28
28
interesting business growth and development plan. Abmas Video Rentals was recently acquired.
29
29
During the time that the acquisition was closing, the Video Rentals business upgraded its Windows
30
30
NT4-based network to Windows 2003 Server and Active Directory.
31
</p><p><a class="indexterm" name="id372662"></a>
31
</p><p><a class="indexterm" name="id394785"></a>
32
32
You have accepted the fact that Abmas Video Rentals will use Microsoft Active Directory.
33
33
The IT team, led by Stan Soroka, is committed to Samba-3 and to maintaining a uniform technology platform.
34
34
Stan Soroka's team voiced its disapproval over the decision to permit this business to continue to
35
35
operate with a solution that is viewed by Christine and her group as “<span class="quote">an island of broken
36
36
technologies.</span>” This comment was made by one of Christine's staff as they were installing a new
37
37
Samba-3 server at the new business.
38
</p><p><a class="indexterm" name="id372681"></a><a class="indexterm" name="id372689"></a>
38
</p><p><a class="indexterm" name="id394804"></a><a class="indexterm" name="id394812"></a>
39
39
Abmas Video Rentals' head of IT heard of this criticism. He was offended that a junior engineer
40
40
should make such a comment. He felt that he had to prepare in case he might be criticized for his
41
41
decision to use Active Directory. He decided he would defend his decision by hiring the services
42
of an outside security systems consultant to report<sup>[<a name="id372701" href="#ftn.id372701">12</a>]</sup> on his unit's operations
42
of an outside security systems consultant to report<sup>[<a name="id394824" href="#ftn.id394824" class="footnote">12</a>]</sup> on his unit's operations
43
43
and to investigate the role of Samba at his site. Here are key extracts from this hypothetical
45
</p><div class="blockquote"><blockquote class="blockquote"><p><a class="indexterm" name="id372710"></a><a class="indexterm" name="id372718"></a><a class="indexterm" name="id372726"></a><a class="indexterm" name="id372733"></a>
45
</p><div class="blockquote"><blockquote class="blockquote"><p><a class="indexterm" name="id394832"></a><a class="indexterm" name="id394840"></a><a class="indexterm" name="id394848"></a><a class="indexterm" name="id394856"></a>
46
46
... the implementation of Microsoft Active Directory at the Abmas Video Rentals, Bamingsham site,
47
47
has been examined. We find no evidence to support a notion that vulnerabilities exist at your site.
48
48
... we took additional steps to validate the integrity of the installation and operation of Active
49
49
Directory and are pleased that your staff are following sound practices.
52
</p><p><a class="indexterm" name="id372751"></a><a class="indexterm" name="id372763"></a><a class="indexterm" name="id372774"></a><a class="indexterm" name="id372782"></a><a class="indexterm" name="id372790"></a><a class="indexterm" name="id372798"></a>
52
</p><p><a class="indexterm" name="id394874"></a><a class="indexterm" name="id394885"></a><a class="indexterm" name="id394896"></a><a class="indexterm" name="id394904"></a><a class="indexterm" name="id394912"></a><a class="indexterm" name="id394920"></a>
53
53
User and group accounts, and respective privileges, have been well thought out. File system shares are
54
54
appropriately secured. Backup and disaster recovery plans are well managed and validated regularly, and
55
55
effective off-site storage practices are considered to exceed industry norms.
56
</p><p><a class="indexterm" name="id372811"></a><a class="indexterm" name="id372819"></a><a class="indexterm" name="id372827"></a>
56
</p><p><a class="indexterm" name="id394934"></a><a class="indexterm" name="id394942"></a><a class="indexterm" name="id394949"></a>
57
57
Your staff are justifiably concerned that the use of Samba may compromise their good efforts to maintain
59
</p><p><a class="indexterm" name="id372843"></a><a class="indexterm" name="id372850"></a><a class="indexterm" name="id372858"></a><a class="indexterm" name="id372866"></a>
59
</p><p><a class="indexterm" name="id394965"></a><a class="indexterm" name="id394973"></a><a class="indexterm" name="id394981"></a><a class="indexterm" name="id394989"></a>
60
60
The recently installed Linux file and application server uses a tool called <code class="literal">winbind</code>
61
61
that is indiscriminate about security. All user accounts in Active Directory can be used to access data
62
62
stored on the Linux system. We are alarmed that secure information is accessible to staff who should
63
63
not even be aware that it exists. We share the concerns of your network management staff who have gone
64
64
to great lengths to set fine-grained controls that limit information access to those who need access.
65
65
It seems incongruous to us that Samba winbind should be permitted to be used considering that it voids this fine work.
66
</p><p><a class="indexterm" name="id372892"></a><a class="indexterm" name="id372900"></a><a class="indexterm" name="id372908"></a>
66
</p><p><a class="indexterm" name="id395019"></a><a class="indexterm" name="id395027"></a><a class="indexterm" name="id395035"></a>
67
67
Graham Judd [head of network administration] has locked down the security of all systems and is following
68
68
the latest Microsoft guidelines. ... null session connections have been disabled ... the internal network
69
69
is isolated from the outside world, the [product name removed] firewall is under current contract
100
100
I also wish to advise that two of the recent recruits want to implement Kerberos authentication
101
101
across all systems. I concur with the desire to improve security. One of the new guys who is championing
102
102
the move to Kerberos was responsible for the comment that caused the embarrassment.
103
</p><p><a class="indexterm" name="id373096"></a><a class="indexterm" name="id373104"></a><a class="indexterm" name="id373111"></a><a class="indexterm" name="id373119"></a>
103
</p><p><a class="indexterm" name="id395223"></a><a class="indexterm" name="id395231"></a><a class="indexterm" name="id395238"></a><a class="indexterm" name="id395246"></a>
104
104
I am experiencing difficulty in handling the sharp push for Kerberos. He claims that Kerberos, OpenLDAP,
105
105
plus Samba-3 will seamlessly replace Microsoft Active Directory. I am a little out of my depth with respect
106
106
to the feasibility of such a move, but have taken steps to pull both of them into line. With your consent,
107
107
I would like to hire the services of a well-known Samba consultant to set the record straight.
108
</p><p><a class="indexterm" name="id373134"></a><a class="indexterm" name="id373142"></a><a class="indexterm" name="id373150"></a><a class="indexterm" name="id373158"></a><a class="indexterm" name="id373166"></a><a class="indexterm" name="id373173"></a>
108
</p><p><a class="indexterm" name="id395261"></a><a class="indexterm" name="id395269"></a><a class="indexterm" name="id395277"></a><a class="indexterm" name="id395285"></a><a class="indexterm" name="id395293"></a><a class="indexterm" name="id395300"></a>
109
109
I intend to use this report to answer the criticism raised and would like to establish a policy that we
110
110
will approve the use of Microsoft Windows Servers (and Active Directory) subject to all costs being covered
111
111
out of the budget of the division that wishes to go its own way. I propose that dissenters will still remain
112
112
responsible to meet the budgeted contribution to IT operations as a whole. I believe we should not coerce
113
113
use of any centrally proposed standards, but make all noncompliance the financial responsibility of the
114
114
out-of-step division. Hopefully, this will encourage all divisions to walk with us and not alone.
