[cifs-discuss] Solaris CIFS equivalent to SAMBA guest ok = yes

Gordon Ross Gordon.Ross at Sun.COM
Fri Apr 18 09:54:54 PDT 2008


The client has a "knob" to let a user choose the minimum strength
of authentication method it will use, with an administrator-controlled
limit on the "weakest" setting anyone is allowed to use.

This received extensive discussion during our PSARC review
because, when the configuration allows, the CIFS client MAY
send a cleartext password.  The design passed with clarification
that the default settings for both the user preference and the
administrative limit would disallow fallback to "cleartext".
It IS, however, possible to change the configuration, with
the expected warnings in documentation about why that's
usually a bad idea.

This was a good decision, because it's:
1: "Secure by Default" (one of our "big rules")
2: Provides mechanism without forcing policy.

I'd suggest a similar "knob" for the server side policy
about "authentication required", with (of course) the
default set to "you must use real authentication".

Gordon

On Fri, 2008-04-18 at 09:35 -0700, Afshin Salek wrote:

> > 
> > It would be nice to give users the choice of unauthenticated access.
> > 
> 
> I guess this is something that we need to get PSARC agreement for
> and my experience tells me that there will be really strong objections.
> 
> Afshin
> 
> > Afshin Salek said the following :
> >> In the old share-mode, users could see the list of shares
> >> on a server and each share could have an optional read-write
> >> or read-only password. In user-mode, users have to be
> >> authenticated before they can see the list of shares.
> >>
> >> Solaris CIFS intentionally does not provide the old share-mode
> >> because of its inherent weak security. It only provides the
> >> user-mode which means everyone should be authenticated before
> >> they can see the shares exported by the server.
> >>
> >> Afshin
> >>
> >> David Collier-Brown wrote:
> >>   
> >>> cifs-discuss-request at opensolaris.org wrote:
> >>>     
> >>>> From: Tim Thomas <Tim.Thomas at Sun.COM>
> >>>> Thanks Jeff
> >>>>
> >>>> I have been told that we do not support access to shares by 
> >>>> unauthenticated users.
> >>>>
> >>>> Rgds
> >>>>
> >>>> Tim
> >>>>       
> >>>   Guest OK in Samba conveniently reproduces the very old 
> >>> "public share" behavior of SMB 0.1 on a token-ring (;-))
> >>>
> >>>   Perhaps a better question is how do we create a share
> >>> in CIFS which is easily found by everyone and has rwx +t
> >>> permissions for them?
> >>>
> >>>
> >>> --dave
> >>>     
> >> _______________________________________________
> >> cifs-discuss mailing list
> >> cifs-discuss at opensolaris.org
> >> http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
> >>   
> > 
> 
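
The two-level "knob" described at the top of this message (a user-chosen minimum authentication strength, bounded by an administrator-controlled floor, with cleartext refused by default) can be modelled as below. This is an added example, not part of the original thread and not Solaris code; the method list, the default values and all function names are assumptions chosen for illustration.

```python
from enum import IntEnum


class Auth(IntEnum):
    """Authentication methods, ordered weakest to strongest (illustrative set)."""
    CLEARTEXT = 0
    LM = 1
    NTLM = 2
    NTLMV2 = 3
    KERBEROS = 4


class AuthPolicyError(Exception):
    """Raised instead of falling back to a method below the effective minimum."""


# Assumed defaults for this sketch: both knobs sit above CLEARTEXT.
DEFAULT_ADMIN_FLOOR = Auth.NTLM
DEFAULT_USER_MINIMUM = Auth.NTLM


def effective_minimum(user_minimum=DEFAULT_USER_MINIMUM,
                      admin_floor=DEFAULT_ADMIN_FLOOR):
    """A user may raise the minimum, but never lower it below the admin floor."""
    return max(user_minimum, admin_floor)


def choose_method(server_offers, user_minimum=DEFAULT_USER_MINIMUM,
                  admin_floor=DEFAULT_ADMIN_FLOOR):
    """Pick the strongest offered method that meets the effective minimum."""
    minimum = effective_minimum(user_minimum, admin_floor)
    acceptable = [m for m in server_offers if m >= minimum]
    if not acceptable:
        # Fail closed: refusing to connect is the safe outcome.
        raise AuthPolicyError(
            f"server offers nothing at or above {minimum.name}")
    return max(acceptable)


if __name__ == "__main__":
    # Constructed scenarios, not captured from a real server.
    print(choose_method({Auth.NTLM, Auth.NTLMV2}).name)
    try:
        choose_method({Auth.CLEARTEXT})
    except AuthPolicyError as exc:
        print("refused:", exc)
    # Cleartext is used only when BOTH knobs have been lowered.
    print(choose_method({Auth.CLEARTEXT}, Auth.CLEARTEXT, Auth.CLEARTEXT).name)
```

Lowering only the user preference has no effect while the administrative floor stays above cleartext, which is the "mechanism without forcing policy" split the message describes.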