Deprecate net -k?
Andreas Schneider
asn at samba.org
Tue Jul 7 15:55:26 UTC 2020
On Tuesday, 7 July 2020 13:08:26 CEST Stefan Metzmacher via samba-technical wrote:
> Hi Issac,
Hi Isaac :-)
> Andreas and I were working on a plan to unify the cmdline arguments
> for client authentication across all our commands (including python
> scripts). We should always get a cli_credential structure out of
> the cmdline parsing and base all other code just on that.
>
> Andreas, can you post our current plan?
Below is my current TODO list; it is a bit cryptic but should work for now.
WIP branch:
https://gitlab.com/samba-team/devel/samba/-/commits/asn/master-cli-creds
TODO
====
TEST:
-----
Add
    echo locDCpass1 | bin/rpcclient ncacn_np:$SERVER -UAdministrator -c getusername
    echo locDCpass1 | USER=administrator bin/rpcclient ncacn_np:$SERVER -c getusername
-> DONE https://gitlab.com/samba-team/samba/-/merge_requests/1271
Migrate s3 client code to cli_credentials
-> DONE https://gitlab.com/samba-team/samba/-/merge_requests/1362
SMB.CONF:
---------
SMB_SIGNING_VALS="default|off|if_required|desired|required"
Create one function translating signing state string to enum
see set_cmdline_auth_info_signing_state and enum_smb_signing_vals
Add 'server smb encrypt' (done)
-> smb encrypt as alias
Add 'client smb encrypt' (done)
Add cli_credentials_set_smb_signing(),
cli_credentials_set_smb_ipc_signing(),
cli_credentials_set_smb_encryption(). - DONE
Use cli_creds smb encryption:
tig -7 b06e7ea5cbc0e46c0c42d6cdeb3a14f3cf21f1c6 - DONE
Add smb encryption for source4/libcli - WIP
Check do_connect() in client.c
CMDLINE CLI:
------------
-> parse popts
-> set password callback, if not --use-krb5-ccache and not --use-ccache and not --no-pass and not auth-file
--use-kerberos=yes|auto|no|default
    default only if we add 'client use kerberos' as smb.conf option
--use-krb5-ccache
    imply --use-kerberos=yes
--krb5-cache=$PATH
'-U... -k' => --use-kerberos=yes
'-k' without -U => --use-krb5-cache
--use-krb5-ccache and --use-ccache => not supported,
    TODO: --use-winbind-ccache that provides generic support for krb5 and ntlm
Rename --use-ccache to --use-winbind-ccache (removes --use-ccache?)
Add --smb-signing=$SMB_SIGNING_VALS
also set GENSEC_FEATURE_SIGN for desired/required
--signing=$SMB_SIGNING_VALS (as legacy)
'-S $SMB_SIGNING_VALS' ??? (only smbclient?)
'-S' check what smbtorture is actually using
Remove -S for signing and use only long option
Add --smb-encryption=$SMB_SIGNING_VALS
-e => --smb-encryption=required
also set GENSEC_FEATURE_SEAL??? => defer to --gensec-protection
Remove -e and use only long option
TODO: what about 'net'...
break it and use options as above?
Add the following???
--gensec-client-protection=[default,seal,sign,plain]
=> see also "ldap client sasl wrapping"
=> default from "gensec client protection"
--
Andreas Schneider asn at samba.org
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D