Deprecate SMBv1 options and NT4-like domains for Samba 4.13?

Andrew Bartlett abartlet at samba.org
Sat Aug 8 20:09:23 UTC 2020


On Sat, 2020-08-08 at 15:57 +0300, Alexander Bokovoy wrote:
> On Wed, 01 Jul 2020, Andrew Bartlett via samba-technical wrote:
> > Samba 4.13 freezes soon, so I wanted to again propose adding things to
> > the deprecated list.
> > 
> > Yes, we add things to this list far faster than we remove the options,
> > but the job for anyone wishing to remove features starts with this
> > point, marking and announcing to our users that we are not going to
> > keep every Samba option and feature forever.
> > 
> > So I present to you this MR:
> > 
> > https://gitlab.com/samba-team/samba/-/merge_requests/1398
> > 
> > No code is removed of course, and of course we are not going to remove
> > code that FreeIPA needs, but even in between all that I think this is
> > worth doing.
> > 
> > (pdb_ldap is not impacted, I've dropped those references compared to my
> > earlier MR)
> > 
> > Parameter Name                     Description                Default
> > --------------                     -----------                ------
> > domain logons                      Deprecated                 no
> 
> Removing this setting affects FreeIPA. The logic for 'security = <user|auto>'
> triggers PDC definition only in case 'domain logons = yes'. FreeIPA
> depends on NT4 domains mode functionality to provide its hybrid AD
> forest setup.
> 
> I guess, looking at lp_find_server_role() and
> lp_is_security_and_server_role_valid(), I'd need to define 
> 
>  server role = CLASSIC PRIMARY DOMAIN CONTROLLER
>  security = user
> 
> explicitly. Right now we have 
> 
>  security = user
>  domain master = yes
>  domain logons = yes
> 
> and no 'server role', so it defaults to AUTO and will require an update
> of the configuration to set server role explicitly.

Thanks for mentioning how your use case works.  That workaround sounds
fine for now.  Perhaps we should split out your use case into a
distinct 'server role = freeipa' eventually.  

To be consistent 'server role = classic primary domain controller'
should also be deprecated, but our tooling doesn't allow specific enum
values to be deprecated trivially, so I'll just add a documentation
note explaining that this is deprecated except where used by FreeIPA. 

> Given we are deprecating not removing it altogether, it is more of a
> task to me rather than a blocker. I filed
> https://pagure.io/freeipa/issue/8452 to update FreeIPA configuration.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
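
Added example (not part of the original message, and not Samba or FreeIPA code): a small Python check for the situation discussed in the thread, where a configuration with no explicit 'server role' gets its domain controller role from 'domain logons = yes'. The function names and finding texts are assumptions of this example; the two sample configurations are the ones quoted in the thread.

```python
import re

TRUE = {"yes", "true", "1"}  # boolean spellings documented in smb.conf(5)

def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict.

    Names are lower-cased with whitespace removed, because smb.conf treats
    case and whitespace in parameter names as irrelevant.
    """
    params, section = {}, None
    text = re.sub(r"\\\r?\n", "", text)  # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)  # only the first '=' counts
            params["".join(name.split()).lower()] = value.strip()
    return params

def audit(text):
    """List what has to change before 'domain logons' can be dropped."""
    p = parse_global(text)
    role = p.get("serverrole", "auto").lower()
    security = p.get("security", "auto").lower()
    logons = p.get("domainlogons", "no").lower() in TRUE
    findings = []
    if logons:
        findings.append("'domain logons' is on the proposed deprecation list")
    if logons and role == "auto" and security in ("user", "auto"):
        findings.append("DC role is implied by 'domain logons = yes'; "
                        "set 'server role' explicitly")
    return findings

# Constructed samples: the two configurations quoted in the thread.
IMPLICIT = "[global]\n security = user\n domain master = yes\n domain logons = yes\n"
EXPLICIT = ("[global]\n server role = CLASSIC PRIMARY DOMAIN CONTROLLER\n"
            " security = user\n")

if __name__ == "__main__":
    for name, conf in (("implicit", IMPLICIT), ("explicit", EXPLICIT)):
        print(name, audit(conf) or "ok")
```
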




