Deprecate auth parameters in 3.6, remove in master?

TAKAHASHI Motonobu monyo at monyo.com
Fri Jan 28 09:01:33 MST 2011


2011/1/28 Andrew Bartlett <abartlet at samba.org>:
> On Fri, 2011-01-28 at 11:58 +0100, Björn Jacke wrote:
>> > encrypt passwords = no
>>
>> not sure how many people actually still use this. I think I'd like to keep
>> this.
>
> The point with the plaintext password code is that it performs a
> server-side brute force attack (see password level) on the plaintext
> password (due to case sensitivity), and just does not work properly with
> Windows clients (almost any) due to lack of caching (causing really
> weird reconnect failure) and the need to set registry hacks.  So it is
> both a security risk and a
>
> There certainly are users of this, but we need to move them to other
> more secure solutions to their needs, and that starts by marking it as
> deprecated.

Sharity-Light is one product using a plain text password to access an
SMB server. Sharity-Light is included in the Ports of *BSD.

If LMCompatibilitylevel < 4, then a plain text password is supported at the
SMB server.

>> > auth methods
>>
>> not sure ...

By manipulating "auth methods", we can control the auth order between domain
users and local users.

For example, setting
"auth methods = guest sam winbind:ntdomain sam_ignoredomain"
on a server joined to a domain, the authentication behavior becomes compatible
with the Samba 2.2 series, like

 1) at first try to auth as a domain user
 2) if failed, then try to auth as a local user

And if we want to use the "script" module and the auth_script:script parameter,
explicitly setting "auth methods" is required, although I'm not sure
how many users need this parameter...

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>
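
The "password level" behaviour referred to in the quoted reply, modelled as an added example (not part of the original message and not Samba's code). It assumes the semantics given in the smb.conf documentation, where level N allows up to N upper-case characters in the variants tried; the function names are hypothetical.

```python
from itertools import combinations
from math import comb
import string


def _letter_positions(text):
    """Indexes of ASCII letters, the only characters whose case is varied."""
    return [i for i, ch in enumerate(text) if ch in string.ascii_letters]


def candidates(submitted, level):
    """Yield the lower-cased password, then every variant with up to
    `level` letters upper-cased (assumed model of 'password level')."""
    base = submitted.lower()
    letters = _letter_positions(base)
    for k in range(min(level, len(letters)) + 1):
        for positions in combinations(letters, k):
            chars = list(base)
            for i in positions:
                chars[i] = chars[i].upper()
            yield "".join(chars)


def candidate_count(submitted, level):
    """Closed form for the number of variants: sum of C(n, k), k = 0..level."""
    n = len(_letter_positions(submitted))
    return sum(comb(n, k) for k in range(min(level, n) + 1))


def accepts(stored, submitted, level):
    """True if the exact password or any generated variant matches."""
    return submitted == stored or stored in candidates(submitted, level)


if __name__ == "__main__":
    # Constructed sample: a client that upper-cases the password on the wire.
    for level in (0, 1, 2, 4):
        print(level, candidate_count("FRED", level),
              accepts("FRed", "FRED", level))
```

Each extra level multiplies the comparisons done per login attempt and widens the set of submitted strings that match one stored password, which is the cost side of keeping `encrypt passwords = no` working.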

