- Timestamp:
- Jan 15, 2010, 8:21:06 AM (16 years ago)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
branches/samba-3.3.x/docs/htmldocs/Samba3-ByExample/kerberos.html
r274 r368 1 <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 11. Active Directory, Kerberos, and Security</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.7 4.0"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="RefSection.html" title="Part III. Reference Section"><link rel="next" href="DomApps.html" title="Chapter 12. Integrating Additional Services"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 11. Active Directory, Kerberos, and Security</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="RefSection.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="DomApps.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="kerberos"></a>Chapter 11. Active Directory, Kerberos, and Security</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="kerberos.html#id2610613">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id2611264">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id2611280">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id2611677">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#ch10expl">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id2613307">Share Access Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2613656">Share Definition Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2614269">Share Point Directory and File Permissions</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2614682">Managing Windows 200x ACLs</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2615408">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id2615543">Questions and Answers</a></span></dt></dl></div><p><a class="indexterm" name="id2610549"></a>1 <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 11. Active Directory, Kerberos, and Security</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="RefSection.html" title="Part III. Reference Section"><link rel="next" href="DomApps.html" title="Chapter 12. Integrating Additional Services"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 11. Active Directory, Kerberos, and Security</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="RefSection.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="DomApps.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 11. Active Directory, Kerberos, and Security"><div class="titlepage"><div><div><h2 class="title"><a name="kerberos"></a>Chapter 11. Active Directory, Kerberos, and Security</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="kerberos.html#id2616672">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id2617322">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id2617338">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id2617736">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#ch10expl">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id2619366">Share Access Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2619714">Share Definition Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2620328">Share Point Directory and File Permissions</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2620740">Managing Windows 200x ACLs</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2621467">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id2621601">Questions and Answers</a></span></dt></dl></div><p><a class="indexterm" name="id2616607"></a> 2 2 By this point in the book, you have been exposed to many Samba-3 features and capabilities. 3 3 More importantly, if you have implemented the examples given, you are well on your way to becoming … … 5 5 practice, you likely have thought of improvements and scenarios with which you can experiment. You 6 6 are rather well plugged in to the many flexible ways Samba can be used. 7 </p><p><a class="indexterm" name="id261 0568"></a>7 </p><p><a class="indexterm" name="id2616626"></a> 8 8 This is a book about Samba-3. Understandably, its intent is to present it in a positive light. 9 9 The casual observer might conclude that this book is one-eyed about Samba. It is what … … 14 14 decision. Criticism can be expected from the outside. Let's see how the interesting dynamic of 15 15 criticism develops with respect to Abmas. 16 </p><p><a class="indexterm" name="id261 0596"></a>16 </p><p><a class="indexterm" name="id2616654"></a> 17 17 This chapter provides a shameless self-promotion of Samba-3. The objections raised were not pulled 18 18 out of thin air. They were drawn from comments made by Samba users and from criticism during … … 20 20 as possible that of the original. The case presented is a straw-man example that is designed to 21 21 permit each objection to be answered as it might occur in real life. 22 </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2610613"></a>Introduction</h2></div></div></div><p><a class="indexterm" name="id2610619"></a><a class="indexterm" name="id2610627"></a><a class="indexterm" name="id2610635"></a><a class="indexterm" name="id2610643"></a><a class="indexterm" name="id2610651"></a>22 </p><div class="sect1" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2616672"></a>Introduction</h2></div></div></div><p><a class="indexterm" name="id2616678"></a><a class="indexterm" name="id2616686"></a><a class="indexterm" name="id2616694"></a><a class="indexterm" name="id2616702"></a><a class="indexterm" name="id2616710"></a> 23 23 Abmas is continuing its meteoric growth with yet further acquisitions. The investment community took 24 24 note of the spectacular projection of Abmas onto the global business stage. Abmas is building an … … 29 29 During the time that the acquisition was closing, the Video Rentals business upgraded its Windows 30 30 NT4-based network to Windows 2003 Server and Active Directory. 31 </p><p><a class="indexterm" name="id261 0675"></a>31 </p><p><a class="indexterm" name="id2616734"></a> 32 32 You have accepted the fact that Abmas Video Rentals will use Microsoft Active Directory. 33 33 The IT team, led by Stan Soroka, is committed to Samba-3 and to maintaining a uniform technology platform. 34 34 Stan Soroka's team voiced its disapproval over the decision to permit this business to continue to 35 operate with a solution that is viewed by Christine and her group as “<span class="quote">an island of broken36 technologies.</span>” This comment was made by one of Christine's staff as they were installing a new35 operate with a solution that is viewed by Christine and her group as <span class="quote">“<span class="quote">an island of broken 36 technologies.</span>”</span> This comment was made by one of Christine's staff as they were installing a new 37 37 Samba-3 server at the new business. 38 </p><p><a class="indexterm" name="id261 0699"></a><a class="indexterm" name="id2610707"></a>38 </p><p><a class="indexterm" name="id2616757"></a><a class="indexterm" name="id2616765"></a> 39 39 Abmas Video Rentals' head of IT heard of this criticism. He was offended that a junior engineer 40 40 should make such a comment. He felt that he had to prepare in case he might be criticized for his 41 41 decision to use Active Directory. He decided he would defend his decision by hiring the services 42 of an outside security systems consultant to report<sup>[<a name="id261 0722" href="#ftn.id2610722" class="footnote">12</a>]</sup> on his unit's operations42 of an outside security systems consultant to report<sup>[<a name="id2616780" href="#ftn.id2616780" class="footnote">12</a>]</sup> on his unit's operations 43 43 and to investigate the role of Samba at his site. Here are key extracts from this hypothetical 44 44 report: 45 </p><div class="blockquote"><blockquote class="blockquote"><p><a class="indexterm" name="id261 0732"></a><a class="indexterm" name="id2610740"></a><a class="indexterm" name="id2610748"></a><a class="indexterm" name="id2610756"></a>45 </p><div class="blockquote"><blockquote class="blockquote"><p><a class="indexterm" name="id2616791"></a><a class="indexterm" name="id2616799"></a><a class="indexterm" name="id2616807"></a><a class="indexterm" name="id2616814"></a> 46 46 ... the implementation of Microsoft Active Directory at the Abmas Video Rentals, Bamingsham site, 47 47 has been examined. We find no evidence to support a notion that vulnerabilities exist at your site. … … 50 50 </p><p> 51 51 ... 52 </p><p><a class="indexterm" name="id261 0777"></a><a class="indexterm" name="id2610788"></a><a class="indexterm" name="id2610800"></a><a class="indexterm" name="id2610808"></a><a class="indexterm" name="id2610816"></a><a class="indexterm" name="id2610824"></a>52 </p><p><a class="indexterm" name="id2616836"></a><a class="indexterm" name="id2616847"></a><a class="indexterm" name="id2616858"></a><a class="indexterm" name="id2616866"></a><a class="indexterm" name="id2616874"></a><a class="indexterm" name="id2616882"></a> 53 53 User and group accounts, and respective privileges, have been well thought out. File system shares are 54 54 appropriately secured. Backup and disaster recovery plans are well managed and validated regularly, and 55 55 effective off-site storage practices are considered to exceed industry norms. 56 </p><p><a class="indexterm" name="id261 0840"></a><a class="indexterm" name="id2610848"></a><a class="indexterm" name="id2610855"></a>56 </p><p><a class="indexterm" name="id2616898"></a><a class="indexterm" name="id2616906"></a><a class="indexterm" name="id2616914"></a> 57 57 Your staff are justifiably concerned that the use of Samba may compromise their good efforts to maintain 58 58 a secure network. 59 </p><p><a class="indexterm" name="id261 0872"></a><a class="indexterm" name="id2610880"></a><a class="indexterm" name="id2610888"></a><a class="indexterm" name="id2610896"></a>59 </p><p><a class="indexterm" name="id2616931"></a><a class="indexterm" name="id2616939"></a><a class="indexterm" name="id2616946"></a><a class="indexterm" name="id2616954"></a> 60 60 The recently installed Linux file and application server uses a tool called <code class="literal">winbind</code> 61 61 that is indiscriminate about security. All user accounts in Active Directory can be used to access data … … 64 64 to great lengths to set fine-grained controls that limit information access to those who need access. 65 65 It seems incongruous to us that Samba winbind should be permitted to be used considering that it voids this fine work. 66 </p><p><a class="indexterm" name="id261 0936"></a><a class="indexterm" name="id2610944"></a><a class="indexterm" name="id2610951"></a>66 </p><p><a class="indexterm" name="id2616994"></a><a class="indexterm" name="id2617002"></a><a class="indexterm" name="id2617010"></a> 67 67 Graham Judd [head of network administration] has locked down the security of all systems and is following 68 68 the latest Microsoft guidelines. ... null session connections have been disabled ... the internal network … … 73 73 </p><p> 74 74 ... 