[PROPOSAL] Remove password level (or all plaintext passwords?) for 4.1
yaberger at ca.ibm.com
Thu May 23 08:09:44 MDT 2013
Hi,
We are using Samba 3.6.x on AIX.
We use Samba mainly for its file-server feature to share DFS, GPFS and
JFS2 filesystems.
We need users to authenticate with DCE to be able to access their DFS
resources.
To do so, we build Samba 3.x with pam (--with-pam).
Our /etc/pam.conf has samba entries to use /usr/lib/security/pam_aix.
Password encryption needs to be disabled on both the Samba server and on
the clients.
We are currently in a transition from DFS to GPFS and from DCE to a
LDAP/KRB5 solution using TDS/NAS.
But until they are completely out of DCE/DFS, we need to keep our Samba
file-server with "encrypt passwords = no" (maybe even "client lanman auth
= Yes" and "client plaintext auth = Yes") and our clients set the same
way.
We will be looking in the upcoming months/years (before you stop providing
security fixes for 3.6) to upgrade to Samba 4.x (file-server only) so we
hope to be able to use it in our current environment if we're not done
with our DCE/DFS migration.
Conclusion
My understanding is that your proposal will remove the possibility to use
non-encrypted passwords and pam (maybe pam has already been removed from
Samba 4.0.x, I haven't looked yet).
So the impact will depend on how long Samba 3.6 and/or Samba 4.0 will be
supported for security fixes.
Best regards,
Yannick Bergeron
450 534-7711
yaberger at ca.ibm.com
Advisory IT Specialist
Never say never, say "it depends" / Ne jamais dire jamais, dites "ça dépend"
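As an added example (not from the post above or from the Samba project): a small shell audit that flags the smb.conf options the post names, so a defender can find servers still configured for plaintext or LanMan logons before upgrading. The option names are real Samba parameters; both config texts below are constructed samples, and the hardened one only shows the same share setup with those options turned off.

```shell
# Constructed sample mirroring the settings named in the post (not a real file).
WEAK_SMB_CONF='[global]
   workgroup = EXAMPLE
   Encrypt Passwords = no
   client plaintext auth = Yes
   client lanman auth = Yes
   obey pam restrictions = yes

[homes]
   browseable = no'

# Constructed hardened counterpart: encrypted logons only, no LanMan/plaintext.
HARDENED_SMB_CONF='[global]
   workgroup = EXAMPLE
   encrypt passwords = yes
   client plaintext auth = no
   client lanman auth = no
   obey pam restrictions = yes

[homes]
   browseable = no'

# normalize_line: lower-case, squeeze blanks, trim, and drop blanks around "=",
# so "Encrypt  Passwords = No" and "encrypt passwords=no" compare equal.
normalize_line() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' \
    | sed -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' -e 's/ *= */=/'
}

# is_true: the spellings Samba accepts for a true boolean parameter.
is_true() { case "$1" in yes|true|1) return 0 ;; *) return 1 ;; esac; }

# audit_smb_conf: reads smb.conf text on stdin, prints one finding per line
# for [global] options that accept or send plaintext/LanMan passwords.
audit_smb_conf() {
  section=""
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(normalize_line "$line")
    case "$line" in
      ''|'#'*|';'*) continue ;;          # blank or comment
      '['*']') section=$line; continue ;; # [section] header
    esac
    [ "$section" = "[global]" ] || continue
    key=${line%%=*}; value=${line#*=}
    case "$key" in
      'encrypt passwords')
        if ! is_true "$value"; then echo "$key = $value: server accepts plaintext logons"; fi ;;
      'client plaintext auth'|'client lanman auth'|'lanman auth')
        if is_true "$value"; then echo "$key = $value: weak/plaintext auth enabled"; fi ;;
    esac
  done
  return 0
}

# count_findings: number of flagged lines for the config passed on stdin.
count_findings() { audit_smb_conf | wc -l | tr -d ' '; }

printf '%s\n' "$WEAK_SMB_CONF" | audit_smb_conf
```

Against a live host, feed it `testparm -s` output instead of the embedded text so defaults and includes are resolved first.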