115
</p></td><td width="10%" valign="top">�</td></tr><tr><td width="10%" valign="top">�</td><td colspan="2" align="right" valign="top">--<span class="attribution">Stan</span></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id373189"></a>Assignment Tasks</h3></div></div></div><p>
115
</p></td><td width="10%" valign="top">�</td></tr><tr><td width="10%" valign="top">�</td><td colspan="2" align="right" valign="top">--<span class="attribution">Stan</span></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id395316"></a>Assignment Tasks</h3></div></div></div><p>
116
116
You agreed with Stan's recommendations and hired a consultant to help defuse the powder
117
117
keg. The consultant's task is to provide a tractable answer to each of the issues raised. The consultant must be able
118
118
to support his or her claims, keep emotions to the side, and answer technically.
119
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id373203"></a>Dissection and Discussion</h2></div></div></div><p><a class="indexterm" name="id373209"></a><a class="indexterm" name="id373217"></a><a class="indexterm" name="id373225"></a><a class="indexterm" name="id373233"></a><a class="indexterm" name="id373241"></a><a class="indexterm" name="id373249"></a><a class="indexterm" name="id373257"></a>
119
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id395330"></a>Dissection and Discussion</h2></div></div></div><p><a class="indexterm" name="id395336"></a><a class="indexterm" name="id395344"></a><a class="indexterm" name="id395352"></a><a class="indexterm" name="id395360"></a><a class="indexterm" name="id395368"></a><a class="indexterm" name="id395376"></a><a class="indexterm" name="id395384"></a>
120
120
Samba-3 is a tool. No one is pounding your door to make you use Samba. That is a choice that you are free to
121
121
make or reject. It is likely that your decision to use Samba can greatly benefit your company.
122
122
The Samba Team obviously believes that the Samba software is a worthy choice.
124
124
someone to help manage your Samba installation, you can create income and employment. Alternately,
125
125
money saved by not spending in the IT area can be spent elsewhere in the business. All money saved
126
126
or spent creates employment.
127
</p><p><a class="indexterm" name="id373273"></a><a class="indexterm" name="id373281"></a><a class="indexterm" name="id373289"></a><a class="indexterm" name="id373297"></a><a class="indexterm" name="id373305"></a>
127
</p><p><a class="indexterm" name="id395400"></a><a class="indexterm" name="id395408"></a><a class="indexterm" name="id395416"></a><a class="indexterm" name="id395424"></a><a class="indexterm" name="id395432"></a>
128
128
In the long term, the use of Samba must be economically sustainable. In some situations, Samba is adopted
129
129
purely to provide file and print service interoperability on platforms that otherwise cannot provide
130
130
access to data and to printers for Microsoft Windows clients. Samba is used by some businesses to
131
131
effect a reduction in the cost of providing IT services. Obviously, it is also used by some as an
132
132
alternative to the use of a Microsoft file and print serving platforms with no consideration of costs.
133
</p><p><a class="indexterm" name="id373320"></a><a class="indexterm" name="id373328"></a><a class="indexterm" name="id373336"></a><a class="indexterm" name="id373343"></a>
133
</p><p><a class="indexterm" name="id395447"></a><a class="indexterm" name="id395455"></a><a class="indexterm" name="id395463"></a><a class="indexterm" name="id395470"></a>
134
134
It would be foolish to adopt a technology that might put any data or users at risk. Security affects
135
135
everyone. The Samba-Team is fully cognizant of the responsibility they have to their users.
136
136
The Samba documentation clearly reveals that full responsibility is accepted to fix anything
138
</p><p><a class="indexterm" name="id373357"></a><a class="indexterm" name="id373365"></a><a class="indexterm" name="id373373"></a><a class="indexterm" name="id373381"></a><a class="indexterm" name="id373392"></a><a class="indexterm" name="id373400"></a><a class="indexterm" name="id373408"></a><a class="indexterm" name="id373416"></a><a class="indexterm" name="id373424"></a><a class="indexterm" name="id373432"></a><a class="indexterm" name="id373439"></a>
138
</p><p><a class="indexterm" name="id395484"></a><a class="indexterm" name="id395492"></a><a class="indexterm" name="id395500"></a><a class="indexterm" name="id395508"></a><a class="indexterm" name="id395519"></a><a class="indexterm" name="id395527"></a><a class="indexterm" name="id395535"></a><a class="indexterm" name="id395543"></a><a class="indexterm" name="id395551"></a><a class="indexterm" name="id395559"></a><a class="indexterm" name="id395566"></a>
139
139
There is a mistaken perception in the IT industry that commercial software providers are fully
140
140
accountable for the defects in products. Open Source software comes with no warranty, so it is
141
141
often assumed that its use confers a higher degree of risk. Everyone should read commercial software
143
143
extent of liability that is accepted. Doing so soon dispels the popular notion that
144
144
commercial software vendors are willingly accountable for product defects. In many cases, the
145
145
commercial vendor accepts liability only to reimburse the price paid for the software.
146
</p><p><a class="indexterm" name="id373462"></a><a class="indexterm" name="id373470"></a><a class="indexterm" name="id373477"></a><a class="indexterm" name="id373485"></a><a class="indexterm" name="id373493"></a><a class="indexterm" name="id373501"></a>
146
</p><p><a class="indexterm" name="id395583"></a><a class="indexterm" name="id395591"></a><a class="indexterm" name="id395599"></a><a class="indexterm" name="id395607"></a><a class="indexterm" name="id395615"></a><a class="indexterm" name="id395623"></a>
147
147
The real issues that a consumer (like you) needs answered are What is the way of escape from technical
148
148
problems, and how long will it take? The average problem turnaround time in the Open Source community is
149
149
approximately 48 hours. What does the EULA offer? What is the track record in the commercial software
150
150
industry? What happens when your commercial vendor decides to cease providing support?
151
</p><p><a class="indexterm" name="id373516"></a><a class="indexterm" name="id373523"></a><a class="indexterm" name="id373531"></a><a class="indexterm" name="id373539"></a><a class="indexterm" name="id373547"></a><a class="indexterm" name="id373555"></a><a class="indexterm" name="id373562"></a>
151
</p><p><a class="indexterm" name="id395641"></a><a class="indexterm" name="id395648"></a><a class="indexterm" name="id395656"></a><a class="indexterm" name="id395664"></a><a class="indexterm" name="id395672"></a><a class="indexterm" name="id395680"></a><a class="indexterm" name="id395688"></a>
152
152
Open Source software at least puts you in possession of the source code. This means that when
153
153
all else fails, you can hire a programmer to solve the problem.
