Improved cmdline UX in upcoming Samba 4.15
To the newcomer, Samba’s command line user interface appears to be a haphazard jumble of scripts and binaries with options and design principles that fade in and out of use according to some esoteric pattern.
Douglas Bagnall
The initial quote is from the SambaXP talk What should we do with our user interface? in 2019. Douglas wrote that nobody can fix it as experts are locked-in, newbies are baffled and old options can’t be dropped. Since then things have changed. I’ve succeeded to do the impossible, rewrite the command line user interface.
This is part of an effort to support FIPS mode with Samba. For this the client needs to be able have certain defaults set when the machine is set to FIPS mode. But lets first look at what the issues where and how I addressed them.
What were the problems?
Kerberos
$ smbclient --help | grep '\-k' -k, --kerberos Use kerberos $ ldbsearch --help | grep '\-k' -k, --kerberos=STRING Use Kerberos, -k [yes|no]
We have -k and `-k yes`. Same option with and without an argument.
LDB
$ ldbedit --help | grep '\-e'
-e, --editor=PROGRAM external editor
-e, --encrypt Encrypt connection for privacy
Will I enable encryption or will it open an editor, or both?
$ ldbsearch --help | grep '\-S'
-S, --sorted sort attributes
-S, --sign Sign connection to prevent
-S, --signing=on|off|required Set the client signing state
$ ldbsearch --help | grep '\-s'
-s, --scope=SCOPE search scope
-s, --configfile=CONFIGFILE Use alternative configuration
Will I set the scope or provide a config file with `-s`? I want to set the scope, lets use the long option.
$ ldbsearch --help | grep '\-scope'
-s, --scope=SCOPE search scope
-i, --scope=SCOPE Use this Netbios scope
Those are just a few examples but I think you see the problems. I could go on with logging to stderr or stdout. You never know where log messages are ending up.
To address all the issues we run into something called the “Backwards compatibility dilemma”:
Fixing consistency across tools will create new problems!
- We need to introduce new options
- The complexity might increase
- We will certainly break scripts of our users
How did we solve the issues?
For tools written in C the command line parser has been rewritten. There were two different implementation and there is only one now! The parser uses the client credentials API for all tools now. This means that all tools behave the same now.
New important common options
--use-kerberos=desired|required|off Use Kerberos authentication
--use-krb5-ccache=CCACHE Credentials cache location for Kerberos
For Kerberos there are two options available and they have new names. The -k option is deprecated but still works for a grace period. It will be removed in on of the following Samba relases!
A corresponding smb.conf option has been added: client use kerberos = desired|required|off
This allows you to change the default and in FIPS mode it will be forced to be set to required.
--client-protection=sign|encrypt|off
Configure used protection for client connections
There is a new option to select signing or encryption of the connection. It also doesn’t matter if it is an SMB or RPC connection. It will do the right thing for you 🙂
Corresponding smb.conf option: client protection = sign|encrypt|off|default
Logging
All tools and daemons log to stderr by default now! This can be changed using the --debug-stdout option.
Sanity check
The new command line parser comes with a sanity checker. This makes sure that a developer will not introduce duplicate options, whether long or short!
Documentation
The manpage of all tools and daemons have been changed accordingly to reflect the new options. Feel free to open bugs if you find documentation issues or even better, send patches!
The new implementation should make much more sense and developers have tools to avoid mistakes now. Samba 4.15rc1 has just been released. Samba 4.15 is expected to be released in September 2021.