"auto" for Kerberos, a history

Andrew Bartlett abartlet at samba.org
Thu Aug 20 08:19:50 UTC 2020


On Thu, 2020-08-20 at 08:53 +0200, Stefan Metzmacher wrote:
> On 20.08.20 at 08:30, Rowland penny via samba-technical wrote:
> > On 19/08/2020 23:10, Andrew Bartlett wrote:
> > > On Wed, 2020-08-19 at 22:13 +0100, Rowland penny via samba-technical
> > > wrote:
> > > >       -k KERBEROS, --kerberos=KERBEROS
> > > >                           Use Kerberos
> > > > 
> > > > If you check the code, 'KERBEROS' is actually 'yes', 'auto' or 'no'.
> > > > 
> > > > What is 'auto' in this context? Surely using Kerberos is binary:
> > > > you either want to use it or you don't, 'yes' or 'no', so what does
> > > > 'auto' actually mean and do?
> > > > 
> > > > Do we really need 'auto'? Can we not decide what the parameter
> > > > defaults (for instance) should be and remove 'auto'?
> > > 
> > > In this context, the current code behaviour is to try and obtain a
> > > Kerberos ticket, but to fall back to NTLM as 'good enough protection'
> > > if this fails, for example if no KDC can be reached, or this is an IP
> > > address, or if the server does not offer Kerberos as an
> > > authentication type.
> > > 
> > > The idea (when this was written) was to at least try Kerberos, rather
> > > than continuing to default to NTLM only.  (And on the flip side, to
> > > continue to work in the many - at the time - networks where AD was
> > > functioning only with NTLM.)
> > > 
> > > Andrew Bartlett
> > > 
> > 
> > Why not just set the default to 'yes' and, if this fails, fall back to
> > NTLM? This is what 'auto' seems to mean. To me, 'auto' is confusing
> > and, to top it off, it doesn't seem to be documented anywhere.
> 
> 'yes' means no fallback to NTLM.
> 
> Should we use "disabled", "if_available", "required"
> instead of "no", "auto", "yes"?

I think this is a good idea, and consistent (shock!) with the smb.conf
options.  As you know, we already have the following synonym table,
which covers the required backwards compatibility:

/* SMB signing types. */
static const struct enum_list enum_smb_signing_vals[] = {
        {SMB_SIGNING_DEFAULT, "default"},
        {SMB_SIGNING_OFF, "No"},
        {SMB_SIGNING_OFF, "False"},
        {SMB_SIGNING_OFF, "0"},
        {SMB_SIGNING_OFF, "Off"},
        {SMB_SIGNING_OFF, "disabled"},
        {SMB_SIGNING_IF_REQUIRED, "if_required"},
        {SMB_SIGNING_IF_REQUIRED, "Yes"},
        {SMB_SIGNING_IF_REQUIRED, "True"},
        {SMB_SIGNING_IF_REQUIRED, "1"},
        {SMB_SIGNING_IF_REQUIRED, "On"},
        {SMB_SIGNING_IF_REQUIRED, "enabled"},
        {SMB_SIGNING_IF_REQUIRED, "auto"},
        {SMB_SIGNING_DESIRED, "desired"},
        {SMB_SIGNING_REQUIRED, "required"},
        {SMB_SIGNING_REQUIRED, "mandatory"},
        {SMB_SIGNING_REQUIRED, "force"},
        {SMB_SIGNING_REQUIRED, "forced"},
        {SMB_SIGNING_REQUIRED, "enforced"},
        {-1, NULL}
};


-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
https://catalyst.net.nz/services/samba
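As an added illustration (not Samba code, and not part of the original thread), the following Python models the three-way setting the thread arrives at: a synonym table in the style of enum_smb_signing_vals that keeps the legacy spellings 'no'/'auto'/'yes' working alongside 'disabled'/'if_available'/'required', and the mechanism-selection step that decides between Kerberos, NTLM fallback and failing closed. The three Kerberos failure cases are the ones Andrew lists (target given as an IP address, no KDC reachable, server does not offer Kerberos). All names here (KerberosUse, parse_kerberos_setting, kerberos_possible, choose_mechanism, AuthenticationFailed) are invented for the example, the boolean spellings true/false/1/0/on/off are an assumption added for illustration, and the KDC and server probes are replaced by boolean parameters.

```python
"""Illustrative model of a three-way Kerberos setting with NTLM fallback.

Not Samba's code: the names, the extra boolean synonyms and the probe
parameters are assumptions made for this example.
"""
import ipaddress
from enum import Enum


class KerberosUse(Enum):
    DISABLED = "disabled"          # never try Kerberos; NTLM only
    IF_AVAILABLE = "if_available"  # try Kerberos, fall back to NTLM on failure
    REQUIRED = "required"          # Kerberos only; fail rather than downgrade


# Synonym table in the style of enum_smb_signing_vals.  The legacy CLI values
# "no"/"auto"/"yes" map onto the proposed names so old scripts keep working.
# true/false/1/0/on/off are an assumption added here, not from the thread.
_SYNONYMS = {
    "no": KerberosUse.DISABLED, "false": KerberosUse.DISABLED,
    "0": KerberosUse.DISABLED, "off": KerberosUse.DISABLED,
    "disabled": KerberosUse.DISABLED,
    "auto": KerberosUse.IF_AVAILABLE, "if_available": KerberosUse.IF_AVAILABLE,
    "yes": KerberosUse.REQUIRED, "true": KerberosUse.REQUIRED,
    "1": KerberosUse.REQUIRED, "on": KerberosUse.REQUIRED,
    "required": KerberosUse.REQUIRED,
}


def parse_kerberos_setting(value):
    """Map a -k/--kerberos argument (case-insensitive) to KerberosUse."""
    try:
        return _SYNONYMS[value.strip().lower()]
    except KeyError:
        raise ValueError("unknown kerberos setting %r; expected one of %s"
                         % (value, sorted(set(_SYNONYMS)))) from None


def kerberos_possible(target, kdc_reachable, server_offers_kerberos):
    """Return (ok, reason) for the failure cases named in the thread.

    kdc_reachable and server_offers_kerberos are booleans standing in for
    the real network probes.
    """
    try:
        ipaddress.ip_address(target)   # bare IP: no hostname to build an SPN
        return False, "target is an IP address, no SPN to request a ticket for"
    except ValueError:
        pass
    if not kdc_reachable:
        return False, "no KDC reachable"
    if not server_offers_kerberos:
        return False, "server does not offer Kerberos"
    return True, "ok"


class AuthenticationFailed(Exception):
    """Raised when 'required' is set but Kerberos cannot be used."""


def choose_mechanism(setting, target, kdc_reachable=True,
                     server_offers_kerberos=True):
    """Return 'kerberos' or 'ntlm'; raise when REQUIRED cannot be honoured."""
    use = parse_kerberos_setting(setting)
    if use is KerberosUse.DISABLED:
        return "ntlm"
    ok, reason = kerberos_possible(target, kdc_reachable, server_offers_kerberos)
    if ok:
        return "kerberos"
    if use is KerberosUse.REQUIRED:
        raise AuthenticationFailed("Kerberos required but unavailable: " + reason)
    # IF_AVAILABLE ("auto"): this is the silent downgrade the thread discusses.
    return "ntlm"


if __name__ == "__main__":
    # Constructed sample inputs; dc1.example.com and 192.0.2.10 are placeholders.
    for setting in ("no", "auto", "yes"):
        for target, kdc in (("dc1.example.com", True),
                            ("dc1.example.com", False),
                            ("192.0.2.10", True)):
            try:
                result = choose_mechanism(setting, target, kdc_reachable=kdc)
            except AuthenticationFailed as e:
                result = "FAIL (%s)" % e
            print("%-4s %-16s kdc=%-5s -> %s" % (setting, target, kdc, result))
```

The table printed by the script makes the distinction Metzmacher draws visible: with 'auto' an unreachable KDC or an IP-address target quietly yields an NTLM session, while 'yes'/'required' refuses to authenticate at all, so a downgrade attack that blocks the KDC cannot force the client onto NTLM.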