kill security=share and security=server

simo idra at samba.org
Mon May 14 12:08:59 MDT 2012


On Mon, 2012-05-14 at 12:37 -0400, David Collier-Brown wrote: 
> On 05/14/2012 12:01 PM, Jeremy Allison wrote:
> > On Sat, May 12, 2012 at 12:56:20PM +0200, Stefan (metze) Metzmacher wrote:
> >> Hi,
> >>
> >>>> Does Windows7 supports that, if not we should get rid of it.
> >>>> And I'd also love to get rid of security=server
> >>>> and auth/auth_server.c
> >>> Yes, please deprecate that too.  There are more users of security=server
> >>> (SMB servers running without IT authorization in large companies), but
> >>> we need to put the signal out there that this isn't the right way to
> >>> handle the problem, even if we renege on removing the feature in future.
> >> Now where we removed security=share support, I think we should
> >> also remove security=server.
> >>
> >> I'd like to push the following patches...
> > +1 from me !
> >
> > Jeremy.
> >
> One remaining use of security=server is in companies where one part of
> the IT department will not grant permission to another part of the
> department to have member servers. 
> 
> Is it a good idea? No, but consider the alternative (:-))

It's always a bad idea.

> Of course, if there's a better way to get around the problem, then I
> *entirely* agree.

There are many alternatives, if there is a trust problem people can use
trusted domains to segregate administration. Using MITM techniques to
fool another department is simply wrong.

If you can't come to agreement use normal password an point users to the
party in the wrong about why they are being inconvenienced.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>



More information about the samba-technical mailing list