Changing security parameters

Andrew Bartlett abartlet at pcug.org.au
Sun Nov 11 21:51:26 GMT 2001


"Gerald (Jerry) Carter" wrote:
> 
> On Sat, 10 Nov 2001, Jeremy Allison wrote:
> 
> > Andrew,
> >
> >       I've been thinking about the security parameters
> > change and I don't think we can remove the "security = "
> > parameter, we need to support it in legacy mode.
> >
> > The way we'd do this is to allow it in smb.conf, and
> > then translate it internally to a setting of the new
> > parameters that has exactly the same effect as it
> > does now.
> >
> > I'm sure Dave CB will agree with me, so many people are
> > familiar with the "security=" stuff that we can't just
> > remove support for it, but must allow its use into the
> > foreseeable future as a legacy option.
> 
> One thing I just thought about is that this will pretty
> much void all the existing Samba docs (printed, online, in
> our cvs tree).  Is it really that big of an advantage
> to remove security = [domain|server]?  Why not keep these
> and add the "auth order" parameter?

I think the extra flexibility is worth it in the long run.

Why should a server configured (well, it does take some skill) in
security=share not be able to push those passwords off to a remote SMB
or NT server?

Apart from the number of times the various random passwords are checked,
it can actually work...

Also, when we get AD support in Samba, we will need to be able to
support both that and normal remote domain stuff and/or local SAM
stuff.  Care to express that in terms of security=?

I think the current intent of 'security=' is best expressed as 'server
role'.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net



