security = server

John H Terpstra jht at Samba.Org
Fri Jun 17 22:33:02 GMT 2005

On Friday 17 June 2005 16:12, Andrew Bartlett wrote:
> On Fri, 2005-06-17 at 15:54 -0600, John H Terpstra wrote:
> > Folks,
> >
> > At what point do we propose to drop support for server-mode security?
> >
> > I'd like to make a note about this in the HOWTO. Several people have
> > asked over the past year, so it might be a good thing(TM) to drop this
> > sooner than later.
> >
> > Any reaction to dropping this?
> security=server should be discouraged, but I do not intend to drop it
> from Samba4, going forward.
> This mode of operation (the active MITM attack) has it's problems, but
> where you do not have the active cooperation of domain admin, there are
> few other options.  (And some people really are in the situation where
> the central admins don't mind password checks, much like 'ldap
> authentication', but won't give out domain member accounts).
> In Samba3, with clients later than NT4 are actually quite reliable with
> security=server, because the use of NTLMSSP (extended security, SPNEGO)
> removes the need for the long-term connection to the DC.

Thanks. I appreciate the clarification.

- John T.

More information about the samba-technical mailing list