[oi-dev] Install defaults re. SMB and pam.conf

Toomas Soome tsoome at me.com
Sun Mar 26 18:10:01 UTC 2017


> On 26 March 2017, at 21:04, James Blachly <james.blachly at gmail.com> wrote:
> 
> 
>> On Mar 26, 2017, at 7:36 AM, Toomas Soome <tsoome at me.com> wrote:
>> 
>>> 
>>> On 26 March 2017, at 14:23, Andreas Wacknitz <A.Wacknitz at gmx.de> wrote:
>>> 
>>> 
>>> 
>>> On 25.03.17 at 22:30, James Blachly wrote:
>>>> (I did not get any response on the -discuss list, so please forgive the re-posting)
>>>> 
>>>> Speaking as a new OI user here,
>>>> 
>>>> I am using the kernel CIFS/SMB service for the first time (on other systems including smartos I am using samba), which is quite convenient. However, it did not work out of the box.
>>>> 
>>>> Is there any reason something along the lines of the following should not be in /etc/pam.conf in the installer/freshly installed image?
>>>> 
>>>> # Kernel SMB/CIFS service for insertion into /var/smb/smbpasswd
>>>> other   password required       pam_smb_passwd.so.1     nowarn
>>>> 
>>>> This seems like a reasonable change that would lower the barrier to entry / lower the frustration level for new users at a critical point in their go/no go decision.
>>> I am not sure about the reasons it is missing in our standard installation. Probably because not everybody is using smb/cifs and it might be
>>> a security problem. I think the general idea behind it was (during Solaris times) that it is safer to have as few as possible things "on" by default
>>> and an admin should know what to activate.
>>> So an alternative to enabling this in /etc/pam.conf would be an enhanced description of admin steps after installation (on the wiki probably).
>>> 
>>> Regards
>>> Andreas
>>> 
>> 
>> 
>> The problem is that smb setup is not consistent. On one hand you get this mantra “look how easy it is” - which is a lie. What actually should happen is:
>> 
>> 1. Creating a share should check if we also need to do smbadm join domain or workgroup; if it's workgroup, then the join should also set up the pam entry.
>> 2. Set up the default ACL for share. This one is major pain, it is not properly documented, the current default is useless and confusing.
>> 3. Create /etc/avahi/services/smb.service for SMB.
>> 
>> Also note that if you need to read the wiki just to set up the SMB share, it means the whole concept is already wrong - it has nothing to do with being simple nor easy nor user friendly.
>> 
>> rgds,
>> toomas
> 
> I agree entirely with toomas’ sentiment vis-a-vis “it is not as simple as it appears”, with the qualifier that in the case of a desired setup that is Workgroup only / no AD/ no Windows Domain, the Oracle documentation and all the relevant OI and illumos documentation I could find seemed to suggest that “it should just work” after setting sharesmb property.


Yes, it does depend on how you define “it should just work”, because yea - if you have functional guest setup, sure;)

> 
> **With this addition to pam.conf, it would**, and I advocate strongly for its inclusion in the base installation. (Strictly speaking, step 3, mDNS/avahi, is not necessary to connect, only to browse.)

true, just another small thing. But the world is built on small things.

And do not forget about permission setup;) We can only guess how many people have opted to use samba just because;)

rgds,
toomas
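
A check an admin could run to see whether the pam.conf entry discussed in this thread is active on a given system. This is an added example, not part of the original messages; the function name and the sample files are constructed, and it assumes the usual pam.conf column layout (service, module type, control flag, module path, options).

```shell
#!/bin/sh
# Added example: audit a pam.conf-format file for the password-stack
# entry quoted in the thread (pam_smb_passwd.so.1).

# has_smb_pam_entry FILE  (hypothetical helper name)
# Exit status 0 if FILE contains an active, uncommented line of the form
#   <service> password <control> [path/]pam_smb_passwd.so.1 [options]
# and print the service name of every such line, one per line.
has_smb_pam_entry() {
    awk '
        $1 ~ /^#/ { next }                 # commented-out entry or remark
        NF < 4    { next }                 # not a complete pam.conf entry
        $2 == "password" {
            n = split($4, parts, "/")      # module may be given with a path
            if (parts[n] == "pam_smb_passwd.so.1") { print $1; found = 1 }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample inputs, not taken from a real system.
sample_dir=$(mktemp -d)
printf '%s\n' \
    '# Kernel SMB/CIFS service for insertion into /var/smb/smbpasswd' \
    'other   password required       pam_smb_passwd.so.1     nowarn' \
    > "$sample_dir/with_entry"
printf '%s\n' \
    '#other   password required       pam_smb_passwd.so.1     nowarn' \
    'other   password required       pam_authtok_store.so.1' \
    > "$sample_dir/without_entry"

for f in with_entry without_entry; do
    if svc=$(has_smb_pam_entry "$sample_dir/$f"); then
        echo "$f: pam_smb_passwd active for service(s): $svc"
    else
        echo "$f: no active pam_smb_passwd password entry"
    fi
done
rm -rf "$sample_dir"
```

On a real host the argument would be /etc/pam.conf; a commented-out line is reported as absent, which is the state the thread describes for a fresh install.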
