[Pkg-samba-maint] Merging more Ubuntu changes?

Andrew Bartlett abartlet at samba.org
Fri Dec 29 07:44:50 UTC 2006 

On Thu, 2006-12-28 at 17:26 -0800, Steve Langasek wrote:
> On Tue, Dec 19, 2006 at 07:59:04AM +0100, Christian Perrier wrote:
> > >      * debian/smb.conf:
> > >        - Do not show the version number by default
> 
> > I tend to agree with that one. Seeing all these "(samba x.y.z)"
> > servers on my network is annying..:-)
> 
> I think this might have been done originally in response to upstream's
> concerns about our Samba builds not having a distinguishing version?
> Anyway, this is also a potential information leak to an attacker, so I don't
> object to the change.

We still report it to an anonymous session setup.

> > >        - Comment out the default [homes] shares and add more verbose comments to
> > >          explain what they do and how they work (closes: launchpad.net/27608)
> 
> > ie not sharing homes by default....Any comments from other team members?
> 
> I think homes should be shared by default.
> 
> The launchpad bug report is an entertaining read. :)

:-)

> > >        - Add a "valid users = %S" stanza to the commented-out [homes] section,
> > >          to show users how to restrict access to \\server\username to only
> > >          username.
> 
> > Sounds fair.
> 
> I wouldn't want to use such an example without consulting upstream first
> about its appropriateness.  It's been a long time since I've bothered trying
> to use 'valid users = %foo' to secure home shares.

Yes, the 'valid users = %S' is recommended.  Actually, the usual
complaint is about the games share, but nobody tries 'bin' and such...

> > >        - Change the (commented-out) "printer admin" example to use "@lpadmin"
> > >          instead of "@ntadmin", since the lpadmin group is used for spool admin.
> 
> > Sounds fair
> 
> This has security implications.  It's not obvious that the set of admins for
> the local Unix printer spools is congruent to the set of admins for the NT
> printer drivers; unless someone can show why this should be the case, I
> object to such a change.

I'm pretty sure printer admin is depricated anyway

> > >      * debian/panic-action:
> > >        - Alter the panic-action script to encourage users to report their
> > >          bugs in Ubuntu packages to Ubuntu, rather than reporting to Debian.
> > >          Modify text to more closely match the Debian script
> 
> > We could maybe make part of this script more easily configurable for
> > CDD by using variable parts that could be setup in /etc/default/samba
> 
> No objections in principle.
> 
> > >      * debian/samba-common.templates:
> > >        - Set default workgroup to MSHOME
> 
> > Well, the current "DEBIAN_FANS" we have sounds a bit childish to
> > me. However, I'm unsure abnout the choice of "MSHOME" by Ubuntu...
> 
> I wonder if we still have the debconf bug that prevents you from actually
> changing this workgroup name at install time? :/

Perhaps just leave it as the default of WORKGROUP?

> > >      * debian/control:
> > >        - remove typehandling
> > >        - add update-inetd to Depends
> 
> > Should be investigated. 
> 
> Yes, samba currently depends on netbase for use of update-inetd.  Now that
> there is an update-inetd package, we should transition, but no hurry.
> 
> > >      * debian/samba-common.config:
> > >        - do not change priority to HIGH if dhclient3 is installed
> 
> > Interesting change. To be discussed
> 
> Given the default is 'no', as it must be for policy reasons, I think we
> would still want this as a high-prio question, personally.
> 
> > >        - do not install mount.cifs and umount.cifs as suid
> 
> > Well, that would be a regression for our users. Should we ask a
> > debconf question about this ?
> 
> Ugh, no. :)
> 
> I'm averse to making any changes to the mount helpers without a very, very
> thorough examination and discussion with upstream.  But I'm even more averse
> to adding debconf questions for things like permissions. :)
> 
> Cheers,
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.alioth.debian.org/pipermail/pkg-samba-maint/attachments/20061229/f12f1f67/attachment-0001.pgp

More information about the Pkg-samba-maint mailing list