Andrew Bartlett
2001-Nov-12 00:23 UTC
Samba Feature Usage: Does anybody use these options? Can we kill them?
As part of the effort towards Samba 3.0, a number of features have disappeared. This message is intended to gauge the reaction that would occur if Samba 3.0 was released with these features still absent. Users who need these features should indicate exactly how vital they feel they are, and (if possible) the effort they would be able to put into reimplementing/supporting/testing it if it was reintroduced. --with-krb4 This option has been dropped. It is unknown if this is being used, and its testing status is unknown. It has been dropped to reduce confusion, but can be restored with relative ease. --with-krb5 The old-style krb5 plain text password support has been dropped to make way for our new *real* Kerberos support, particularly as used by Active Directory. The best way to use plain text passwords and Kerberos is the pam_krb5 module. Samba supports this via the --with-pam option. This is a much more secure (service ticket verification prevents kdc spoofing) and much better debugged solution to the problem space. Again, this can be restored with relative ease, but I don't want users to think they need this for the new Active Directory support. It also conflicts with --with-pam. If reimplemented, it would need to be as a authentication module, not as a pass_check.c function. status = no This parameter doesn't do anything useful, as far as I can tell, but probably breaks things. It has been removed, status always = yes. guest account as a share level parameter. In an attempt to reduce code paths and simplify code, this parameter has become a global. As far as I can tell, it only ever worked as a per service parameter when security=share, and most of these cases can be sorted with appropriate application of 'force user = '. nt smb support This parameter is forced = yes, there is no (known) reason to disable this functionality restrict anonymous This code doesn't do what its name suggests. It provides some *very weird* hack whereby attempts at an anonymous session setup *after* an authenticated login are denied. It is apparently to provide consistent %U and %G expansion. This gets in the way of the new authentication code, and has been removed. A real restriction on anonymous users gaining access to user & group information will be added in its place (possibly under a new name). \\server\share%user hack This method for specifying the user name has disappeared. Only valid in share level security, this has been removed as a code-simplificaion exercise. Careful reintroduction is possible, but only if it is *really* needed. Thank you for reading this, and I look forward to your feedback, Andrew Bartlett -- Andrew Bartlett abartlet@pcug.org.au Manager, Authentication Subsystems, Samba Team abartlet@samba.org Student Network Administrator, Hawker College abartlet@hawkerc.net http://samba.org http://build.samba.org http://hawkerc.net
David Collier-Brown
2001-Nov-12 06:29 UTC
Samba Feature Usage: Does anybody use these options? Can we kill them?
Andrew Bartlett wrote:> nt smb support > This parameter is forced = yes, there is no (known) reason to disable > this functionalityThis option should default to yes, but be retained for a fixed time after the last report of it being necessary to turn it off. My leaky memory says that was last month... All the rest sound sane: they're arguably bug-fixes! --dave -- David Collier-Brown, | Always do right. This will gratify Americas Customer Engineering, | some people and astonish the rest. SunPS Integration Services. | -- Mark Twain (905) 415-2849 | davecb@canada.sun.com
Eric Wallace
2001-Nov-12 10:13 UTC
Samba Feature Usage: Does anybody use these options? Can we kill them?
Re:> guest account as a share level parameter. > > In an attempt to reduce code paths and simplify code, this parameter has > become a global. As far as I can tell, it only ever worked as a per > service parameter when security=share, and most of these cases can be > sorted with appropriate application of 'force user = '.As this doesn't work with Samba 2.2.2 and "security = user|domain" (only the Global-level "guest account" configuration takes effect), it's definitely a bother to have it as a broken option in the config, so I'd vote to leave it out. However, I would really love it if the feature actually worked as advertised, as I have rather varied but specific permission restrictions on shares running from the same Samba server, one of which should use "guest account" but not "force user". ~eric w. wallace national semiconductor/maine i.s. infrastructure senior system engineer
Maybe Matching Threads
- Can I kill... 'add user script' behaviour in adding users during logon?
- RE: solaris 8/samba3.0alpha15: ld.so.1: ls: fatal: relocation err or: file /lib/nss_winbind.so.1: symbol socket: referenced symbol not fou nd
- Status on fixes for MS04-11/MS04-12/KB828741 issues
- Specifying a fixed uid for RedHat RPM PrivSep user
- Pause in file transfers while printing,