[WIP PATCH] allow changing the password on remount in some cases
Steve French
smfrench at gmail.com
Fri Feb 16 17:06:37 UTC 2024
On Fri, Feb 16, 2024 at 8:41 AM Paulo Alcantara <pc at manguebit.com> wrote:
>
> Shyam Prasad N <nspmangalore at gmail.com> writes:
>
> > need_recon would also be true in other cases, for example when the
> > network is temporarily disconnected. This patch will allow changing of
> > password even then.
> > We could set up a special flag when the server returns a
> > STATUS_LOGON_FAILURE for SessionSetup. We can make the check for that
> > flag and then allow password change on remount.
>
> Yes. Allowing password change over remount simply because network is
> disconnected is not a good idea. The user could mistype the password
> when performing a remount and then everything would stop working.
I agree - will change patch to do that.
> Not to mention that this patch is only handling a specific case where a
> mount would have a single SMB session, which isn't true for a DFS mount.
We should do a patch for that too. Agreed.
> > Another option is to extend the multiuser keyring mechanism for single
> > user use case as well, and use that for password update.
> > Ideally, we should be able to set up multiple passwords in that keyring
> > and iterate through them once to see if SessionSetup goes through.
>
> Yes, sounds like the best approach so far. It would allow users to
> update their passwords in keyring and sysadmins could drop existing SMB
> sessions from server side and then the client would reconnect by using
> new password from keyring. This wouldn't even require a remount.
Yes - I was discussing this with David Howells, and having a backup password
in keyring is helpful in long run (and better solution for some) but we also
need remount because that is what users would intuitively try first.
> Besides, marking this for -stable makes no sense.
Problem we have is that it can be (and has sometimes been) a big problem for
user when password keys rotate and no way to fix it other than unmount - so
we will need the "easy and low risk" solution available for distros since
keyring won't work for some use cases (although helpful for others)
--
Thanks,
Steve