[PATCH] Remove non-guest security=share from master
Andrew Bartlett
abartlet at samba.org
Wed Feb 8 05:10:40 MST 2012
Oops, I forgot to CC Kai and Motonobu Takahashi.
I would appreciate any thoughts at all on this. I know all of you have
expressed views about this issue in the past, and any comment on the
specific proposed patch would be most appreciated.
I refer specifically to the top 3 patches on:
http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/s3-secshare
Thanks,
Andrew Bartlett
On Fri, 2012-02-03 at 19:13 +1100, Andrew Bartlett wrote:
> Attached is a proposed set of patches to make 'security=server' map all
> incoming users as 'guest' accounts, which I would like to get into
> master for 4.0.
>
> The reason I'm so keen to remove security=server is because I strongly
> dislike the username guessing that has to be done to map 'per share'
> password to an account:
> /* there are several possibilities:
> 1) login as the given user with given password
> 2) login as a previously registered username with the given
> password
> 3) login as a session list username with the given password
> 4) login as a previously validated user/password pair
> 5) login as the "user =" user with given password
> 6) login as the "user =" user with no password
> (guest connection)
> 7) any member of a group specified in user= as @group
> 8) the netbios name of the client and the given password
> 9) login as guest user with no password
>
> if the service is guest_only then steps 1 to 5 are skipped
>
> Additionally I dislike this code because we do not keep the state from
> the authentication for use as the user's session info - we instead trust
> the incoming username again.
>
> Also, NTLMv2 logins, which are becoming the norm, also have many
> challenges with security=share, because as you 'guess' the username, you
> throw off that part of the hash calculation.
>
> Finally, I simply think that it is time that this old corner of the
> protocol to be put to rest, particularly as we move to SMB2 which simply
> cannot support it.
>
> I've CC'ed a number of you, my fellow developers, because I want to know
> if this patch is acceptable to you. I know you have all expressed your
> views to me on security=share in the past year that I've been talking
> about removing it. I propose this particular patch because it is
> simple, it removes some quite complex code, and the outcomes are
> predictable (guest access or no access).
>
> Kai, in addressing your concern: Users who just want to connect to
> their home server on a trusted network can still do so easily.
>
> Volker: I know you strongly feel that we cannot remove features like
> this. Does the mapping to guest address any of your concerns? Could
> you live with this feature being retired for 4.0, or if not, is there
> any part of the complexity that can be acceptably removed?
>
> Motonobu Takahashi: I understand this patch would break the complex
> configuration you posted last year, with a 'read password' and 'write
> password' for a given share. Do you think this could be acceptably
> migrated to a 'read user' and 'write user' by the time you deploy Samba
> 4.0?
>
> Thanks,
>
> Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical
mailing list