[Samba] Impending Removal of --with-ssl

Nathan Lutchansky lutchann at litech.org
Sun May 5 07:09:03 GMT 2002


On Sun, May 05, 2002 at 02:50:13AM -0700, abartlet at samba.org wrote:
> On Sat, May 04, 2002 at 11:22:41PM -0400, Nathan Lutchansky wrote:
> > 
> > 1) Can we assume that Microsoft will never include SSL functionality in
> >    their Windows clients?  Does MS have some other method of providing
> >    transport security instead?  If the answers are "yes" and "yes", then 
> >    I'd say it is safe to remove.  Otherwise it might feel silly to add SSL 
> >    back when some XP service pack adds SSL functionality later on.
> 
> yes on both counts.  Message authentication and encryption are available in the 
> CIFS protocol, and are detailed in the SNIA Technical Reference (not to
> be confused with the MS Technical Reference)

Oh.  Well, that sounds like the way to go in the future.  I hope it is not 
as ugly to implement as SSL.

> > 2) I'd started a project to authenticate users SMB clients based on client
> >    SSL certificates.  If --with-ssl is removed, SSL authentication can 
> >    still be done with wrappers and LIBSMB_PROG, but the server wrapper 
> >    would somehow need to pass authentication information to Samba.  The
> >    easiest way is to setreuid to the target user before execing smbd, but
> >    can smbd handle this?  What happens if smbd is started (without -D) as
> >    some user other than root?  -Nathan
> 
> Samba expects this, and allows become_user() calls to 'fail' but still 
> requires passwords as before.  You could write a new authentication module
> that implements your requirements quite trivially.  (And use environment 
> variables or the like to pass the state info along).

OK, I'll look into this when I have time to get back to that project.  
Thanks for the hint.

I don't see any reason to keep SSL support in Samba then.  -Nathan

-- 
+-------------------+---------------------+------------------------+
| Nathan Lutchansky | lutchann at litech.org |  Lithium Technologies  |
+------------------------------------------------------------------+
|  I dread success.  To have succeeded is to have finished one's   |
|  business on earth...  I like a state of continual becoming,     |
|  with a goal in front and not behind. - George Bernard Shaw      |
+------------------------------------------------------------------+