154
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id373574"></a>Technical Issues</h3></div></div></div><p>
154
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id395699"></a>Technical Issues</h3></div></div></div><p>
155
155
Each issue is now discussed and, where appropriate, example implementation steps are
157
</p><div class="variablelist"><dl><dt><span class="term">Winbind and Security</span></dt><dd><p><a class="indexterm" name="id373594"></a><a class="indexterm" name="id373601"></a><a class="indexterm" name="id373609"></a><a class="indexterm" name="id373621"></a><a class="indexterm" name="id373628"></a><a class="indexterm" name="id373636"></a><a class="indexterm" name="id373644"></a><a class="indexterm" name="id373652"></a><a class="indexterm" name="id373660"></a><a class="indexterm" name="id373668"></a>
157
</p><div class="variablelist"><dl><dt><span class="term">Winbind and Security</span></dt><dd><p><a class="indexterm" name="id395719"></a><a class="indexterm" name="id395726"></a><a class="indexterm" name="id395734"></a><a class="indexterm" name="id395746"></a><a class="indexterm" name="id395754"></a><a class="indexterm" name="id395761"></a><a class="indexterm" name="id395769"></a><a class="indexterm" name="id395777"></a><a class="indexterm" name="id395785"></a><a class="indexterm" name="id395793"></a>
158
158
Windows network administrators may be dismayed to find that <code class="literal">winbind</code>
159
159
exposes all domain users so that they may use their domain account credentials to
160
160
log on to a UNIX/Linux system. The fact that all users in the domain can see the
161
161
UNIX/Linux server in their Network Neighborhood and can browse the shares on the
162
162
server seems to excite them further.
163
</p><p><a class="indexterm" name="id373688"></a><a class="indexterm" name="id373696"></a><a class="indexterm" name="id373704"></a><a class="indexterm" name="id373712"></a>
163
</p><p><a class="indexterm" name="id395813"></a><a class="indexterm" name="id395821"></a><a class="indexterm" name="id395829"></a><a class="indexterm" name="id395837"></a>
164
164
<code class="literal">winbind</code> provides for the UNIX/Linux domain member server or
165
165
client, the same as one would obtain by adding a Microsoft Windows server or
166
166
client to the domain. The real objection is the fact that Samba is not MS Windows
167
167
and therefore requires handling a little differently from the familiar Windows systems.
168
168
One must recognize fear of the unknown.
169
</p><p><a class="indexterm" name="id373734"></a><a class="indexterm" name="id373742"></a><a class="indexterm" name="id373750"></a><a class="indexterm" name="id373758"></a><a class="indexterm" name="id373766"></a><a class="indexterm" name="id373777"></a>
169
</p><p><a class="indexterm" name="id395857"></a><a class="indexterm" name="id395864"></a><a class="indexterm" name="id395872"></a><a class="indexterm" name="id395880"></a><a class="indexterm" name="id395888"></a><a class="indexterm" name="id395899"></a>
170
170
Windows network administrators need to recognize that <code class="literal">winbind</code> does
171
171
not, and cannot, override account controls set using the Active Directory management
172
172
tools. The control is the same. Have no fear.
173
</p><p><a class="indexterm" name="id373796"></a><a class="indexterm" name="id373804"></a><a class="indexterm" name="id373815"></a><a class="indexterm" name="id373823"></a><a class="indexterm" name="id373831"></a><a class="indexterm" name="id373839"></a><a class="indexterm" name="id373847"></a><a class="indexterm" name="id373855"></a><a class="indexterm" name="id373862"></a><a class="indexterm" name="id373870"></a>
173
</p><p><a class="indexterm" name="id395918"></a><a class="indexterm" name="id395926"></a><a class="indexterm" name="id395937"></a><a class="indexterm" name="id395945"></a><a class="indexterm" name="id395953"></a><a class="indexterm" name="id395961"></a><a class="indexterm" name="id395969"></a><a class="indexterm" name="id395977"></a><a class="indexterm" name="id395985"></a><a class="indexterm" name="id395992"></a>
174
174
Where Samba and the ADS domain account information obtained through the use of
175
175
<code class="literal">winbind</code> permits access, by browsing or by the drive mapping to
176
176
a share, to data that should be better protected. This can only happen when security
177
177
controls have not been properly implemented. Samba permits access controls to be set
179
179
</p><div class="itemizedlist"><ul type="disc"><li><p>Shares themselves (i.e., the logical share itself)</p></li><li><p>The share definition in <code class="filename">smb.conf</code></p></li><li><p>The shared directories and files using UNIX permissions</p></li><li><p>Using Windows 2000 ACLs if the file system is POSIX enabled</p></li></ul></div><p>
180
Examples of each are given in <a href="kerberos.html#ch10expl" title="Implementation">???</a>.
181
</p></dd><dt><span class="term">User and Group Controls</span></dt><dd><p><a class="indexterm" name="id373940"></a><a class="indexterm" name="id373947"></a><a class="indexterm" name="id373959"></a><a class="indexterm" name="id373970"></a><a class="indexterm" name="id373978"></a><a class="indexterm" name="id373986"></a><a class="indexterm" name="id373993"></a><a class="indexterm" name="id374001"></a><a class="indexterm" name="id374009"></a>
180
Examples of each are given in <a class="link" href="kerberos.html#ch10expl" title="Implementation">“Implementation”</a>.
181
</p></dd><dt><span class="term">User and Group Controls</span></dt><dd><p><a class="indexterm" name="id396062"></a><a class="indexterm" name="id396070"></a><a class="indexterm" name="id396081"></a><a class="indexterm" name="id396092"></a><a class="indexterm" name="id396100"></a><a class="indexterm" name="id396108"></a><a class="indexterm" name="id396116"></a><a class="indexterm" name="id396123"></a><a class="indexterm" name="id396131"></a>
182
182
User and group management facilities as known in the Windows ADS environment may be
183
183
used to provide equivalent access control constraints or to provide equivalent
184
184
permissions and privileges on Samba servers. Samba offers greater flexibility in the
185
185
use of user and group controls because it has additional layers of control compared to
186
186
Windows 200x/XP. For example, access controls on a Samba server may be set within
187
187
the share definition in a manner for which Windows has no equivalent.
