mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
afb8305ada
SMB service has a number of predefined properties that must be set at a creation time. Thus, we provide a special command that handles all the needed changes. In addition, since SMB principal name is predefined, it is generated automatically based on the machine hostname. Since we generate the service's object primary key, its argument/option should be removed from the list of the command's arguments and options. We also remove those options that make no sense in the context of SMB service. Most controversial would probably be a lack of the authentication indicator that could be associated with the service. However, this is intended: SMB service on the domain member is used by both humans and other SMB services in the domain. Thus, it is not possible to require a specific authentication indicator to be present: automated acquisition of the credentials by a domain controller or other domain member machine accounts is based on a single factor creds and cannot be changed. Access to SMB service should be regulated on the SMB protocol level, with access controls in share ACLs. Fixes: https://pagure.io/freeipa/issue/3999 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>