Context Navigation

← Previous Change
Next Change →

kerberos.html

Timestamp:

Mar 1, 2010, 3:05:48 PM (15 years ago)

Author:

Herwig Bauernfeind

Message:

Update Samba 3.3.x to 3.3.11

File:

: 1 edited

branches/samba-3.3.x/docs/htmldocs/Samba3-ByExample/kerberos.html (modified) (66 diffs)

Legend:

: Unmodified
: Added
: Removed

branches/samba-3.3.x/docs/htmldocs/Samba3-ByExample/kerberos.html

-              r368
+              r411
 <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 11. Active Directory, Kerberos, and Security</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="RefSection.html" title="Part III. Reference Section"><link rel="next" href="DomApps.html" title="Chapter 12. Integrating Additional Services"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 11. Active Directory, Kerberos, and Security</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="RefSection.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="DomApps.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter 11. Active Directory, Kerberos, and Security"><div class="titlepage"><div><div><h2 class="title"><a name="kerberos"></a>Chapter 11. Active Directory, Kerberos, and Security</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="kerberos.html#id2616672">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id2617322">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id2617338">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id2617736">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#ch10expl">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id2619366">Share Access Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2619714">Share Definition Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2620328">Share Point Directory and File Permissions</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2620740">Managing Windows 200x ACLs</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2621467">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id2621601">Questions and Answers</a></span></dt></dl></div><p><a class="indexterm" name="id2616607"></a>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 11. Active Directory, Kerberos, and Security</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="RefSection.html" title="Part III. Reference Section"><link rel="next" href="DomApps.html" title="Chapter 12. Integrating Additional Services"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 11. Active Directory, Kerberos, and Security</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="RefSection.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="DomApps.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="kerberos"></a>Chapter 11. Active Directory, Kerberos, and Security</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="kerberos.html#id2610586">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id2611237">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id2611253">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id2611650">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#ch10expl">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id2613280">Share Access Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2613629">Share Definition Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2614242">Share Point Directory and File Permissions</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2614655">Managing Windows 200x ACLs</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2615382">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id2615516">Questions and Answers</a></span></dt></dl></div><p><a class="indexterm" name="id2610522"></a>
         By this point in the book, you have been exposed to many Samba-3 features and capabilities.
         More importantly, if you have implemented the examples given, you are well on your way to becoming
 …
         practice, you likely have thought of improvements and scenarios with which you can experiment. You
         are rather well plugged in to the many flexible ways Samba can be used.
         </p><p><a class="indexterm" name="id2616626"></a>
+        </p><p><a class="indexterm" name="id2610541"></a>
         This is a book about Samba-3. Understandably, its intent is to present it in a positive light.
         The casual observer might conclude that this book is one-eyed about Samba. It is  what
 …
         decision. Criticism can be expected from the outside. Let's see how the interesting dynamic of
         criticism develops with respect to Abmas.
         </p><p><a class="indexterm" name="id2616654"></a>
+        </p><p><a class="indexterm" name="id2610569"></a>
         This chapter provides a shameless self-promotion of Samba-3. The objections raised were not pulled
         out of thin air. They were drawn from comments made by Samba users and from criticism during
 …
         as possible that of the original. The case presented is a straw-man example that is designed to
         permit each objection to be answered as it might occur in real life.