188
</p><p><a class="indexterm" name="id374029"></a><a class="indexterm" name="id374037"></a><a class="indexterm" name="id374045"></a><a class="indexterm" name="id374053"></a><a class="indexterm" name="id374064"></a><a class="indexterm" name="id374072"></a><a class="indexterm" name="id374080"></a>
188
</p><p><a class="indexterm" name="id396147"></a><a class="indexterm" name="id396155"></a><a class="indexterm" name="id396162"></a><a class="indexterm" name="id396170"></a><a class="indexterm" name="id396182"></a><a class="indexterm" name="id396190"></a><a class="indexterm" name="id396197"></a>
189
189
In any serious analysis of system security, it is important to examine the safeguards
190
190
that remain when all other protective measures fail. An administrator may inadvertently
191
191
set excessive permissions on the file system of a shared resource, or he may set excessive
193
193
the data would indeed be laid bare to abuse. Yet, within a Samba share definition, it is
194
194
possible to guard against that by enforcing controls on the share definition itself. You
195
195
see a practical example of this a little later in this chapter.
196
</p><p><a class="indexterm" name="id374096"></a><a class="indexterm" name="id374104"></a>
196
</p><p><a class="indexterm" name="id396214"></a><a class="indexterm" name="id396222"></a>
197
197
The report that is critical of Samba really ought to have exercised greater due
198
198
diligence: the real weakness is on the side of a Microsoft Windows environment.
199
</p></dd><dt><span class="term">Security Overall</span></dt><dd><p><a class="indexterm" name="id374124"></a>
199
</p></dd><dt><span class="term">Security Overall</span></dt><dd><p><a class="indexterm" name="id396242"></a>
200
200
Samba is designed in such a manner that weaknesses inherent in the design of
201
201
Microsoft Windows networking ought not to expose the underlying UNIX/Linux file
202
202
system in any way. All software has potential defects, and Samba is no exception.
203
203
What matters more is how defects that are discovered get dealt with.
204
</p><p><a class="indexterm" name="id374138"></a><a class="indexterm" name="id374146"></a><a class="indexterm" name="id374154"></a><a class="indexterm" name="id374162"></a>
204
</p><p><a class="indexterm" name="id396256"></a><a class="indexterm" name="id396264"></a><a class="indexterm" name="id396272"></a><a class="indexterm" name="id396280"></a>
205
205
The Samba Team totally agrees with the necessity to observe and fully implement
206
206
every security facility to provide a level of protection and security that is necessary
207
207
and that the end user (or network administrator) needs. Never would the Samba Team
208
208
recommend a compromise to system security, nor would deliberate defoliation of
209
209
security be publicly condoned; yet this is the practice by many Windows network
210
210
administrators just to make happy users who have no notion of consequential risk.
211
</p><p><a class="indexterm" name="id374178"></a><a class="indexterm" name="id374186"></a><a class="indexterm" name="id374193"></a><a class="indexterm" name="id374201"></a><a class="indexterm" name="id374209"></a><a class="indexterm" name="id374217"></a><a class="indexterm" name="id374225"></a>
211
</p><p><a class="indexterm" name="id396295"></a><a class="indexterm" name="id396303"></a><a class="indexterm" name="id396311"></a><a class="indexterm" name="id396319"></a><a class="indexterm" name="id396327"></a><a class="indexterm" name="id396335"></a><a class="indexterm" name="id396343"></a>
212
212
The report condemns Samba for releasing updates and security fixes, yet Microsoft
213
213
online updates need to be applied almost weekly. The answer to the criticism
214
214
lies in the fact that Samba development is continuing, documentation is improving,
215
215
user needs are being increasingly met or exceeded, and security updates are issued
216
216
with a short turnaround time.
217
</p><p><a class="indexterm" name="id374239"></a><a class="indexterm" name="id374247"></a><a class="indexterm" name="id374255"></a><a class="indexterm" name="id374263"></a><a class="indexterm" name="id374271"></a>
217
</p><p><a class="indexterm" name="id396357"></a><a class="indexterm" name="id396365"></a><a class="indexterm" name="id396373"></a><a class="indexterm" name="id396381"></a><a class="indexterm" name="id396388"></a>
218
218
The release of Samba-4 is expected around late 2004 to early 2005 and involves a near
219
219
complete rewrite to permit extensive modularization and to prepare Samba for new
220
220
functionality planned for addition during the next-generation series. The Samba Team
221
221
is responsible and can be depended upon; the history to date suggests a high
222
222
degree of dependability and on charter development consistent with published
223
223
roadmap projections.
224
</p><p><a class="indexterm" name="id374289"></a><a class="indexterm" name="id374297"></a><a class="indexterm" name="id374309"></a><a class="indexterm" name="id374320"></a><a class="indexterm" name="id374328"></a><a class="indexterm" name="id374336"></a><a class="indexterm" name="id374343"></a>
224
</p><p><a class="indexterm" name="id396411"></a><a class="indexterm" name="id396419"></a><a class="indexterm" name="id396430"></a><a class="indexterm" name="id396441"></a><a class="indexterm" name="id396449"></a><a class="indexterm" name="id396457"></a><a class="indexterm" name="id396465"></a>
225
225
Not well published is the fact that Microsoft was a foundation member of
226
226
the Common Internet File System (CIFS) initiative, together with the participation
227
227
of the network attached storage (NAS) industry. Unfortunately, for the past few years,
246
246
and trial-and-error implementation of potential techniques. The real value of public
247
247
and defensible standards is obvious to all and would have enabled more secure networking
249
</p><p><a class="indexterm" name="id374478"></a><a class="indexterm" name="id374486"></a>
249
</p><p><a class="indexterm" name="id396600"></a><a class="indexterm" name="id396608"></a>
250
250
Critics of Samba often ignore fundamental problems that may plague (or may have plagued)
251
251
the users of Microsoft's products also. Those who are first to criticize Samba
252
252
for not rushing into release of <code class="constant">digital sign'n'seal</code> support
253
253
often dismiss the problems that Microsoft has
254
<a href="http://support.microsoft.com/default.aspx?kbid=321733" target="_top">acknowledged</a>
254
<a class="ulink" href="http://support.microsoft.com/default.aspx?kbid=321733" target="_top">acknowledged</a>
255
255
and for which a fix was provided. In fact,
256
<a href="http://www.tangent-systems.com/support/delayedwrite.html" target="_top">Tangent Systems</a>
256
<a class="ulink" href="http://www.tangent-systems.com/support/delayedwrite.html" target="_top">Tangent Systems</a>
257
257
have documented a significant problem with delays writes that can be connected with the
258
258
implementation of sign'n'seal. They provide a work-around that is not trivial for many
259
259
Windows networking sites. From notes such as this it is clear that there are benefits
260
260
from not rushing new technology out of the door too soon.
