Authentication and 'security =' changes

Andrew Bartlett abartlet at pcug.org.au
Sat Nov 10 03:13:01 GMT 2001


We are on the verge of getting pluggable authentication backends in Samba
(HEAD branch).  This will allow a few things, including:

 - the *very* ugly ('interactive' domain logons being referred to a
remote password server using what was 'security = server')
 - the very fast (domain logons being passed via the new
winbind_auth_crap mechanism for DC connection caching)
 - the very flexible (list your authentication backends in any order, no
more 'security = server'; instead you choose if you want rhosts, sam,
domain or domain, sam, server or whatever)
 - the very pluggable (adding loadable module support will be trivial)
 - and the plain & ordinary (standard local SAM based authentication)

So we probably will need to add some logic to testparm to avoid
foot-shooting, but I think it is a worthwhile addition.

The change will involve killing security = server and security = domain,
and creating an 'authentication order = ....'.  The 'use rhosts'
parameter will also disappear.

Possible authentication methods will include:

rhosts
hostsequiv
sam
unix
local -- a combination of SAM and Unix, depending on encryption.
server -- old security = server
domain -- old security = domain
winbind -- authentication via winbind cached connections to the DC.  Not
for serious use, mainly as an example module.  Possible minor advantage
in a benchmark.

And any new methods that people care to contribute.

As such, things *will break* after the introduction of this parameter.  I
won't do compatibility measures at this time, but we may need to for the
3.0 release.

Jerry:  How best to document this?  I don't want to put it in the 2.2
doco (even with 'this is only in 3.0') because the changes are a little
too radical, and we will confuse users.  Any ideas?

In any case, I'm yet to finish and test the code, so don't panic yet...

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Samba Team member, Build Farm maintainer        abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net



