While discussing on IRC with tridge and abartlet some problems with web
authentication using system user credentials, it came out that the
current way is not satisfactory.
Currently we allow root (and any system user in theory) to log in via
SWAT2 so that we can do initial configuration of samba4.
The problem is that we cannot always assume that PAM is available or that
the superuser name is known (allowing any normal unix user does not make
much sense).
The idea is to allow for a "recovery password" to be created so that we
can do initial provisioning and configuration as uid 0, create the
administrative SAM user and then proceed from there on with this user.
So the proposal is to create this recovery mechanism, keeping in mind
that samba may run on embedded systems and that the administrator may
not have access to the underlying file system.
The recovery system may work like this:
1. If samba4 is configured with --recoverypass=**** then on make install it
will install a recoverypass.txt file owned by root, with 600
permissions, in /private.
2. In any case, if a file is found, the password is read from there.
3. If the file does not exist, samba4 will generate a random password at
runtime and place it in the file.
Steps 1/2 allow embedded manufacturers to configure a default recovery
password for their equipment; of course, a mechanism to change the
recovery password at runtime must be provided.
So via SWAT2 there will be 2-3 auth mechanisms available.
- The SAM mechanism will always be available of course.
- If configured with PAM, the System Auth mechanism will also be
available, but only the "root" user will be allowed to log in.
- There will be a recovery password login mechanism as described in this
> 1. If samba4 is configured with --recoverypass=**** then on make install it
> will install a recoverypass.txt file owned by root, with 600
> permissions, in /private.
I would advise against this. Configure options get recorded in a bit too
many places, and given the way users use configure parameters, many users
will enter sensitive passwords to this option, unaware that their entry
will be recorded in plain text all over the build tree and command history.
> 2. In any case if a file is found the password is read from there.
Good. Please also support hashed form.
> 3. If the file does not exist, samba4 will generate a random password at
> runtime and place it in the file.
For security reasons a recovery password should only be available if
configured. And as you point out, once the system has been configured the
recovery password has fulfilled its job and should at that point be
disabled permanently (until manually reset again).
Better to provide a separate tool for setting (and enabling) the recovery
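A sketch of the file-based mechanism discussed in this thread, written as an added example (not Samba's own code): the password file is read in plain or hashed form, a file readable by other users is refused, the password is only generated by an explicit set/enable tool rather than at runtime, and the entry is disabled once the SAM administrator exists. The pbkdf2_sha256$salt$hash format, the "disabled" marker and the temp-dir path are assumptions for the example.

```python
import hashlib, hmac, os, secrets, stat, tempfile

def hash_password(password, salt=None):
    """Hashed on-disk form (assumed format): pbkdf2_sha256$<salt hex>$<hash hex>."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return "pbkdf2_sha256$%s$%s" % (salt.hex(), dk.hex())

def verify_entry(entry, candidate):
    """Check a candidate against a stored entry, hashed or plain, in constant time."""
    if entry.startswith("pbkdf2_sha256$"):
        _, salt_hex, _ = entry.split("$", 2)
        expected = hash_password(candidate, bytes.fromhex(salt_hex))
        return hmac.compare_digest(expected, entry)
    return hmac.compare_digest(entry.encode(), candidate.encode())  # plain-text form

def set_recovery_password(path, password=None):
    """The 'separate tool': write a hashed entry as mode 0600; generate if none given."""
    password = password or secrets.token_urlsafe(24)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(hash_password(password) + "\n")
    os.chmod(path, 0o600)  # a pre-existing file would otherwise keep its old mode
    return password

def verify_recovery_password(path, candidate):
    """False when recovery is not configured or disabled; error if the file is exposed."""
    if not os.path.exists(path):
        return False
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        raise PermissionError("%s must be mode 0600" % path)
    with open(path) as f:
        entry = f.read().strip()
    if not entry or entry == "disabled":
        return False
    return verify_entry(entry, candidate)

def disable_recovery(path):
    """Once the SAM admin user exists the password has done its job: mark it disabled."""
    with open(path, "w") as f:
        f.write("disabled\n")

def run_demo():
    """Full flow in a temp dir (constructed); returns (accepted, wrong rejected, disabled)."""
    path = os.path.join(tempfile.mkdtemp(), "recoverypass.txt")
    pw = set_recovery_password(path)
    accepted = verify_recovery_password(path, pw)
    rejected = not verify_recovery_password(path, pw + "x")
    disable_recovery(path)
    return accepted, rejected, not verify_recovery_password(path, pw)
```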