261
</p><p><a class="indexterm" name="id374519"></a><a class="indexterm" name="id374527"></a><a class="indexterm" name="id374535"></a><a class="indexterm" name="id374543"></a><a class="indexterm" name="id374551"></a><a class="indexterm" name="id374558"></a><a class="indexterm" name="id374566"></a><a class="indexterm" name="id374574"></a><a class="indexterm" name="id374582"></a>
261
</p><p><a class="indexterm" name="id396641"></a><a class="indexterm" name="id396649"></a><a class="indexterm" name="id396656"></a><a class="indexterm" name="id396664"></a><a class="indexterm" name="id396672"></a><a class="indexterm" name="id396680"></a><a class="indexterm" name="id396688"></a><a class="indexterm" name="id396696"></a><a class="indexterm" name="id396704"></a>
262
262
One final comment is warranted. If companies want more secure networking protocols,
263
263
the most effective method by which this can be achieved is by users seeking
264
264
and working together to help define open and publicly refereed standards. The
282
282
challenge of developing and integrating the necessary technologies. Therefore, if
283
283
the Samba Team does not make it a priority to absorb Kerberos and LDAP functionality
284
284
into the Samba project, this dream request cannot become a reality.
285
</p><p><a class="indexterm" name="id374715"></a><a class="indexterm" name="id374723"></a><a class="indexterm" name="id374731"></a><a class="indexterm" name="id374742"></a><a class="indexterm" name="id374750"></a>
285
</p><p><a class="indexterm" name="id396838"></a><a class="indexterm" name="id396846"></a><a class="indexterm" name="id396854"></a><a class="indexterm" name="id396865"></a><a class="indexterm" name="id396872"></a>
286
286
At this time, the integration of LDAP, Kerberos, and the missing RPCs is not on the
287
287
Samba development roadmap. If it is not on the published roadmap, it cannot be delivered
288
288
anytime soon. Ergo, ADS server support is not a current goal for Samba development.
289
289
The Samba Team is most committed to permitting Samba to be a full ADS domain member
290
290
that is increasingly capable of being managed using Microsoft Windows MMC tools.
291
</p></dd></dl></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id374766"></a>Kerberos Exposed</h4></div></div></div><p><a class="indexterm" name="id374772"></a><a class="indexterm" name="id374780"></a><a class="indexterm" name="id374788"></a>
291
</p></dd></dl></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id396888"></a>Kerberos Exposed</h4></div></div></div><p><a class="indexterm" name="id396895"></a><a class="indexterm" name="id396903"></a><a class="indexterm" name="id396911"></a>
292
292
Kerberos is a network authentication protocol that provides secure authentication for
293
293
client-server applications by using secret-key cryptography. Firewalls are an insufficient
294
294
barrier mechanism in today's networking world; at best they only restrict incoming network
295
295
traffic but cannot prevent network traffic that comes from authorized locations from
296
296
performing unauthorized activities.
297
</p><p><a class="indexterm" name="id374802"></a><a class="indexterm" name="id374810"></a><a class="indexterm" name="id374818"></a>
297
</p><p><a class="indexterm" name="id396925"></a><a class="indexterm" name="id396933"></a><a class="indexterm" name="id396941"></a>
298
298
Kerberos was created by MIT as a solution to network security problems. The Kerberos protocol uses
299
299
strong cryptography so that a client can prove its identity to a server (and vice versa) across an
300
300
insecure network connection. After a client and server has used Kerberos to prove their identity,
301
301
they can also encrypt all of their communications to assure privacy and data integrity as they go
302
302
about their business.
303
</p><p><a class="indexterm" name="id374833"></a><a class="indexterm" name="id374841"></a><a class="indexterm" name="id374849"></a><a class="indexterm" name="id374857"></a><a class="indexterm" name="id374868"></a>
303
</p><p><a class="indexterm" name="id396956"></a><a class="indexterm" name="id396964"></a><a class="indexterm" name="id396972"></a><a class="indexterm" name="id396979"></a><a class="indexterm" name="id396991"></a>
304
304
Kerberos is a trusted third-party service. That means that there is a third party (the kerberos
305
305
server) that is trusted by all the entities on the network (users and services, usually called
306
306
principals). All principals share a secret password (or key) with the kerberos server and this
307
307
enables principals to verify that the messages from the kerberos server are authentic. Therefore,
308
308
trusting the kerberos server, users and services can authenticate each other.
310
<a class="indexterm" name="id374884"></a>
311
<a class="indexterm" name="id374891"></a>
312
<a class="indexterm" name="id374898"></a>
310
<a class="indexterm" name="id397007"></a>
311
<a class="indexterm" name="id397014"></a>
312
<a class="indexterm" name="id397021"></a>
313
313
Kerberos was, until recently, a technology that was restricted from being exported from the United States.
314
314
For many years that hindered global adoption of more secure networking technologies both within the United States
315
315
and abroad. A free and unencumbered implementation of MIT Kerberos has been produced in Europe
316
and is available from the <a href="http://www.pdc.kth.se/heimdal/" target="_top">Royal Institute</a> of
316
and is available from the <a class="ulink" href="http://www.pdc.kth.se/heimdal/" target="_top">Royal Institute</a> of
317
317
Technology (KTH), Sweden. It is known as the Heimdal Kerberos project. In recent times the U.S. government
318
318
has removed sanctions affecting the global distribution of MIT Kerberos. It is likely that there will be a
319
319
significant surge forward in the development of Kerberos-enabled applications and in the general deployment
320
320
and use of Kerberos across the spectrum of the information technology industry.
322
<a class="indexterm" name="id374920"></a>
322
<a class="indexterm" name="id397043"></a>
323
323
A storm has broken out concerning interoperability between MIT Kerberos and Microsofts' implementation
324
324
of it. For example, a 2002
325
<a href="http://www.idg.com.sg/idgwww.nsf/0/5DDA8D153A7505A748256BAB000D992A?OpenDocument" target="_top">IDG</a>
326
report<sup>[<a name="id374937" href="#ftn.id374937">13</a>]</sup> by
325
<a class="ulink" href="http://www.idg.com.sg/idgwww.nsf/0/5DDA8D153A7505A748256BAB000D992A?OpenDocument" target="_top">IDG</a>
326
report<sup>[<a name="id397060" href="#ftn.id397060" class="footnote">13</a>]</sup> by
328
328
</p><div class="blockquote"><blockquote class="blockquote"><p>
329
329
A Microsoft Corp. executive testified at the software giant's remedy hearing that the company goes to
375
375
In the left panel,
376
376
<span class="guimenu">[Right mouse menu item] Computer Management (Local)</span> → <span class="guimenuitem">Connect to another computer ...</span> → <span class="guimenuitem">Browse...</span> → <span class="guimenuitem">Advanced</span> → <span class="guimenuitem">Find Now</span>. In the lower panel, click on the name of the server you wish to
377
administer. Click <span class="guimenu">OK</span> → <span class="guimenuitem">OK</span> → <span class="guimenuitem">OK</span>.<a class="indexterm" name="id375232"></a>
377
administer. Click <span class="guimenu">OK</span> → <span class="guimenuitem">OK</span> → <span class="guimenuitem">OK</span>.<a class="indexterm" name="id397356"></a>
378
378
In the left panel, the entry <span class="guimenu">Computer Management (Local)</span> should now reflect
379
379
the change made. For example, if the server you are administering is called <code class="constant">FRODO</code>,
380
380
the Computer Management entry should now say <span class="guimenu">Computer Management (FRODO)</span>.
