[Samba] Impending Removal of --with-ssl
Nathan Lutchansky
lutchann at litech.org
Sun May 5 07:09:03 GMT 2002
On Sun, May 05, 2002 at 02:50:13AM -0700, abartlet at samba.org wrote:
> On Sat, May 04, 2002 at 11:22:41PM -0400, Nathan Lutchansky wrote:
> >
> > 1) Can we assume that Microsoft will never include SSL functionality in
> > their Windows clients? Does MS have some other method of providing
> > transport security instead? If the answers are "yes" and "yes", then
> > I'd say it is safe to remove. Otherwise it might feel silly to add SSL
> > back when some XP service pack adds SSL functionality later on.
>
> yes on both counts. Message authentication and encryption are available in the
> CIFS protocol, and are detailed in the SNIA Technical Reference (not to
> be confused with the MS Technical Reference)

Oh. Well, that sounds like the way to go in the future. I hope it is not
as ugly to implement as SSL.

> > 2) I'd started a project to authenticate users SMB clients based on client
> > SSL certificates. If --with-ssl is removed, SSL authentication can
> > still be done with wrappers and LIBSMB_PROG, but the server wrapper
> > would somehow need to pass authentication information to Samba. The
> > easiest way is to setreuid to the target user before execing smbd, but
> > can smbd handle this? What happens if smbd is started (without -D) as
> > some user other than root? -Nathan
>
> Samba expects this, and allows become_user() calls to 'fail' but still
> requires passwords as before. You could write a new authentication module
> that implements your requirements quite trivially. (And use environment
> variables or the like to pass the state info along).

OK, I'll look into this when I have time to get back to that project.
Thanks for the hint.

I don't see any reason to keep SSL support in Samba then. -Nathan
--
+-------------------+---------------------+------------------------+
| Nathan Lutchansky | lutchann at litech.org | Lithium Technologies |
+------------------------------------------------------------------+
| I dread success. To have succeeded is to have finished one's |
| business on earth... I like a state of continual becoming, |
| with a goal in front and not behind. - George Bernard Shaw |
+------------------------------------------------------------------+