Authentication and 'security =' changes
Andrew Bartlett
abartlet at pcug.org.au
Sat Nov 10 03:13:01 GMT 2001

We are on the verge of getting pluggable authentication backends in Samba
(HEAD branch). This will allow a few things, including:

- the *very* ugly ('interactive' domain logons being referred to a
remote password server using what was 'security = server')
- the very fast (domain logons being passed via the new
winbind_auth_crap mechanism for DC connection caching)
- the very flexible (list your authentication backends in any order, no
more 'security = server', instead you choose if you want rhosts, sam,
domain or domain, sam, server or whatever)
- the very pluggable (adding loadable module support will be trivial)
- and the plain & ordinary (standard local SAM based authentication)

So we probably will need to add some logic to testparm to avoid
foot-shooting, but I think it is a worthwhile addition.
The change will involve killing security = server and security = domain,
and creating an 'authentication order = ....'. The 'use rhosts'
parameter will also disappear.
Possible authentication methods will include:
rhosts
hostsequiv
sam
unix
local -- a combination of SAM and Unix, depending on encryption.
server -- old security = server
domain -- old security = domain
winbind -- authentication via winbind cached connections to the DC. Not
for serious use, mainly as an example module. Possible minor advantage
in a benchmark.
And any new methods that people care to contribute.
As such things *will break* after the introduction of this parameter. I
won't do compatibility measures at this time, but we may need to for the
3.0 release.
Jerry: How best to document this? I don't want to put it in the 2.2
doco (even with 'this is only in 3.0') because the changes are a little
too radical, and we will confuse users. Any ideas?
In any case, I'm yet to finish and test the code, so don't panic yet...
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Samba Team member, Build Farm maintainer abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net