382
382
In the left panel, click <span class="guimenu">Computer Management (FRODO)</span> → <span class="guimenuitem">[+] Shared Folders</span> → <span class="guimenuitem">Shares</span>.
383
</p></li><li><p><a class="indexterm" name="id375293"></a><a class="indexterm" name="id375301"></a>
383
</p></li><li><p><a class="indexterm" name="id397418"></a><a class="indexterm" name="id397426"></a>
384
384
In the right panel, double-click on the share on which you wish to set/edit ACLs. This
385
385
will bring up the Properties panel. Click the <span class="guimenu">Share Permissions</span> tab.
386
</p></li><li><p><a class="indexterm" name="id375323"></a><a class="indexterm" name="id375331"></a><a class="indexterm" name="id375339"></a><a class="indexterm" name="id375347"></a><a class="indexterm" name="id375354"></a><a class="indexterm" name="id375362"></a>
386
</p></li><li><p><a class="indexterm" name="id397447"></a><a class="indexterm" name="id397455"></a><a class="indexterm" name="id397463"></a><a class="indexterm" name="id397471"></a><a class="indexterm" name="id397479"></a><a class="indexterm" name="id397487"></a>
387
387
You may now edit/add/remove access control settings. Be very careful. Many problems have been
388
388
created by people who decided that everyone should be rejected but one particular group should
389
389
have full control. This is a catch-22 situation because members of that particular group also
393
393
When you are done with editing, close all panels by clicking through the <span class="guimenu">OK</span>
395
</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id375395"></a>Share Definition Controls</h3></div></div></div><p><a class="indexterm" name="id375401"></a><a class="indexterm" name="id375413"></a><a class="indexterm" name="id375421"></a><a class="indexterm" name="id375428"></a><a class="indexterm" name="id375436"></a><a class="indexterm" name="id375444"></a>
395
</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id397519"></a>Share Definition Controls</h3></div></div></div><p><a class="indexterm" name="id397526"></a><a class="indexterm" name="id397537"></a><a class="indexterm" name="id397545"></a><a class="indexterm" name="id397553"></a><a class="indexterm" name="id397561"></a><a class="indexterm" name="id397568"></a>
396
396
Share-definition-based access controls can be used like a checkpoint or like a pile-driver. Just as a
397
397
checkpoint can be used to require someone who wants to get through to meet certain requirements, so
398
398
it is possible to require the user (or group the user belongs to) to meet specified credential-related
399
399
objectives. It can be likened to a pile-driver by overriding default controls in that having met the
400
400
credential-related objectives, the user can be granted powers and privileges that would not normally be
401
401
available under default settings.
402
</p><p><a class="indexterm" name="id375460"></a><a class="indexterm" name="id375468"></a><a class="indexterm" name="id375476"></a><a class="indexterm" name="id375484"></a>
402
</p><p><a class="indexterm" name="id397584"></a><a class="indexterm" name="id397592"></a><a class="indexterm" name="id397600"></a><a class="indexterm" name="id397608"></a>
403
403
It must be emphasized that the controls discussed here can act as a filter or give rights of passage
404
404
that act as a superstructure over normal directory and file access controls. However, share-level
405
405
ACLs act at a higher level than do share definition controls because the user must filter through the
406
406
share-level controls to get to the share-definition controls. The proper hierarchy of controls implemented
407
407
by Samba and Windows networking consists of:
408
</p><div class="orderedlist"><ol type="1"><li><p>Share-level ACLs</p></li><li><p>Share-definition controls</p></li><li><p>Directory and file permissions</p></li><li><p>Directory and file POSIX ACLs</p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id375528"></a>Checkpoint Controls</h4></div></div></div><p><a class="indexterm" name="id375535"></a>
408
</p><div class="orderedlist"><ol type="1"><li><p>Share-level ACLs</p></li><li><p>Share-definition controls</p></li><li><p>Directory and file permissions</p></li><li><p>Directory and file POSIX ACLs</p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id397648"></a>Checkpoint Controls</h4></div></div></div><p><a class="indexterm" name="id397655"></a>
409
409
Consider the following extract from a <code class="filename">smb.conf</code> file defining the share called <code class="constant">Apps</code>:
410
410
</p><pre class="screen">
417
417
This definition permits only those who are members of the group called <code class="constant">Employees</code> to
418
418
access the share.
419
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><a class="indexterm" name="id375568"></a><a class="indexterm" name="id375579"></a><a class="indexterm" name="id375587"></a><a class="indexterm" name="id375595"></a><a class="indexterm" name="id375603"></a>
419
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><a class="indexterm" name="id397688"></a><a class="indexterm" name="id397700"></a><a class="indexterm" name="id397708"></a><a class="indexterm" name="id397716"></a><a class="indexterm" name="id397723"></a>
420
420
On domain member servers and clients, even when the <em class="parameter"><code>winbind use default domain</code></em> has
421
421
been specified, the use of domain accounts in security controls requires fully qualified domain specification,
422
for example, <a class="indexterm" name="id375620"></a>valid users = @"MEGANET\Northern Engineers".
422
for example, <a class="link" href="smb.conf.5.html#VALIDUSERS">valid users = @"MEGANET\Northern Engineers"</a>.
423
423
Note the necessity to use the double quotes to avoid having the space in the Windows group name interpreted as a
425
</p></div><p><a class="indexterm" name="id375630"></a><a class="indexterm" name="id375638"></a><a class="indexterm" name="id375646"></a>
425
</p></div><p><a class="indexterm" name="id397755"></a><a class="indexterm" name="id397762"></a><a class="indexterm" name="id397770"></a>
426
426
If there is an ACL on the share itself to permit read/write access for all <code class="constant">Employees</code>
427
427
as well as read/write for the group <code class="constant">Doctors</code>, both groups are permitted through
428
428
to the share. However, at the moment an attempt is made to set up a connection to the share, a member of
429
429
the group <code class="constant">Doctors</code>, who is not also a member of the group <code class="constant">Employees</code>,
430
430
would immediately fail to validate.
431
</p><p><a class="indexterm" name="id375674"></a>
431
</p><p><a class="indexterm" name="id397798"></a>
432
432
Consider another example. In this case, you want to permit all members of the group <code class="constant">Employees</code>
433
433
except the user <code class="constant">patrickj</code> to access the <code class="constant">Apps</code> share. This can be
434
434
easily achieved by setting a share-level ACL permitting only <code class="constant">Employees</code> to access the share,
697
697
This confirms that the change of POSIX ACL permissions has been effective.