75 </p><p><a class="indexterm" name="id261 0976"></a><a class="indexterm" name="id2610984"></a><a class="indexterm" name="id2610992"></a><a class="indexterm" name="id2611000"></a>75 </p><p><a class="indexterm" name="id2617035"></a><a class="indexterm" name="id2617042"></a><a class="indexterm" name="id2617050"></a><a class="indexterm" name="id2617058"></a> 76 76 Regarding the use of Samba, we offer the following comments: Samba is in use in nearly half of 77 77 all sites we have surveyed. ... It is our opinion that Samba offers no better security than Microsoft … … 81 81 Samba is not at the full capabilities of Microsoft Windows NT4 server. Microsoft has moved well beyond that 82 82 with trusted computing initiatives that the Samba developers do not participate in. 83 </p><p><a class="indexterm" name="id261 1023"></a><a class="indexterm" name="id2611031"></a><a class="indexterm" name="id2611039"></a><a class="indexterm" name="id2611047"></a><a class="indexterm" name="id2611054"></a><a class="indexterm" name="id2611062"></a><a class="indexterm" name="id2611070"></a>83 </p><p><a class="indexterm" name="id2617082"></a><a class="indexterm" name="id2617089"></a><a class="indexterm" name="id2617097"></a><a class="indexterm" name="id2617105"></a><a class="indexterm" name="id2617113"></a><a class="indexterm" name="id2617121"></a><a class="indexterm" name="id2617129"></a> 84 84 One wonders about the integrity of an open source program that is developed by a team of hackers 85 85 who cannot be held accountable for the flaws in their code. The sheer number of updates and bug 86 86 fixes they have released should ring alarm bells in any business. 87 </p><p><a class="indexterm" name="id261 1086"></a><a class="indexterm" name="id2611094"></a><a class="indexterm" name="id2611102"></a>87 </p><p><a class="indexterm" name="id2617144"></a><a class="indexterm" name="id2617152"></a><a class="indexterm" name="id2617160"></a> 88 88 Another factor that should be considered is that buying Microsoft products and services helps to 89 89 provide employment in the IT industry. Samba and Open Source software place those jobs at risk. 90 </p></blockquote></div><p><a class="indexterm" name="id261 1116"></a><a class="indexterm" name="id2611124"></a>90 </p></blockquote></div><p><a class="indexterm" name="id2617175"></a><a class="indexterm" name="id2617183"></a> 91 91 This is also a challenge to rise above the trouble spot. You call Stan's team together for a simple 92 92 discussion, but it gets further out of hand. When you return to your office, you find the following … … 101 101 across all systems. I concur with the desire to improve security. One of the new guys who is championing 102 102 the move to Kerberos was responsible for the comment that caused the embarrassment. 103 </p><p><a class="indexterm" name="id261 1161"></a><a class="indexterm" name="id2611169"></a><a class="indexterm" name="id2611177"></a><a class="indexterm" name="id2611185"></a>103 </p><p><a class="indexterm" name="id2617219"></a><a class="indexterm" name="id2617227"></a><a class="indexterm" name="id2617235"></a><a class="indexterm" name="id2617243"></a> 104 104 I am experiencing difficulty in handling the sharp push for Kerberos. He claims that Kerberos, OpenLDAP, 105 105 plus Samba-3 will seamlessly replace Microsoft Active Directory. I am a little out of my depth with respect 106 106 to the feasibility of such a move, but have taken steps to pull both of them into line. With your consent, 107 107 I would like to hire the services of a well-known Samba consultant to set the record straight. 108 </p><p><a class="indexterm" name="id261 1203"></a><a class="indexterm" name="id2611211"></a><a class="indexterm" name="id2611219"></a><a class="indexterm" name="id2611227"></a><a class="indexterm" name="id2611235"></a><a class="indexterm" name="id2611242"></a>108 </p><p><a class="indexterm" name="id2617261"></a><a class="indexterm" name="id2617269"></a><a class="indexterm" name="id2617277"></a><a class="indexterm" name="id2617285"></a><a class="indexterm" name="id2617293"></a><a class="indexterm" name="id2617301"></a> 109 109 I intend to use this report to answer the criticism raised and would like to establish a policy that we 110 110 will approve the use of Microsoft Windows Servers (and Active Directory) subject to all costs being covered … … 113 113 use of any centrally proposed standards, but make all noncompliance the financial responsibility of the 114 114 out-of-step division. Hopefully, this will encourage all divisions to walk with us and not alone. 115 </p></td><td width="10%" valign="top"> </td></tr><tr><td width="10%" valign="top"> </td><td colspan="2" align="right" valign="top">--<span class="attribution">Stan</span></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2611264"></a>Assignment Tasks</h3></div></div></div><p>115 </p></td><td width="10%" valign="top"> </td></tr><tr><td width="10%" valign="top"> </td><td colspan="2" align="right" valign="top">--<span class="attribution">Stan</span></td></tr></table></div><div class="sect2" title="Assignment Tasks"><div class="titlepage"><div><div><h3 class="title"><a name="id2617322"></a>Assignment Tasks</h3></div></div></div><p> 116 116 You agreed with Stan's recommendations and hired a consultant to help defuse the powder 117 117 keg. The consultant's task is to provide a tractable answer to each of the issues raised. The consultant must be able 118 118 to support his or her claims, keep emotions to the side, and answer technically. 119 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2611280"></a>Dissection and Discussion</h2></div></div></div><p><a class="indexterm" name="id2611287"></a><a class="indexterm" name="id2611294"></a><a class="indexterm" name="id2611302"></a><a class="indexterm" name="id2611310"></a><a class="indexterm" name="id2611318"></a><a class="indexterm" name="id2611326"></a><a class="indexterm" name="id2611334"></a>119 </p></div></div><div class="sect1" title="Dissection and Discussion"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2617338"></a>Dissection and Discussion</h2></div></div></div><p><a class="indexterm" name="id2617345"></a><a class="indexterm" name="id2617353"></a><a class="indexterm" name="id2617361"></a><a class="indexterm" name="id2617369"></a><a class="indexterm" name="id2617377"></a><a class="indexterm" name="id2617385"></a><a class="indexterm" name="id2617392"></a> 120 120 Samba-3 is a tool. No one is pounding your door to make you use Samba. That is a choice that you are free to 121 121 make or reject. It is likely that your decision to use Samba can greatly benefit your company. … … 125 125 money saved by not spending in the IT area can be spent elsewhere in the business. All money saved 126 126 or spent creates employment. 127 </p><p><a class="indexterm" name="id261 1356"></a><a class="indexterm" name="id2611364"></a><a class="indexterm" name="id2611372"></a><a class="indexterm" name="id2611380"></a><a class="indexterm" name="id2611388"></a>127 </p><p><a class="indexterm" name="id2617414"></a><a class="indexterm" name="id2617422"></a><a class="indexterm" name="id2617430"></a><a class="indexterm" name="id2617438"></a><a class="indexterm" name="id2617446"></a> 128 128 In the long term, the use of Samba must be economically sustainable. In some situations, Samba is adopted 129 129 purely to provide file and print service interoperability on platforms that otherwise cannot provide … … 131 131 effect a reduction in the cost of providing IT services. Obviously, it is also used by some as an 132 132 alternative to the use of a Microsoft file and print serving platforms with no consideration of costs. 133 </p><p><a class="indexterm" name="id261 1407"></a><a class="indexterm" name="id2611415"></a><a class="indexterm" name="id2611423"></a><a class="indexterm" name="id2611431"></a>133 </p><p><a class="indexterm" name="id2617466"></a><a class="indexterm" name="id2617474"></a><a class="indexterm" name="id2617482"></a><a class="indexterm" name="id2617490"></a> 134 134 It would be foolish to adopt a technology that might put any data or users at risk. Security affects 135 135 everyone. The Samba-Team is fully cognizant of the responsibility they have to their users. 136 136 The Samba documentation clearly reveals that full responsibility is accepted to fix anything 137 137 that is broken. 138 </p><p><a class="indexterm" name="id261 1448"></a><a class="indexterm" name="id2611456"></a><a class="indexterm" name="id2611464"></a><a class="indexterm" name="id2611472"></a><a class="indexterm" name="id2611483"></a><a class="indexterm" name="id2611491"></a><a class="indexterm" name="id2611499"></a><a class="indexterm" name="id2611507"></a><a class="indexterm" name="id2611515"></a><a class="indexterm" name="id2611523"></a><a class="indexterm" name="id2611531"></a>138 </p><p><a class="indexterm" name="id2617506"></a><a class="indexterm" name="id2617514"></a><a class="indexterm" name="id2617522"></a><a class="indexterm" name="id2617530"></a><a class="indexterm" name="id2617542"></a><a class="indexterm" name="id2617550"></a><a class="indexterm" name="id2617557"></a><a class="indexterm" name="id2617565"></a><a class="indexterm" name="id2617573"></a><a class="indexterm" name="id2617581"></a><a class="indexterm" name="id2617589"></a> 139 139 There is a mistaken perception in the IT industry that commercial software providers are fully 140 140 accountable for the defects in products. Open Source software comes with no warranty, so it is … … 144 144 commercial software vendors are willingly accountable for product defects. In many cases, the 145 145 commercial vendor accepts liability only to reimburse the price paid for the software. 146 </p><p><a class="indexterm" name="id261 1553"></a><a class="indexterm" name="id2611561"></a><a class="indexterm" name="id2611569"></a><a class="indexterm" name="id2611577"></a><a class="indexterm" name="id2611585"></a><a class="indexterm" name="id2611592"></a>146 </p><p><a class="indexterm" name="id2617611"></a><a class="indexterm" name="id2617619"></a><a class="indexterm" name="id2617627"></a><a class="indexterm" name="id2617635"></a><a class="indexterm" name="id2617643"></a><a class="indexterm" name="id2617651"></a> 147 147 The real issues that a consumer (like you) needs answered are What is the way of escape from technical 148 148 problems, and how long will it take? The average problem turnaround time in the Open Source community is 149 149 approximately 48 hours. What does the EULA offer? What is the track record in the commercial software 150 150 industry? What happens when your commercial vendor decides to cease providing support? 151 </p><p><a class="indexterm" name="id261 1617"></a><a class="indexterm" name="id2611625"></a><a class="indexterm" name="id2611633"></a><a class="indexterm" name="id2611641"></a><a class="indexterm" name="id2611649"></a><a class="indexterm" name="id2611657"></a><a class="indexterm" name="id2611664"></a>151 </p><p><a class="indexterm" name="id2617676"></a><a class="indexterm" name="id2617684"></a><a class="indexterm" name="id2617692"></a><a class="indexterm" name="id2617699"></a><a class="indexterm" name="id2617707"></a><a class="indexterm" name="id2617715"></a><a class="indexterm" name="id2617723"></a> 152 152 Open Source software at least puts you in possession of the source code. This means that when 153 153 all else fails, you can hire a programmer to solve the problem. 154 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2611677"></a>Technical Issues</h3></div></div></div><p>154 </p><div class="sect2" title="Technical Issues"><div class="titlepage"><div><div><h3 class="title"><a name="id2617736"></a>Technical Issues</h3></div></div></div><p> 155 155 Each issue is now discussed and, where appropriate, example implementation steps are 156 156 provided. 