Making a big push on the end of --set-auth-user

Andrew Bartlett abartlet at samba.org
Wed May 19 01:25:12 GMT 2004


Jerry,

I've been thinking about your comments on the samba list, that we really
don't need '--set-auth-user' in all but the most exceptional networks
these days.

I think we should really make a big push on this, in the release notes
and in the documentation.  Possibly even in the default output of
'wbinfo --set-auth-user'.  

It also seems a common mistake to put the root or administrator
password into this facility.

For those who missed it, the recent work to always use schannel when
talking to our DC means that we are not bitten by 'RestrictAnonymous=1',
the level compatible with NT4 member servers.  On domains that are set
to 'RestrictAnonymous=2' (which is only supported by Win2k and above),
we use security=ads, and since the 3.0 release have used Kerberos and
the machine account to perform the initial login.

I think this means the only reason to use --set-auth-user is in complex
NT4 trust situations or if Kerberos is unavailable on your platform.

Does this sound correct?

Andrew Bartlett
-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net