698
</p></li><li><p><a class="indexterm" name="id376942"></a><a class="indexterm" name="id376950"></a><a class="indexterm" name="id376958"></a><a class="indexterm" name="id376965"></a><a class="indexterm" name="id376973"></a>
698
</p></li><li><p><a class="indexterm" name="id399066"></a><a class="indexterm" name="id399074"></a><a class="indexterm" name="id399082"></a><a class="indexterm" name="id399090"></a><a class="indexterm" name="id399098"></a>
699
699
It is highly recommended that you read the online manual page for the <code class="literal">setfacl</code>
700
700
and <code class="literal">getfacl</code> commands. This provides information regarding how to set/read the default
701
701
ACLs and how that may be propagated through the directory tree. In Windows ACLs terms, this is the equivalent
702
702
of setting <code class="constant">inheritance</code> properties.
703
</p></li></ol></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id377005"></a>Key Points Learned</h3></div></div></div><p>
703
</p></li></ol></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id399129"></a>Key Points Learned</h3></div></div></div><p>
704
704
The mish-mash of issues were thrown together into one chapter because it seemed like a good idea.
705
705
Looking back, this chapter could be broken into two, but it's too late now. It has been done.
706
706
The highlights covered are as follows:
707
</p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id377020"></a><a class="indexterm" name="id377028"></a><a class="indexterm" name="id377036"></a><a class="indexterm" name="id377043"></a>
707
</p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id399144"></a><a class="indexterm" name="id399152"></a><a class="indexterm" name="id399160"></a><a class="indexterm" name="id399168"></a>
708
708
Winbind honors and does not override account controls set in Active Directory.
709
709
This means that password change, logon hours, and so on, are (or soon will be) enforced
710
710
by Samba winbind. At this time, an out-of-hours login is denied and password
711
711
change is enforced. At this time, if logon hours expire, the user is not forcibly
712
712
logged off. That may be implemented at some later date.
713
</p></li><li><p><a class="indexterm" name="id377059"></a><a class="indexterm" name="id377067"></a>
713
</p></li><li><p><a class="indexterm" name="id399183"></a><a class="indexterm" name="id399191"></a>
714
714
Sign'n'seal (plus schannel support) has been implemented in Samba-3. Beware of potential
715
715
problems acknowledged by Microsoft as having been fixed but reported by some as still
716
716
possibly an open issue.
717
</p></li><li><p><a class="indexterm" name="id377081"></a><a class="indexterm" name="id377089"></a><a class="indexterm" name="id377097"></a><a class="indexterm" name="id377104"></a>
717
</p></li><li><p><a class="indexterm" name="id399205"></a><a class="indexterm" name="id399213"></a><a class="indexterm" name="id399221"></a><a class="indexterm" name="id399229"></a>
718
718
The combination of Kerberos 5, plus OpenLDAP, plus Samba, cannot replace Microsoft
719
719
Active Directory. The possibility to do this is not planned in the current Samba-3
720
720
roadmap. Samba-3 does aim to provide further improvements in interoperability so that
723
723
This chapter reviewed mechanisms by which Samba servers may be kept secure. Each of
724
724
the four key methodologies was reviewed with specific reference to example deployment
726
</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id377127"></a>Questions and Answers</h2></div></div></div><p>
727
</p><div class="qandaset"><dl><dt> <a href="kerberos.html#id377142">
726
</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id399251"></a>Questions and Answers</h2></div></div></div><p>
727
</p><div class="qandaset"><dl><dt> <a href="kerberos.html#id399266">
728
728
Does Samba-3 require the Sign'n'seal registry hacks needed by Samba-2?
729
</a></dt><dt> <a href="kerberos.html#id377210">
729
</a></dt><dt> <a href="kerberos.html#id399334">
730
730
Does Samba-3 support Active Directory?
731
</a></dt><dt> <a href="kerberos.html#id377238">
731
</a></dt><dt> <a href="kerberos.html#id399362">
732
732
When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was
733
733
necessary with Samba-2?
734
</a></dt><dt> <a href="kerberos.html#id377273">
734
</a></dt><dt> <a href="kerberos.html#id399397">
735
735
Is it safe to set share-level access controls in Samba?
736
</a></dt><dt> <a href="kerberos.html#id377300">
736
</a></dt><dt> <a href="kerberos.html#id399424">
737
737
Is it mandatory to set share ACLs to get a secure Samba-3 server?
738
</a></dt><dt> <a href="kerberos.html#id377372">
738
</a></dt><dt> <a href="kerberos.html#id399496">
739
739
The valid users did not work on the [homes].
740
740
Has this functionality been restored yet?
741
</a></dt><dt> <a href="kerberos.html#id377431">
741
</a></dt><dt> <a href="kerberos.html#id399559">
742
742
Is the bias against use of the force user and force group
743
743
really warranted?
744
</a></dt><dt> <a href="kerberos.html#id377492">
744
</a></dt><dt> <a href="kerberos.html#id399620">
745
745
The example given for file and directory access control forces all files to be owned by one
746
746
particular user. I do not like that. Is there any way I can see who created the file?
747
</a></dt><dt> <a href="kerberos.html#id377536">
747
</a></dt><dt> <a href="kerberos.html#id399664">
748
748
In the book, “The Official Samba-3 HOWTO and Reference Guide”, you recommended use
749
749
of the Windows NT4 Server Manager (part of the SRVTOOLS.EXE) utility. Why
750
750
have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility?
751
</a></dt><dt> <a href="kerberos.html#id377596">
751
</a></dt><dt> <a href="kerberos.html#id399724">
752
752
I tried to set valid users = @Engineers, but it does not work. My Samba
753
753
server is an Active Directory domain member server. Has this been fixed now?
754
</a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id377142"></a><a name="id377144"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id377147"></a><a class="indexterm" name="id377155"></a>
754
</a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id399266"></a><a name="id399268"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id399272"></a><a class="indexterm" name="id399280"></a>
755
755
Does Samba-3 require the <code class="constant">Sign'n'seal</code> registry hacks needed by Samba-2?
756
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id377174"></a><a class="indexterm" name="id377182"></a><a class="indexterm" name="id377190"></a>
756
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id399298"></a><a class="indexterm" name="id399306"></a><a class="indexterm" name="id399314"></a>
757
757
No. Samba-3 fully supports <code class="constant">Sign'n'seal</code> as well as <code class="constant">schannel</code>
758
758
operation. The registry change should not be applied when Samba-3 is used as a domain controller.
759
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id377210"></a><a name="id377212"></a></td><td align="left" valign="top"><p>
759
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id399334"></a><a name="id399337"></a></td><td align="left" valign="top"><p>
760
760
Does Samba-3 support Active Directory?