157 </p><div class="variablelist"><dl><dt><span class="term">Winbind and Security</span></dt><dd><p><a class="indexterm" name="id261 1698"></a><a class="indexterm" name="id2611706"></a><a class="indexterm" name="id2611714"></a><a class="indexterm" name="id2611725"></a><a class="indexterm" name="id2611733"></a><a class="indexterm" name="id2611741"></a><a class="indexterm" name="id2611749"></a><a class="indexterm" name="id2611757"></a><a class="indexterm" name="id2611765"></a><a class="indexterm" name="id2611773"></a>157 </p><div class="variablelist"><dl><dt><span class="term">Winbind and Security</span></dt><dd><p><a class="indexterm" name="id2617756"></a><a class="indexterm" name="id2617764"></a><a class="indexterm" name="id2617772"></a><a class="indexterm" name="id2617784"></a><a class="indexterm" name="id2617792"></a><a class="indexterm" name="id2617800"></a><a class="indexterm" name="id2617808"></a><a class="indexterm" name="id2617816"></a><a class="indexterm" name="id2617824"></a><a class="indexterm" name="id2617832"></a> 158 158 Windows network administrators may be dismayed to find that <code class="literal">winbind</code> 159 159 exposes all domain users so that they may use their domain account credentials to … … 161 161 UNIX/Linux server in their Network Neighborhood and can browse the shares on the 162 162 server seems to excite them further. 163 </p><p><a class="indexterm" name="id261 1797"></a><a class="indexterm" name="id2611805"></a><a class="indexterm" name="id2611813"></a><a class="indexterm" name="id2611820"></a>163 </p><p><a class="indexterm" name="id2617855"></a><a class="indexterm" name="id2617863"></a><a class="indexterm" name="id2617871"></a><a class="indexterm" name="id2617879"></a> 164 164 <code class="literal">winbind</code> provides for the UNIX/Linux domain member server or 165 165 client, the same as one would obtain by adding a Microsoft Windows server or … … 167 167 and therefore requires handling a little differently from the familiar Windows systems. 168 168 One must recognize fear of the unknown. 169 </p><p><a class="indexterm" name="id261 1843"></a><a class="indexterm" name="id2611852"></a><a class="indexterm" name="id2611859"></a><a class="indexterm" name="id2611867"></a><a class="indexterm" name="id2611875"></a><a class="indexterm" name="id2611887"></a>169 </p><p><a class="indexterm" name="id2617902"></a><a class="indexterm" name="id2617910"></a><a class="indexterm" name="id2617918"></a><a class="indexterm" name="id2617926"></a><a class="indexterm" name="id2617934"></a><a class="indexterm" name="id2617945"></a> 170 170 Windows network administrators need to recognize that <code class="literal">winbind</code> does 171 171 not, and cannot, override account controls set using the Active Directory management 172 172 tools. The control is the same. Have no fear. 173 </p><p><a class="indexterm" name="id261 1907"></a><a class="indexterm" name="id2611915"></a><a class="indexterm" name="id2611926"></a><a class="indexterm" name="id2611934"></a><a class="indexterm" name="id2611942"></a><a class="indexterm" name="id2611950"></a><a class="indexterm" name="id2611958"></a><a class="indexterm" name="id2611966"></a><a class="indexterm" name="id2611974"></a><a class="indexterm" name="id2611982"></a>173 </p><p><a class="indexterm" name="id2617966"></a><a class="indexterm" name="id2617974"></a><a class="indexterm" name="id2617985"></a><a class="indexterm" name="id2617993"></a><a class="indexterm" name="id2618001"></a><a class="indexterm" name="id2618009"></a><a class="indexterm" name="id2618016"></a><a class="indexterm" name="id2618024"></a><a class="indexterm" name="id2618032"></a><a class="indexterm" name="id2618040"></a> 174 174 Where Samba and the ADS domain account information obtained through the use of 175 175 <code class="literal">winbind</code> permits access, by browsing or by the drive mapping to … … 177 177 controls have not been properly implemented. Samba permits access controls to be set 178 178 on: 179 </p><div class="itemizedlist"><ul type="disc"><li><p>Shares themselves (i.e., the logical share itself)</p></li><li><p>The share definition in <code class="filename">smb.conf</code></p></li><li><p>The shared directories and files using UNIX permissions</p></li><li><p>Using Windows 2000 ACLs if the file system is POSIX enabled</p></li></ul></div><p>179 </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Shares themselves (i.e., the logical share itself)</p></li><li class="listitem"><p>The share definition in <code class="filename">smb.conf</code></p></li><li class="listitem"><p>The shared directories and files using UNIX permissions</p></li><li class="listitem"><p>Using Windows 2000 ACLs if the file system is POSIX enabled</p></li></ul></div><p> 180 180 Examples of each are given in <a class="link" href="kerberos.html#ch10expl" title="Implementation">“Implementation”</a>. 181 </p></dd><dt><span class="term">User and Group Controls</span></dt><dd><p><a class="indexterm" name="id261 2056"></a><a class="indexterm" name="id2612064"></a><a class="indexterm" name="id2612075"></a><a class="indexterm" name="id2612087"></a><a class="indexterm" name="id2612094"></a><a class="indexterm" name="id2612102"></a><a class="indexterm" name="id2612110"></a><a class="indexterm" name="id2612118"></a><a class="indexterm" name="id2612126"></a>181 </p></dd><dt><span class="term">User and Group Controls</span></dt><dd><p><a class="indexterm" name="id2618114"></a><a class="indexterm" name="id2618122"></a><a class="indexterm" name="id2618134"></a><a class="indexterm" name="id2618145"></a><a class="indexterm" name="id2618153"></a><a class="indexterm" name="id2618161"></a><a class="indexterm" name="id2618168"></a><a class="indexterm" name="id2618176"></a><a class="indexterm" name="id2618184"></a> 182 182 User and group management facilities as known in the Windows ADS environment may be 183 183 used to provide equivalent access control constraints or to provide equivalent … … 186 186 Windows 200x/XP. For example, access controls on a Samba server may be set within 187 187 the share definition in a manner for which Windows has no equivalent. 188 </p><p><a class="indexterm" name="id261 2146"></a><a class="indexterm" name="id2612154"></a><a class="indexterm" name="id2612162"></a><a class="indexterm" name="id2612170"></a><a class="indexterm" name="id2612181"></a><a class="indexterm" name="id2612189"></a><a class="indexterm" name="id2612197"></a>188 </p><p><a class="indexterm" name="id2618204"></a><a class="indexterm" name="id2618212"></a><a class="indexterm" name="id2618220"></a><a class="indexterm" name="id2618228"></a><a class="indexterm" name="id2618239"></a><a class="indexterm" name="id2618247"></a><a class="indexterm" name="id2618255"></a> 189 189 In any serious analysis of system security, it is important to examine the safeguards 190 190 that remain when all other protective measures fail. An administrator may inadvertently … … 194 194 possible to guard against that by enforcing controls on the share definition itself. You 195 195 see a practical example of this a little later in this chapter. 196 </p><p><a class="indexterm" name="id261 2219"></a><a class="indexterm" name="id2612226"></a>196 </p><p><a class="indexterm" name="id2618277"></a><a class="indexterm" name="id2618285"></a> 197 197 The report that is critical of Samba really ought to have exercised greater due 198 198 diligence: the real weakness is on the side of a Microsoft Windows environment. 199 </p></dd><dt><span class="term">Security Overall</span></dt><dd><p><a class="indexterm" name="id261 2248"></a>199 </p></dd><dt><span class="term">Security Overall</span></dt><dd><p><a class="indexterm" name="id2618307"></a> 200 200 Samba is designed in such a manner that weaknesses inherent in the design of 201 201 Microsoft Windows networking ought not to expose the underlying UNIX/Linux file 202 202 system in any way. All software has potential defects, and Samba is no exception. 203 203 What matters more is how defects that are discovered get dealt with. 204 </p><p><a class="indexterm" name="id261 2265"></a><a class="indexterm" name="id2612273"></a><a class="indexterm" name="id2612281"></a><a class="indexterm" name="id2612289"></a>204 </p><p><a class="indexterm" name="id2618324"></a><a class="indexterm" name="id2618332"></a><a class="indexterm" name="id2618339"></a><a class="indexterm" name="id2618347"></a> 205 205 The Samba Team totally agrees with the necessity to observe and fully implement 206 206 every security facility to provide a level of protection and security that is necessary … … 209 209 security be publicly condoned; yet this is the practice by many Windows network 210 210 administrators just to make happy users who have no notion of consequential risk. 211 </p><p><a class="indexterm" name="id261 2309"></a><a class="indexterm" name="id2612317"></a><a class="indexterm" name="id2612325"></a><a class="indexterm" name="id2612332"></a><a class="indexterm" name="id2612340"></a><a class="indexterm" name="id2612348"></a><a class="indexterm" name="id2612356"></a>211 </p><p><a class="indexterm" name="id2618367"></a><a class="indexterm" name="id2618375"></a><a class="indexterm" name="id2618383"></a><a class="indexterm" name="id2618391"></a><a class="indexterm" name="id2618399"></a><a class="indexterm" name="id2618407"></a><a class="indexterm" name="id2618415"></a> 212 212 The report condemns Samba for releasing updates and security fixes, yet Microsoft 213 213 online updates need to be applied almost weekly. The answer to the criticism … … 215 215 user needs are being increasingly met or exceeded, and security updates are issued 216 216 with a short turnaround time. 217 </p><p><a class="indexterm" name="id261 2374"></a><a class="indexterm" name="id2612382"></a><a class="indexterm" name="id2612390"></a><a class="indexterm" name="id2612398"></a><a class="indexterm" name="id2612406"></a>217 </p><p><a class="indexterm" name="id2618433"></a><a class="indexterm" name="id2618441"></a><a class="indexterm" name="id2618449"></a><a class="indexterm" name="id2618456"></a><a class="indexterm" name="id2618464"></a> 218 218 The release of Samba-4 is expected around late 2004 to early 2005 and involves a near 219 219 complete rewrite to permit extensive modularization and to prepare Samba for new … … 222 222 degree of dependability and on charter development consistent with published 223 223 roadmap projections. 