Samba Feature Usage: Does anybody use these options? Can we
kill them?
Rafal Szczesniak
mimir at spin.ict.pwr.wroc.pl
Tue Nov 13 14:50:01 GMT 2001
Do you think I should ask also polish users these questions ? They are
not necessarily subscribed to samba at samba.org ;)
On Mon, 12 Nov 2001, Andrew Bartlett wrote:
> As part of the effort towards Samba 3.0, a number of features have
> disappeared. This message is intended to gauge the reaction that would
> occur if Samba 3.0 was released with these features still absent.
>
> Users who need these features should indicate exactly how vital they
> feel they are, and (if possible) the effort they would be able to put
> into reimplementing/supporting/testing it if it was reintroduced.
>
> --with-krb4
>
> This option has been dropped. It is unknown if this is being used, and
> its testing status is unknown. It has been dropped to reduce confusion,
> but can be restored with relative ease.
>
> --with-krb5
>
> The old-style krb5 plain text password support has been dropped to make
> way for our new *real* Kerberos support, particularly as used by Active
> Directory.
>
> The best way to use plain text passwords and Kerberos is the pam_krb5
> module. Samba supports this via the --with-pam option. This is a much
> more secure (service ticket verification prevents kdc spoofing) and much
> better debugged solution to the problem space.
>
> Again, this can be restored with relative ease, but I don't want users
> to think they need this for the new Active Directory support. It also
> conflicts with --with-pam. If reimplemented, it would need to be as a
> authentication module, not as a pass_check.c function.
>
> status = no
>
> This parameter doesn't do anything useful, as far as I can tell, but
> probably breaks things. It has been removed, status always = yes.
>
> guest account as a share level parameter.
>
> In an attempt to reduce code paths and simplify code, this parameter has
> become a global. As far as I can tell, it only ever worked as a per
> service parameter when security=share, and most of these cases can be
> sorted with appropriate application of 'force user = '.
>
> nt smb support
>
> This parameter is forced = yes, there is no (known) reason to disable
> this functionality
>
> restrict anonymous
>
> This code doesn't do what its name suggests. It provides some *very
> weird* hack whereby attempts at an anonymous session setup *after* an
> authenticated login are denied. It is apparently to provide consistent
> %U and %G expansion. This gets in the way of the new authentication
> code, and has been removed. A real restriction on anonymous users
> gaining access to user & group information will be added in its place
> (possibly under a new name).
>
> \\server\share%user hack
>
> This method for specifying the user name has disappeared. Only valid in
> share level security, this has been removed as a code-simplificaion
> exercise. Careful reintroduction is possible, but only if it is
> *really* needed.
>
> Thank you for reading this, and I look forward to your feedback,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett abartlet at pcug.org.au
> Manager, Authentication Subsystems, Samba Team abartlet at samba.org
> Student Network Administrator, Hawker College abartlet at hawkerc.net
> http://samba.org http://build.samba.org http://hawkerc.net
>
>
cheers,
+--------------------------------------------------------+
|Rafal 'Mimir' Szczesniak <mimir at spin.ict.pwr.wroc.pl> |
|*BSD, Linux and Samba /
|______________________________________________________/
More information about the samba-technical
mailing list