Deprecate net -k?

Andreas Schneider asn at samba.org
Tue Jul 7 15:55:26 UTC 2020


On Tuesday, 7 July 2020 13:08:26 CEST Stefan Metzmacher via samba-technical 
wrote:
> Hi Issac,

Hi Isaac :-)

> Andreas and I were working on a plan to unify the cmdline arguments
> for client authentication across all our commands (including python
> scripts). We should always get a cli_credentials structure out of
> the cmdline parsing and base all other code just on that.
> 
> Andreas, can you post our current plan?

Below is my current TODO list, it is a bit cryptic but should work for now.


WIP branch:
https://gitlab.com/samba-team/devel/samba/-/commits/asn/master-cli-creds


TODO
====

TEST:
-----

Add
echo locDCpass1 | bin/rpcclient ncacn_np:$SERVER -UAdministrator -c getusername

echo locDCpass1 | USER=administrator bin/rpcclient ncacn_np:$SERVER -c getusername
-> DONE https://gitlab.com/samba-team/samba/-/merge_requests/1271

Migrate s3 client code to cli_credentials
-> DONE https://gitlab.com/samba-team/samba/-/merge_requests/1362


SMB.CONF:
---------

SMB_SIGNING_VALS="default|off|if_required|desired|required"
Create one function translating signing state string to enum
see set_cmdline_auth_info_signing_state and enum_smb_signing_vals

Add 'server smb encrypt' (done)
  -> smb encrypt as alias
Add 'client smb encrypt' (done)

Add cli_credentials_set_smb_signing(),
cli_credentials_set_smb_ipc_signing(),
cli_credentials_set_smb_encryption(). - DONE

Use cli_creds smb encryption:
tig -7 b06e7ea5cbc0e46c0c42d6cdeb3a14f3cf21f1c6 - DONE

Add smb encryption for source4/libcli - WIP


Check do_connect() in client.c


CMDLINE CLI:
------------

-> parse popts

-> set password callback, if not --use-krb5-ccache and not
   --use-ccache and not --no-pass and not auth-file

--use-kerberos=yes|auto|no|default
   default only if we add 'client use kerberos' as smb.conf option

--use-krb5-ccache
  imply --use-kerberos=yes
--krb5-cache=$PATH

'-U... -k' =>
   --use-kerberos=yes
'-k' without -U =>
   --use-krb5-cache

--use-krb5-ccache and --use-ccache
=> not supported,
   TODO: --use-winbind-ccache that provides
         generic support for krb5 and ntlm
Rename --use-ccache to --use-winbind-ccache (removes --use-ccache?)

Add --smb-signing=$SMB_SIGNING_VALS
 also set GENSEC_FEATURE_SIGN for desired/required
 --signing=$SMB_SIGNING_VALS (as legacy)
 '-S $SMB_SIGNING_VALS' ??? (only smbclient?)
 '-S' check what smbtorture is actually using
Remove -S for signing and use only long option

Add --smb-encryption=$SMB_SIGNING_VALS
-e => --smb-encryption=required
      also set GENSEC_FEATURE_SEAL??? => defer to --gensec-protection
Remove -e and use only long option

TODO: what about 'net'...
break it and use options as above?


Add the following???
--gensec-client-protection=[default,seal,sign,plain]
=> see also "ldap client sasl wrapping"
=> default from "gensec client protection"





-- 
Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
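
Added example, not part of the original message and not Samba's code: a sketch of the "one function translating signing state string to enum" item together with the legacy -k/-e mappings from the CMDLINE CLI list. All `ex_` names are hypothetical, and exact-match string comparison is an assumption; an unknown value is rejected rather than mapped to a weaker level.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* All names are hypothetical; this is not Samba's enum or API. */
enum ex_smb_level {
	EX_SMB_INVALID = -1,	/* unknown string: caller must reject it */
	EX_SMB_DEFAULT,
	EX_SMB_OFF,
	EX_SMB_IF_REQUIRED,
	EX_SMB_DESIRED,
	EX_SMB_REQUIRED
};

/* SMB_SIGNING_VALS as one table for --smb-signing and --smb-encryption. */
static const struct { const char *name; enum ex_smb_level level; } ex_levels[] = {
	{ "default", EX_SMB_DEFAULT }, { "off", EX_SMB_OFF },
	{ "if_required", EX_SMB_IF_REQUIRED }, { "desired", EX_SMB_DESIRED },
	{ "required", EX_SMB_REQUIRED },
};

/* Exact match is an assumption; anything else fails closed as INVALID. */
enum ex_smb_level ex_parse_smb_level(const char *s)
{
	size_t i;
	if (s == NULL) return EX_SMB_INVALID;
	for (i = 0; i < sizeof(ex_levels) / sizeof(ex_levels[0]); i++)
		if (strcmp(s, ex_levels[i].name) == 0) return ex_levels[i].level;
	return EX_SMB_INVALID;
}

/* "also set GENSEC_FEATURE_SIGN for desired/required" */
bool ex_wants_gensec_sign(enum ex_smb_level l)
{
	return l == EX_SMB_DESIRED || l == EX_SMB_REQUIRED;
}

struct ex_legacy { bool use_kerberos_yes, use_krb5_ccache; enum ex_smb_level encryption; };

/* -k with -U => --use-kerberos=yes; -k alone => --use-krb5-ccache (which
 * implies --use-kerberos=yes); -e => --smb-encryption=required. */
struct ex_legacy ex_map_legacy(bool opt_k, bool opt_U, bool opt_e)
{
	struct ex_legacy o = { opt_k, opt_k && !opt_U, EX_SMB_DEFAULT };
	if (opt_e) o.encryption = EX_SMB_REQUIRED;
	return o;
}
```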