224 </p><p><a class="indexterm" name="id261 2436"></a><a class="indexterm" name="id2612444"></a><a class="indexterm" name="id2612456"></a><a class="indexterm" name="id2612467"></a><a class="indexterm" name="id2612475"></a><a class="indexterm" name="id2612483"></a><a class="indexterm" name="id2612491"></a>224 </p><p><a class="indexterm" name="id2618494"></a><a class="indexterm" name="id2618502"></a><a class="indexterm" name="id2618514"></a><a class="indexterm" name="id2618525"></a><a class="indexterm" name="id2618533"></a><a class="indexterm" name="id2618541"></a><a class="indexterm" name="id2618549"></a> 225 225 Not well published is the fact that Microsoft was a foundation member of 226 226 the Common Internet File System (CIFS) initiative, together with the participation … … 231 231 CIFS conferences and at the interoperability laboratories run concurrently with 232 232 them. 233 </p></dd><dt><span class="term">Cryptographic Controls (schannel, sign'n'seal)</span></dt><dd><p><a class="indexterm" name="id261 2521"></a><a class="indexterm" name="id2612529"></a><a class="indexterm" name="id2612536"></a>233 </p></dd><dt><span class="term">Cryptographic Controls (schannel, sign'n'seal)</span></dt><dd><p><a class="indexterm" name="id2618579"></a><a class="indexterm" name="id2618587"></a><a class="indexterm" name="id2618595"></a> 234 234 The report correctly mentions that Samba did not support the most recent 235 235 <code class="constant">schannel</code> and <code class="constant">digital sign'n'seal</code> features … … 239 239 pathology report they reflect accurately (at best) status at a snapshot in time. 240 240 Meanwhile, the world moves on. 241 </p><p><a class="indexterm" name="id261 2566"></a><a class="indexterm" name="id2612574"></a><a class="indexterm" name="id2612582"></a><a class="indexterm" name="id2612590"></a><a class="indexterm" name="id2612598"></a><a class="indexterm" name="id2612612"></a><a class="indexterm" name="id2612620"></a>241 </p><p><a class="indexterm" name="id2618625"></a><a class="indexterm" name="id2618633"></a><a class="indexterm" name="id2618640"></a><a class="indexterm" name="id2618648"></a><a class="indexterm" name="id2618656"></a><a class="indexterm" name="id2618671"></a><a class="indexterm" name="id2618679"></a> 242 242 It should be pointed out that had clear public specifications for the protocols 243 243 been published, it would have been much easier to implement these features and would have … … 247 247 and defensible standards is obvious to all and would have enabled more secure networking 248 248 for everyone. 249 </p><p><a class="indexterm" name="id261 2641"></a><a class="indexterm" name="id2612649"></a>249 </p><p><a class="indexterm" name="id2618700"></a><a class="indexterm" name="id2618708"></a> 250 250 Critics of Samba often ignore fundamental problems that may plague (or may have plagued) 251 251 the users of Microsoft's products also. Those who are first to criticize Samba … … 259 259 Windows networking sites. From notes such as this it is clear that there are benefits 260 260 from not rushing new technology out of the door too soon. 261 </p><p><a class="indexterm" name="id261 2689"></a><a class="indexterm" name="id2612697"></a><a class="indexterm" name="id2612705"></a><a class="indexterm" name="id2612713"></a><a class="indexterm" name="id2612721"></a><a class="indexterm" name="id2612729"></a><a class="indexterm" name="id2612737"></a><a class="indexterm" name="id2612745"></a><a class="indexterm" name="id2612753"></a>261 </p><p><a class="indexterm" name="id2618748"></a><a class="indexterm" name="id2618756"></a><a class="indexterm" name="id2618764"></a><a class="indexterm" name="id2618772"></a><a class="indexterm" name="id2618780"></a><a class="indexterm" name="id2618787"></a><a class="indexterm" name="id2618796"></a><a class="indexterm" name="id2618803"></a><a class="indexterm" name="id2618811"></a> 262 262 One final comment is warranted. If companies want more secure networking protocols, 263 263 the most effective method by which this can be achieved is by users seeking … … 275 275 and yet by which they are made to interoperate in ways that the components do not 276 276 support. 277 </p><p><a class="indexterm" name="id261 2840"></a><a class="indexterm" name="id2612852"></a><a class="indexterm" name="id2612860"></a><a class="indexterm" name="id2612868"></a><a class="indexterm" name="id2612876"></a>277 </p><p><a class="indexterm" name="id2618899"></a><a class="indexterm" name="id2618910"></a><a class="indexterm" name="id2618918"></a><a class="indexterm" name="id2618926"></a><a class="indexterm" name="id2618934"></a> 278 278 In order to make the popular request for Samba to be an Active Directory Server a 279 279 reality, it is necessary to add to OpenLDAP, Kerberos, as well as Samba, RPC calls … … 283 283 the Samba Team does not make it a priority to absorb Kerberos and LDAP functionality 284 284 into the Samba project, this dream request cannot become a reality. 285 </p><p><a class="indexterm" name="id261 2906"></a><a class="indexterm" name="id2612914"></a><a class="indexterm" name="id2612922"></a><a class="indexterm" name="id2612933"></a><a class="indexterm" name="id2612941"></a>285 </p><p><a class="indexterm" name="id2618965"></a><a class="indexterm" name="id2618973"></a><a class="indexterm" name="id2618981"></a><a class="indexterm" name="id2618992"></a><a class="indexterm" name="id2619000"></a> 286 286 At this time, the integration of LDAP, Kerberos, and the missing RPCs is not on the 287 287 Samba development roadmap. If it is not on the published roadmap, it cannot be delivered … … 289 289 The Samba Team is most committed to permitting Samba to be a full ADS domain member 290 290 that is increasingly capable of being managed using Microsoft Windows MMC tools. 291 </p></dd></dl></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2612961"></a>Kerberos Exposed</h4></div></div></div><p><a class="indexterm" name="id2612968"></a><a class="indexterm" name="id2612975"></a><a class="indexterm" name="id2612984"></a>291 </p></dd></dl></div><div class="sect3" title="Kerberos Exposed"><div class="titlepage"><div><div><h4 class="title"><a name="id2619019"></a>Kerberos Exposed</h4></div></div></div><p><a class="indexterm" name="id2619026"></a><a class="indexterm" name="id2619034"></a><a class="indexterm" name="id2619042"></a> 292 292 Kerberos is a network authentication protocol that provides secure authentication for 293 293 client-server applications by using secret-key cryptography. Firewalls are an insufficient … … 295 295 traffic but cannot prevent network traffic that comes from authorized locations from 296 296 performing unauthorized activities. 297 </p><p><a class="indexterm" name="id261 3002"></a><a class="indexterm" name="id2613010"></a><a class="indexterm" name="id2613017"></a>297 </p><p><a class="indexterm" name="id2619060"></a><a class="indexterm" name="id2619068"></a><a class="indexterm" name="id2619076"></a> 298 298 Kerberos was created by MIT as a solution to network security problems. The Kerberos protocol uses 299 299 strong cryptography so that a client can prove its identity to a server (and vice versa) across an … … 301 301 they can also encrypt all of their communications to assure privacy and data integrity as they go 302 302 about their business. 303 </p><p><a class="indexterm" name="id261 3036"></a><a class="indexterm" name="id2613044"></a><a class="indexterm" name="id2613052"></a><a class="indexterm" name="id2613059"></a><a class="indexterm" name="id2613071"></a>303 </p><p><a class="indexterm" name="id2619094"></a><a class="indexterm" name="id2619102"></a><a class="indexterm" name="id2619110"></a><a class="indexterm" name="id2619118"></a><a class="indexterm" name="id2619129"></a> 304 304 Kerberos is a trusted third-party service. That means that there is a third party (the kerberos 305 305 server) that is trusted by all the entities on the network (users and services, usually called … … 308 308 trusting the kerberos server, users and services can authenticate each other. 309 309 </p><p> 310 <a class="indexterm" name="id261 3091"></a>311 <a class="indexterm" name="id261 3098"></a>312 <a class="indexterm" name="id261 3105"></a>310 <a class="indexterm" name="id2619149"></a> 311 <a class="indexterm" name="id2619156"></a> 312 <a class="indexterm" name="id2619163"></a> 313 313 Kerberos was, until recently, a technology that was restricted from being exported from the United States. 314 314 For many years that hindered global adoption of more secure networking technologies both within the United States … … 320 320 and use of Kerberos across the spectrum of the information technology industry. 321 321 </p><p> 322 <a class="indexterm" name="id261 3134"></a>322 <a class="indexterm" name="id2619193"></a> 323 323 A storm has broken out concerning interoperability between MIT Kerberos and Microsofts' implementation 324 324 of it. For example, a 2002 325 325 <a class="ulink" href="http://www.idg.com.sg/idgwww.nsf/0/5DDA8D153A7505A748256BAB000D992A?OpenDocument" target="_top">IDG</a> 326 report<sup>[<a name="id261 3153" href="#ftn.id2613153" class="footnote">13</a>]</sup> by326 report<sup>[<a name="id2619212" href="#ftn.id2619212" class="footnote">13</a>]</sup> by 327 327 states: 328 328 </p><div class="blockquote"><blockquote class="blockquote"><p> … … 332 332 use of the Kerberos authentication specification, not everyone agrees. 333 333 </p><p> 334 <a class="indexterm" name="id261 3179"></a>334 <a class="indexterm" name="id2619238"></a> 335 335 Robert Short, vice president of Windows core technology at Microsoft, wrote in his direct testimony prepared 336 336 before his appearance that non-Microsoft operating systems can disregard the portion of the Kerberos version … … 340 340 that software developers could add their own authorization information, he said. 341 341 </p></blockquote></div><p> 342 <a class="indexterm" name="id261 3202"></a>343 <a class="indexterm" name="id261 3209"></a>342 <a class="indexterm" name="id2619261"></a> 343 <a class="indexterm" name="id2619267"></a> 344 344 It so happens that Microsoft Windows clients depend on and expect the contents of the <span class="emphasis"><em>unspecified 345 345 fields</em></span> in the Kerberos 5 communications data stream for their Windows interoperability, … … 353 353 <a class="ulink" href="http://www.microsoft.com/technet/itsolutions/interop/mgmt/kerberos.asp" target="_top"> 354 354 technet</a> article: 355 </p><div class="blockquote"><blockquote class="blockquote"><p><a class="indexterm" name="id261 3244"></a><a class="indexterm" name="id2613256"></a>355 </p><div class="blockquote"><blockquote class="blockquote"><p><a class="indexterm" name="id2619303"></a><a class="indexterm" name="id2619314"></a> 356 356 The DCE Security Services are also layered on the Kerberos protocol. DCE authentication services use RPC 357 357 representation of Kerberos protocol messages. In addition, DCE uses the authorization data field in Kerberos … … 361 361 is not an issue with Kerberos interoperability, but rather an issue of interoperability between DCE and 362 362 Windows NT access control information. 363 </p></blockquote></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch10expl"></a>Implementation</h2></div></div></div><p>363 </p></blockquote></div></div></div></div><div class="sect1" title="Implementation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch10expl"></a>Implementation</h2></div></div></div><p> 364 364 The following procedures outline the implementation of the security measures discussed so far. 365 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2613307"></a>Share Access Controls</h3></div></div></div><p><a class="indexterm" name="id2613314"></a><a class="indexterm" name="id2613322"></a><a class="indexterm" name="id2613330"></a>365 </p><div class="sect2" title="Share Access Controls"><div class="titlepage"><div><div><h3 class="title"><a name="id2619366"></a>Share Access Controls</h3></div></div></div><p><a class="indexterm" name="id2619373"></a><a class="indexterm" name="id2619380"></a><a class="indexterm" name="id2619388"></a> 366 366 Access control entries placed on the share itself act as a filter at the time a when CIFS/SMB client (such as 367 367 Windows XP Pro) attempts to make a connection to the Samba server. 