S3 plain text to encrypted password transition

Andrew Bartlett abartlet at samba.org
Thu Jul 29 02:03:17 MDT 2010


On Thu, 2010-07-29 at 08:46 +0200, Andreas Schneider wrote:
> On Wednesday 28 July 2010 23:48:36 simo wrote:
> > > This decision is a bit
> difficult to make without seeing the
> > > code changes that are blocked by
> it. While it works and does
> > > not conflict with anything else, I would say
> keep it. If you
> > > have something in the pipeline that would become
> > >
> significantly easier if it was dropped, I think we should
> > > look more
> closely at the benefits of having either.
> > > 
> > > Does that sound
> reasonable?
> > 
> > Yes, absolutely.
> > 
> > I will let Andreas comment on that
> though.
> 
> I know that there are old clients, but this code is that a password
> gets automatically migrated to a hashed password during login. If someone
> wants to have this migrated, I think he probably did it in the past 9
> years.

Indeed.

> Well the plan is to change the auth code to use samr/lsa/netlogon
> instead of directly accessing passdb. 

I know this is the current fashion to migrate everything to IDL
interfaces, and I've seen great benefits in doing so, I'll note that
there is also a particular cost.

Some auth modules allow the challenge to be specified (this is something
that security=server does, and which modules like apple's open directory
plugin uses, as I understand it).  The netlogon API does not provide
this ability. 

I will be a little harder to get hold over the next little while, but I
would appreciate it if I could be consulted on plans to change the
structure of the auth subsystem. 

> If I have to migrate code and the
> comment says this code should die and that 9 years ago, I prefer to ask if
> this code is really needed anymore.
> 
> I can spend hours writing rpc code to
> replace this function. To be sure it works I need to test it or write a
> torture test. So I can spend a day replacing this functionality or ask if I
> can cleanup the code which is probably dead since a long time.

I agree, the 'update encrypted' should be deprcated and removed as soon
as possible, as it no longer has a plausible use case. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100729/269698ab/attachment.pgp>


More information about the samba-technical mailing list