security = server

Andrew Bartlett abartlet at samba.org
Sat Jun 18 03:09:13 GMT 2005


On Fri, 2005-06-17 at 16:33 -0600, John H Terpstra wrote:
> On Friday 17 June 2005 16:12, Andrew Bartlett wrote:
> > On Fri, 2005-06-17 at 15:54 -0600, John H Terpstra wrote:
> > > Folks,
> > >
> > > At what point do we propose to drop support for server-mode security?
> > >
> > > I'd like to make a note about this in the HOWTO. Several people have
> > > asked over the past year, so it might be a good thing(TM) to drop this
> > > sooner than later.
> > >
> > > Any reaction to dropping this?
> >
> > security=server should be discouraged, but I do not intend to drop it
> > from Samba4, going forward.
> >
> > This mode of operation (the active MITM attack) has its problems, but
> > where you do not have the active cooperation of domain admin, there are
> > few other options.  (And some people really are in the situation where
> > the central admins don't mind password checks, much like 'ldap
> > authentication', but won't give out domain member accounts).
> >
> > In Samba3, clients later than NT4 are actually quite reliable with
> > security=server, because the use of NTLMSSP (extended security, SPNEGO)
> > removes the need for the long-term connection to the DC.
> 
> Thanks. I appreciate the clarification.

I'm not sure how it applies to things like 'rabbit pellet mode', but the
mechanism is different.  I only really know about the auth end of it.

Of course, security=server relies on the client and MITM (but not origin
server) not enforcing SMB signing.  We also don't get group membership
info, or the like.  But it does, and will continue to work :-)

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
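As an added illustration (not part of this thread, and not Samba project configuration), the two Samba 3 smb.conf fragments below put the pass-through mode the thread discusses next to the domain-member alternative. The parameter names are Samba's own; the workgroup name and the host names dc1 and dc2 are constructed placeholders. Each fragment is a separate smb.conf, not one file.

```ini
# Added example, not from the thread. Two alternative Samba 3 smb.conf files.
# EXAMPLE, dc1 and dc2 are constructed placeholders.

# ---- smb.conf A: the pass-through mode the thread discusses ----
# Samba relays each client's NTLM challenge/response to a listed password
# server and accepts whatever verdict comes back. This host is the
# man-in-the-middle the thread refers to: it never holds the user's
# password hash, so it cannot derive the session key and therefore cannot
# sign or seal the session. A client that enforces SMB signing will not
# be able to use it, and no group membership information is returned.
[global]
    workgroup = EXAMPLE
    security = server
    password server = dc1 dc2

# ---- smb.conf B: domain member ----
# Needs a machine account (net rpc join), i.e. the cooperation of a
# domain admin that the thread notes is not always available. Auth runs
# over the machine's secure channel to the DC, group membership comes
# back with the verdict, and signing can be required on both sides.
[global]
    workgroup = EXAMPLE
    security = domain
    password server = *
    server signing = mandatory
    client signing = mandatory
```

The practical check is the one the thread implies: if the clients you serve are configured to require SMB signing, fragment A will stop working for them, because the server's lack of a session key is structural to the mode rather than a tuning problem.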