368 </p><div class="procedure" ><a name="id2613343"></a><p class="title"><b>Procedure 11.1. Create/Edit/Delete Share ACLs</b></p><ol type="1"><li><p><a class="indexterm" name="id2613353"></a><a class="indexterm" name="id2613362"></a>368 </p><div class="procedure" title="Procedure 11.1. Create/Edit/Delete Share ACLs"><a name="id2619402"></a><p class="title"><b>Procedure 11.1. Create/Edit/Delete Share ACLs</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p><a class="indexterm" name="id2619412"></a><a class="indexterm" name="id2619420"></a> 369 369 From a Windows 200x/XP Professional workstation, log on to the domain using the Domain Administrator 370 370 account (on Samba domains, this is usually the account called <code class="constant">root</code>). 371 </p></li><li ><p>371 </p></li><li class="step" title="Step 2"><p> 372 372 Click 373 373 <span class="guimenu">Start</span> → <span class="guimenuitem">Settings</span> → <span class="guimenuitem">Control Panel</span> → <span class="guimenuitem">Administrative Tools</span> → <span class="guimenuitem">Computer Management</span>. 374 </p></li><li ><p>374 </p></li><li class="step" title="Step 3"><p> 375 375 In the left panel, 376 376 <span class="guimenu">[Right mouse menu item] Computer Management (Local)</span> → <span class="guimenuitem">Connect to another computer ...</span> → <span class="guimenuitem">Browse...</span> → <span class="guimenuitem">Advanced</span> → <span class="guimenuitem">Find Now</span>. In the lower panel, click on the name of the server you wish to 377 administer. Click <span class="guimenu">OK</span> → <span class="guimenuitem">OK</span> → <span class="guimenuitem">OK</span>.<a class="indexterm" name="id261 3485"></a>377 administer. Click <span class="guimenu">OK</span> → <span class="guimenuitem">OK</span> → <span class="guimenuitem">OK</span>.<a class="indexterm" name="id2619543"></a> 378 378 In the left panel, the entry <span class="guimenu">Computer Management (Local)</span> should now reflect 379 379 the change made. For example, if the server you are administering is called <code class="constant">FRODO</code>, 380 380 the Computer Management entry should now say <span class="guimenu">Computer Management (FRODO)</span>. 381 </p></li><li ><p>381 </p></li><li class="step" title="Step 4"><p> 382 382 In the left panel, click <span class="guimenu">Computer Management (FRODO)</span> → <span class="guimenuitem">[+] Shared Folders</span> → <span class="guimenuitem">Shares</span>. 383 </p></li><li ><p><a class="indexterm" name="id2613549"></a><a class="indexterm" name="id2613557"></a>383 </p></li><li class="step" title="Step 5"><p><a class="indexterm" name="id2619607"></a><a class="indexterm" name="id2619615"></a> 384 384 In the right panel, double-click on the share on which you wish to set/edit ACLs. This 385 385 will bring up the Properties panel. Click the <span class="guimenu">Share Permissions</span> tab. 386 </p></li><li ><p><a class="indexterm" name="id2613580"></a><a class="indexterm" name="id2613588"></a><a class="indexterm" name="id2613596"></a><a class="indexterm" name="id2613604"></a><a class="indexterm" name="id2613612"></a><a class="indexterm" name="id2613620"></a>386 </p></li><li class="step" title="Step 6"><p><a class="indexterm" name="id2619638"></a><a class="indexterm" name="id2619646"></a><a class="indexterm" name="id2619654"></a><a class="indexterm" name="id2619662"></a><a class="indexterm" name="id2619670"></a><a class="indexterm" name="id2619678"></a> 387 387 You may now edit/add/remove access control settings. Be very careful. Many problems have been 388 388 created by people who decided that everyone should be rejected but one particular group should … … 390 390 belong to the group <code class="constant">Everyone</code>, which therefore overrules any permissions 391 391 set for the permitted group. 392 </p></li><li ><p>392 </p></li><li class="step" title="Step 7"><p> 393 393 When you are done with editing, close all panels by clicking through the <span class="guimenu">OK</span> 394 394 buttons. 395 </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2613656"></a>Share Definition Controls</h3></div></div></div><p><a class="indexterm" name="id2613663"></a><a class="indexterm" name="id2613674"></a><a class="indexterm" name="id2613682"></a><a class="indexterm" name="id2613690"></a><a class="indexterm" name="id2613698"></a><a class="indexterm" name="id2613706"></a>395 </p></li></ol></div></div><div class="sect2" title="Share Definition Controls"><div class="titlepage"><div><div><h3 class="title"><a name="id2619714"></a>Share Definition Controls</h3></div></div></div><p><a class="indexterm" name="id2619721"></a><a class="indexterm" name="id2619733"></a><a class="indexterm" name="id2619741"></a><a class="indexterm" name="id2619748"></a><a class="indexterm" name="id2619756"></a><a class="indexterm" name="id2619764"></a> 396 396 Share-definition-based access controls can be used like a checkpoint or like a pile-driver. Just as a 397 397 checkpoint can be used to require someone who wants to get through to meet certain requirements, so … … 400 400 credential-related objectives, the user can be granted powers and privileges that would not normally be 401 401 available under default settings. 402 </p><p><a class="indexterm" name="id261 3726"></a><a class="indexterm" name="id2613734"></a><a class="indexterm" name="id2613742"></a><a class="indexterm" name="id2613750"></a>402 </p><p><a class="indexterm" name="id2619785"></a><a class="indexterm" name="id2619793"></a><a class="indexterm" name="id2619800"></a><a class="indexterm" name="id2619809"></a> 403 403 It must be emphasized that the controls discussed here can act as a filter or give rights of passage 404 404 that act as a superstructure over normal directory and file access controls. However, share-level … … 406 406 share-level controls to get to the share-definition controls. The proper hierarchy of controls implemented 407 407 by Samba and Windows networking consists of: 408 </p><div class="orderedlist"><ol type="1"><li><p>Share-level ACLs</p></li><li><p>Share-definition controls</p></li><li><p>Directory and file permissions</p></li><li><p>Directory and file POSIX ACLs</p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2613795"></a>Checkpoint Controls</h4></div></div></div><p><a class="indexterm" name="id2613802"></a>408 </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Share-level ACLs</p></li><li class="listitem"><p>Share-definition controls</p></li><li class="listitem"><p>Directory and file permissions</p></li><li class="listitem"><p>Directory and file POSIX ACLs</p></li></ol></div><div class="sect3" title="Checkpoint Controls"><div class="titlepage"><div><div><h4 class="title"><a name="id2619854"></a>Checkpoint Controls</h4></div></div></div><p><a class="indexterm" name="id2619861"></a> 409 409 Consider the following extract from a <code class="filename">smb.conf</code> file defining the share called <code class="constant">Apps</code>: 410 410 </p><pre class="screen"> … … 417 417 This definition permits only those who are members of the group called <code class="constant">Employees</code> to 418 418 access the share. 419 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><a class="indexterm" name="id2613838"></a><a class="indexterm" name="id2613849"></a><a class="indexterm" name="id2613857"></a><a class="indexterm" name="id2613865"></a><a class="indexterm" name="id2613873"></a>419 </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><a class="indexterm" name="id2619896"></a><a class="indexterm" name="id2619908"></a><a class="indexterm" name="id2619916"></a><a class="indexterm" name="id2619924"></a><a class="indexterm" name="id2619932"></a> 420 420 On domain member servers and clients, even when the <em class="parameter"><code>winbind use default domain</code></em> has 421 421 been specified, the use of domain accounts in security controls requires fully qualified domain specification, … … 423 423 Note the necessity to use the double quotes to avoid having the space in the Windows group name interpreted as a 424 424 delimiter. 425 </p></div><p><a class="indexterm" name="id261 3908"></a><a class="indexterm" name="id2613916"></a><a class="indexterm" name="id2613923"></a>425 </p></div><p><a class="indexterm" name="id2619967"></a><a class="indexterm" name="id2619974"></a><a class="indexterm" name="id2619982"></a> 426 426 If there is an ACL on the share itself to permit read/write access for all <code class="constant">Employees</code> 427 427 as well as read/write for the group <code class="constant">Doctors</code>, both groups are permitted through … … 429 429 the group <code class="constant">Doctors</code>, who is not also a member of the group <code class="constant">Employees</code>, 430 430 would immediately fail to validate. 431 </p><p><a class="indexterm" name="id26 13955"></a>431 </p><p><a class="indexterm" name="id2620013"></a> 432 432 Consider another example. In this case, you want to permit all members of the group <code class="constant">Employees</code> 433 433 except the user <code class="constant">patrickj</code> to access the <code class="constant">Apps</code> share. This can be … … 442 442 invalid users = patrickj 443 443 </pre><p> 444 <a class="indexterm" name="id26 13995"></a>444 <a class="indexterm" name="id2620054"></a> 445 445 Let us assume that you want to permit the user <code class="constant">gbshaw</code> to manage any file in the 446 446 UNIX/Linux file system directory <code class="filename">/data/apps</code>, but you do not want to grant any write … … 454 454 admin users = gbshaw 455 455 </pre><p> 456 <a class="indexterm" name="id26 14026"></a>456 <a class="indexterm" name="id2620085"></a> 457 457 Now we have a set of controls that permits only <code class="constant">Employees</code> who are also members of 458 458 the group <code class="constant">Doctors</code>, excluding the user <code class="constant">patrickj</code>, to have … … 476 476 write list = peters 477 477 </pre><p> 478 <a class="indexterm" name="id26 14086"></a>478 <a class="indexterm" name="id2620145"></a> 479 479 This is a particularly complex example at this point, but it begins to demonstrate the possibilities. 480 480 You should refer to the online manual page for the <code class="filename">smb.conf</code> file for more information regarding 481 481 the checkpoint controls that Samba implements. 