Samba Feature Usage: Does anybody use these options? Can we kill them?

Rafal Szczesniak mimir at
Tue Nov 13 14:50:01 GMT 2001

Do you think I should ask also polish users these questions ? They are
not necessarily subscribed to samba at ;)

On Mon, 12 Nov 2001, Andrew Bartlett wrote:

> As part of the effort towards Samba 3.0, a number of features have
> disappeared.  This message is intended to gauge the reaction that would
> occur if Samba 3.0 was released with these features still absent.
> Users who need these features should indicate exactly how vital they
> feel they are, and (if possible) the effort they would be able to put
> into reimplementing/supporting/testing it if it was reintroduced.
> --with-krb4
> This option has been dropped.  It is unknown if this is being used, and
> its testing status is unknown.  It has been dropped to reduce confusion,
> but can be restored with relative ease.
> --with-krb5
> The old-style krb5 plain text password support has been dropped to make
> way for our new *real* Kerberos support, particularly as used by Active
> Directory.
> The best way to use plain text passwords and Kerberos is the pam_krb5
> module.  Samba supports this via the --with-pam option.  This is a much
> more secure (service ticket verification prevents kdc spoofing) and much
> better debugged solution to the problem space.
> Again, this can be restored with relative ease, but I don't want users
> to think they need this for the new Active Directory support.  It also
> conflicts with --with-pam.  If reimplemented, it would need to be as a
> authentication module, not as a pass_check.c function.
> status = no
> This parameter doesn't do anything useful, as far as I can tell, but
> probably breaks things.  It has been removed, status always = yes.
> guest account as a share level parameter.
> In an attempt to reduce code paths and simplify code, this parameter has
> become a global.  As far as I can tell, it only ever worked as a per
> service parameter when security=share, and most of these cases can be
> sorted with appropriate application of 'force user = '.
> nt smb support
> This parameter is forced = yes, there is no (known) reason to disable
> this functionality
> restrict anonymous
> This code doesn't do what its name suggests.  It provides some *very
> weird* hack whereby attempts at an anonymous session setup *after* an
> authenticated login are denied.  It is apparently to provide consistent
> %U and %G expansion.  This gets in the way of the new authentication
> code, and has been removed.  A real restriction on anonymous users
> gaining access to user & group information will be added in its place
> (possibly under a new name).
> \\server\share%user hack
> This method for specifying the user name has disappeared.  Only valid in
> share level security, this has been removed as a code-simplificaion
> exercise.  Careful reintroduction is possible, but only if it is
> *really* needed.
> Thank you for reading this, and I look forward to your feedback,
> Andrew Bartlett
> --
> Andrew Bartlett                                 abartlet at
> Manager, Authentication Subsystems, Samba Team  abartlet at
> Student Network Administrator, Hawker College   abartlet at

|Rafal 'Mimir' Szczesniak <mimir at>   |
|*BSD, Linux and Samba                                  /

More information about the samba-technical mailing list