Authenticaion and 'security =' changes

David Collier-Brown davecb at
Mon Nov 12 05:38:12 GMT 2001

Andrew Bartlett wrote:
> So we probably will need to add some logic to testparm to avoid
> foot-shooting, but I think it is a worthwhile addition.

	Er, could someone add my proposed self-check
	patch first?  
> The change will involve killing security = server and security = domain,
> and creating an 'authentication order = ....'.  The 'use rhosts'
> parameter will also disappear.

	Sounds like a decent 3.0-era change.

	I would suggest:
	if (security = x && authentication order = y)
		if (x != y)
			fail horribly
			warn at a high log level (0? 1?)
	if (security = x && no authentication order)
		compose an authentication order
		warn at a moderate log level (1?)
> Possible authentication methods will include:
> rhosts
> hostsequiv
		both are somewhat insecure (;-))
> sam
> unix
> local -- a combination of SAM and Unix, depending on encryption.
		if this is like pam, you can say that direcly
> server -- old security = server
		I'd use a more specific term, like 
		win9x stupid compatability protocol (;-))

> domain -- old security = domain

> As such things *will break* after the introduction of this parameter.  I
> won't do compatibility measures at this time, but we may need to for the
> 3.0 release.
	The technique is not hard, just not well-known.
	Solved problem in computer science from just
	before Unix was written, actually (;-)).

--dave (it wasn't in, still!) c-b
David Collier-Brown,           | Always do right. This will gratify 
Americas Customer Engineering, | some people and astonish the rest.
SunPS Integration Services.    |                      -- Mark Twain
(905) 415-2849                 | davecb at

More information about the samba-technical mailing list