Deprecate SMBv1 options and NT4-like domains for Samba 4.13?
abartlet at samba.org
Sat Aug 8 20:09:23 UTC 2020
On Sat, 2020-08-08 at 15:57 +0300, Alexander Bokovoy wrote:
> On Wed, 01 Jul 2020, Andrew Bartlett via samba-technical wrote:
> > Samba 4.13 freezes soon, so I wanted to again propose adding things to
> > the deprecated list.
> > Yes, we add things to this list far faster than we remove the options,
> > but the job for anyone wishing to remove features starts with this
> > point, marking and announcing to our users that we are not going to
> > keep every Samba option and feature forever.
> > So I present to you this MR:
> > https://gitlab.com/samba-team/samba/-/merge_requests/1398
> > No code is removed of course, and of course we are not going to remove
> > code that FreeIPA needs, but even in between all that I think this is
> > worth doing.
> > (pdb_ldap is not impacted, I've dropped those references compared to my
> > earlier MR)
> > Parameter Name      Description     Default
> > --------------      -----------     -------
> > domain logons       Deprecated      no
> Removing this setting affects FreeIPA. The logic for 'security = <user|auto>'
> triggers PDC definition only in case 'domain logons = yes'. FreeIPA
> depends on NT4 domains mode functionality to provide its hybrid AD
> forest setup.
> I guess, looking at lp_find_server_role() and
> lp_is_security_and_server_role_valid(), I'd need to define
>     server role = CLASSIC PRIMARY DOMAIN CONTROLLER
>     security = user
> explicitly. Right now we have
>     security = user
>     domain master = yes
>     domain logons = yes
> and no 'server role', so it defaults to AUTO and will require an update
> of the configuration to set server role explicitly.
Thanks for mentioning how your use case works. That workaround sounds
fine for now. Perhaps we should split out your use case into a
distinct 'server role = freeipa' eventually.
To be consistent 'server role = classic primary domain controller'
should also be deprecated, but our tooling doesn't allow specific enum
values to be deprecated trivially, so I'll just add a documentation
note explaining that this is deprecated except where used by FreeIPA.
> Given we are deprecating not removing it altogether, it is more of a
> task to me rather than a blocker. I filed
> https://pagure.io/freeipa/issue/8452 to update FreeIPA configuration.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
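
The configuration change discussed in this thread can be checked for mechanically. The following is an added example, not part of the original message or of Samba or FreeIPA: a small audit that flags an smb.conf relying on 'domain logons = yes' with no explicit 'server role'. The parser is a simplification (no 'include', no line continuations), the function names are hypothetical, and treating an unset 'security' as 'auto' is an assumption.

```python
# Added example: audit smb.conf text for the implicit NT4-style DC setup
# discussed in this thread. Simplified parser, not Samba's own loadparm code.
TRUE_VALUES = {"yes", "true", "1", "on"}

def global_params(conf_text):
    """Return [global] parameters, keys lowercased with whitespace removed."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            key, value = line.split("=", 1)
            params["".join(key.split()).lower()] = value.strip()
    return params

def audit(conf_text):
    """Return findings for the deprecated 'domain logons' path."""
    p = global_params(conf_text)
    role = p.get("serverrole", "auto").lower()      # thread: unset means AUTO
    security = p.get("security", "auto").lower()    # assumption: unset means auto
    logons = p.get("domainlogons", "no").lower() in TRUE_VALUES
    findings = []
    if logons:
        findings.append("'domain logons' is set: proposed as deprecated for 4.13")
    if logons and role == "auto" and security in ("user", "auto"):
        findings.append("server role is implicit (auto): set 'server role' explicitly")
    return findings

# Constructed samples mirroring the two configurations quoted in the thread.
CURRENT = """[global]
security = user
domain master = yes
domain logons = yes
"""
EXPLICIT = """[global]
server role = CLASSIC PRIMARY DOMAIN CONTROLLER
security = user
"""

if __name__ == "__main__":
    for name, text in (("current", CURRENT), ("explicit", EXPLICIT)):
        print(name, audit(text) or "no findings")
```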