PROPOSAL: deprecate plaintext password support (in SMB1) for 4.11?

Andrew Bartlett abartlet at samba.org
Wed Sep 4 08:23:27 UTC 2019


It is quite late for Samba 4.11, but I wondered what folks would think
of marking 'encrypt passwords' as deprecated so we can consider
removing this code in Samba 4.12 (e.g. master) later this year?

This would dovetail with the SMB1 deprecation effort and I hope also
help find users who can't live without this (because SMB2 doesn't have
this at all).  

I'm unclear if this even works, given bugs like:
https://bugzilla.samba.org/show_bug.cgi?id=9705

If this is supported I'll polish up the attached patch and then write a
WHATSNEW for 4.11.

It doesn't commit us to doing anything in master / 4.12 (and we might
want to wait till closer to the end of the year for feedback), but I
took a stab at seeing what it might allow us to remove and this was the
diffstat (and there is probably more if we tried):

 /docs-xml/smbdotconf/security/encryptpasswords.xml  |   43 -
 b/docs-xml/smbdotconf/security/encryptpasswords.xml |    4 
 b/lib/replace/wscript                               |    1 
 b/source3/auth/auth.c                               |    9 
 b/source3/auth/pampass.c                            |  132 ---
 b/source3/auth/proto.h                              |   14 
 b/source3/auth/wscript_build                        |    8 
 b/source3/param/loadparm.c                          |    1 
 b/source3/smbd/globals.h                            |    1 
 b/source3/smbd/negprot.c                            |   62 -
 b/source3/smbd/reply.c                              |    6 
 b/source3/smbd/sesssetup.c                          |  104 --
 b/source3/utils/testparm.c                          |   26 
 b/source3/wscript                                   |    1 
 b/source3/wscript_build                             |    1 
 b/source4/auth/ntlm/wscript_build                   |    8 
 b/source4/smb_server/smb/negprot.c                  |   63 -
 b/source4/smb_server/smb_server.h                   |    3 
 lib/replace/crypt.c                                 |  770 --------------------
 source3/auth/auth_unix.c                            |  104 --
 source3/auth/pass_check.c                           |  294 -------
 source4/auth/ntlm/auth_unix.c                       |  769 -------------------
 22 files changed, 70 insertions(+), 2354 deletions(-)

What do folks think?

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba




