[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  d7a91a855c7 s4-auth: Remove last traces of LanMan authentication support in the AD DC.
       via  86f7e4e6905 s4-auth: Only build auth_developer module in developer mode
       via  360bb864e9a s4-auth: Do not trigger RODC replication unless missing all passwords
       via  1884bc11f01 s4-auth: Remove unused acct_flags parameter
      from  14e7112734b waf: Document the confusing --nonshared-binary, --builtin-libraries, --private-libraries and --bundled-libraries

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit d7a91a855c7edfb0e09c93cbe4c56df0437fa467
Author: Andrew Bartlett
Date: Fri Mar 25 12:18:01 2022 +1300

s4-auth: Remove last traces of LanMan authentication support in the AD DC.

Signed-off-by: Andrew Bartlett
Reviewed-by: Stefan Metzmacher

Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Tue Mar 29 03:32:57 UTC 2022 on sn-devel-184

commit 86f7e4e69059e77c35f451919365685d909024af
Author: Andrew Bartlett
Date: Wed Mar 23 15:10:23 2022 +1300

s4-auth: Only build auth_developer module in developer mode

This is a silly module for provoking NTSTATUS replies for testing
and was useful many moons ago for determining the NTSTATUS -> DOS
table that Windows uses.

Signed-off-by: Andrew Bartlett
Reviewed-by: Stefan Metzmacher

commit 360bb864e9a958c395f841bdc8caf866f8dcb0e0
Author: Andrew Bartlett
Date: Wed Mar 16 16:27:54 2022 +1300

s4-auth: Do not trigger RODC replication unless missing all passwords

With the NT hash becoming optional we cannot make blind assumptions
that a missing value means we are on an RODC needing the password
replicated. Instead, check for supplementalCredentials as well.

Signed-off-by: Andrew Bartlett
Reviewed-by: Stefan Metzmacher

commit 1884bc11f0115078113253d48be684c32cb3c5f9
Author: Andrew Bartlett
Date: Wed Mar 16 15:19:54 2022 +1300

s4-auth: Remove unused acct_flags parameter

Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher --- Summary of changes: WHATSNEW.txt| 5 + docs-xml/smbdotconf/security/lanmanauth.xml | 4 source4/auth/ntlm/auth_sam.c| 15 +++ source4/auth/ntlm/wscript_build | 3 ++- 4 files changed, 18 insertions(+), 9 deletions(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index d23bede2da2..1bdf3a01cfb 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -66,6 +66,11 @@ server used as a front. REMOVED FEATURES +LanMan Authentication and password storage removed from the AD DC +- + +The storage and authentication with LanMan passwords has been entirely +removed from the Samba AD DC, even when "lanman auth = yes" is set. smb.conf changes diff --git a/docs-xml/smbdotconf/security/lanmanauth.xml b/docs-xml/smbdotconf/security/lanmanauth.xml index 842c12d9b64..045e89d94d6 100644 --- a/docs-xml/smbdotconf/security/lanmanauth.xml +++ b/docs-xml/smbdotconf/security/lanmanauth.xml @@ -45,6 +45,10 @@ then only NTLMv2 logins will be permitted and no LM hash will be stored. All modern clients support NTLMv2, and but some older clients require special configuration to use it. + +This parameter has no impact on the Samba AD DC, +LM authentication is always disabled and no LM password is ever +stored. no diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index 60795c40723..14b6c707aa5 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c @@ -52,7 +52,6 @@ extern const char *domain_ref_attrs[]; / static NTSTATUS authsam_password_ok(struct auth4_context *auth_context, TALLOC_CTX *mem_ctx, - uint16_t acct_flags, const struct samr_Password *nt_pwd, const struct auth_usersupplied_info *user_info, DATA_BLOB *user_sess_key, 
@@ -79,8 +78,8 @@ static NTSTATUS authsam_password_ok(struct auth4_context *auth_context, *lm_sess_key = data_blob(NULL, 0); *user_sess_key = data_blob(NULL, 0); status = hash_password_check(mem_ctx, - lpcfg_lanman_auth(auth_context->lp_ctx), -user_info->password.hash.lanman, +false, +NULL,
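Review bot: In the WHATSNEW.txt entry under REMOVED FEATURES, "The storage and authentication with LanMan passwords has been entirely removed" has a subject-verb mismatch and reads as though passwords are stored "with" LanMan. Suggest "Storage of LanMan password hashes and LanMan authentication have been entirely removed from the Samba AD DC", followed by a plain statement that "lanman auth = yes" is ignored there, so the wording matches the paragraph added to lanmanauth.xml.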
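Review bot: The paragraph added to docs-xml/smbdotconf/security/lanmanauth.xml joins two sentences with a comma ("This parameter has no impact on the Samba AD DC, LM authentication is always disabled and no LM password is ever stored."). Split it into two sentences or join them with "where". The unchanged context line just above it still reads "and but some older clients", which could be corrected in the same change since the hunk already touches that paragraph.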
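Review bot: In the hash_password_check() call inside authsam_password_ok() (source4/auth/ntlm/auth_sam.c, second hunk), the bare "false," and "NULL," arguments give no hint at the call site of what they switch off. They replace lpcfg_lanman_auth(auth_context->lp_ctx) and user_info->password.hash.lanman, so a short comment on each (LanMan authentication is never permitted on the AD DC; the client-supplied LanMan hash is never consulted) would stop a later change from quietly re-wiring the smb.conf value. The visible context still sets *lm_sess_key = data_blob(NULL, 0); as the changeset is truncated at this point, the rest of the function should be checked to confirm nothing downstream expects that key to be populated.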
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 14e7112734b waf: Document the confusing --nonshared-binary, --builtin-libraries, --private-libraries and --bundled-libraries from 127f728d58e vfs_gpfs: Initialize litemask to 0 https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 14e7112734bbb31db99e394323ef2cb31385ebf7 Author: Andrew Bartlett Date: Mon Mar 28 11:16:51 2022 +1300 waf: Document the confusing --nonshared-binary, --builtin-libraries, --private-libraries and --bundled-libraries These options are confusing to all who encounter them. BUG: https://bugzilla.samba.org/show_bug.cgi?id=8731 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Mon Mar 28 10:06:01 UTC 2022 on sn-devel-184 --- Summary of changes: buildtools/wafsamba/wscript | 67 - 1 file changed, 60 insertions(+), 7 deletions(-) Changeset truncated at 500 lines: diff --git a/buildtools/wafsamba/wscript b/buildtools/wafsamba/wscript index 62b63fef145..a4d6f3e5c49 100644 --- a/buildtools/wafsamba/wscript +++ b/buildtools/wafsamba/wscript 
@@ -30,11 +30,37 @@ def options(opt): gr = opt.option_group('library handling options') gr.add_option('--bundled-libraries', - help=("comma separated list of bundled libraries. May include !LIBNAME to disable bundling a library. Can be 'NONE' or 'ALL' [auto]"), + help=(f'''comma separated list of bundled libraries. + +{Context.g_module.APPNAME} includes copies of externally maintained +system libraries (such as popt, cmokca) as well as Samba-maintained +libraries that can be found on the system already (such as talloc, +tdb). + +This option, most useful for packagers, controls if each library +should be forced to be obtained from inside Samba (bundled), forced to +be obtained from the system (bundling disabled, ensuing that +dependency errors are not silently missed) or if that choice should be +automatic (best for end users). + +May include !LIBNAME to disable bundling a library. + +Can be 'NONE' or 'ALL' [auto]'''), action="store", dest='BUNDLED_LIBS', default='') gr.add_option('--private-libraries', - help=("comma separated list of normally public libraries to build instead as private libraries. May include !LIBNAME to disable making a library private in order to limit the effect of 'ALL'"), + help=(f'''comma separated list of normally public libraries to build instead as private libraries. + +By default {Context.g_module.APPNAME} will publish a number of public +libraries for use by other software. For Samba this would include +libwbclient, libsmbclient and others. + +This allows that to be disabled, to ensure that other software does +not use these libraries and they are placed in a private filesystem +prefix. + +May include !LIBNAME to disable making a library private in order to +limit the effect of 'ALL' '''), action="store", dest='PRIVATE_LIBS', default='') extension_default = default_value('PRIVATE_EXTENSION_DEFAULT') 
@@ -48,12 +74,33 @@ def options(opt): action="store", dest='PRIVATE_EXTENSION_EXCEPTION', default=extension_exception) builtin_default = default_value('BUILTIN_LIBRARIES_DEFAULT') -gr.add_option('--builtin-libraries', - help=("command separated list of libraries to build directly into binaries [%s]" % builtin_default), - action="store", dest='BUILTIN_LIBRARIES', default=builtin_default) +gr.add_option('--builtin-libraries', help=( +f'''comma separated list of libraries to build directly into binaries. + +By default {Context.g_module.APPNAME} will build a large number of +shared libraries, to reduce binary size. This overrides this +behaviour and essentially statically links the specified libraries into +each binary [{builtin_default}]'''), + action="store", + dest='BUILTIN_LIBRARIES', default=builtin_default) gr.add_option('--minimum-library-version', - help=("list of minimum system library versions (LIBNAME1:version,LIBNAME2:version)"), + help=( +f'''list of minimum system library versions for otherwise bundled +libraries. + +{Context.g_module.APPNAME} by default requires that, in order to match +what is tested in our continuous integration (CI) test-suite, that the +versions of libraries that we include match that found on the system, +before we will select not to 'bundle'. + +This option, possibly useful for packagers, allows that specified +version to be overridden (say, if it is absolutely known that a the +newer version included in this tarball has no r
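Review bot: The new --bundled-libraries help text in buildtools/wafsamba/wscript (first hunk) carries two typos: "cmokca" should be "cmocka", and "ensuing that dependency errors are not silently missed" should be "ensuring that ...". In the --private-libraries text, the closing "limit the effect of 'ALL' '''" leaves a trailing space in the help string; ending the sentence with a full stop before the closing quotes avoids both the stray space and the four-quote collision.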
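Review bot: In the --minimum-library-version help text (second hunk), "requires that, in order to match what is tested in our continuous integration (CI) test-suite, that the versions of libraries" repeats "that", and "if it is absolutely known that a the newer version" has a stray "a". The replacement help strings in both hunks also rely on blank lines inside the triple-quoted text for paragraph structure, so the rendered --help output should be checked: a help formatter that re-wraps text will run the paragraphs together, in which case shorter single-paragraph help plus a pointer to fuller documentation would read better.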
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 127f728d58e vfs_gpfs: Initialize litemask to 0 from 0bd4bc40f4a samba-tool: Check specified domain and realm against our own https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 127f728d58e79a42f8826500e3b15c486e88e556 Author: Christof Schmitt Date: Mon Mar 21 09:26:41 2022 -0700 vfs_gpfs: Initialize litemask to 0 The change from commit fb13c7c94f to query exact values for atime, mtime, ctime and size is not necessary, as none of these are used in this codepath. Initiale litemask to 0 instead. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15027 Signed-off-by: Christof Schmitt Reviewed-by: Ralph Boehme Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Mon Mar 28 09:10:58 UTC 2022 on sn-devel-184 --- Summary of changes: source3/modules/vfs_gpfs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/modules/vfs_gpfs.c b/source3/modules/vfs_gpfs.c index 004c74cd43a..5ef1f5f2e73 100644 --- a/source3/modules/vfs_gpfs.c +++ b/source3/modules/vfs_gpfs.c @@ -1482,7 +1482,7 @@ static NTSTATUS vfs_gpfs_fget_dos_attributes(struct vfs_handle_struct *handle, char buf[PATH_MAX]; const char *p = NULL; struct gpfs_iattr64 iattr = { }; - unsigned int litemask = GPFS_SLITE_EXACT_BITS; + unsigned int litemask = 0; struct timespec ts; uint64_t file_id; NTSTATUS status; @@ -1988,7 +1988,7 @@ static int vfs_gpfs_check_pathref_fstat_x(struct gpfs_config_data *config, struct connection_struct *conn) { struct gpfs_iattr64 iattr = {0}; - unsigned int litemask = GPFS_SLITE_EXACT_BITS; + unsigned int litemask = 0; int saved_errno; int fd; int ret; -- Samba Shared Repository
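Review bot: In vfs_gpfs_fget_dos_attributes() (first hunk) the context still declares "struct timespec ts;" directly below "unsigned int litemask = 0;", so some timestamp is evidently read from iattr in this function. The commit message says atime, mtime, ctime and size are not used in this codepath; a one-line comment at the litemask declaration naming the iattr fields that are consumed here, and noting that they do not need GPFS_SLITE_EXACT_BITS, would let a reader verify that claim from the code rather than from the log.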
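Review bot: In vfs_gpfs_check_pathref_fstat_x() (second hunk), and equally in the first hunk, litemask is now a local that is only ever 0; declaring it const, or dropping the variable and passing 0 at the call, would make it harder for the exact bits to creep back in unnoticed. As a style point, the two hunks show different initializers for the same struct type, "struct gpfs_iattr64 iattr = { };" in the first and "struct gpfs_iattr64 iattr = {0};" in the second; settling on one form would be tidier.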