inspired by the web server in Samba 4

Andrew Tridgell tridge at osdl.org
Wed Jun 8 03:26:05 GMT 2005


Jason.

 > That doesn't follow. If you are "doing" SSL then that means you must be 
 > generating self-signed certs. There's nothing to stop you using Apache, 
 > and checking for the presence of a working HTTPS during install, and - 
 > well - generating a self-signed cert for Apache if there isn't.

There is nothing to stop this except the logistics of it! Show me a
script that does this in a _portable_ way. So that on AIX, HPUX, IRIX,
Linux, *BSD and every other OS out there with different install paths
for all the tools and different command line syntax you actually get
this to work out of the box every single time.

Give me that script and I'll run it on my little farm of various
oddball OSes I have here at home. I'll be very surprised if it works
on any of them at all.

I have sat watching while inexperienced admins try to set up a secure
web server. The pain is excruciating. The various standard tools do
not make this easy.

Then of course you have the issue that Samba cannot be installed
without Apache. So someone wanting a file server has to learn how to
be a web administrator too.

The whole world is not Linux. I love using Linux, but I know that lots
of our users are stuck with systems where package management is still
extremely hit and miss.

 > From what I can see, there's normally 2-3 autogenerated, self-signed 
 > certs lying around on every freshly installed Linux box as it is anyway 
 > - you could always just grab one of those ;-)

What, call 'locate .pem' and copy a random file in? What a wonderful
idea. Or perhaps you want us to do a "find / -name '*.pem'"?

 > Still, a small setuid root program that sits behind Apache should be 
 > more secure than having a new Samba service. I mean - it'd be less code 
 > for a start... And all Web-based security issues would be Apache's fault 
 > - not Samba's... [that's it - move the blame! ;-)]

Less code? The 'it's just a cgi program' in Samba3 is 40% more lines of
code than the whole Samba4 web server. And the Samba3 code doesn't
have any TLS or session support.

Cheers, Tridge

