"auto" for Kerberos, a history

Stefan Metzmacher metze at samba.org
Thu Aug 20 09:19:32 UTC 2020


On 20.08.20 at 10:31, Andrew Bartlett via samba-technical wrote:
> On Thu, 2020-08-20 at 20:19 +1200, Andrew Bartlett via samba-technical
> wrote:
>> On Thu, 2020-08-20 at 08:53 +0200, Stefan Metzmacher wrote:
>>>
>>> yes means no fallback to NTLM,
>>>
>>> Should we use "disabled", "if_available", "required"
>>> instead of "no", "auto", "yes"?
>>
>> I think this is a good idea, and consistent (shock!) with the
>> smb.conf options.  As you know we already have the following
>> synonym table, which covers the required backwards compatibility:
>>
>> /* SMB signing types. */
>> static const struct enum_list enum_smb_signing_vals[] = {
>>         {SMB_SIGNING_DEFAULT, "default"},
>>         {SMB_SIGNING_OFF, "No"},
>>         {SMB_SIGNING_OFF, "False"},
>>         {SMB_SIGNING_OFF, "0"},
>>         {SMB_SIGNING_OFF, "Off"},
>>         {SMB_SIGNING_OFF, "disabled"},
>>         {SMB_SIGNING_IF_REQUIRED, "if_required"},
>>         {SMB_SIGNING_IF_REQUIRED, "Yes"},
>>         {SMB_SIGNING_IF_REQUIRED, "True"},
>>         {SMB_SIGNING_IF_REQUIRED, "1"},
>>         {SMB_SIGNING_IF_REQUIRED, "On"},
>>         {SMB_SIGNING_IF_REQUIRED, "enabled"},
>>         {SMB_SIGNING_IF_REQUIRED, "auto"},
>>         {SMB_SIGNING_DESIRED, "desired"},
>>         {SMB_SIGNING_REQUIRED, "required"},
>>         {SMB_SIGNING_REQUIRED, "mandatory"},
>>         {SMB_SIGNING_REQUIRED, "force"},
>>         {SMB_SIGNING_REQUIRED, "forced"},
>>         {SMB_SIGNING_REQUIRED, "enforced"},
>>         {-1, NULL}
>> };
> 
> Drat.  Yes means different things between this table and what we have
> meant for Kerberos. :-(

We have a similar table for encryption now and some of the mappings
are really strange and only justified as most people want performance
instead of protection.

I don't think we need 100% compat here.

But we could use "disabled", "desired", "required" for Kerberos
as the main values.

metze
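
Added example (not Samba code and not part of the thread): a C check that finds keywords accepted by both the quoted signing table and a Kerberos table, yet resolving to different strictness levels. The `krb_kw` table, the three common ranks and the case-insensitive matching are assumptions of this example; the legacy Kerberos mappings follow the "no"/"auto"/"yes" to "disabled"/"if_available"/"required" proposal quoted above.

```c
#include <stdio.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Common strictness ranks: an assumption of this example, not Samba's enums. */
enum { UNKNOWN = -1, OFF = 0, OPP = 1 /* opportunistic */, ENF = 2 /* enforced */ };
struct kw { int rank; const char *name; };

/* Signing synonyms quoted in the thread ("default" omitted). IF_REQUIRED and
 * DESIRED are both ranked OPP here because neither value refuses an
 * unsigned peer. */
static const struct kw signing_kw[] = {
    {OFF, "No"}, {OFF, "False"}, {OFF, "0"}, {OFF, "Off"}, {OFF, "disabled"},
    {OPP, "if_required"}, {OPP, "Yes"}, {OPP, "True"}, {OPP, "1"}, {OPP, "On"},
    {OPP, "enabled"}, {OPP, "auto"}, {OPP, "desired"},
    {ENF, "required"}, {ENF, "mandatory"}, {ENF, "force"}, {ENF, "forced"},
    {ENF, "enforced"}, {UNKNOWN, NULL}
};

/* Hypothetical Kerberos table: legacy "no"/"auto"/"yes" kept as synonyms of
 * the proposed names; "yes" is ENF because it means no fallback to NTLM. */
static const struct kw krb_kw[] = {
    {OFF, "no"}, {OFF, "disabled"}, {OPP, "auto"}, {OPP, "if_available"},
    {OPP, "desired"}, {ENF, "yes"}, {ENF, "required"}, {UNKNOWN, NULL}
};

/* Case-insensitive keyword lookup; returns UNKNOWN if the table lacks it. */
int lookup(const struct kw *tab, const char *s)
{
    for (; tab->name != NULL; tab++)
        if (strcasecmp(tab->name, s) == 0)
            return tab->rank;
    return UNKNOWN;
}

/* Count keywords valid in both tables that map to different ranks. */
int count_conflicts(void)
{
    int n = 0;
    for (const struct kw *k = krb_kw; k->name != NULL; k++) {
        int s = lookup(signing_kw, k->name);
        if (s == UNKNOWN || s == k->rank)
            continue;
        printf("conflict: \"%s\" signing=%d kerberos=%d\n", k->name, s, k->rank);
        n++;
    }
    return n;
}

int main(void) { return count_conflicts() == 1 ? 0 : 1; }
```

Under these assumptions the only keyword reported is "yes": opportunistic for signing, enforced for Kerberos.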
