[PROPOSAL] Remove password level (or all plaintext passwords?) for 4.1
yaberger at ca.ibm.com
Mon May 27 05:39:51 MDT 2013
Hi Andrew,
Here is a first list of clients that are using our Samba file service.
There will be a few more under "Other network devices" that I'll send in
another email once I have received it.
I should also know which DOS flavor/version is being used in the upcoming
days.
Workstations:
Windows XP SP3 (migrated to Windows 7 by the end of the year)
Windows 7 SP1
RHEL 6 (6.4)
Servers:
Windows 2003 Server
Windows 2008 Server
Windows 2012 Server (soon)
Other network devices:
Windows 2000
Windows XP
Windows 7
Backup/restore process:
LiveCD running BartPE (based on Windows XP).
Floppy running DOS
Best regards,
Yannick Bergeron
450 534-7711
yaberger at ca.ibm.com
Advisory IT Specialist
Never say never, say "it depends" / Ne jamais dire jamais, dites "ça dépend"
From: Andrew Bartlett <abartlet at samba.org>
To: yaberger at ca.ibm.com,
Cc: samba-technical at lists.samba.org
Date: 05/23/2013 06:21 PM
Subject: Re: [PROPOSAL] Remove password level (or all plaintext passwords?) for 4.1
On Thu, 2013-05-23 at 10:09 -0400, yaberger at ca.ibm.com wrote:
> Hi,
>
> We are using Samba 3.6.x on AIX.
> We use Samba mainly for its file-server feature to share DFS, GPFS and
> JFS2 filesystems.
> We need users to authenticate with DCE to be able to access their DFS
> resources.
> To do so, we build Samba 3.x with pam (--with-pam).
> Our /etc/pam.conf has samba entries to use /usr/lib/security/pam_aix.
> Password encryption needs to be disabled on both the Samba server and on
> the clients.
>
> We are currently in a transition from DFS to GPFS and from DCE to a
> LDAP/KRB5 solution using TDS/NAS.
> But until they are completely out of DCE/DFS, we need to keep our Samba
> file-server with "encrypt passwords = no" (maybe even "client lanman auth
> = Yes" and "client plaintext auth = Yes") and our clients set the same
> way.
> We will be looking in the upcoming months/years (before you stop providing
> security fixes for 3.6) to upgrade to Samba 4.x (file-server only) so we
> hope to be able to use it in our current environment if we're not done
> with our DCE/DFS migration.
>
> Conclusion
> My understanding is that your proposal will remove the possibility to use
> non-encrypted passwords and pam (maybe pam has already been removed from
> Samba 4.0.x, I haven't looked yet).
> So the impact will depend on how long Samba 3.6 and/or Samba 4.0 will be
> supported for security fixes.
Thanks for the background. Your site is one of the few that I'm aware
of using plaintext passwords, and it's helpful to know you still need
it. What are your clients in this case, and do you use the password
level parameter, or expect samba to upper or lower case the password for
you?
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
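An added example, not part of this thread or of Samba's own code: a small Python audit that parses the [global] section of an smb.conf and flags the plaintext-authentication parameters discussed above ("encrypt passwords", "client lanman auth", "client plaintext auth", "password level") when they are set to the weak values. The sample configuration is constructed to mirror the set-up described in the quoted message; the hardened values listed are the ones Samba uses when the parameter is left unset.

```python
import re
# Constructed sample smb.conf modelled on the set-up the thread describes
# (plaintext authentication for a PAM/DCE back end); not a real site's file.
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    ; plaintext authentication kept for the DCE/DFS transition
    encrypt passwords = no
    client lanman auth = Yes
    client plaintext auth = Yes
    password level = 4
"""

# Parameters named in the thread, their hardened value and the exposure each
# weak value creates ('password level' > 0 makes smbd try case permutations).
WEAK_SETTINGS = {
    "encrypt passwords": ("yes", "plaintext passwords cross the wire"),
    "client lanman auth": ("no", "LANMAN responses are trivially cracked"),
    "client plaintext auth": ("no", "client sends the password in the clear"),
    "password level": ("0", "server accepts case permutations of the password"),
}

def parse_global(conf_text):
    """Return [global] parameters as a dict. Keys are case-insensitive and
    may contain spaces, so they are lower-cased with single spaces."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":   # blank line or comment
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params

def normalise(value):
    """Fold smb.conf boolean spellings to 'yes'/'no'; other values unchanged."""
    v = value.strip().lower()
    return "yes" if v in ("yes", "true", "1") else "no" if v in ("no", "false", "0") else v

def audit_plaintext_auth(conf_text):
    """Return (parameter, current, recommended, reason) for each weak setting."""
    params = parse_global(conf_text)
    return [(k, params[k], safe, why) for k, (safe, why) in WEAK_SETTINGS.items()
            if k in params and normalise(params[k]) != normalise(safe)]
```

Running `audit_plaintext_auth(SAMPLE_SMB_CONF)` reports all four parameters; a config that omits them or sets the hardened values yields an empty list.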