482 </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2614108"></a>Override Controls</h4></div></div></div><p><a class="indexterm" name="id2614114"></a>482 </p></div><div class="sect3" title="Override Controls"><div class="titlepage"><div><div><h4 class="title"><a name="id2620166"></a>Override Controls</h4></div></div></div><p><a class="indexterm" name="id2620173"></a> 483 483 Override controls implemented by Samba permit actions like the adoption of a different identity 484 484 during file system operations, the forced overwriting of normal file and directory permissions, … … 498 498 force group = Mentors 499 499 </pre><p> 500 <a class="indexterm" name="id26 14158"></a><a class="indexterm" name="id2614166"></a>500 <a class="indexterm" name="id2620217"></a><a class="indexterm" name="id2620225"></a> 501 501 That is all there is to it. Well, it is almost that simple. The downside of this method is that 502 502 users are logged onto the Windows client as themselves, and then immediately before accessing the … … 505 505 This imposes significant overhead on Samba. The alternative way to effectively achieve the same result 506 506 (but with lower system CPU overheads) is described next. 507 </p><p><a class="indexterm" name="id26 14187"></a><a class="indexterm" name="id2614194"></a><a class="indexterm" name="id2614202"></a><a class="indexterm" name="id2614214"></a><a class="indexterm" name="id2614222"></a>507 </p><p><a class="indexterm" name="id2620245"></a><a class="indexterm" name="id2620253"></a><a class="indexterm" name="id2620261"></a><a class="indexterm" name="id2620272"></a><a class="indexterm" name="id2620280"></a> 508 508 The use of the <em class="parameter"><code>force user</code></em> or the <em class="parameter"><code>force group</code></em> may 509 509 also have a severe impact on system (particularly on Windows client) performance. If opportunistic … … 515 515 apparent performance degradation as the client continually attempts to reconnect to overcome the 516 516 effect of the lost <code class="constant">oplock break</code>, or time-out. 517 </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2614269"></a>Share Point Directory and File Permissions</h3></div></div></div><p><a class="indexterm" name="id2614276"></a><a class="indexterm" name="id2614284"></a><a class="indexterm" name="id2614292"></a><a class="indexterm" name="id2614300"></a>517 </p></div></div><div class="sect2" title="Share Point Directory and File Permissions"><div class="titlepage"><div><div><h3 class="title"><a name="id2620328"></a>Share Point Directory and File Permissions</h3></div></div></div><p><a class="indexterm" name="id2620335"></a><a class="indexterm" name="id2620343"></a><a class="indexterm" name="id2620351"></a><a class="indexterm" name="id2620358"></a> 518 518 Samba has been designed and implemented so that it respects as far as is feasible the security and 519 519 user privilege controls that are built into the UNIX/Linux operating system. Samba does nothing … … 523 523 from a basic UNIX training guide. Instead, one common example of a typical problem is used 524 524 to demonstrate the most effective solution referred to in the immediately preceding paragraph. 525 </p><p><a class="indexterm" name="id26 14323"></a><a class="indexterm" name="id2614331"></a><a class="indexterm" name="id2614339"></a>525 </p><p><a class="indexterm" name="id2620381"></a><a class="indexterm" name="id2620389"></a><a class="indexterm" name="id2620397"></a> 526 526 One of the common issues that repeatedly pops up on the Samba mailing lists involves the saving of 527 527 Microsoft Office files (Word and Excel) to a network drive. Here is the typical sequence: 528 </p><div class="orderedlist"><ol type="1"><li><p>528 </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p> 529 529 A user opens a Word document from a network drive. The file was owned by user <code class="constant">janetp</code> 530 530 and [users], and was set read/write-enabled for everyone. 531 531 A user opens a Word document from a network drive. The file was owned by user <code class="constant">janetp</code> 532 532 and <code class="constant">users</code>, and was set read/write-enabled for everyone. 533 </p></li><li ><p>533 </p></li><li class="listitem"><p> 534 534 File changes and edits are made. 535 </p></li><li ><p>535 </p></li><li class="listitem"><p> 536 536 The file is saved, and MS Word is closed. 537 </p></li><li ><p>537 </p></li><li class="listitem"><p> 538 538 The file is now owned by the user <code class="constant">billc</code> and group <code class="constant">doctors</code>, 539 539 and is set read/write by <code class="constant">billc</code>, read-only by <code class="constant">doctors</code>, and 540 540 no access by everyone. 541 </p></li><li ><p>542 The original owner cannot now access her own file and is “<span class="quote">justifiably</span>”upset.541 </p></li><li class="listitem"><p> 542 The original owner cannot now access her own file and is <span class="quote">“<span class="quote">justifiably</span>”</span> upset. 543 543 </p></li></ol></div><p> 544 544 There have been many postings over the years that report the same basic problem. Frequently Samba users 545 want to know when this “<span class="quote">bug</span>”will be fixed. The fact is, this is not a bug in Samba at all.545 want to know when this <span class="quote">“<span class="quote">bug</span>”</span> will be fixed. The fact is, this is not a bug in Samba at all. 546 546 Here is the real sequence of what happens in this case. 547 </p><p><a class="indexterm" name="id26 14440"></a><a class="indexterm" name="id2614448"></a><a class="indexterm" name="id2614456"></a>547 </p><p><a class="indexterm" name="id2620498"></a><a class="indexterm" name="id2620506"></a><a class="indexterm" name="id2620514"></a> 548 548 When the user saves a file, MS Word creates a new (temporary) file. This file is naturally owned 549 549 by the user who creates the file (<code class="constant">billc</code>) and has the permissions that follow … … 558 558 operations. 559 559 </p><p> 560 The question is, “<span class="quote">How can we solve the problem?</span>”560 The question is, <span class="quote">“<span class="quote">How can we solve the problem?</span>”</span> 561 561 </p><p> 562 562 The solution is simple. Use UNIX file system permissions and controls to your advantage. Follow these 563 563 simple steps to create a share in which all files will consistently be owned by the same user and the 564 564 same group: 565 </p><div class="procedure" ><a name="id2614502"></a><p class="title"><b>Procedure 11.2. Using Directory Permissions to Force File User and Group Ownership</b></p><ol type="1"><li><p>565 </p><div class="procedure" title="Procedure 11.2. Using Directory Permissions to Force File User and Group Ownership"><a name="id2620561"></a><p class="title"><b>Procedure 11.2. Using Directory Permissions to Force File User and Group Ownership</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p> 566 566 Change your share definition so that it matches this pattern: 567 567 </p><pre class="screen"> … … 571 571 read only = No 572 572 </pre><p> 573 </p></li><li ><p><a class="indexterm" name="id2614528"></a><a class="indexterm" name="id2614539"></a>573 </p></li><li class="step" title="Step 2"><p><a class="indexterm" name="id2620587"></a><a class="indexterm" name="id2620598"></a> 574 574 Set consistent user and group permissions recursively down the directory tree as shown here: 575 575 </p><pre class="screen"> 576 576 <code class="prompt">root# </code> chown -R janetp.users /usr/data/finance 577 577 </pre><p> 578 </p></li><li ><p><a class="indexterm" name="id2614571"></a>578 </p></li><li class="step" title="Step 3"><p><a class="indexterm" name="id2620630"></a> 579 579 Set the files and directory permissions to be read/write for owner and group, and not accessible 580 580 to others (everyone), using the following command: … … 582 582 <code class="prompt">root# </code> chmod ug+rwx,o-rwx /usr/data/finance 583 583 </pre><p> 584 </p></li><li ><p><a class="indexterm" name="id2614600"></a>584 </p></li><li class="step" title="Step 4"><p><a class="indexterm" name="id2620659"></a> 585 585 Set the SGID (supergroup) bit on all directories from the top down. This means all files 586 586 can be created with the permissions of the group set on the directory. It means all users … … 592 592 </pre><p> 593 593 594 </p></li><li ><p><a class="indexterm" name="id2614641"></a><a class="indexterm" name="id2614649"></a><a class="indexterm" name="id2614657"></a>594 </p></li><li class="step" title="Step 5"><p><a class="indexterm" name="id2620699"></a><a class="indexterm" name="id2620707"></a><a class="indexterm" name="id2620715"></a> 595 595 Make sure all users that must have read/write access to the directory have 596 596 <code class="constant">finance</code> group membership as their primary group, 597 597 for example, the group they belong to in <code class="filename">/etc/passwd</code>. 598 </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2614682"></a>Managing Windows 200x ACLs</h3></div></div></div><p><a class="indexterm" name="id2614688"></a><a class="indexterm" name="id2614696"></a><a class="indexterm" name="id2614704"></a><a class="indexterm" name="id2614712"></a>598 </p></li></ol></div></div><div class="sect2" title="Managing Windows 200x ACLs"><div class="titlepage"><div><div><h3 class="title"><a name="id2620740"></a>Managing Windows 200x ACLs</h3></div></div></div><p><a class="indexterm" name="id2620747"></a><a class="indexterm" name="id2620755"></a><a class="indexterm" name="id2620763"></a><a class="indexterm" name="id2620771"></a> 599 599 Samba must translate Windows 2000 ACLs to UNIX POSIX ACLs. This has some interesting side effects because 600 600 there is not a one-to-one equivalence between them. The as-close-as-possible ACLs match means … … 604 604 There are two possible ways to set ACLs on UNIX/Linux file systems from a Windows network workstation, 605 605 either via File Manager or via the Microsoft Management Console (MMC) Computer Management interface. 606 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2614736"></a>Using the MMC Computer Management Interface</h4></div></div></div><div class="procedure"><ol type="1"><li><p>606 </p><div class="sect3" title="Using the MMC Computer Management Interface"><div class="titlepage"><div><div><h4 class="title"><a name="id2620795"></a>Using the MMC Computer Management Interface</h4></div></div></div><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p> 607 607 From a Windows 200x/XP Professional workstation, log on to the domain using the Domain Administrator 608 608 account (on Samba domains, this is usually the account called <code class="constant">root</code>). 609 </p></li><li ><p>609 </p></li><li class="step" title="Step 2"><p> 610 610 Click 611 611 <span class="guimenu">Start</span> → <span class="guimenuitem">Settings</span> → <span class="guimenuitem">Control Panel</span> → <span class="guimenuitem">Administrative Tools</span> → <span class="guimenuitem">Computer Management</span>. 612 </p></li><li ><p>612 </p></li><li class="step" title="Step 3"><p> 613 613 In the left panel, 614 614 <span class="guimenu">[Right mouse menu item] Computer Management (Local)</span> → <span class="guimenuitem">Connect to another computer ...</span> → <span class="guimenuitem">Browse...</span> → <span class="guimenuitem">Advanced</span> → <span class="guimenuitem">Find Now</span>. In the lower panel, click on the name of the server you wish to … … 617 617 the change made. For example, if the server you are administering is called <code class="constant">FRODO</code>, 618 618 the Computer Management entry should now say: <span class="guimenu">Computer Management (FRODO)</span>. 619 </p></li><li ><p>619 </p></li><li class="step" title="Step 4"><p> 620 620 In the left panel, click <span class="guimenu">Computer Management (FRODO)</span> → <span class="guimenuitem">[+] Shared Folders</span> → <span class="guimenuitem">Shares</span>. 621 </p></li><li ><p><a class="indexterm" name="id2614919"></a><a class="indexterm" name="id2614927"></a><a class="indexterm" name="id2614935"></a><a class="indexterm" name="id2614943"></a>621 </p></li><li class="step" title="Step 5"><p><a class="indexterm" name="id2620978"></a><a class="indexterm" name="id2620986"></a><a class="indexterm" name="id2620993"></a><a class="indexterm" name="id2621001"></a> 622 622 In the right panel, double-click on the share on which you wish to set/edit ACLs. This 623 623 brings up the Properties panel. Click the <span class="guimenu">Security</span> tab. It is best … … 626 626 functionality under the <code class="constant">Permissions</code> tab can be utilized with respect 627 627 to a Samba domain server. 