Deprecate auth parameters in 3.6, remove in master?

Andrew Bartlett abartlet at samba.org
Fri Jan 28 14:29:49 MST 2011


On Sat, 2011-01-29 at 01:01 +0900, TAKAHASHI Motonobu wrote:
> 2011/1/28 Andrew Bartlett <abartlet at samba.org>:
> > On Fri, 2011-01-28 at 11:58 +0100, Björn Jacke wrote:
> >> > encrypt passwords = no
> >>
> >> not sure how many people actually still use this. I think I'd like to keep
> >> this.
> >
> > The point with the plaintext password code is that it performs a
> > server-side brute force attack (see password level) on the plaintext
> > password (due to case sensitivity), and just does not work properly with
> > Windows clients (almost any) due to lack of caching (causing really
> > weird reconnect failure) and the need to set registry hacks.  So it is
> > both a security risk and a
> >
> > There certainly are users of this, but we need to move them to other
> > more secure solutions to their needs, and that starts by marking it as
> > deprecated.
> 
> Sharity-Light is one product using a plain text password to access an
> SMB server. Sharity-Light is included in Ports of *BSD.
> 
> If LMCompatibilitylevel < 4, then plain text password is supported at the
> SMB server.

I agree that there are tools that can still use plain text, but I don't
know of any that can't at least do LM authentication, and even that is
incredibly insecure.  We should simply not support such insecure
protocols. 

> >> > auth methods
> >>
> >> not sure ...
> 
> By manipulating "auth methods", we can control the auth order between domain
> users and local users.
> 
> For example, setting "auth methods = guest sam winbind:ntdomain
> sam_ignoredomain"
> on a server joined to a domain, the authentication behavior becomes compatible
> with the Samba 2.2 series, like
> 
>  1) at first try to auth as a domain user
>  2) if failed, then try to auth as a local user
> 
> And if we want to use the "script" module and the auth_script:script parameter,
> explicitly setting "auth methods" is required, although I'm not sure
> how many users need this parameter...

Thanks for the example.  I don't expect to remove this functionality
totally, but I'm interested in moving it to a per server-role pattern,
and probably changing some of the internal module names etc.  Unlike the
other parameters I mention, I don't propose to remove this knob
entirely, but I would like to deprecate the current parameter and
syntax. 

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
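As an added example (not code from this thread or from Samba itself), a small Python audit that parses a constructed smb.conf and flags the [global] settings the thread proposes to deprecate: "encrypt passwords = no", a non-zero "password level", and an explicit "auth methods" line. It relies on Samba's documented handling of parameter names (case and internal whitespace are ignored) and of "#"/";" comment lines.

```python
import re

# Constructed sample smb.conf (not from the thread); it carries the
# settings under discussion so the audit has something to flag.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   security = domain
   # plaintext auth: deprecated per the thread
   Encrypt Passwords = no
   password level = 4
   ; explicit auth order (domain first, then local)
   auth methods = guest sam winbind:ntdomain sam_ignoredomain

[homes]
   browseable = no
"""

def parse_smb_conf(text):
    """Return {section: {normalised_param: value}}.

    Samba ignores case and internal whitespace in parameter names and
    treats lines starting with '#' or ';' as comments.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        sections[current][re.sub(r"\s+", "", name).lower()] = value.strip()
    return sections

def audit_auth_settings(conf):
    """Flag the [global] settings discussed in the thread; returns a list of strings."""
    g = conf.get("global", {})
    findings = []
    if g.get("encryptpasswords", "yes").lower() in ("no", "false", "0"):
        findings.append("encrypt passwords = no: plaintext SMB passwords accepted")
    level = g.get("passwordlevel", "0")
    if level.isdigit() and int(level) > 0:
        findings.append(f"password level = {level}: server tries case permutations of plaintext passwords")
    if "authmethods" in g:
        findings.append(f"auth methods explicitly set: {g['authmethods']}")
    return findings
```

Run it against a real file by passing `open("/etc/samba/smb.conf").read()` to `parse_smb_conf`; a clean file with encrypted passwords and no explicit auth order returns an empty list.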
