Samba Feature Usage: Does anybody use these options? Can we kill them?

Andrew Bartlett abartlet at pcug.org.au
Mon Nov 12 00:23:27 GMT 2001


As part of the effort towards Samba 3.0, a number of features have
disappeared.  This message is intended to gauge the reaction that would
occur if Samba 3.0 was released with these features still absent.

Users who need these features should indicate exactly how vital they
feel they are, and (if possible) the effort they would be able to put
into reimplementing/supporting/testing it if it was reintroduced.

--with-krb4

This option has been dropped.  It is unknown if this is being used, and
its testing status is unknown.  It has been dropped to reduce confusion,
but can be restored with relative ease.

--with-krb5

The old-style krb5 plain text password support has been dropped to make
way for our new *real* Kerberos support, particularly as used by Active
Directory.

The best way to use plain text passwords and Kerberos is the pam_krb5
module.  Samba supports this via the --with-pam option.  This is a much
more secure (service ticket verification prevents kdc spoofing) and much
better debugged solution to the problem space.

Again, this can be restored with relative ease, but I don't want users
to think they need this for the new Active Directory support.  It also
conflicts with --with-pam.  If reimplemented, it would need to be as a
authentication module, not as a pass_check.c function.

status = no

This parameter doesn't do anything useful, as far as I can tell, but
probably breaks things.  It has been removed, status always = yes.

guest account as a share level parameter.

In an attempt to reduce code paths and simplify code, this parameter has
become a global.  As far as I can tell, it only ever worked as a per
service parameter when security=share, and most of these cases can be
sorted with appropriate application of 'force user = '.

nt smb support

This parameter is forced = yes, there is no (known) reason to disable
this functionality

restrict anonymous

This code doesn't do what its name suggests.  It provides some *very
weird* hack whereby attempts at an anonymous session setup *after* an
authenticated login are denied.  It is apparently to provide consistent
%U and %G expansion.  This gets in the way of the new authentication
code, and has been removed.  A real restriction on anonymous users
gaining access to user & group information will be added in its place
(possibly under a new name).

\\server\share%user hack

This method for specifying the user name has disappeared.  Only valid in
share level security, this has been removed as a code-simplificaion
exercise.  Careful reintroduction is possible, but only if it is
*really* needed.

Thank you for reading this, and I look forward to your feedback,

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net




More information about the samba mailing list