S3 plain text to encrypted password transition
Andrew Bartlett
abartlet at samba.org
Thu Jul 29 02:03:17 MDT 2010
On Thu, 2010-07-29 at 08:46 +0200, Andreas Schneider wrote:
> On Wednesday 28 July 2010 23:48:36 simo wrote:
> > > This decision is a bit difficult to make without seeing the
> > > code changes that are blocked by it. While it works and does
> > > not conflict with anything else, I would say keep it. If you
> > > have something in the pipeline that would become
> > > significantly easier if it was dropped, I think we should
> > > look more closely at the benefits of having either.
> > >
> > > Does that sound reasonable?
> >
> > Yes, absolutely.
> >
> > I will let Andreas comment on that though.
>
> I know that there are old clients, but this code is that a password
> gets automatically migrated to a hashed password during login. If someone
> wants to have this migrated, I think he probably did it in the past 9
> years.
Indeed.
> Well the plan is to change the auth code to use samr/lsa/netlogon
> instead of directly accessing passdb.
I know this is the current fashion to migrate everything to IDL
interfaces, and I've seen great benefits in doing so, but I'll note that
there is also a particular cost.
Some auth modules allow the challenge to be specified (this is something
that security=server does, and which modules like Apple's open directory
plugin use, as I understand it). The netlogon API does not provide
this ability.
I will be a little harder to get hold of over the next little while, but I
would appreciate it if I could be consulted on plans to change the
structure of the auth subsystem.
> If I have to migrate code and the comment says this code should die
> and that 9 years ago, I prefer to ask if this code is really needed
> anymore.
>
> I can spend hours writing rpc code to replace this function. To be sure
> it works I need to test it or write a torture test. So I can spend a day
> replacing this functionality or ask if I can cleanup the code which is
> probably dead since a long time.
I agree, the 'update encrypted' should be deprecated and removed as soon
as possible, as it no longer has a plausible use case.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.