Deleting parameters.

Gerald (Jerry) Carter jerry at
Mon Nov 12 05:33:01 GMT 2001

On Mon, 12 Nov 2001, Andrew Bartlett wrote:

> > OK.  I'll play devil's advocate here.  Have you asked?  Or are we
> > assuming?  Now I will also point out, as I did to Andrew B.,
> > that removing the --with-krb5 option removes certain functionality
> > that I do not think can be supported in 3.0.  Namely, logons
> > using Kerberos from non-win2000 clients with a non-PAM server
> > (which there are many).
> Yes, that problem bothers me.  I think we will end up with a new
> solution that uses the new kerberos code that is complementary to the
> existing design.  I intend to allow PAM (and possibly krb5-plaintext)
> to be configured at runtime, rather than at compile time.  This is
> actually quite practical with the new auth code.

You know, I'm glad to hear you say this.  This is the first time
I've heard anyone mention this plan.  Will it be done in time for 3.0? :-)

> > > 2) they only work with plaintext passwords on the wire, which means
> > >    they need client hacks
> >
> > So? What is the point here?  People who logon against NIS or /etc/passwd
> > for convenience do the same thing.
> And we still allow rhosts and hostsequiv.  But how many sites:  a) have
> a security policy such that they run kerberos.  b) Allow cleartext
> passwords on their network.  c) Run an OS that *can't* support PAM
> (installing PAM does not mandate its use for /bin/login, and FreeBSD now
> supports it) and d) have made the client hacks?

My point was simply that voiding something because it required
client side changes was a weak argument.  People do it all the time.

cheers, jerry