628 </p></li><li ><p><a class="indexterm" name="id2614982"></a><a class="indexterm" name="id2614990"></a>628 </p></li><li class="step" title="Step 6"><p><a class="indexterm" name="id2621041"></a><a class="indexterm" name="id2621049"></a> 629 629 You may now edit/add/remove access control settings. Be very careful. Many problems have been 630 630 created by people who decided that everyone should be rejected but one particular group should … … 632 632 belong to the group <code class="constant">Everyone</code>, which therefore overrules any permissions 633 633 set for the permitted group. 634 </p></li><li ><p>634 </p></li><li class="step" title="Step 7"><p> 635 635 When you are done with editing, close all panels by clicking through the <span class="guimenu">OK</span> 636 636 buttons until the last panel closes. 637 </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2615027"></a>Using MS Windows Explorer (File Manager)</h4></div></div></div><p>637 </p></li></ol></div></div><div class="sect3" title="Using MS Windows Explorer (File Manager)"><div class="titlepage"><div><div><h4 class="title"><a name="id2621086"></a>Using MS Windows Explorer (File Manager)</h4></div></div></div><p> 638 638 The following alternative method may be used from a Windows workstation. In this example we work 639 639 with a domain called <code class="constant">MEGANET</code>, a server called <code class="constant">MASSIVE</code>, and a 640 640 share called <code class="constant">Apps</code>. The underlying UNIX/Linux share point for this share is 641 641 <code class="filename">/data/apps</code>. 642 </p><div class="procedure"><ol type="1"><li><p>642 </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p> 643 643 Click <span class="guimenu">Start</span> → <span class="guimenuitem">[right-click] My Computer</span> → <span class="guimenuitem">Explore</span> → <span class="guimenuitem">[left panel] [+] My Network Places</span> → <span class="guimenuitem">[+] Entire Network</span> → <span class="guimenuitem">[+] Microsoft Windows Network</span> → <span class="guimenuitem">[+] Meganet</span> → <span class="guimenuitem">[+] Massive</span> → <span class="guimenuitem">[right-click] Apps</span> → <span class="guimenuitem">Properties</span> → <span class="guimenuitem">Security</span> → <span class="guimenuitem">Advanced</span>. This opens a panel that has four tabs. Only the functionality under the 644 644 <code class="constant">Permissions</code> tab can be utilized for a Samba domain server. 645 </p></li><li ><p><a class="indexterm" name="id2615152"></a><a class="indexterm" name="id2615160"></a>645 </p></li><li class="step" title="Step 2"><p><a class="indexterm" name="id2621210"></a><a class="indexterm" name="id2621218"></a> 646 646 You may now edit/add/remove access control settings. Be very careful. Many problems have been 647 647 created by people who decided that everyone should be rejected but one particular group should … … 649 649 belong to the group <code class="constant">Everyone</code>, which therefore overrules any permissions 650 650 set for the permitted group. 651 </p></li><li ><p>651 </p></li><li class="step" title="Step 3"><p> 652 652 When you are done with editing, close all panels by clicking through the <span class="guimenu">OK</span> 653 653 buttons until the last panel closes. 654 </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2615198"></a>Setting Posix ACLs in UNIX/Linux</h4></div></div></div><p><a class="indexterm" name="id2615205"></a><a class="indexterm" name="id2615213"></a>654 </p></li></ol></div></div><div class="sect3" title="Setting Posix ACLs in UNIX/Linux"><div class="titlepage"><div><div><h4 class="title"><a name="id2621257"></a>Setting Posix ACLs in UNIX/Linux</h4></div></div></div><p><a class="indexterm" name="id2621264"></a><a class="indexterm" name="id2621272"></a> 655 655 Yet another alternative method for setting desired security settings on the shared resource files and 656 656 directories can be achieved by logging into UNIX/Linux and setting POSIX ACLs directly using command-line 657 657 tools. Here is an example session on the same resource as in the immediately preceding example on a SUSE 9 658 658 Linux system: 659 </p><div class="procedure"><ol type="1"><li><p>659 </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p> 660 660 Log into the Linux system as the user <code class="constant">root</code>. 661 </p></li><li ><p>661 </p></li><li class="step" title="Step 2"><p> 662 662 Change directory to the location of the exported (shared) Windows file share (Apps), which is in 663 663 the directory <code class="filename">/data</code>. Execute the following: … … 675 675 other::r-x 676 676 </pre><p> 677 </p></li><li ><p><a class="indexterm" name="id2615287"></a>677 </p></li><li class="step" title="Step 3"><p><a class="indexterm" name="id2621346"></a> 678 678 You want to add permission for <code class="constant">AppsMgrs</code> to enable them to 679 679 manage the applications (apps) share. It is important to set the ACL recursively … … 698 698 </pre><p> 699 699 This confirms that the change of POSIX ACL permissions has been effective. 700 </p></li><li ><p><a class="indexterm" name="id2615343"></a><a class="indexterm" name="id2615351"></a><a class="indexterm" name="id2615359"></a><a class="indexterm" name="id2615367"></a><a class="indexterm" name="id2615375"></a>700 </p></li><li class="step" title="Step 4"><p><a class="indexterm" name="id2621402"></a><a class="indexterm" name="id2621409"></a><a class="indexterm" name="id2621417"></a><a class="indexterm" name="id2621425"></a><a class="indexterm" name="id2621433"></a> 701 701 It is highly recommended that you read the online manual page for the <code class="literal">setfacl</code> 702 702 and <code class="literal">getfacl</code> commands. This provides information regarding how to set/read the default 703 703 ACLs and how that may be propagated through the directory tree. In Windows ACLs terms, this is the equivalent 704 704 of setting <code class="constant">inheritance</code> properties. 705 </p></li></ol></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2615408"></a>Key Points Learned</h3></div></div></div><p>705 </p></li></ol></div></div></div><div class="sect2" title="Key Points Learned"><div class="titlepage"><div><div><h3 class="title"><a name="id2621467"></a>Key Points Learned</h3></div></div></div><p> 706 706 The mish-mash of issues were thrown together into one chapter because it seemed like a good idea. 707 707 Looking back, this chapter could be broken into two, but it's too late now. It has been done. 708 708 The highlights covered are as follows: 709 </p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id2615426"></a><a class="indexterm" name="id2615434"></a><a class="indexterm" name="id2615442"></a><a class="indexterm" name="id2615450"></a>709 </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><a class="indexterm" name="id2621484"></a><a class="indexterm" name="id2621492"></a><a class="indexterm" name="id2621500"></a><a class="indexterm" name="id2621508"></a> 710 710 Winbind honors and does not override account controls set in Active Directory. 711 711 This means that password change, logon hours, and so on, are (or soon will be) enforced … … 713 713 change is enforced. At this time, if logon hours expire, the user is not forcibly 714 714 logged off. That may be implemented at some later date. 715 </p></li><li ><p><a class="indexterm" name="id2615468"></a><a class="indexterm" name="id2615476"></a>715 </p></li><li class="listitem"><p><a class="indexterm" name="id2621527"></a><a class="indexterm" name="id2621535"></a> 716 716 Sign'n'seal (plus schannel support) has been implemented in Samba-3. Beware of potential 717 717 problems acknowledged by Microsoft as having been fixed but reported by some as still 718 718 possibly an open issue. 719 </p></li><li ><p><a class="indexterm" name="id2615492"></a><a class="indexterm" name="id2615500"></a><a class="indexterm" name="id2615508"></a><a class="indexterm" name="id2615516"></a>719 </p></li><li class="listitem"><p><a class="indexterm" name="id2621551"></a><a class="indexterm" name="id2621559"></a><a class="indexterm" name="id2621566"></a><a class="indexterm" name="id2621574"></a> 720 720 The combination of Kerberos 5, plus OpenLDAP, plus Samba, cannot replace Microsoft 721 721 Active Directory. The possibility to do this is not planned in the current Samba-3 722 722 roadmap. Samba-3 does aim to provide further improvements in interoperability so that 723 723 UNIX/Linux systems may be fully integrated into Active Directory domains. 724 </p></li><li ><p>724 </p></li><li class="listitem"><p> 725 725 This chapter reviewed mechanisms by which Samba servers may be kept secure. Each of 726 726 the four key methodologies was reviewed with specific reference to example deployment 727 727 techniques. 728 </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2615543"></a>Questions and Answers</h2></div></div></div><p>729 </p><div class="qandaset" ><dl><dt> <a href="kerberos.html#id2615558">728 </p></li></ul></div></div></div><div class="sect1" title="Questions and Answers"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2621601"></a>Questions and Answers</h2></div></div></div><p> 729 </p><div class="qandaset" title="Frequently Asked Questions"><a name="id2621610"></a><dl><dt> <a href="kerberos.html#id2621617"> 730 730 Does Samba-3 require the Sign'n'seal registry hacks needed by Samba-2? 731 </a></dt><dt> <a href="kerberos.html#id26 15629">731 </a></dt><dt> <a href="kerberos.html#id2621687"> 732 732 Does Samba-3 support Active Directory? 733 </a></dt><dt> <a href="kerberos.html#id26 15660">733 </a></dt><dt> <a href="kerberos.html#id2621718"> 734 734 When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was 735 735 necessary with Samba-2? 736 </a></dt><dt> <a href="kerberos.html#id26 15698">736 </a></dt><dt> <a href="kerberos.html#id2621757"> 737 737 Is it safe to set share-level access controls in Samba? 738 </a></dt><dt> <a href="kerberos.html#id26 15728">738 </a></dt><dt> <a href="kerberos.html#id2621786"> 739 739 Is it mandatory to set share ACLs to get a secure Samba-3 server? 740 </a></dt><dt> <a href="kerberos.html#id26 15804">740 </a></dt><dt> <a href="kerberos.html#id2621863"> 741 741 The valid users did not work on the [homes]. 742 742 Has this functionality been restored yet? 743 </a></dt><dt> <a href="kerberos.html#id26 15870">743 </a></dt><dt> <a href="kerberos.html#id2621929"> 744 744 Is the bias against use of the force user and force group 745 745 really warranted? 746 </a></dt><dt> <a href="kerberos.html#id26 15934">746 </a></dt><dt> <a href="kerberos.html#id2621992"> 747 747 The example given for file and directory access control forces all files to be owned by one 748 748 particular user. I do not like that. Is there any way I can see who created the file? 749 </a></dt><dt> <a href="kerberos.html#id26 15982">749 </a></dt><dt> <a href="kerberos.html#id2622040"> 750 750 In the book, “The Official Samba-3 HOWTO and Reference Guide”, you recommended use 751 751 of the Windows NT4 Server Manager (part of the SRVTOOLS.EXE) utility. Why 752 752 have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility? 