[Pkg-samba-maint] Bug#496196: libpam-smbpass: package description overhaul

Steve Langasek vorlon at debian.org
Sat Aug 23 18:41:14 UTC 2008


On Sat, Aug 23, 2008 at 01:54:20PM +0100, Justin B Rye wrote:
> Package: libpam-smbpass
> Version: 2:3.2.1-1
> Severity: minor

> This is part of a set of related bugreports on the packages in the
> Samba suite; I've already reported many of these issues (with some
> suggested fixes) as a single bugreport on samba4 (see #486370), but
> since that approach is a dud I'm trying the alternative of splitting
> them up and targeting individual packages.

This should have been a single bug report against the samba package, not
14 separate bug reports!

I'm half inclined to close all of these and ask for resubmission as a single
bug report.

> Current package description:
> # Description: pluggable authentication module for SMB/CIFS password database
> #  This is a stackable PAM module that allows a system administrator to easily
> #  migrate to using encrypted passwords for Samba and to keep smb passwords in
> #  sync with unix passwords.  Unlike other solutions, it does this without
> #  requiring users to change their existing passwords or login to Samba using
> #  cleartext passwords.

> Problems shared with other packages in the set:
> * this synopsis obeys DevRef's recommendation of dropping an initial
> 	article, but then overzealously extends the rule to "[the]
> 	SMB/CIFS password database".

The developer's reference also advises that the short description should be
short, ideally less than 50 characters.  This one is already 63 characters
long; adding in the article wouldn't have been an improvement.

> * Samba is all about OS interoperability, so keep the OS names
> 	straight.  These "unix passwords" aren't just for UNIX,
> 	they're also used on GNU/Linux!  In fact, why not stick to
> 	talking about "/etc/passwd"?

a) Unix passwords are those passwords managed by the pam_unix module.
b) Passwords aren't stored in /etc/passwd.
c) These passwords are only /usually/ stored in /etc/shadow: pam_unix will
   also manage other Unix password backends (such as NIS and NIS+).
d) The distinction between Unix and GNU/Linux as OSes is utterly
   uninteresting in the 21st century.  What's being referred to here are the
   password databases that are common to all recent Unix systems.

I would be ok with "to keep SMB passwords in sync with the Unix password
database".  Does that sound ok to you?

> * "PAM module" is a mild but easily avoidable PIN-numberism (and
> 	"stackable" is redundant).

Well, I guess we can debate whether it's redundant to declare that a PAM
module is stackable, given some of the modules out there... probably more
redundant now than when it was written, at least. :)  That's fine.

And given that PAM stands for "Pluggable Authentication Modules", "PAM
module" is not a PIN-numberism, though the wording can be improved in the
way you suggest.

> * and a wishlist item: WIBNI all the packages in the suite had
> 	consistently styled short descriptions.  Likewise, in this
> 	case, consistent what-Samba-is boilerplate.

I don't agree that this is an improvement.  "Samba implements the SMB/CIFS
protocol" is irrelevant to explaining to the user what libpam-smbpass is
for: libpam-smbpass is for use with Samba, and if you don't already have
Samba installed you don't need libpam-smbpass.

> Problems unique to this package:
> * six repetitions of the word "password(s)"!
> * "smb passwords" - make that "SMB", or avoid the jargon entirely.

Agreed.

> * the noun is one word, "a login", but the verb is "to log
> 	(oneself) in (to...)".

Yes (and tsk, shame on me for the sloppiness).

> * "requiring" users to change passwords directly inconveniences
> 	them; "requiring" users to use cleartext logins does not, so
> 	don't phrase it as if they were parallel cases.

It's an inconvenience when their password is stolen over the wire.

> And something I don't know Samba well enough to be sure about: are
> the "other solutions" it mentions still relevant in the 21st century
> or does this need a complete rewrite?
> 
> Suggested replacement text:
> | Description: Samba pluggable authentication module
> |  The Samba software suite implements the SMB/CIFS protocol, providing
> |  cross-platform support for Windows-style network shares.

Not useful to have in the description, as mentioned above.

> |  .
> |  This package provides a module for PAM that lets Samba migrate to using
> |  encrypted passwords, and keep them in sync with /etc/passwd. Unlike other

"/etc/passwd" - inaccurate.

> |  solutions, it does this without needing Samba logins to be sent in
> |  cleartext, or forcing users to change their existing passwords.

"Samba logins to be sent in cleartext" - inaccurate, the question is whether
*passwords* are sent in cleartext.

Counter-suggestion:

 Description: pluggable authentication module for SMB password database
  This is a module for PAM that enables a system administrator to migrate
  user passwords from the Unix password database to the SMB password
  database as used by Samba, and to subsequently keep the two databases in
  sync.  Unlike other solutions, it does this without needing users to log
  in to Samba using cleartext passwords, or requiring them to change their
  existing passwords.

I don't particularly like the use of the term "SMB password database" (more
accurate would be to call it an "NTLM password database"), but it's
consistent with the upstream terminology for the moment.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org




