The branch, master has been updated
       via  a482b3e... s3-auth: Remove docs about obsolete 'update encrypted' option.
       via  66b6a8c... s3-auth: Remove obsolete 'update encrypted' option.
      from  f03ac22... s3-selftest: add samba3.posix_s3.rpc.spoolss.notify to knownfail list.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a482b3e14ec4e3eada9c2477c9eae2bfbe017f53
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Jul 29 13:18:35 2010 +0200

    s3-auth: Remove docs about obsolete 'update encrypted' option.

commit 66b6a8cf62c2fe9b1eafeb094916e6046f686359
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Jul 29 13:16:09 2010 +0200

    s3-auth: Remove obsolete 'update encrypted' option.

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/smbdotconf/security/updateencrypted.xml |   34 -------------
 docs-xml/using_samba/appc.xml                    |   14 -----
 docs-xml/using_samba/ch06.xml                    |   37 +-------------
 examples/scripts/shares/python/smbparm.py        |    1 -
 source3/auth/auth_unix.c                         |   58 +---------------------
 source3/auth/pass_check.c                        |   13 ++---
 source3/include/proto.h                          |    3 +-
 source3/param/loadparm.c                         |    9 ---
 source3/web/cgi.c                                |    4 +-
 source4/TODO                                     |    1 -
 10 files changed, 10 insertions(+), 164 deletions(-)
 delete mode 100644 docs-xml/smbdotconf/security/updateencrypted.xml


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/security/updateencrypted.xml b/docs-xml/smbdotconf/security/updateencrypted.xml deleted file mode 100644 index eb54ed9..0000000 --- a/docs-xml/smbdotconf/security/updateencrypted.xml +++ /dev/null 
@@ -1,34 +0,0 @@ -<samba:parameter name="update encrypted" - context="G" - type="boolean" - basic="1" advanced="1" developer="1" - xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> -<description> - - <para> - This boolean parameter allows a user logging on with a plaintext password to have their encrypted (hashed) - password in the smbpasswd file to be updated automatically as they log on. This option allows a site to - migrate from plaintext password authentication (users authenticate with plaintext password over the - wire, and are checked against a UNIX account database) to encrypted password authentication (the SMB - challenge/response authentication mechanism) without forcing all users to re-enter their passwords via - smbpasswd at the time the change is made. This is a convenience option to allow the change over to encrypted - passwords to be made over a longer period. Once all users have encrypted representations of their passwords - in the smbpasswd file this parameter should be set to <constant>no</constant>. - </para> - - <para> - In order for this parameter to be operative the <smbconfoption name="encrypt passwords"/> parameter must - be set to <constant>no</constant>. The default value of <smbconfoption name="encrypt - passwords">Yes</smbconfoption>. Note: This must be set to <constant>no</constant> for this <smbconfoption - name="update encrypted"/> to work. - </para> - - <para> - Note that even when this parameter is set, a user authenticating to <command moreinfo="none">smbd</command> - must still enter a valid password in order to connect correctly, and to update their hashed (smbpasswd) - passwords. - </para> -</description> - -<value type="default">no</value> -</samba:parameter> diff --git a/docs-xml/using_samba/appc.xml b/docs-xml/using_samba/appc.xml index 76fc5e8..f4b4666 100644 --- a/docs-xml/using_samba/appc.xml +++ b/docs-xml/using_samba/appc.xml 
@@ -2728,20 +2728,6 @@ compatibility with older-client bugs.</para> </refsynopsisdiv> </refentry> -<refentry id="appc-refentry-194"> -<refmeta> -<refmiscinfo class="allowable values">YES, NO</refmiscinfo> -<refmiscinfo class="default">NO</refmiscinfo> -</refmeta> -<refnamediv> -<refname>update encrypted = boolean</refname> -</refnamediv> -<refsynopsisdiv> -<para>Updates the Microsoft-format password file when a user logs in with unencrypted passwords. Provided to ease conversion to encryped passwords for Windows 95/98 and NT. Added in Samba 1.9.18p5.</para> - -</refsynopsisdiv> -</refentry> - <refentry id="appc-refentry-195"> <refmeta> <refmiscinfo class="allowable values">comma-separated list of user names</refmiscinfo> diff --git a/docs-xml/using_samba/ch06.xml b/docs-xml/using_samba/ch06.xml index e0973b6..b099e96 100644 --- a/docs-xml/using_samba/ch06.xml +++ b/docs-xml/using_samba/ch06.xml @@ -1592,20 +1592,6 @@ Password changed for user dave</programlisting> <row> -<entry colname="col1"><para><literal>update encrypted</literal></para></entry> - -<entry colname="col2"><para>boolean</para></entry> - -<entry colname="col3"><para>If <literal>yes</literal>, Samba updates the encrypted password file when a client connects to a share with a plaintext password.</para></entry> - -<entry colname="col4"><para><literal>no</literal></para></entry> - -<entry colname="col5"><para>Global</para></entry> - -</row> - -<row> - <entry colname="col1"><para><literal>null passwords</literal></para></entry> <entry colname="col2"><para>boolean</para></entry> 
@@ -1769,23 +1755,6 @@ password level</title> <sect3 role="" label="6.4.4.7" id="ch06-SECT-4.3.7"> -<indexterm id="ch06-idx-969481-0"><primary>pdate encrypted option</primary></indexterm> -<title>update encrypted</title> - - -<para>For sites switching over to the <indexterm id="ch06-idx-967799-0"><primary>encrypted passwords</primary><secondary>Microsoft format</secondary></indexterm>encrypted password format, Samba provides an option that should help with the transition. The <literal>update</literal> <literal>encrypted</literal> option allows a site to ease into using encrypted passwords from plaintext passwords. You can activate this option as follows:</para> - - -<programlisting>[global] - update encrypted = yes</programlisting> - - -<para>This instructs Samba to create an encrypted version of each user's Unix password in the <filename>smbpasswd</filename> file each time he or she connects to a share. When this option is enabled, you must have the <literal>encrypt</literal> <literal>passwords</literal> option set to <literal>no</literal> so that the client will pass plaintext passwords to Samba to use to update the files. Once each user has connected at least once, you can set <literal>encrypted</literal> <literal>passwords</literal> <literal>=</literal> <literal>yes</literal>, allowing you to use only the encrypted passwords. The user must already have a valid entry in the <filename>smbpasswd</filename> file for this option to work.</para> -</sect3> - - - -<sect3 role="" label="6.4.4.8" id="ch06-SECT-4.3.8"> <title>null passwords</title> @@ -1801,7 +1770,7 @@ password level</title> -<sect3 role="" label="6.4.4.9" id="ch06-SECT-4.3.9"> +<sect3 role="" label="6.4.4.8" id="ch06-SECT-4.3.8"> <indexterm id="ch06-idx-969483-0"><primary>smb passwd file option</primary></indexterm> <title> smb passwd file</title> 
@@ -1820,7 +1789,7 @@ smb passwd file</title> -<sect3 role="" label="6.4.4.10" id="ch06-SECT-4.3.10"> +<sect3 role="" label="6.4.4.9" id="ch06-SECT-4.3.9"> <indexterm id="ch06-idx-969486-0"><primary>hosts equiv option</primary></indexterm> <title> hosts equiv</title> @@ -1838,7 +1807,7 @@ hosts equiv</title> -<sect3 role="" label="6.4.4.11" id="ch06-SECT-4.3.11"> +<sect3 role="" label="6.4.4.10" id="ch06-SECT-4.3.10"> <indexterm id="ch06-idx-969487-0"><primary>use rhosts option</primary></indexterm> <title> use rhosts</title> diff --git a/examples/scripts/shares/python/smbparm.py b/examples/scripts/shares/python/smbparm.py index 73637a7..3793992 100644 --- a/examples/scripts/shares/python/smbparm.py +++ b/examples/scripts/shares/python/smbparm.py @@ -353,7 +353,6 @@ parm_table = { "ENHANCEDBROWSING" : ("enhanced browsing", SambaParmBool, P_GLOBAL, "Yes"), "PANICACTION" : ("panic action", SambaParmString, P_GLOBAL, ""), "LDAPMACHINESUFFIX" : ("ldap machine suffix", SambaParmString, P_GLOBAL, ""), - "UPDATEENCRYPTED" : ("update encrypted", SambaParmBool, P_GLOBAL, "No"), "MAXTTL" : ("max ttl", SambaParmString, P_GLOBAL, "259200"), "WRITABLE" : ("read only", SambaParmBoolRev, P_LOCAL, "Yes"), "SHAREMODES" : ("share modes", SambaParmBool, P_LOCAL, "Yes"), diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index a9a4c53..8668a2f 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c 
@@ -23,60 +23,6 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH -/** - * update the encrypted smbpasswd file from the plaintext username and password - * - * this ugly hack needs to die, but not quite yet, I think people still use it... - **/ -static bool update_smbpassword_file(const char *user, const char *password) -{ - struct samu *sampass; - bool ret; - - if ( !(sampass = samu_new( NULL )) ) { - return False; - } - - become_root(); - ret = pdb_getsampwnam(sampass, user); - unbecome_root(); - - if(ret == False) { - DEBUG(0,("pdb_getsampwnam returned NULL\n")); - TALLOC_FREE(sampass); - return False; - } - - /* - * Remove the account disabled flag - we are updating the - * users password from a login. - */ - if (!pdb_set_acct_ctrl(sampass, pdb_get_acct_ctrl(sampass) & ~ACB_DISABLED, PDB_CHANGED)) { - TALLOC_FREE(sampass); - return False; - } - - if (!pdb_set_plaintext_passwd (sampass, password)) { - TALLOC_FREE(sampass); - return False; - } - - /* Now write it into the file. */ - become_root(); - - ret = NT_STATUS_IS_OK(pdb_update_sam_account (sampass)); - - unbecome_root(); - - if (ret) { - DEBUG(3,("pdb_update_sam_account returned %d\n",ret)); - } - - TALLOC_FREE(sampass); - return ret; -} - - /** Check a plaintext username/password * * Cannot deal with an encrupted password in any manner whatsoever, @@ -102,9 +48,7 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context, nt_status = pass_check(pass, pass ? pass->pw_name : user_info->mapped.account_name, user_info->password.plaintext, - lp_update_encrypted() ? - update_smbpassword_file : NULL, - True); + true); unbecome_root(); diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c index d1b720c..ee35fba 100644 --- a/source3/auth/pass_check.c +++ b/source3/auth/pass_check.c 
@@ -647,8 +647,10 @@ match is found and is used to update the encrypted password file return NT_STATUS_OK on correct match, appropriate error otherwise ****************************************************************************/ -NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *password, - bool (*fn) (const char *, const char *), bool run_cracker) +NTSTATUS pass_check(const struct passwd *pass, + const char *user, + const char *password, + bool run_cracker) { char *pass2 = NULL; int level = lp_passwordlevel(); @@ -820,9 +822,6 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas /* try it as it came to us */ nt_status = password_check(password); if NT_STATUS_IS_OK(nt_status) { - if (fn) { - fn(user, password); - } return (nt_status); } else if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) { /* No point continuing if its not the password thats to blame (ie PAM disabled). */ @@ -850,8 +849,6 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas if (strhasupper(pass2)) { strlower_m(pass2); if NT_STATUS_IS_OK(nt_status = password_check(pass2)) { - if (fn) - fn(user, pass2); return (nt_status); } } @@ -865,8 +862,6 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas strlower_m(pass2); if (NT_STATUS_IS_OK(nt_status = string_combinations(pass2, password_check, level))) { - if (fn) - fn(user, pass2); return nt_status; } diff --git a/source3/include/proto.h b/source3/include/proto.h index c6061fc..850710b 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -232,7 +232,7 @@ bool smb_pam_close_session(char *in_user, char *tty, char *rhost); void dfs_unlogin(void); NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *password, - bool (*fn) (const char *, const char *), bool run_cracker); + bool run_cracker); /* The following definitions come from auth/token_util.c */ 
@@ -3708,7 +3708,6 @@ bool _lp_writeraw(void); bool lp_null_passwords(void); bool lp_obey_pam_restrictions(void); bool lp_encrypted_passwords(void); -bool lp_update_encrypted(void); int lp_client_schannel(void); int lp_server_schannel(void); bool lp_syslog_only(void); diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index b20b565..f200022 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -1102,15 +1102,6 @@ static struct parm_struct parm_table[] = { .flags = FLAG_BASIC | FLAG_ADVANCED | FLAG_WIZARD, }, { - .label = "update encrypted", - .type = P_BOOL, - .p_class = P_GLOBAL, - .ptr = &Globals.bUpdateEncrypt, - .special = NULL, - .enum_list = NULL, - .flags = FLAG_ADVANCED, - }, - { .label = "client schannel", .type = P_ENUM, .p_class = P_GLOBAL, diff --git a/source3/web/cgi.c b/source3/web/cgi.c index 0c1c80e..3d7b32c 100644 --- a/source3/web/cgi.c +++ b/source3/web/cgi.c @@ -373,9 +373,7 @@ static bool cgi_handle_authorization(char *line) * Validate the password they have given. */ - if NT_STATUS_IS_OK(pass_check(pass, user, user_pass, - NULL, False)) { - + if NT_STATUS_IS_OK(pass_check(pass, user, user_pass, false)) { if (pass) { /* * Password was ok. diff --git a/source4/TODO b/source4/TODO index 2d7853f..9a29c20 100644 --- a/source4/TODO +++ b/source4/TODO @@ -18,7 +18,6 @@ The following options don't exist in Samba4 yet or are not converted by the upgrade script or will be removed: -- update encrypted - public - guest ok - client schannel -- Samba Shared Repository
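
Review bot: The commit message for 66b6a8c should say what behaviour goes away with update_smbpassword_file() in source3/auth/auth_unix.c, because the deleted helper did more than copy a hash. It cleared ACB_DISABLED on the account ("Remove the account disabled flag - we are updating the users password from a login") and then wrote the SAM entry under become_root(), so with the option on, a successful plaintext UNIX login re-enabled a disabled passdb account. A one-line body noting that plaintext logins no longer modify passdb entries or account control flags would make the security effect of the removal visible to anyone reading the log.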
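
Review bot: The comment block above pass_check() in source3/auth/pass_check.c is left stale by the signature change in the @@ -647 hunk: the context line still reads "match is found and is used to update the encrypted password file", which described the fn callback that no longer exists. Please drop or reword that sentence in the same commit so the header matches the new four-argument prototype. While these lines are being touched, the bare "if NT_STATUS_IS_OK(nt_status) {" form (also kept in the rewritten source3/web/cgi.c call) depends on the macro supplying its own parentheses; writing "if (NT_STATUS_IS_OK(...))" as the third pass_check.c hunk already does would be consistent.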
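
Review bot: The removal in source3/param/loadparm.c looks incomplete: the diffstat shows 9 deletions for that file and the parm_table entry in the @@ -1102 hunk accounts for all 9, so the Globals.bUpdateEncrypt member referenced by the deleted ".ptr = &Globals.bUpdateEncrypt" line is still declared, and nothing in the visible diff removes a definition of lp_update_encrypted() to match the prototype dropped from source3/include/proto.h. Please remove the struct member, any default initialisation of it, and the accessor definition in the same change so the prototype and the implementation do not drift apart. It is also worth confirming how an existing smb.conf that still carries "update encrypted = yes" is reported after this, since the option was documented as a migration aid and administrators may have left it set.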
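
Review bot: In docs-xml/using_samba/ch06.xml the renumbering reuses section ids for different content, which can silently retarget cross-references: ch06-SECT-4.3.8 previously identified "null passwords" and after this change identifies "smb passwd file", and 4.3.9 and 4.3.10 shift the same way. Please check the book sources for links to ch06-SECT-4.3.7 through ch06-SECT-4.3.11 before renumbering. The hunk that opens the "null passwords" section now also reads as if the title sits directly under the 6.4.4.7 sect3 line, so it is worth validating the resulting XML to confirm each title still has exactly one enclosing sect3. Note that docs-xml/using_samba/appc.xml takes the opposite approach and simply leaves a gap after removing appc-refentry-194; choosing one convention for both files would be cleaner.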