea55f54107..62662690415 100755 --- a/source3/script/tests/test_smbclient_s3.sh +++ b/source3/script/tests/test_smbclient_s3.sh @@ -33,6 +33,10 @@ incdir=`dirname $0`/../../../testprogs/blackbox failed=0 +# Do not let deprecated option warnings muck this up +SAMBA_DEPRECATED_SUPPRESS=1 +export SAMBA_DEPRECATED_SUPPRESS + # Test that a noninteractive smbclient does not prompt test_noninteractive_no_prompt() { diff --git a/source3/script/tests/test_testparm_s3.sh b/source3/script/tests/test_testparm_s3.sh index 6dcdeff07d7..9ef3f7e0097 100755 --- a/source3/script/tests/test_testparm_s3.sh +++ b/source3/script/tests/test_testparm_s3.sh @@ -58,6 +58,36 @@ EOF ${TESTPARM} ${TEMP_CONFFILE} } +test_testparm_deprecated() +{ + name=$1 + old_SAMBA_DEPRECATED_SUPPRESS=$SAMBA_DEPRECATED_SUPPRESS + SAMBA_DEPRECATED_SUPPRESS= + export SAMBA_DEPRECATED_SUPPRESS + testit_grep $name 'WARNING: The "lsaovernetlogon" option is deprecated' $VALGRIND ${TESTPARM} ${TEMP_CONFFILE} --option='lsaovernetlogon=true' + SAMBA_DEPRECATED_SUPPRESS=$old_SAMBA_DEPRECATED_SUPPRESS + export SAMBA_DEPRECATED_SUPPRESS +} + +test_testparm_deprecated_suppress() +{ + name=$1 + subunit_start_test "$name" + output=$(SAMBA_DEPRECATED_SUPPRESS=1 $VALGRIND ${TESTPARM} ${TEMP_CONFFILE} --option='lsa over netlogon = true' 2>&1) + status=$? + if [ "$status" = "0" ]; then + echo "$output" | grep --quiet 'WARNING: The "lsa over netlogon " option is deprecated' + status=$? + if [ "$status" = "1" ]; then + subunit_pass_test "$name" + else + echo $output | subunit_fail_test "$name" + fi + else + echo $output | subunit_fail_test "$name" + fi +} + testit "name resolve order = lmhosts wins host bcast"\ test_one_global_option "name resolve order = lmhosts wins host bcast" || \ failed=`expr ${failed} + 1` 
@@ -112,6 +142,9 @@ testit "copy" \ test_copy || \ failed=`expr ${failed} + 1` +test_testparm_deprecated "test_deprecated_warning_printed" +test_testparm_deprecated_suppress "test_deprecated_warning_suppressed" + rm -f ${TEMP_CONFFILE} testok $0 ${failed} -- Samba Shared Repository
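
Review bot: In the WHATSNEW.txt hunk at @@ -52,6 +52,21 @@, the new "SMBv1 only protocol options deprecated" section does not name the parameters it covers or say what an administrator should do about them. The names only appear further down in the "smb.conf changes" table, so I would list them here too ("raw NTLMv2 auth", "client plaintext auth", "client NTLMv2 auth", "client lanman auth", "client use spnego") and state that the listed defaults are the values that will be enforced. Also, "modern windows clients" should read "modern Windows clients".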
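
Review bot: In the docs-xml/smbdotconf/logon/domainlogons.xml hunk, the first added <para> is missing a space in "domain logons(as distinct from the Samba AD DC)". This text is rendered into the smb.conf man page, so it should read "domain logons (as distinct from ...".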
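
Review bot: In the docs-xml/smbdotconf/security/clientlanmanauth.xml hunk, the second added <para> names the wrong parameter: it says the enforced default will be "client NTLMv2 auth = yes", which is the sentence used in clientntlmv2auth.xml. The WHATSNEW table in this same changeset lists the default for "client lanman auth" as "no", so the <command> element here should read "client lanman auth = no". As it stands, the man page entry for the LanMan option never says which LanMan setting will be locked in.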
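
Review bot: In the lib/param/loadparm.c hunk at @@ -1863,8 +1863,15 @@ (lpcfg_do_global_parameter), the test "suppress_env == NULL || suppress_env[0] == '\0'" means any non-empty value of SAMBA_DEPRECATED_SUPPRESS silences the warning, including "0" or "no". The commit message says this is for tests, but nothing in the visible lines limits it to test runs, and the options being deprecated in this series are the weak-authentication ones an administrator most needs to be warned about. I would either accept only an explicit value such as "1" or document the variable and its "any non-empty value" semantics next to the code. Two smaller points: the getenv() result can be held in a "const char *", and there is a stray blank line before the closing brace of the "if (print_warning)" block.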
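
Review bot: In the lib/param/loadparm.c hunk at @@ -1896,8 +1903,15 @@ (lpcfg_do_service_parameter), the getenv()/print_warning block is a line-for-line copy of the one added to lpcfg_do_global_parameter above. A small static helper that takes pszParmName and does the environment check and the DBG_WARNING call would keep the two paths from drifting apart if the suppression rule changes later. The same stray blank line before the closing brace is repeated here.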
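
Review bot: In the source3/script/tests/test_testparm_s3.sh hunk at @@ -58,6 +58,36 @@, test_testparm_deprecated_suppress greps for 'WARNING: The "lsa over netlogon " option is deprecated', with a space before the closing quote and a different spelling from the "lsaovernetlogon" that test_testparm_deprecated matches. If that pattern does not correspond exactly to what testparm prints, grep returns 1 whether or not suppression works, and the test passes without checking anything. I would pass the same --option spelling in both functions and grep for the same string, so that the only difference between the positive and the negative test is SAMBA_DEPRECATED_SUPPRESS. Separately, "echo $output" on the two failure paths is unquoted and will collapse the captured output onto one line; "echo "$output"" is already used for the grep a few lines above.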