[Samba] Impending Removal of --with-ssl

abartlet at samba.org abartlet at samba.org
Sun May 5 02:51:01 GMT 2002

On Sat, May 04, 2002 at 11:22:41PM -0400, Nathan Lutchansky wrote:
> On Fri, May 03, 2002 at 07:56:43AM -0700, abartlet at samba.org wrote:
> > 
> > --with-ssl allows Samba to tunnel SMB inside an SSL connection.  Unfortunetly
> > there are only 2 clients:  smbclient and sharity.  Windows clients simply
> > don't know how to use SSL.
> Two things:
> 1) Can we assume that Microsoft will never include SSL functionality in
>    their Windows clients?  Does MS have some other method of providing
>    transport security instead?  If the answers are "yes" and "yes", then 
>    I'd say it is safe to remove.  Otherwise it might feel silly to add SSL 
>    back when some XP service pack adds SSL functionality later on.

yes on both counts.  Message authenticaion and encryption are available in the 
CIFS protocol, and are detailed in the SNIA Technical Reference (not to
be confused with the MS Technical Reference)

> 2) I'd started a project to authenticate users SMB clients based on client
>    SSL certificates.  If --with-ssl is removed, SSL authentication can 
>    still be done with wrappers and LIBSMB_PROG, but the server wrapper 
>    would somehow need to pass authentication information to Samba.  The
>    easiest way is to setreuid to the target user before execing smbd, but
>    can smbd handle this?  What happens if smbd is started (without -D) as
>    some user other than root?  -Nathan

Samba expects this, and allows become_user() calls to 'fail' but still 
requires passwords as before.  You could write a new authentication module
that implments your requirements quite trivially.  (And use environment 
variables or the like to pass the state info along).

Andrew Bartlett

More information about the samba-technical mailing list