PROPOSAL: deprecate plaintext password support (in SMB1) for 4.11?

Nico Kadel-Garcia nkadel at gmail.com
Wed Sep 4 11:50:09 UTC 2019


On Wed, Sep 4, 2019 at 4:24 AM Andrew Bartlett via samba-technical
<samba-technical at lists.samba.org> wrote:
>
> It is quite late for Samba 4.11 but I wondered what folks would think
> of marking 'encrypt passwords' as deprecated so we can consider to
> remove this code in Samba 4.12 (eg master) later this year?
>
> This would dovetail with the SMB1 deprecation effort and I hope also
> help find users who can't live without this (because SMB2 doesn't have
> this at all).

It's a good idea as a behavior. But you're right that it is *really*
late in the release process. By "deprecate", do you mean deprecate in
the documentation? Or to change any software behavior?

> I'm unclear if this even works, given bugs like:
> https://bugzilla.samba.org/show_bug.cgi?id=9705
>
> If this is supported I'll polish up the attached patch and then write a
> WHATSNEW for 4.11.
>
> It doesn't commit us to doing anything in master / 4.12 (and we might
> want to wait till closer to the end of the year for feedback), but I
> took a stab at seeing what it might allow us to remove and this was the
> diffstat (and there is probably more if we tried):
>
>  /docs-xml/smbdotconf/security/encryptpasswords.xml  |   43 -
>  b/docs-xml/smbdotconf/security/encryptpasswords.xml |    4
>  b/lib/replace/wscript                               |    1
>  b/source3/auth/auth.c                               |    9
>  b/source3/auth/pampass.c                            |  132 ---
>  b/source3/auth/proto.h                              |   14
>  b/source3/auth/wscript_build                        |    8
>  b/source3/param/loadparm.c                          |    1
>  b/source3/smbd/globals.h                            |    1
>  b/source3/smbd/negprot.c                            |   62 -
>  b/source3/smbd/reply.c                              |    6
>  b/source3/smbd/sesssetup.c                          |  104 --
>  b/source3/utils/testparm.c                          |   26
>  b/source3/wscript                                   |    1
>  b/source3/wscript_build                             |    1
>  b/source4/auth/ntlm/wscript_build                   |    8
>  b/source4/smb_server/smb/negprot.c                  |   63 -
>  b/source4/smb_server/smb_server.h                   |    3
>  lib/replace/crypt.c                                 |  770 --------------------
>  source3/auth/auth_unix.c                            |  104 --
>  source3/auth/pass_check.c                           |  294 -------
>  source4/auth/ntlm/auth_unix.c                       |  769 -------------------
>  22 files changed, 70 insertions(+), 2354 deletions(-)
>
> What do folks think?
>
> Andrew Bartlett

Obviously, you are far more active in the source code than us mere
mortals. But as an occasional software developer, more than 2000 lines
of deletion in 22 C files, that hasn't been through *any* of the
releases' QA? That's begging for trouble with an unexpected dependency,
and it's not a critical feature. I'd push actual deletion back to
4.12, and be cautious about even inserting a deprecation warning at
this late date.

> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
>
>
>


