Authentication and 'security =' changes
abartlet at pcug.org.au
Sat Nov 10 03:13:01 GMT 2001
We are on the verge of getting pluggable authentication backends in Samba
(HEAD branch). This will allow a few things, including:
- the *very* ugly ('interactive' domain logons being referred to a
remote password server using what was 'security = server')
- the very fast (domain logons being passed via the new
winbind_auth_crap mechanism for DC connection caching)
- the very flexible (list your authentication backends in any order, no
more 'security = server'; instead you choose if you want rhosts, sam,
domain or domain, sam, server or whatever)
- the very pluggable (adding loadable module support will be trivial)
- and the plain & ordinary (standard local SAM based authentication)
So we probably will need to add some logic to testparm to avoid
foot-shooting, but I think it is a worthwhile addition.
The change will involve killing security = server and security = domain,
and creating an 'authentication order = ....'. The 'use rhosts'
parameter will also disappear.
Possible authentication methods will include:
local -- a combination of SAM and Unix, depending on encryption.
server -- old security = server
domain -- old security = domain
winbind -- authentication via winbind cached connections to the DC. Not
for serious use, mainly as an example module. Possible minor advantage
in a benchmark.
And any new methods that people care to contribute.
As such, things *will break* after the introduction of this parameter. I
won't do compatibility measures at this time, but we may need to for the
Jerry: How best to document this? I don't want to put it in the 2.2
doco (even with 'this is only in 3.0') because the changes are a little
too radical, and we will confuse users. Any ideas?
In any case, I'm yet to finish and test the code, so don't panic yet...
Andrew Bartlett abartlet at pcug.org.au
Samba Team member, Build Farm maintainer abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net