[PROPOSAL] Remove password level (or all plaintext passwords?) for 4.1

Andrew Bartlett abartlet at samba.org
Thu May 23 16:21:44 MDT 2013


On Thu, 2013-05-23 at 10:09 -0400, yaberger at ca.ibm.com wrote:
> Hi,
> 
> We are using Samba 3.6.x on AIX.
> We use Samba mainly for its file-server feature to share DFS, GPFS and 
> JFS2 filesystems.
> We need users to authenticate with DCE to be able to access their DFS 
> resources.
> To do so, we build Samba 3.x with pam (--with-pam).
> Our /etc/pam.conf has samba entries to use /usr/lib/security/pam_aix.
> Password encryption needs to be disabled on both the Samba server and on 
> the clients.
> 
> We are currently in a transition from DFS to GPFS and from DCE to a 
> LDAP/KRB5 solution using TDS/NAS.
> But until we are completely out of DCE/DFS, we need to keep our Samba
> file-server with "encrypt passwords = no" (maybe even "client lanman auth
> = Yes" and "client plaintext auth = Yes") and our clients set the same
> way.
> We will be looking in the upcoming months/years (before you stop providing
> security fixes for 3.6) to upgrade to Samba 4.x (file-server only) so we
> hope to be able to use it in our current environment if we're not done
> with our DCE/DFS migration.
> 
> Conclusion
> My understanding is that your proposal will remove the possibility to use
> non-encrypted passwords and pam (maybe pam has already been removed from
> Samba 4.0.x, I haven't looked yet).
> So the impact will depend on how long Samba 3.6 and/or Samba 4.0 will be 
> supported for security fixes.

Thanks for the background.  Your site is one of the few that I'm aware
of using plaintext passwords, and it's helpful to know you still need
it.  What are your clients in this case, and do you use the password
level parameter, or expect samba to upper or lower case the password for
you?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



