The branch, master has been updated
       via  62875044ec4 WHATSNEW: Document changes of trusted domains scanning and enterprise principals
       via  3e0fbc79b9c docs-xml: Disable `winbind scan trusted domains` by default
       via  106c2b3977e docs-xml: Enable `winbind use krb5 enterprise principals` by default
       via  abb022b957a docs-xml: Fix description of `winbind use krb5 enterprise principals`
      from  1139f96cc78 s3: VFS: posixacl_xattr: Remove posixacl_xattr_acl_set_file(). No longer used.
https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------

commit 62875044ec41449967ff7a139e0c5816fa471428
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Jun 23 10:13:24 2021 +0200

    WHATSNEW: Document changes of trusted domains scanning and enterprise principals

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

    Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
    Autobuild-Date(master): Wed Jun 23 10:46:22 UTC 2021 on sn-devel-184

commit 3e0fbc79b9c53a7244a35649bb5c6615390a1453
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Jun 18 10:11:06 2021 +0200

    docs-xml: Disable `winbind scan trusted domains` by default

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 106c2b3977e35b2d9ad3535710fcbda80aa7fa97
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Jun 15 16:14:11 2021 +0200

    docs-xml: Enable `winbind use krb5 enterprise principals` by default

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit abb022b957a0ac8b381059c3199a8b179502fac2
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Jun 15 17:31:46 2021 +0200

    docs-xml: Fix description of `winbind use krb5 enterprise principals`

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                               | 13 +++++++++++++
 docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml  |  6 +++---
 .../winbind/winbindusekrb5enterpriseprincipals.xml         |  6 +++---
 lib/param/loadparm.c                                       |  6 +++++-
 selftest/target/Samba3.pm                                  |  1 -
 source3/param/loadparm.c                                   |  4 +++-
 6 files changed, 27 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index b36036a25d4..d8effc5ce09 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -108,6 +108,17 @@ smbd: winbindd: --log-stdout -> --debug-stdout +Scanning of trusted domains and enterpise principals +---------------------------------------------------- + +As an artifact from the NT4 times, we still scanned the list of trusted domains +on winbindd startup. This is wrong as we never can get a full picture in Active +Directory. It is time to change the default value to No. Also with this change +we always use enterprise principals for Kerberos so that the DC will be able +to redirect ticket requests to the right DC. This is e.g needed for one way +trusts. The options `winbind use krb5 enterprise principals` and +`winbind scan trusted domains` will be deprecated in one of the next releases. + REMOVED FEATURES ================ @@ -128,6 +139,8 @@ smb.conf changes -------------- ----------- ------- client use kerberos New desired client protection New default + winbind use krb5 enterprise principals Changed Yes + winbind scan trusted domains Changed No KNOWN ISSUES diff --git a/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml index 31afdc92b53..12e94cb93f3 100644 --- a/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml +++ b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml 
@@ -6,10 +6,10 @@ <para> This option only takes effect when the <smbconfoption name="security"/> option is set to <constant>domain</constant> or <constant>ads</constant>. - If it is set to yes (the default), winbindd periodically tries to scan for new + If it is set to yes, winbindd periodically tries to scan for new trusted domains and adds them to a global list inside of winbindd. The list can be extracted with <command>wbinfo --trusted-domains --verbose</command>. - This matches the behaviour of Samba 4.7 and older.</para> + Setting it to yes matches the behaviour of Samba 4.7 and older.</para> <para>The construction of that global list is not reliable and often incomplete in complex trust setups. In most situations the list is @@ -25,5 +25,5 @@ </para> </description> -<value type="default">yes</value> +<value type="default">no</value> </samba:parameter> diff --git a/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml index bfc11c8636c..d30b7f36a07 100644 --- a/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml +++ b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml @@ -14,7 +14,7 @@ </para> <para>With <smbconfoption name="winbind scan trusted domains">no</smbconfoption> - winbindd don't even get an incomplete picture of the topology. + winbindd doesn't even get a complete picture of the topology. </para> <para>It is not really required to know about the trust topology. @@ -29,6 +29,6 @@ </para> </description> -<value type="default">no</value> -<value type="example">yes</value> +<value type="default">yes</value> +<value type="example">no</value> </samba:parameter> diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 54920b85027..59ddc213156 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c 
@@ -2653,7 +2653,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "winbind separator", "\\"); lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True"); - lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "True"); + lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "False"); lpcfg_do_global_parameter(lp_ctx, "require strong key", "True"); lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR); lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR); @@ -2964,6 +2964,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) "acl flag inherited canonicalization", "yes"); + lpcfg_do_global_parameter(lp_ctx, + "winbind use krb5 enterprise principals", + "yes"); + for (i = 0; parm_table[i].label; i++) { if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) { lp_ctx->flags[i] |= FLAG_DEFAULT; diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 50311e0c7b9..efa63626ecb 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -703,7 +703,6 @@ sub provision_ad_member auth event notification = true password server = $dcvars->{SERVER} winbind scan trusted domains = no - winbind use krb5 enterprise principals = yes winbind offline logon = $option_offline_logon allow dcerpc auth level connect:lsarpc = yes diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index d3b9de4a09a..23ca2cafbed 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c 
@@ -817,7 +817,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.winbind_nss_info = str_list_make_v3_const(NULL, "template", NULL); Globals.winbind_refresh_tickets = false; Globals.winbind_offline_logon = false; - Globals.winbind_scan_trusted_domains = true; + Globals.winbind_scan_trusted_domains = false; Globals.idmap_cache_time = 86400 * 7; /* a week by default */ Globals.idmap_negative_cache_time = 120; /* 2 minutes by default */ @@ -963,6 +963,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.client_protection = CRED_CLIENT_PROTECTION_DEFAULT; + Globals.winbind_use_krb5_enterprise_principals = true; + /* Now put back the settings that were set with lp_set_cmdline() */ apply_lp_set_cmdline(); } -- Samba Shared Repository
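Review bot: the new section heading in the first WHATSNEW.txt hunk (@@ -108) misspells "enterpise"; suggest "Scanning of trusted domains and enterprise principals" with the underline lengthened by one character to match. Two smaller wording points in the same paragraph: "we never can get a full picture" reads better as "we can never get a full picture", and "e.g" needs its trailing period. Since defaulting `winbind use krb5 enterprise principals` to yes changes how every domain member's winbindd requests Kerberos tickets, and the paragraph announces that both options will be deprecated, it should also tell administrators who need the previous behaviour that they can still set `winbind use krb5 enterprise principals = no` or `winbind scan trusted domains = yes` explicitly until the deprecation lands.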
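Review bot: in the first winbindscantrusteddomains.xml hunk (@@ -6), dropping "(the default)" leaves the description without any statement of the default, so a reader of the generated man page has to scroll to the `<value type="default">` element to learn that scanning is now off. Suggest keeping the default inline, e.g. "If it is set to yes (the default is no), winbindd periodically tries to scan for new trusted domains ...".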
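Review bot: the `<value type="default">` flip from yes to no in the second winbindscantrusteddomains.xml hunk (@@ -25) is a behaviour change for installations that rely on `wbinfo --trusted-domains --verbose` listing trusts discovered by scanning; the WHATSNEW entry covers that, but consider also adding `<value type="example">yes</value>`, mirroring the default/example pair used in winbindusekrb5enterpriseprincipals.xml, so the man page shows how to opt back in.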
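Review bot: the rewritten sentence in the first winbindusekrb5enterpriseprincipals.xml hunk (@@ -14) changes the meaning rather than only the grammar. The old text said winbindd does not get even an incomplete picture of the topology, i.e. no picture at all once scanning is off; "winbindd doesn't even get a complete picture" says it gets an incomplete one. If the original meaning is intended, "winbindd doesn't get even an incomplete picture of the topology" fixes the grammar while keeping it.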
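Review bot: in the second lib/param/loadparm.c hunk (@@ -2964), the new lpcfg_do_global_parameter() call for `winbind use krb5 enterprise principals` is placed after "acl flag inherited canonicalization" rather than next to the other winbind defaults in the first hunk (@@ -2653), where `winbind scan trusted domains` is set. Keeping the two options adjacent makes it easier to keep these defaults, which the WHATSNEW entry ties together, consistent with docs-xml and source3/param/loadparm.c in future changes.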
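Review bot: removing `winbind use krb5 enterprise principals = yes` from provision_ad_member in the selftest/target/Samba3.pm hunk (@@ -703) leaves the explicit `winbind scan trusted domains = no` line above it in place, although that value is now also the default. For a test target it is safer to keep both settings explicit, so the ad_member environment keeps testing the intended combination even if either default changes again; if the intent is to exercise the defaults, drop both lines together and say so in the commit message.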
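Review bot: in the second source3/param/loadparm.c hunk (@@ -963), `Globals.winbind_use_krb5_enterprise_principals = true;` is added after `Globals.client_protection` rather than beside `Globals.winbind_scan_trusted_domains` in the winbind block of the first hunk (@@ -817); the same grouping suggestion as for lib/param/loadparm.c applies. The default now lives in three places (docs-xml, lib/param and source3), and all three are flipped consistently in this series, so a short comment next to one of them pointing at the others would help keep it that way.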