security = server

Andrew Bartlett abartlet at samba.org
Fri Jun 17 22:12:06 GMT 2005


On Fri, 2005-06-17 at 15:54 -0600, John H Terpstra wrote:
> Folks,
> 
> At what point do we propose to drop support for server-mode security?
> 
> I'd like to make a note about this in the HOWTO. Several people have asked 
> over the past year, so it might be a good thing(TM) to drop this sooner than 
> later.
> 
> Any reaction to dropping this?

security=server should be discouraged, but I do not intend to drop it
from Samba4, going forward.  

This mode of operation (the active MITM attack) has its problems, but
where you do not have the active cooperation of domain admin, there are
few other options.  (And some people really are in the situation where
the central admins don't mind password checks, much like 'ldap
authentication', but won't give out domain member accounts).

In Samba3, clients later than NT4 are actually quite reliable with
security=server, because the use of NTLMSSP (extended security, SPNEGO)
removes the need for the long-term connection to the DC.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net