[Samba] Proposal to change security=share in Samba 4.0

Stefan (metze) Metzmacher metze at samba.org
Mon Feb 27 15:11:21 MST 2012


On 27.02.2012 13:39, John H Terpstra wrote:
> On 02/27/2012 04:58 AM, Andrew Bartlett wrote:
>> I recently proposed on samba-technical that, for Samba 4.0, we
>> change security=share to have the following semantics:
>>
>>  - All connections are made as the guest user
>>  - No passwords are required, and no other accounts are available.
>>
>> Naturally, full user-name/password authentication remains available in
>> security=user and above.
>>
>> The rationale is that we need a very simple way to run a 'trust the
>> network' Samba server, where users mark shares as guest ok.  I want to
>> keep these simple configurations working.
>>
>> At the same time, I want to close the door on one of the most arcane
>> areas of Samba authentication.  The problem comes from the fact that
>> Samba never implemented security=share properly:  instead of having one
>> password per share, we tried to guess the username, and match that to a
>> username/password pair. 
>>
>> Not only is this code complex, it begins to fail with modern clients and
>> modern security settings.  For example, NTLMv2 relies on the username
>> and workgroup, but clients which send NTLMv2 do not send these in the
>> 'tree connect' request that contains the password.  Instead, we must
>> remember the previous unchecked 'session setup', and apply the password
>> from there.  If we instead guess the username, then NTLMv2 will not
>> work.
>>
>> Finally, Samba clients only send LM passwords to security=share servers.
>> LM passwords are very insecure, and are now off by default.  As such,
>> Samba clients will not connect to any server running security=share by
>> default.
>>
>> If you use security=share, and feel that your particular configuration
>> cannot be handled any other way, please let me know, so we can find the
>> best way to handle your particular requirements.
>>
>> Thanks, 
>>
>> Andrew Bartlett
> 
> Is there any reason we can not do away with "security = share" and get
> rid of this altogether?  Was there not a prior proposal to deprecate
> this back in the early days of 3.0.x?

I only remember a discussion at the 3.6.0preX time.

I'd love to remove "security=share" completely, but I'm also ok
with keeping it for anonymous access only.

metze
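
An smb.conf audit for the change discussed in this thread, added here as an example; it is not code from the thread or from the Samba project. It reports whether a configuration still sets security=share and which shares are marked guest ok. The function names, the sample configuration, and the reading that shares not marked guest ok are the ones to review are assumptions of this example.

```python
import re

# Constructed sample smb.conf, not taken from the thread.
SAMPLE_CONF = """\
[global]
    Security = SHARE
[scans]
    guest ok = yes
[media]
    public = True
[finance]
    valid users = alice
"""
TRUE_VALUES = {"yes", "true", "on", "1"}

def _key(name):
    # smb.conf parameter names ignore case and embedded whitespace.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {normalised_param: value}} for an smb.conf string."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current[_key(name)] = value.strip()
    return sections

def audit(text):
    """Report whether security=share is set and which shares are guest ok."""
    conf = parse_smb_conf(text)
    mode = conf.get("global", {}).get("security", "").lower()
    guest, other = [], []
    for name, params in conf.items():
        if name == "global":
            continue
        # "public" is a synonym for "guest ok" in smb.conf.
        flag = params.get("guestok", params.get("public", "no")).lower()
        (guest if flag in TRUE_VALUES else other).append(name)
    return {"uses_share_mode": mode == "share",
            "guest_ok": guest, "needs_review": other}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```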
