Merge branch 'master' of ssh://git.koozali.org:2222/smeserver/smeserver-samba

- disable access to list of users without being logged in [SME: 12765]

.gitignore

@@ -2,3 +2,4 @@
 *.log
 *spec-20*
 *.tar.xz
+*.bak

README.md

@@ -6,7 +6,14 @@ SMEServer Koozali developed git repo for smeserver-samba smeserver
 <br />https://wiki.koozali.org/
 
 ## Bugzilla
-Show list of outstanding bugs: [here](https://bugs.koozali.org/buglist.cgi?component=smeserver-samba&product=SME%20Server%2010.X&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED)\
+Show list of outstanding bugs:
+[All](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=UNCONFIRMED&bug_status=CONFIRMED&bug_status=NEEDINFO&bug_status=IN_PROGRESS&bug_status=RESOLVED&bug_status=VERIFIED&cf_package=smeserver-samba&classification=SME+Server&list_id=105756&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Confirmed](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=CONFIRMED&cf_package=smeserver-samba&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Unconfirmed](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=UNCONFIRMED&cf_package=smeserver-samba&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Need info](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=NEEDINFO&cf_package=smeserver-samba&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[In progress](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=IN_PROGRESS&cf_package=smeserver-samba&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Resolved](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=RESOLVED&cf_package=smeserver-samba&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)  
+[Verified](https://bugs.koozali.org/buglist.cgi?action=wrap&bug_status=VERIFIED&cf_package=smeserver-samba&classification=SME+Server&order=changeddate+DESC%2Ccomponent%2Cpriority%2Cbug_severity&query_format=advanced)
 And a list of outstanding Legacy bugs: (e-smith-samba) [here](https://bugs.koozali.org/buglist.cgi?component=e-smith-samba&product=SME%20Server%2010.X&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED)
 
 ## Description

root/etc/e-smith/events/actions/create-machine-account

@@ -1,6 +1,7 @@
 #!/usr/bin/perl -w
 #----------------------------------------------------------------------
 # copyright (C) 2001 Mitel Networks Corporation
+# Copyright (C) 2024 Koozali Foundation inc.
 # 
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -26,6 +27,9 @@ use Errno;
 use esmith::ConfigDB;
 use esmith::AccountsDB;
 use esmith::util;
+use utf8;
+use esmith::util::ldap;
+
 
 my $a = esmith::AccountsDB->open || die "Couldn't open accounts db\n";
 my $c = esmith::ConfigDB->open_ro || die "Could not open Config DB";
@@ -33,8 +37,8 @@ my $c = esmith::ConfigDB->open_ro || die "Could not open Config DB";
 my $ldapauth = $c->get('ldap')->prop('Authentication') || 'disabled';
 my $x = 0; # exit value
 
-my $domain = $c->get('DomainName')->value();
+# prepare LDAP bind
-my $base = esmith::util::ldapBase ($domain);
+my $ldap=esmith::util::ldap->new();
 
 my $event = $ARGV [0];
 my $machineName = $ARGV [1];
@@ -101,34 +105,16 @@ if ($ldapauth ne 'enabled')
 }
 
 # Create the machine's unique group first (in ldap)
-system( 
+my $result = $ldap->ldapgroup($m);
-        "/usr/sbin/cpu", "-C/etc/cpu-system.conf", "groupadd",
+$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) group $machineName.\n" );
-        "-g", $gid,
-        "-o",
-        "$machineName"
-    ) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) group $machineName.\n" );
 
-# Now create the machine account (in ldap)
+# Now create the machine account (in ldap). samba related action script will add more
-system(
+$result = $ldap->ldapaddmachine($m);
-        "/usr/sbin/cpu", "-C/etc/cpu-system.conf", "useradd",
+$result && ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) account $machineName.\n" );
-        "-u", $uid,
-        "-g", $gid,
-        "--userbase=ou=Computers,$base",
-        "-c", "Hostname account for $machineName",
-        "-o",
-        "-d", "/noexistingpath",
-        "-s", "/bin/false",
-        "$machineName"
-    ) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) account $machineName.\n" );
 
 warn "create-machine-account $machineName: Locking account\n";
 
-system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "usermod", 
+# esmith::util::ldap ldapaddmachine already lock account on creation in LDAP
-       "--userbase=ou=Computers,$base",
-       "-o", 
-       "-L", 
-       "$machineName"
-) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed locking (ldap) password for $machineName\n" );
 
 if ($ldapauth ne 'enabled')
 {

root/etc/e-smith/templates/etc/smb.conf/11anonymous

@@ -0,0 +1,8 @@
+{
+# 0 allows to retrieve the list of users without being logged on the domain 
+# 1 will disable anonymous SAMR access. (including user enumeration)
+# 2 will, in addition to restricting SAMR access, disallow anonymous connections to the IPC$ share in general. (preventing login to smb PDC)
+# The option also affects the browse option which is required by legacy clients which rely on Netbios browsing. 
+# While modern Windows version should be fine with restricting the access there could still be applications relying on anonymous access.
+}
+restrict anonymous = 1

root/etc/e-smith/templates/etc/smb.conf/11domainLogons

@@ -1,3 +0,0 @@
-{
-   "domain logons = " . ( $smb{ServerRole} =~ m{^(PDC|BDC|ADS)$} ? "yes" : "no" );
-}

root/etc/e-smith/templates/etc/smb.conf/11encryptPasswords

@@ -1,6 +0,0 @@
-{
-# You may wish to use password encryption. Please read
-# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
-# Do not enable this option unless you have read those documents
-}
-encrypt passwords = yes

smeserver-samba.spec

@@ -4,7 +4,7 @@ Summary: smeserver specific Samba configuration files and templates
 %define name smeserver-samba
 Name: %{name}
 %define version 11.0.0
-%define release 4
+%define release 8
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
@@ -18,7 +18,7 @@ Provides: e-smith-samba
 Obsoletes: e-smith-samba
 BuildRequires: smeserver-devtools >= 1.13.1-03
 Obsoletes: e-smith-regedit
-Requires: smeserver-lib >= 2.2.0-2
+Requires: smeserver-lib >= 11.0.0-7
 Requires: smeserver-formmagick >= 1.4.0-9
 Requires: samba >= 3.5.10
 Requires: samba-client >= 3.5.10
@@ -41,6 +41,15 @@ Requires: /usr/bin/tdbbackup
 AutoReqProv: no
 
 %changelog
+* Thu Nov 14 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-8.sme
+- disable access to list of users without being logged in [SME: 12765]
+
+* Tue Aug 13 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-6.sme
+- use esmith::util::ldap for machines LDAP account [SME: 12687]
+
+* Tue Apr 16 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-5.sme
+- remove deprecated options [SME: 12630]
+
 * Sat Apr 13 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-4.sme
 - fix regex to get SID [SME: 12581]