Authentication and 'security =' changes
David Collier-Brown
davecb at canada.sun.com
Mon Nov 12 05:38:12 GMT 2001
Andrew Bartlett wrote:
> So we probably will need to add some logic to testparm to avoid
> foot-shooting, but I think it is a worthwhile addition.
Er, could someone add my proposed self-check
patch first?
>
> The change will involve killing security = server and security = domain,
> and creating an 'authentication order = ....'. The 'use rhosts'
> parameter will also disappear.
Sounds like a decent 3.0-era change.
I would suggest:
    if (security = x && authentication order = y)
        if (x != y)
            fail horribly
        else
            warn at a high log level (0? 1?)
    if (security = x && no authentication order)
        compose an authentication order
        warn at a moderate log level (1?)
> Possible authentication methods will include:
>
> rhosts
> hostsequiv
both are somewhat insecure (;-))
> sam
> unix
> local -- a combination of SAM and Unix, depending on encryption.
if this is like pam, you can say that directly
> server -- old security = server
I'd use a more specific term, like
win9x stupid compatibility protocol (;-))
> domain -- old security = domain
ditto
> As such things *will break* after the introduction of this parameter. I
> won't do compatibility measures at this time, but we may need to for the
> 3.0 release.
>
The technique is not hard, just not well-known.
Solved problem in computer science from just
before Unix was written, actually (;-)).
--dave (it wasn't in, still!) c-b
--
David Collier-Brown, | Always do right. This will gratify
Americas Customer Engineering, | some people and astonish the rest.
SunPS Integration Services. | -- Mark Twain
(905) 415-2849 | davecb at canada.sun.com
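
The self-check sketched in the message above, written out in C as an added example; it is not part of the original post and not Samba's code. Assumptions: the names `check_auth_config`, `legacy_to_order` and `enum check_result` are hypothetical, only the `server` and `domain` mappings named in the thread are covered, the proposed 'authentication order' is treated as a single method, and level 0 is picked for the "both set" warning.

```c
#include <ctype.h>
#include <stdio.h>

/* Outcomes of the self-check sketched in the message above. */
enum check_result { CHECK_OK, CHECK_WARN_BOTH, CHECK_COMPOSED, CHECK_CONFLICT };

/* Case-insensitive equality, since smb.conf values are not case-sensitive. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Assumed mapping: only the two legacy values the thread names are covered. */
static const char *legacy_to_order(const char *security)
{
    if (security && ieq(security, "server")) return "server";
    if (security && ieq(security, "domain")) return "domain";
    return NULL;
}

/* security, auth_order: raw parameter values, NULL when unset. *effective gets the
 * order to use (NULL: refuse the config); *log_level the warning level (-1: none). */
enum check_result check_auth_config(const char *security, const char *auth_order,
                                    const char **effective, int *log_level)
{
    const char *composed = legacy_to_order(security);
    *effective = auth_order;
    *log_level = -1;
    if (composed == NULL) return CHECK_OK;  /* unset or unmapped: no legacy rule */
    if (auth_order == NULL) {               /* legacy only: compose, warn at 1 */
        *effective = composed;
        *log_level = 1;
        return CHECK_COMPOSED;
    }
    *log_level = 0;                         /* both set: always logged at level 0 */
    if (!ieq(composed, auth_order))
        *effective = NULL;                  /* contradictory settings: fail */
    return *effective ? CHECK_WARN_BOTH : CHECK_CONFLICT;
}

int main(void)
{
    const char *eff;
    int lvl, r = check_auth_config("domain", NULL, &eff, &lvl);
    printf("result=%d order=%s level=%d\n", r, eff ? eff : "(none)", lvl);
    return 0;
}
```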