- Timestamp: Jun 17, 2009, 2:19:52 PM
- File: 1 edited
branches/samba-3.3.x/docs/htmldocs/Samba3-ByExample/kerberos.html
r218 r274 1 <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 11. Active Directory, Kerberos, and Security</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="RefSection.html" title="Part III. Reference Section"><link rel="next" href="DomApps.html" title="Chapter 12. Integrating Additional Services"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 11. Active Directory, Kerberos, and Security</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="RefSection.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="DomApps.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="kerberos"></a>Chapter 11. 
Active Directory, Kerberos, and Security</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="kerberos.html#id2610613">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id2611264">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id2611280">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id2611677">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#ch10expl">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id2613307">Share Access Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2613656">Share Definition Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2614269">Share Point Directory and File Permissions</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id26146 72">Managing Windows 200x ACLs</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2615399">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id2615533">Questions and Answers</a></span></dt></dl></div><p><a class="indexterm" name="id2610549"></a>1 <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 11. Active Directory, Kerberos, and Security</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="RefSection.html" title="Part III. Reference Section"><link rel="next" href="DomApps.html" title="Chapter 12. 
Integrating Additional Services"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 11. Active Directory, Kerberos, and Security</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="RefSection.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="DomApps.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="kerberos"></a>Chapter 11. Active Directory, Kerberos, and Security</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="kerberos.html#id2610613">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id2611264">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id2611280">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id2611677">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#ch10expl">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id2613307">Share Access Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2613656">Share Definition Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2614269">Share Point Directory and File Permissions</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2614682">Managing Windows 200x ACLs</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2615408">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id2615543">Questions and Answers</a></span></dt></dl></div><p><a class="indexterm" name="id2610549"></a> 2 2 By this point in the book, you have been exposed to many 
Samba-3 features and capabilities. 3 3 More importantly, if you have implemented the examples given, you are well on your way to becoming … … 527 527 Microsoft Office files (Word and Excel) to a network drive. Here is the typical sequence: 528 528 </p><div class="orderedlist"><ol type="1"><li><p> 529 A user opens a Wor kdocument from a network drive. The file was owned by user <code class="constant">janetp</code>529 A user opens a Word document from a network drive. The file was owned by user <code class="constant">janetp</code> 530 530 and [users], and was set read/write-enabled for everyone. 531 A user opens a Word document from a network drive. The file was owned by user <code class="constant">janetp</code> 532 and <code class="constant">users</code>, and was set read/write-enabled for everyone. 531 533 </p></li><li><p> 532 534 File changes and edits are made. … … 543 545 want to know when this “<span class="quote">bug</span>” will be fixed. The fact is, this is not a bug in Samba at all. 544 546 Here is the real sequence of what happens in this case. 545 </p><p><a class="indexterm" name="id26144 30"></a><a class="indexterm" name="id2614438"></a><a class="indexterm" name="id2614446"></a>547 </p><p><a class="indexterm" name="id2614440"></a><a class="indexterm" name="id2614448"></a><a class="indexterm" name="id2614456"></a> 546 548 When the user saves a file, MS Word creates a new (temporary) file. This file is naturally owned 547 549 by the user who creates the file (<code class="constant">billc</code>) and has the permissions that follow … … 561 563 simple steps to create a share in which all files will consistently be owned by the same user and the 562 564 same group: 563 </p><div class="procedure"><a name="id2614 493"></a><p class="title"><b>Procedure 11.2. Using Directory Permissions to Force File User and Group Ownership</b></p><ol type="1"><li><p>565 </p><div class="procedure"><a name="id2614502"></a><p class="title"><b>Procedure 11.2. 
Using Directory Permissions to Force File User and Group Ownership</b></p><ol type="1"><li><p> 564 566 Change your share definition so that it matches this pattern: 565 567 </p><pre class="screen"> … … 569 571 read only = No 570 572 </pre><p> 571 </p></li><li><p><a class="indexterm" name="id26145 19"></a><a class="indexterm" name="id2614530"></a>573 </p></li><li><p><a class="indexterm" name="id2614528"></a><a class="indexterm" name="id2614539"></a> 572 574 Set consistent user and group permissions recursively down the directory tree as shown here: 573 575 </p><pre class="screen"> 574 576 <code class="prompt">root# </code> chown -R janetp.users /usr/data/finance 575 577 </pre><p> 576 </p></li><li><p><a class="indexterm" name="id26145 62"></a>578 </p></li><li><p><a class="indexterm" name="id2614571"></a> 577 579 Set the files and directory permissions to be read/write for owner and group, and not accessible 578 580 to others (everyone), using the following command: … … 580 582 <code class="prompt">root# </code> chmod ug+rwx,o-rwx /usr/data/finance 581 583 </pre><p> 582 </p></li><li><p><a class="indexterm" name="id2614 591"></a>584 </p></li><li><p><a class="indexterm" name="id2614600"></a> 583 585 Set the SGID (supergroup) bit on all directories from the top down. This means all files 584 586 can be created with the permissions of the group set on the directory. It means all users … … 590 592 </pre><p> 591 593 592 </p></li><li><p><a class="indexterm" name="id26146 31"></a><a class="indexterm" name="id2614639"></a><a class="indexterm" name="id2614647"></a>594 </p></li><li><p><a class="indexterm" name="id2614641"></a><a class="indexterm" name="id2614649"></a><a class="indexterm" name="id2614657"></a> 593 595 Make sure all users that must have read/write access to the directory have 594 596 <code class="constant">finance</code> group membership as their primary group, 595 597 for example, the group they belong to in <code class="filename">/etc/passwd</code>. 
596 </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id26146 72"></a>Managing Windows 200x ACLs</h3></div></div></div><p><a class="indexterm" name="id2614679"></a><a class="indexterm" name="id2614687"></a><a class="indexterm" name="id2614695"></a><a class="indexterm" name="id2614703"></a>598 </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2614682"></a>Managing Windows 200x ACLs</h3></div></div></div><p><a class="indexterm" name="id2614688"></a><a class="indexterm" name="id2614696"></a><a class="indexterm" name="id2614704"></a><a class="indexterm" name="id2614712"></a> 597 599 Samba must translate Windows 2000 ACLs to UNIX POSIX ACLs. This has some interesting side effects because 598 600 there is not a one-to-one equivalence between them. The as-close-as-possible ACLs match means … … 602 604 There are two possible ways to set ACLs on UNIX/Linux file systems from a Windows network workstation, 603 605 either via File Manager or via the Microsoft Management Console (MMC) Computer Management interface. 604 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id26147 27"></a>Using the MMC Computer Management Interface</h4></div></div></div><div class="procedure"><ol type="1"><li><p>606 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2614736"></a>Using the MMC Computer Management Interface</h4></div></div></div><div class="procedure"><ol type="1"><li><p> 605 607 From a Windows 200x/XP Professional workstation, log on to the domain using the Domain Administrator 606 608 account (on Samba domains, this is usually the account called <code class="constant">root</code>). 
… … 617 619 </p></li><li><p> 618 620 In the left panel, click <span class="guimenu">Computer Management (FRODO)</span> → <span class="guimenuitem">[+] Shared Folders</span> → <span class="guimenuitem">Shares</span>. 619 </p></li><li><p><a class="indexterm" name="id261491 0"></a><a class="indexterm" name="id2614918"></a><a class="indexterm" name="id2614925"></a><a class="indexterm" name="id2614933"></a>621 </p></li><li><p><a class="indexterm" name="id2614919"></a><a class="indexterm" name="id2614927"></a><a class="indexterm" name="id2614935"></a><a class="indexterm" name="id2614943"></a> 620 622 In the right panel, double-click on the share on which you wish to set/edit ACLs. This 621 623 brings up the Properties panel. Click the <span class="guimenu">Security</span> tab. It is best … … 624 626 functionality under the <code class="constant">Permissions</code> tab can be utilized with respect 625 627 to a Samba domain server. 626 </p></li><li><p><a class="indexterm" name="id26149 73"></a><a class="indexterm" name="id2614981"></a>628 </p></li><li><p><a class="indexterm" name="id2614982"></a><a class="indexterm" name="id2614990"></a> 627 629 You may now edit/add/remove access control settings. Be very careful. Many problems have been 628 630 created by people who decided that everyone should be rejected but one particular group should … … 633 635 When you are done with editing, close all panels by clicking through the <span class="guimenu">OK</span> 634 636 buttons until the last panel closes. 635 </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id26150 18"></a>Using MS Windows Explorer (File Manager)</h4></div></div></div><p>637 </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2615027"></a>Using MS Windows Explorer (File Manager)</h4></div></div></div><p> 636 638 The following alternative method may be used from a Windows workstation. 
In this example we work 637 639 with a domain called <code class="constant">MEGANET</code>, a server called <code class="constant">MASSIVE</code>, and a … … 641 643 Click <span class="guimenu">Start</span> → <span class="guimenuitem">[right-click] My Computer</span> → <span class="guimenuitem">Explore</span> → <span class="guimenuitem">[left panel] [+] My Network Places</span> → <span class="guimenuitem">[+] Entire Network</span> → <span class="guimenuitem">[+] Microsoft Windows Network</span> → <span class="guimenuitem">[+] Meganet</span> → <span class="guimenuitem">[+] Massive</span> → <span class="guimenuitem">[right-click] Apps</span> → <span class="guimenuitem">Properties</span> → <span class="guimenuitem">Security</span> → <span class="guimenuitem">Advanced</span>. This opens a panel that has four tabs. Only the functionality under the 642 644 <code class="constant">Permissions</code> tab can be utilized for a Samba domain server. 643 </p></li><li><p><a class="indexterm" name="id26151 42"></a><a class="indexterm" name="id2615150"></a>645 </p></li><li><p><a class="indexterm" name="id2615152"></a><a class="indexterm" name="id2615160"></a> 644 646 You may now edit/add/remove access control settings. Be very careful. Many problems have been 645 647 created by people who decided that everyone should be rejected but one particular group should … … 650 652 When you are done with editing, close all panels by clicking through the <span class="guimenu">OK</span> 651 653 buttons until the last panel closes. 
652 </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id26151 89"></a>Setting Posix ACLs in UNIX/Linux</h4></div></div></div><p><a class="indexterm" name="id2615196"></a><a class="indexterm" name="id2615204"></a>654 </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2615198"></a>Setting Posix ACLs in UNIX/Linux</h4></div></div></div><p><a class="indexterm" name="id2615205"></a><a class="indexterm" name="id2615213"></a> 653 655 Yet another alternative method for setting desired security settings on the shared resource files and 654 656 directories can be achieved by logging into UNIX/Linux and setting POSIX ACLs directly using command-line … … 673 675 other::r-x 674 676 </pre><p> 675 </p></li><li><p><a class="indexterm" name="id26152 78"></a>677 </p></li><li><p><a class="indexterm" name="id2615287"></a> 676 678 You want to add permission for <code class="constant">AppsMgrs</code> to enable them to 677 679 manage the applications (apps) share. It is important to set the ACL recursively … … 696 698 </pre><p> 697 699 This confirms that the change of POSIX ACL permissions has been effective. 698 </p></li><li><p><a class="indexterm" name="id26153 34"></a><a class="indexterm" name="id2615341"></a><a class="indexterm" name="id2615349"></a><a class="indexterm" name="id2615357"></a><a class="indexterm" name="id2615365"></a>700 </p></li><li><p><a class="indexterm" name="id2615343"></a><a class="indexterm" name="id2615351"></a><a class="indexterm" name="id2615359"></a><a class="indexterm" name="id2615367"></a><a class="indexterm" name="id2615375"></a> 699 701 It is highly recommended that you read the online manual page for the <code class="literal">setfacl</code> 700 702 and <code class="literal">getfacl</code> commands. 
This provides information regarding how to set/read the default 701 703 ACLs and how that may be propagated through the directory tree. In Windows ACLs terms, this is the equivalent 702 704 of setting <code class="constant">inheritance</code> properties. 703 </p></li></ol></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2615 399"></a>Key Points Learned</h3></div></div></div><p>705 </p></li></ol></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2615408"></a>Key Points Learned</h3></div></div></div><p> 704 706 The mish-mash of issues were thrown together into one chapter because it seemed like a good idea. 705 707 Looking back, this chapter could be broken into two, but it's too late now. It has been done. 706 708 The highlights covered are as follows: 707 </p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id26154 16"></a><a class="indexterm" name="id2615424"></a><a class="indexterm" name="id2615432"></a><a class="indexterm" name="id2615440"></a>709 </p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id2615426"></a><a class="indexterm" name="id2615434"></a><a class="indexterm" name="id2615442"></a><a class="indexterm" name="id2615450"></a> 708 710 Winbind honors and does not override account controls set in Active Directory. 709 711 This means that password change, logon hours, and so on, are (or soon will be) enforced … … 711 713 change is enforced. At this time, if logon hours expire, the user is not forcibly 712 714 logged off. That may be implemented at some later date. 713 </p></li><li><p><a class="indexterm" name="id26154 59"></a><a class="indexterm" name="id2615467"></a>715 </p></li><li><p><a class="indexterm" name="id2615468"></a><a class="indexterm" name="id2615476"></a> 714 716 Sign'n'seal (plus schannel support) has been implemented in Samba-3. 
Beware of potential 715 717 problems acknowledged by Microsoft as having been fixed but reported by some as still 716 718 possibly an open issue. 717 </p></li><li><p><a class="indexterm" name="id26154 83"></a><a class="indexterm" name="id2615491"></a><a class="indexterm" name="id2615498"></a><a class="indexterm" name="id2615506"></a>719 </p></li><li><p><a class="indexterm" name="id2615492"></a><a class="indexterm" name="id2615500"></a><a class="indexterm" name="id2615508"></a><a class="indexterm" name="id2615516"></a> 718 720 The combination of Kerberos 5, plus OpenLDAP, plus Samba, cannot replace Microsoft 719 721 Active Directory. The possibility to do this is not planned in the current Samba-3 … … 724 726 the four key methodologies was reviewed with specific reference to example deployment 725 727 techniques. 726 </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id26155 33"></a>Questions and Answers</h2></div></div></div><p>727 </p><div class="qandaset"><dl><dt> <a href="kerberos.html#id26155 49">728 </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2615543"></a>Questions and Answers</h2></div></div></div><p> 729 </p><div class="qandaset"><dl><dt> <a href="kerberos.html#id2615558"> 728 730 Does Samba-3 require the Sign'n'seal registry hacks needed by Samba-2? 729 </a></dt><dt> <a href="kerberos.html#id26156 19">731 </a></dt><dt> <a href="kerberos.html#id2615629"> 730 732 Does Samba-3 support Active Directory? 731 </a></dt><dt> <a href="kerberos.html#id26156 50">733 </a></dt><dt> <a href="kerberos.html#id2615660"> 732 734 When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was 733 735 necessary with Samba-2? 
734 </a></dt><dt> <a href="kerberos.html#id26156 89">736 </a></dt><dt> <a href="kerberos.html#id2615698"> 735 737 Is it safe to set share-level access controls in Samba? 736 </a></dt><dt> <a href="kerberos.html#id26157 18">738 </a></dt><dt> <a href="kerberos.html#id2615728"> 737 739 Is it mandatory to set share ACLs to get a secure Samba-3 server? 738 </a></dt><dt> <a href="kerberos.html#id2615 795">740 </a></dt><dt> <a href="kerberos.html#id2615804"> 739 741 The valid users did not work on the [homes]. 740 742 Has this functionality been restored yet? 741 </a></dt><dt> <a href="kerberos.html#id26158 61">743 </a></dt><dt> <a href="kerberos.html#id2615870"> 742 744 Is the bias against use of the force user and force group 743 745 really warranted? 744 </a></dt><dt> <a href="kerberos.html#id26159 24">746 </a></dt><dt> <a href="kerberos.html#id2615934"> 745 747 The example given for file and directory access control forces all files to be owned by one 746 748 particular user. I do not like that. Is there any way I can see who created the file? 747 </a></dt><dt> <a href="kerberos.html#id26159 72">749 </a></dt><dt> <a href="kerberos.html#id2615982"> 748 750 In the book, “The Official Samba-3 HOWTO and Reference Guide”, you recommended use 749 751 of the Windows NT4 Server Manager (part of the SRVTOOLS.EXE) utility. Why 750 752 have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility? 751 </a></dt><dt> <a href="kerberos.html#id26160 39">753 </a></dt><dt> <a href="kerberos.html#id2616048"> 752 754 I tried to set valid users = @Engineers, but it does not work. My Samba 753 755 server is an Active Directory domain member server. Has this been fixed now? 
754 </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id26155 49"></a><a name="id2615551"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615554"></a><a class="indexterm" name="id2615562"></a>756 </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2615558"></a><a name="id2615561"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615564"></a><a class="indexterm" name="id2615572"></a> 755 757 Does Samba-3 require the <code class="constant">Sign'n'seal</code> registry hacks needed by Samba-2? 756 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id26155 82"></a><a class="indexterm" name="id2615589"></a><a class="indexterm" name="id2615597"></a>758 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615591"></a><a class="indexterm" name="id2615599"></a><a class="indexterm" name="id2615607"></a> 757 759 No. Samba-3 fully supports <code class="constant">Sign'n'seal</code> as well as <code class="constant">schannel</code> 758 760 operation. The registry change should not be applied when Samba-3 is used as a domain controller. 759 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id26156 19"></a><a name="id2615622"></a></td><td align="left" valign="top"><p>761 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615629"></a><a name="id2615631"></a></td><td align="left" valign="top"><p> 760 762 Does Samba-3 support Active Directory? 
761 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id26156 32"></a>763 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615642"></a> 762 764 Yes. Samba-3 can be a fully participating native mode Active Directory client. Samba-3 does not 763 765 provide Active Directory services. It cannot be used to replace a Microsoft Active Directory 764 766 server implementation. Samba-3 can function as an Active Directory client (workstation) toolkit, 765 767 and it can function as an Active Directory domain member server. 766 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id26156 50"></a><a name="id2615653"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615656"></a>768 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615660"></a><a name="id2615662"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615665"></a> 767 769 When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was 768 770 necessary with Samba-2? 769 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id26156 72"></a>771 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615682"></a> 770 772 No. Samba-3 can be used with NetBIOS over TCP/IP disabled, just as can be done with Windows 200x 771 773 Server and 200x/XPPro client products. It is no longer necessary to run mixed-mode operation, 772 774 because Samba-3 can join a native Windows 2003 Server ADS domain. 
773 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id26156 89"></a><a name="id2615691"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615694"></a>775 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615698"></a><a name="id2615701"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615704"></a> 774 776 Is it safe to set share-level access controls in Samba? 775 777 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> … … 777 779 very mature technology. Not enough sites make use of this powerful capability, neither on 778 780 Windows server or with Samba servers. 779 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id26157 18"></a><a name="id2615720"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615724"></a>781 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615728"></a><a name="id2615730"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615733"></a> 780 782 Is it mandatory to set share ACLs to get a secure Samba-3 server? 781 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id26157 39"></a><a class="indexterm" name="id2615747"></a><a class="indexterm" name="id2615755"></a><a class="indexterm" name="id2615764"></a><a class="indexterm" name="id2615772"></a>783 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615749"></a><a class="indexterm" name="id2615757"></a><a class="indexterm" name="id2615765"></a><a class="indexterm" name="id2615773"></a><a class="indexterm" name="id2615781"></a> 782 784 No. 
Samba-3 honors UNIX/Linux file system security, supports Windows 200x ACLs, and provides 783 785 means of securing shares through share definition controls in the <code class="filename">smb.conf</code> file. The additional 784 786 support for share-level ACLs is like frosting on the cake. It adds to security but is not essential 785 787 to it. 786 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615 795"></a><a name="id2615797"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615800"></a>788 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615804"></a><a name="id2615806"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615810"></a> 787 789 The <em class="parameter"><code>valid users</code></em> did not work on the <em class="parameter"><code>[homes]</code></em>. 788 790 Has this functionality been restored yet? 789 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id26158 28"></a>791 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615837"></a> 790 792 Yes. This was fixed in Samba-3.0.2. The use of this parameter is strongly recommended as a safeguard 791 793 on the <em class="parameter"><code>[homes]</code></em> meta-service. The correct way to specify this is: 792 794 <a class="link" href="smb.conf.5.html#VALIDUSERS" target="_top">valid users = %S</a>. 
793 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id26158 61"></a><a name="id2615863"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615866"></a><a class="indexterm" name="id2615874"></a><a class="indexterm" name="id2615882"></a>795 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615870"></a><a name="id2615872"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615876"></a><a class="indexterm" name="id2615883"></a><a class="indexterm" name="id2615891"></a> 794 796 Is the bias against use of the <em class="parameter"><code>force user</code></em> and <em class="parameter"><code>force group</code></em> 795 797 really warranted? 796 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id26159 09"></a>798 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615918"></a> 797 799 There is no bias. There is a determination to recommend the right tool for the task at hand. 798 800 After all, it is better than putting users through performance problems, isn't it? 799 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id26159 24"></a><a name="id2615926"></a></td><td align="left" valign="top"><p>801 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615934"></a><a name="id2615936"></a></td><td align="left" valign="top"><p> 800 802 The example given for file and directory access control forces all files to be owned by one 801 803 particular user. I do not like that. Is there any way I can see who created the file? 
802 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id26159 39"></a>804 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615948"></a> 803 805 Sure. You do not have to set the SUID bit on the directory. Simply execute the following command 804 806 to permit file ownership to be retained by the user who created it: … … 808 810 Note that this required no more than removing the <code class="constant">u</code> argument so that the 809 811 SUID bit is not set for the owner. 810 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id26159 72"></a><a name="id2615974"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615978"></a>812 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615982"></a><a name="id2615984"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615987"></a> 811 813 In the book, “<span class="quote">The Official Samba-3 HOWTO and Reference Guide</span>”, you recommended use 812 814 of the Windows NT4 Server Manager (part of the <code class="filename">SRVTOOLS.EXE</code>) utility. Why 813 815 have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility? 814 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id26160 06"></a><a class="indexterm" name="id2616013"></a>816 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2616015"></a><a class="indexterm" name="id2616023"></a> 815 817 Either tool can be used with equal effect. 
There is no benefit of one over the other, except that 816 818 the MMC utility is present on all Windows 200x/XP systems and does not require additional software … … 818 820 Samba-controlled domain, the only tool that permits that is the NT4 Domain User Manager, which 819 821 is provided as part of the <code class="filename">SRVTOOLS.EXE</code> utility. 820 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id26160 39"></a><a name="id2616041"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2616044"></a><a class="indexterm" name="id2616052"></a><a class="indexterm" name="id2616060"></a>822 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2616048"></a><a name="id2616051"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2616054"></a><a class="indexterm" name="id2616062"></a><a class="indexterm" name="id2616070"></a> 821 823 I tried to set <em class="parameter"><code>valid users = @Engineers</code></em>, but it does not work. My Samba 822 824 server is an Active Directory domain member server. Has this been fixed now?
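Review bot: the first step of the ordered list at new lines 529-532 now carries the same sentence twice, because the corrected line 529 is still followed by the old line 530 ("and [users], and was set read/write-enabled for everyone.") and then by the added lines 531-532, which repeat the whole sentence with `<code class="constant">users</code>` in place of `[users]`. The change is clearly meant as a replacement of the bracketed form, not an addition, so the old 529-530 pair should go (or the DocBook source that emitted both copies should be fixed) so that only one copy of the sentence remains in the rendered step.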
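Review bot: every generated `id26xxxxx` anchor in this file shifts in the regeneration (for example `#id2614672` becomes `#id2614682` and `#id2615399` becomes `#id2615408`), so any bookmark or external link into this chapter that used a generated id now points at nothing, while the one hand-written anchor, `kerberos.html#ch10expl`, is identical on both sides. Consider giving the sect2/sect3 and Q&A entries explicit id attributes in the DocBook source, as was done for `ch10expl`, so that a one-word typo fix does not renumber every anchor in the chapter and invalidate existing links.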
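Review bot: in the unchanged Q&A context at old lines 803-809 (new 805-811), the answer says "You do not have to set the SUID bit on the directory" and that dropping the `u` argument leaves the "SUID bit" unset, whereas Procedure 11.2 step 4 describes the bit set on those directories as "the SGID (supergroup) bit". On Linux the set-user-id bit has no effect on a directory; only the set-group-id bit propagates group ownership to new files, so the answer's wording should be reconciled with step 4 while this file is being regenerated anyway.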