The branch, master has been updated
       via  62875044ec4 WHATSNEW: Document changes of trusted domains scanning 
and enterpise principals
       via  3e0fbc79b9c docs-xml: Disable `winbind scan trusted domains` by 
default
       via  106c2b3977e docs-xml: Enable `winbind use krb5 enterprise 
principals` by default
       via  abb022b957a docs-xml: Fix description of `winbind use krb5 
enterprise principals`
      from  1139f96cc78 s3: VFS: posixacl_xattr: Remove 
posixacl_xattr_acl_set_file(). No longer used.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 62875044ec41449967ff7a139e0c5816fa471428
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Jun 23 10:13:24 2021 +0200

    WHATSNEW: Document changes of trusted domains scanning and enterpise 
principals
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    
    Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
    Autobuild-Date(master): Wed Jun 23 10:46:22 UTC 2021 on sn-devel-184

commit 3e0fbc79b9c53a7244a35649bb5c6615390a1453
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Jun 18 10:11:06 2021 +0200

    docs-xml: Disable `winbind scan trusted domains` by default
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit 106c2b3977e35b2d9ad3535710fcbda80aa7fa97
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Jun 15 16:14:11 2021 +0200

    docs-xml: Enable `winbind use krb5 enterprise principals` by default
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

commit abb022b957a0ac8b381059c3199a8b179502fac2
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Jun 15 17:31:46 2021 +0200

    docs-xml: Fix description of `winbind use krb5 enterprise principals`
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                                | 13 +++++++++++++
 docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml   |  6 +++---
 .../winbind/winbindusekrb5enterpriseprincipals.xml          |  6 +++---
 lib/param/loadparm.c                                        |  6 +++++-
 selftest/target/Samba3.pm                                   |  1 -
 source3/param/loadparm.c                                    |  4 +++-
 6 files changed, 27 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index b36036a25d4..d8effc5ce09 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -108,6 +108,17 @@ smbd:
 winbindd:
 --log-stdout  ->    --debug-stdout
 
+Scanning of trusted domains and enterpise principals
+----------------------------------------------------
+
+As an artifact from the NT4 times, we still scanned the list of trusted domains
+on winbindd startup. This is wrong as we never can get a full picture in Active
+Directory. It is time to change the default value to No. Also with this change
+we always use enterprise principals for Kerberos so that the DC will be able
+to redirect ticket requests to the right DC. This is e.g needed for one way
+trusts. The options `winbind use krb5 enterprise principals` and
+`winbind scan trusted domains` will be deprecated in one of the next releases.
+
 
 REMOVED FEATURES
 ================
@@ -128,6 +139,8 @@ smb.conf changes
   --------------                     -----------                -------
   client use kerberos                New                        desired
   client protection                  New                        default
+  winbind use krb5 enterprise principals  Changed               Yes
+  winbind scan trusted domains       Changed                    No
 
 
 KNOWN ISSUES
diff --git a/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml 
b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml
index 31afdc92b53..12e94cb93f3 100644
--- a/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml
+++ b/docs-xml/smbdotconf/winbind/winbindscantrusteddomains.xml
@@ -6,10 +6,10 @@
     <para>
     This option only takes effect when the <smbconfoption name="security"/> 
option is set to
     <constant>domain</constant> or <constant>ads</constant>.
-    If it is set to yes (the default), winbindd periodically tries to scan for 
new
+    If it is set to yes, winbindd periodically tries to scan for new
     trusted domains and adds them to a global list inside of winbindd.
     The list can be extracted with <command>wbinfo --trusted-domains 
--verbose</command>.
-    This matches the behaviour of Samba 4.7 and older.</para>
+    Setting it to yes matches the behaviour of Samba 4.7 and older.</para>
 
     <para>The construction of that global list is not reliable and often
     incomplete in complex trust setups. In most situations the list is
@@ -25,5 +25,5 @@
     </para>
 </description>
 
-<value type="default">yes</value>
+<value type="default">no</value>
 </samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml 
b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
index bfc11c8636c..d30b7f36a07 100644
--- a/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
+++ b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml
@@ -14,7 +14,7 @@
        </para>
 
        <para>With <smbconfoption name="winbind scan trusted 
domains">no</smbconfoption>
-       winbindd don't even get an incomplete picture of the topology.
+       winbindd doesn't even get a complete picture of the topology.
        </para>
 
        <para>It is not really required to know about the trust topology.
@@ -29,6 +29,6 @@
        </para>
 </description>
 
-<value type="default">no</value>
-<value type="example">yes</value>
+<value type="default">yes</value>
+<value type="example">no</value>
 </samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 54920b85027..59ddc213156 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2653,7 +2653,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX 
*mem_ctx)
 
        lpcfg_do_global_parameter(lp_ctx, "winbind separator", "\\");
        lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
-       lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", 
"True");
+       lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", 
"False");
        lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
        lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", 
dyn_WINBINDD_SOCKET_DIR);
        lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", 
dyn_NTP_SIGND_SOCKET_DIR);
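Review bot: The flipped default on the `winbind scan trusted domains` line carries no comment saying why, and the same value is set again by hand in init_globals() in source3/param/loadparm.c (the hunk at @@ -817), so the two copies can silently drift apart on a later edit. A one-line comment beside the changed call, `/* Default is now False; keep in sync with init_globals() in source3/param/loadparm.c */`, would tell the next editor where the mirror lives. loadparm_init() starts and ends outside this hunk.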
@@ -2964,6 +2964,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX 
*mem_ctx)
                                  "acl flag inherited canonicalization",
                                  "yes");
 
+       lpcfg_do_global_parameter(lp_ctx,
+                                 "winbind use krb5 enterprise principals",
+                                 "yes");
+
        for (i = 0; parm_table[i].label; i++) {
                if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
                        lp_ctx->flags[i] |= FLAG_DEFAULT;
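Review bot: The new `winbind use krb5 enterprise principals` default is appended after the unrelated `acl flag inherited canonicalization` call rather than next to the other winbind defaults set earlier in loadparm_init() (the `winbind scan trusted domains` line in the hunk at @@ -2653), which is where a reader looks for it. The same applies to the `Globals.winbind_use_krb5_enterprise_principals = true;` line in source3/param/loadparm.c at @@ -963, which sits apart from the `Globals.winbind_*` group at @@ -817. Moving the call into that block, e.g. `lpcfg_do_global_parameter(lp_ctx, "winbind use krb5 enterprise principals", "True");`, also keeps the value form consistent with the surrounding `"True"`/`"False"` literals. The enclosing loadparm_init() starts and ends outside the hunk.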
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 50311e0c7b9..efa63626ecb 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -703,7 +703,6 @@ sub provision_ad_member
        auth event notification = true
        password server = $dcvars->{SERVER}
        winbind scan trusted domains = no
-       winbind use krb5 enterprise principals = yes
        winbind offline logon = $option_offline_logon
 
        allow dcerpc auth level connect:lsarpc = yes
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index d3b9de4a09a..23ca2cafbed 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -817,7 +817,7 @@ static void init_globals(struct loadparm_context *lp_ctx, 
bool reinit_globals)
        Globals.winbind_nss_info = str_list_make_v3_const(NULL, "template", 
NULL);
        Globals.winbind_refresh_tickets = false;
        Globals.winbind_offline_logon = false;
-       Globals.winbind_scan_trusted_domains = true;
+       Globals.winbind_scan_trusted_domains = false;
 
        Globals.idmap_cache_time = 86400 * 7; /* a week by default */
        Globals.idmap_negative_cache_time = 120; /* 2 minutes by default */
@@ -963,6 +963,8 @@ static void init_globals(struct loadparm_context *lp_ctx, 
bool reinit_globals)
 
        Globals.client_protection = CRED_CLIENT_PROTECTION_DEFAULT;
 
+       Globals.winbind_use_krb5_enterprise_principals = true;
+
        /* Now put back the settings that were set with lp_set_cmdline() */
        apply_lp_set_cmdline();
 }

