On Sun, May 05, 2002 at 10:06:53AM -0400, Nathan Lutchansky wrote:
> On Sun, May 05, 2002 at 02:50:13AM -0700, [EMAIL PROTECTED] wrote:
> > On Sat, May 04, 2002 at 11:22:41PM -0400, Nathan Lutchansky wrote:
> > >
> > > 1) Can we assume that Microsoft will never include SSL functionality in
> > > their Windows clients? Does MS have some other method of providing
> > > transport security instead? If the answers are "yes" and "yes", then
> > > I'd say it is safe to remove. Otherwise it might feel silly to add SSL
> > > back when some XP service pack adds SSL functionality later on.
> >
> > yes on both counts. Message authentication and encryption are available in the
> > CIFS protocol, and are detailed in the SNIA Technical Reference (not to
> > be confused with the MS Technical Reference)
>
> Oh. Well, that sounds like the way to go in the future. I hope it is not
> as ugly to implement as SSL.
>
> > > 2) I'd started a project to authenticate users' SMB clients based on client
> > > SSL certificates. If --with-ssl is removed, SSL authentication can
> > > still be done with wrappers and LIBSMB_PROG, but the server wrapper
> > > would somehow need to pass authentication information to Samba. The
> > > easiest way is to setreuid to the target user before execing smbd, but
> > > can smbd handle this? What happens if smbd is started (without -D) as
> > > some user other than root? -Nathan
> >
> > Samba expects this, and allows become_user() calls to 'fail' but still
> > requires passwords as before. You could write a new authentication module
> > that implements your requirements quite trivially. (And use environment
> > variables or the like to pass the state info along).
>
> OK, I'll look into this when I have time to get back to that project.
> Thanks for the hint.
While Samba will 'cope' with non-root setups, this really only works in testing environments, where that same user owns the critical files. As such I would suggest you make your SSL wrapper leave smbd as root, and make a custom authentication module figure it out from there.

See Samba's rhosts support module for a trivial example of what you want to do. (It only still exists because it's a good example, not because anybody should use it...)

Andrew Bartlett