kill security=share and security=server

Christopher R. Hertel crh at samba.org
Thu Jan 27 12:36:49 MST 2011


Jeremy Allison wrote:
> On Thu, Jan 27, 2011 at 07:36:01PM +0100, Volker Lendecke wrote:
>> Ok, maybe you're right. I think it gives different semantics
>> though depending on which client OS you're coming from, or
>> what protocol the client decides to use
> 
> I think this only affects clients using Win9x or below,
> who would notice the change in the bit we return in the
> negprot that specifies user level security - which this
> patch would now always return.
> 
> I don't think any modern (XP or later) clients ever
> use the non-sessionsetup variants anymore.

In SMB1, the server determines whether or not share level authentication is
being used, and the only options that the client has are to accept the
server's decree or close the connection.  Unfortunately, clients cannot
"negotiate" user vs. share level security.

Another unfortunate problem is that user vs. share level authentication is
determined per SMB1 session, not per share.

Win9x servers, and below, make it easy to configure share-level
authentication.  XP and above don't.  I'm not sure about W/ME...but who cares.

>> I would feel better
>> if we had max protocol = smb1 for all security=share configs.
> 
> Well we already log a message telling the user what we're
> doing - do you want me to make this debug level 0 so it
> can't be ignored (currently it's level 2).
> 
> I just don't want to cause smbd to silently exit on
> the first smb2 packet with share level security (which
> we used to do).

I have no idea how share level security works in SMB2.  Probably something I
should learn.

Chris -)-----

-- 
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org
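
The negprot bit discussed in this message is bit 0x01 of the SecurityMode field in the SMB1 negotiate response. As an added example (not part of the original message and not Samba code), this decodes it from a response so you can audit which mode a server imposes; the function names and sample bytes are constructed, and the input is assumed to start at the SMB header with the NetBIOS session header stripped.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_FLAGS_REPLY = 0x80
HEADER_LEN = 32
# SecurityMode bits in the negotiate response (MS-CIFS)
USER_LEVEL = 0x01         # set: user-level security, clear: share-level
ENCRYPT_PASSWORDS = 0x02  # set: challenge/response authentication


def negprot_security(msg: bytes) -> dict:
    """Decode what the server decreed in an SMB1 negotiate response."""
    # Assumption: msg starts at the 0xFF 'SMB' magic (NetBIOS header stripped).
    if len(msg) <= HEADER_LEN or msg[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    if msg[4] != SMB_COM_NEGOTIATE or not msg[9] & SMB_FLAGS_REPLY:
        raise ValueError("not a negotiate response")
    word_count = msg[HEADER_LEN]
    params = msg[HEADER_LEN + 1:HEADER_LEN + 1 + 2 * word_count]
    if word_count not in (1, 13, 17) or len(params) != 2 * word_count:
        raise ValueError("unexpected or truncated parameter block")
    dialect_index = struct.unpack_from("<H", params, 0)[0]
    if dialect_index == 0xFFFF:
        raise ValueError("server accepted none of the offered dialects")
    if word_count == 17:      # NT LM 0.12: SecurityMode is one byte
        mode = params[2]
    elif word_count == 13:    # LAN Manager dialects: 16-bit SecurityMode
        mode = struct.unpack_from("<H", params, 2)[0]
    else:                     # core protocol: no field, share-level only
        mode = 0
    return {
        "dialect_index": dialect_index,
        "level": "user" if mode & USER_LEVEL else "share",
        "encrypted_passwords": bool(mode & ENCRYPT_PASSWORDS),
    }


def constructed_response(word_count: int, params: bytes) -> bytes:
    """Build a minimal reply for the demo (constructed, not a capture)."""
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + bytes(4)
    header += bytes([SMB_FLAGS_REPLY]) + bytes(22)
    return header + bytes([word_count]) + params + bytes(2)  # ByteCount = 0


if __name__ == "__main__":
    share = constructed_response(17, struct.pack("<HB", 5, 0x02) + bytes(31))
    user = constructed_response(17, struct.pack("<HB", 5, 0x03) + bytes(31))
    for name, msg in (("share-level", share), ("user-level", user)):
        print(name, negprot_security(msg))
```

The result applies to the whole SMB1 session, since the mode is set per session and not per share.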