761
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id377222"></a>
761
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id399347"></a>
762
762
Yes. Samba-3 can be a fully participating native mode Active Directory client. Samba-3 does not
763
763
provide Active Directory services. It cannot be used to replace a Microsoft Active Directory
764
764
server implementation. Samba-3 can function as an Active Directory client (workstation) toolkit,
765
765
and it can function as an Active Directory domain member server.
766
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id377238"></a><a name="id377240"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id377243"></a>
766
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id399362"></a><a name="id399364"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id399367"></a>
767
767
When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was
768
768
necessary with Samba-2?
769
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id377259"></a>
769
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id399383"></a>
770
770
No. Samba-3 can be used with NetBIOS over TCP/IP disabled, just as can be done with Windows 200x
771
771
Server and 200x/XPPro client products. It is no longer necessary to run mixed-mode operation,
772
772
because Samba-3 can join a native Windows 2003 Server ADS domain.
773
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id377273"></a><a name="id377275"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id377278"></a>
773
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id399397"></a><a name="id399400"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id399403"></a>
774
774
Is it safe to set share-level access controls in Samba?
775
775
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
776
776
Yes. Share-level access controls have been supported since early versions of Samba-2. This is
777
777
very mature technology. Not enough sites make use of this powerful capability, neither on
778
778
Windows server or with Samba servers.
779
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id377300"></a><a name="id377302"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id377305"></a>
779
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id399424"></a><a name="id399426"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id399429"></a>
780
780
Is it mandatory to set share ACLs to get a secure Samba-3 server?
781
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id377320"></a><a class="indexterm" name="id377328"></a><a class="indexterm" name="id377336"></a><a class="indexterm" name="id377344"></a><a class="indexterm" name="id377352"></a>
781
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id399444"></a><a class="indexterm" name="id399452"></a><a class="indexterm" name="id399460"></a><a class="indexterm" name="id399468"></a><a class="indexterm" name="id399476"></a>
782
782
No. Samba-3 honors UNIX/Linux file system security, supports Windows 200x ACLs, and provides
783
783
means of securing shares through share definition controls in the <code class="filename">smb.conf</code> file. The additional
784
784
support for share-level ACLs is like frosting on the cake. It adds to security but is not essential
786
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id377372"></a><a name="id377374"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id377378"></a>
786
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id399496"></a><a name="id399499"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id399502"></a>
787
787
The <em class="parameter"><code>valid users</code></em> did not work on the <em class="parameter"><code>[homes]</code></em>.
788
788
Has this functionality been restored yet?
789
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id377404"></a>
789
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id399529"></a>
790
790
Yes. This was fixed in Samba-3.0.2. The use of this parameter is strongly recommended as a safeguard
791
791
on the <em class="parameter"><code>[homes]</code></em> meta-service. The correct way to specify this is:
792
<a class="indexterm" name="id377421"></a>valid users = %S.
793
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id377431"></a><a name="id377433"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id377436"></a><a class="indexterm" name="id377444"></a><a class="indexterm" name="id377452"></a>
792
<a class="link" href="smb.conf.5.html#VALIDUSERS">valid users = %S</a>.
793
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id399559"></a><a name="id399561"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id399564"></a><a class="indexterm" name="id399572"></a><a class="indexterm" name="id399580"></a>
794
794
Is the bias against use of the <em class="parameter"><code>force user</code></em> and <em class="parameter"><code>force group</code></em>
795
795
really warranted?
796
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id377479"></a>
796
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id399606"></a>
797
797
There is no bias. There is a determination to recommend the right tool for the task at hand.
798
798
After all, it is better than putting users through performance problems, isn't it?
799
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id377492"></a><a name="id377494"></a></td><td align="left" valign="top"><p>
799
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id399620"></a><a name="id399622"></a></td><td align="left" valign="top"><p>
800
800
The example given for file and directory access control forces all files to be owned by one
801
801
particular user. I do not like that. Is there any way I can see who created the file?
802
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id377506"></a>
802
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id399634"></a>
803
803
Sure. You do not have to set the SUID bit on the directory. Simply execute the following command
804
804
to permit file ownership to be retained by the user who created it:
805
805
</p><pre class="screen">
808
808
Note that this required no more than removing the <code class="constant">u</code> argument so that the
809
809
SUID bit is not set for the owner.
810
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id377536"></a><a name="id377538"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id377541"></a>
810
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id399664"></a><a name="id399666"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id399669"></a>
811
811
In the book, “<span class="quote">The Official Samba-3 HOWTO and Reference Guide</span>”, you recommended use
812
812
of the Windows NT4 Server Manager (part of the <code class="filename">SRVTOOLS.EXE</code>) utility. Why
813
813
have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility?
814
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id377567"></a><a class="indexterm" name="id377575"></a>
814
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id399695"></a><a class="indexterm" name="id399702"></a>
815
815
Either tool can be used with equal effect. There is no benefit of one over the other, except that
816
816
the MMC utility is present on all Windows 200x/XP systems and does not require additional software
817
817
to be downloaded and installed. Note that if you want to manage user and group accounts in your
818
818
Samba-controlled domain, the only tool that permits that is the NT4 Domain User Manager, which
819
819
is provided as part of the <code class="filename">SRVTOOLS.EXE</code> utility.
820
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id377596"></a><a name="id377599"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id377602"></a><a class="indexterm" name="id377610"></a><a class="indexterm" name="id377618"></a>
820
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id399724"></a><a name="id399726"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id399730"></a><a class="indexterm" name="id399737"></a><a class="indexterm" name="id399745"></a>
821
821
I tried to set <em class="parameter"><code>valid users = @Engineers</code></em>, but it does not work. My Samba
822
822
server is an Active Directory domain member server. Has this been fixed now?
823
823
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
824
824
The use of this parameter has always required the full specification of the domain account, for
825
825
example, <em class="parameter"><code>valid users = @"MEGANET2\Domain Admins"</code></em>.
826
</p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"></div><div class="footnote"><a href="http://199.105.191.226/Man/2699/020430msdoj/" target="_top"><sup>[<a name="ftn.id374937" href="#id374937">13</a>] </sup>ITWorld.com</a></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="RefSection.html">Prev</a>�</td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right">�<a accesskey="n" href="DomApps.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part�III.�Reference Section�</td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top">�Chapter�12.�Integrating Additional Services</td></tr></table></div></body></html>
826
</p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"></div><div class="footnote"><a class="ulink" href="http://199.105.191.226/Man/2699/020430msdoj/" target="_top"><sup>[<a name="ftn.id397060" href="#id397060" class="ulink">13</a>] </sup>ITWorld.com</a></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="RefSection.html">Prev</a>�</td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right">�<a accesskey="n" href="DomApps.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part�III.�Reference Section�</td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top">�Chapter�12.�Integrating Additional Services</td></tr></table></div></body></html>