753 </a></dt><dt> <a href="kerberos.html#id26 16048">753 </a></dt><dt> <a href="kerberos.html#id2622107"> 754 754 I tried to set valid users = @Engineers, but it does not work. My Samba 755 755 server is an Active Directory domain member server. Has this been fixed now? 756 </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2615558"></a><a name="id2615561"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615564"></a><a class="indexterm" name="id2615572"></a>756 </a></dt></dl><table border="0" width="100%" summary="Q and A Set"><col align="left" width="1%"><col><tbody><tr class="question"><td align="left" valign="top"><a name="id2621617"></a><a name="id2621619"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2621622"></a><a class="indexterm" name="id2621630"></a> 757 757 Does Samba-3 require the <code class="constant">Sign'n'seal</code> registry hacks needed by Samba-2? 758 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id26 15591"></a><a class="indexterm" name="id2615599"></a><a class="indexterm" name="id2615607"></a>758 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2621650"></a><a class="indexterm" name="id2621657"></a><a class="indexterm" name="id2621665"></a> 759 759 No. Samba-3 fully supports <code class="constant">Sign'n'seal</code> as well as <code class="constant">schannel</code> 760 760 operation. The registry change should not be applied when Samba-3 is used as a domain controller. 761 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id26 15629"></a><a name="id2615631"></a></td><td align="left" valign="top"><p>761 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2621687"></a><a name="id2621690"></a></td><td align="left" valign="top"><p> 762 762 Does Samba-3 support Active Directory? 763 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id26 15642"></a>763 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2621700"></a> 764 764 Yes. Samba-3 can be a fully participating native mode Active Directory client. Samba-3 does not 765 765 provide Active Directory services. It cannot be used to replace a Microsoft Active Directory 766 766 server implementation. Samba-3 can function as an Active Directory client (workstation) toolkit, 767 767 and it can function as an Active Directory domain member server. 768 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id26 15660"></a><a name="id2615662"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615665"></a>768 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2621718"></a><a name="id2621721"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2621724"></a> 769 769 When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was 770 770 necessary with Samba-2? 771 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id26 15682"></a>771 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2621740"></a> 772 772 No. Samba-3 can be used with NetBIOS over TCP/IP disabled, just as can be done with Windows 200x 773 773 Server and 200x/XPPro client products. It is no longer necessary to run mixed-mode operation, 774 774 because Samba-3 can join a native Windows 2003 Server ADS domain. 775 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id26 15698"></a><a name="id2615701"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615704"></a>775 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2621757"></a><a name="id2621759"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2621762"></a> 776 776 Is it safe to set share-level access controls in Samba? 777 777 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p> … … 779 779 very mature technology. Not enough sites make use of this powerful capability, neither on 780 780 Windows server or with Samba servers. 781 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id26 15728"></a><a name="id2615730"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615733"></a>781 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2621786"></a><a name="id2621788"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2621792"></a> 782 782 Is it mandatory to set share ACLs to get a secure Samba-3 server? 783 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id26 15749"></a><a class="indexterm" name="id2615757"></a><a class="indexterm" name="id2615765"></a><a class="indexterm" name="id2615773"></a><a class="indexterm" name="id2615781"></a>783 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2621807"></a><a class="indexterm" name="id2621815"></a><a class="indexterm" name="id2621823"></a><a class="indexterm" name="id2621832"></a><a class="indexterm" name="id2621840"></a> 784 784 No. Samba-3 honors UNIX/Linux file system security, supports Windows 200x ACLs, and provides 785 785 means of securing shares through share definition controls in the <code class="filename">smb.conf</code> file. The additional 786 786 support for share-level ACLs is like frosting on the cake. It adds to security but is not essential 787 787 to it. 788 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id26 15804"></a><a name="id2615806"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615810"></a>788 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2621863"></a><a name="id2621865"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2621868"></a> 789 789 The <em class="parameter"><code>valid users</code></em> did not work on the <em class="parameter"><code>[homes]</code></em>. 790 790 Has this functionality been restored yet? 791 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id26 15837"></a>791 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2621896"></a> 792 792 Yes. This was fixed in Samba-3.0.2. The use of this parameter is strongly recommended as a safeguard 793 793 on the <em class="parameter"><code>[homes]</code></em> meta-service. The correct way to specify this is: 794 794 <a class="link" href="smb.conf.5.html#VALIDUSERS" target="_top">valid users = %S</a>. 795 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id26 15870"></a><a name="id2615872"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615876"></a><a class="indexterm" name="id2615883"></a><a class="indexterm" name="id2615891"></a>795 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2621929"></a><a name="id2621931"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2621934"></a><a class="indexterm" name="id2621942"></a><a class="indexterm" name="id2621950"></a> 796 796 Is the bias against use of the <em class="parameter"><code>force user</code></em> and <em class="parameter"><code>force group</code></em> 797 797 really warranted? 798 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id26 15918"></a>798 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2621977"></a> 799 799 There is no bias. There is a determination to recommend the right tool for the task at hand. 800 800 After all, it is better than putting users through performance problems, isn't it? 801 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id26 15934"></a><a name="id2615936"></a></td><td align="left" valign="top"><p>801 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2621992"></a><a name="id2621994"></a></td><td align="left" valign="top"><p> 802 802 The example given for file and directory access control forces all files to be owned by one 803 803 particular user. I do not like that. Is there any way I can see who created the file? 804 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id26 15948"></a>804 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2622007"></a> 805 805 Sure. You do not have to set the SUID bit on the directory. Simply execute the following command 806 806 to permit file ownership to be retained by the user who created it: … … 810 810 Note that this required no more than removing the <code class="constant">u</code> argument so that the 811 811 SUID bit is not set for the owner. 812 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id26 15982"></a><a name="id2615984"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615987"></a>813 In the book, “<span class="quote">The Official Samba-3 HOWTO and Reference Guide</span>”, you recommended use812 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2622040"></a><a name="id2622042"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2622046"></a> 813 In the book, <span class="quote">“<span class="quote">The Official Samba-3 HOWTO and Reference Guide</span>”</span>, you recommended use 814 814 of the Windows NT4 Server Manager (part of the <code class="filename">SRVTOOLS.EXE</code>) utility. Why 815 815 have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility? 816 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id26 16015"></a><a class="indexterm" name="id2616023"></a>816 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2622074"></a><a class="indexterm" name="id2622081"></a> 817 817 Either tool can be used with equal effect. There is no benefit of one over the other, except that 818 818 the MMC utility is present on all Windows 200x/XP systems and does not require additional software … … 820 820 Samba-controlled domain, the only tool that permits that is the NT4 Domain User Manager, which 821 821 is provided as part of the <code class="filename">SRVTOOLS.EXE</code> utility. 822 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id26 16048"></a><a name="id2616051"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2616054"></a><a class="indexterm" name="id2616062"></a><a class="indexterm" name="id2616070"></a>822 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2622107"></a><a name="id2622109"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2622112"></a><a class="indexterm" name="id2622120"></a><a class="indexterm" name="id2622128"></a> 823 823 I tried to set <em class="parameter"><code>valid users = @Engineers</code></em>, but it does not work. My Samba 824 824 server is an Active Directory domain member server. Has this been fixed now? … … 826 826 The use of this parameter has always required the full specification of the domain account, for 827 827 example, <em class="parameter"><code>valid users = @"MEGANET2\Domain Admins"</code></em>. 828 </p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"></div><div class="footnote"><a class="ulink" href="http://199.105.191.226/Man/2699/020430msdoj/" target="_top"><sup>[<a name="ftn.id261 3153" href="#id2613153" class="ulink">13</a>] </sup>ITWorld.com</a></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="RefSection.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="DomApps.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part III. Reference Section </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 12. Integrating Additional Services</td></tr></table></div></body></html>828 </p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"></div><div class="footnote"><a class="ulink" href="http://199.105.191.226/Man/2699/020430msdoj/" target="_top"><sup>[<a name="ftn.id2619212" href="#id2619212" class="ulink">13</a>] </sup>ITWorld.com</a></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="RefSection.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="DomApps.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part III. Reference Section </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 12. Integrating Additional Services</td></tr></table></div></body></html>
Note:
See TracChangeset
for help on using the changeset viewer.