         </p><div class="sect1" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2616672"></a>Introduction</h2></div></div></div><p><a class="indexterm" name="id2616678"></a><a class="indexterm" name="id2616686"></a><a class="indexterm" name="id2616694"></a><a class="indexterm" name="id2616702"></a><a class="indexterm" name="id2616710"></a>
+        </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2610586"></a>Introduction</h2></div></div></div><p><a class="indexterm" name="id2610593"></a><a class="indexterm" name="id2610601"></a><a class="indexterm" name="id2610609"></a><a class="indexterm" name="id2610616"></a><a class="indexterm" name="id2610624"></a>
         Abmas is continuing its meteoric growth with yet further acquisitions. The investment community took
         note of the spectacular projection of Abmas onto the global business stage. Abmas is building an
 …
         During the time that the acquisition was closing, the Video Rentals business upgraded its Windows
         NT4-based network to Windows 2003 Server and Active Directory.
         </p><p><a class="indexterm" name="id2616734"></a>
+        </p><p><a class="indexterm" name="id2610649"></a>
         You have accepted the fact that Abmas Video Rentals will use Microsoft Active Directory.
         The IT team, led by Stan Soroka, is committed to Samba-3 and to maintaining a uniform technology platform.
         Stan Soroka's team voiced its disapproval over the decision to permit this business to continue to
         operate with a solution that is viewed by Christine and her group as <span class="quote">&#8220;<span class="quote">an island of broken
         technologies.</span>&#8221;</span> This comment was made by one of Christine's staff as they were installing a new
+        operate with a solution that is viewed by Christine and her group as &#8220;<span class="quote">an island of broken
+        technologies.</span>&#8221; This comment was made by one of Christine's staff as they were installing a new
         Samba-3 server at the new business.
         </p><p><a class="indexterm" name="id2616757"></a><a class="indexterm" name="id2616765"></a>
+        </p><p><a class="indexterm" name="id2610672"></a><a class="indexterm" name="id2610680"></a>
         Abmas Video Rentals' head of IT heard of this criticism. He was offended that a junior engineer
         should make such a comment. He felt that he had to prepare in case he might be criticized for his
         decision to use Active Directory. He decided he would defend his decision by hiring the services
         of an outside security systems consultant to report<sup>[<a name="id2616780" href="#ftn.id2616780" class="footnote">12</a>]</sup> on his unit's operations
+        of an outside security systems consultant to report<sup>[<a name="id2610695" href="#ftn.id2610695" class="footnote">12</a>]</sup> on his unit's operations
         and to investigate the role of Samba at his site. Here are key extracts from this hypothetical
         report:
         </p><div class="blockquote"><blockquote class="blockquote"><p><a class="indexterm" name="id2616791"></a><a class="indexterm" name="id2616799"></a><a class="indexterm" name="id2616807"></a><a class="indexterm" name="id2616814"></a>
+        </p><div class="blockquote"><blockquote class="blockquote"><p><a class="indexterm" name="id2610706"></a><a class="indexterm" name="id2610714"></a><a class="indexterm" name="id2610721"></a><a class="indexterm" name="id2610729"></a>
         ... the implementation of Microsoft Active Directory at the Abmas Video Rentals, Bamingsham site,
          has been examined. We find no evidence to support a notion that vulnerabilities exist at your site.
 …
         </p><p>
         ...
         </p><p><a class="indexterm" name="id2616836"></a><a class="indexterm" name="id2616847"></a><a class="indexterm" name="id2616858"></a><a class="indexterm" name="id2616866"></a><a class="indexterm" name="id2616874"></a><a class="indexterm" name="id2616882"></a>
+        </p><p><a class="indexterm" name="id2610750"></a><a class="indexterm" name="id2610762"></a><a class="indexterm" name="id2610773"></a><a class="indexterm" name="id2610781"></a><a class="indexterm" name="id2610789"></a><a class="indexterm" name="id2610797"></a>
         User and group accounts, and respective privileges, have been well thought out. File system shares are
         appropriately secured. Backup and disaster recovery plans are well managed and validated regularly, and
         effective off-site storage practices are considered to exceed industry norms.
         </p><p><a class="indexterm" name="id2616898"></a><a class="indexterm" name="id2616906"></a><a class="indexterm" name="id2616914"></a>
+        </p><p><a class="indexterm" name="id2610813"></a><a class="indexterm" name="id2610821"></a><a class="indexterm" name="id2610829"></a>
         Your staff are justifiably concerned that the use of Samba may compromise their good efforts to maintain
         a secure network.
         </p><p><a class="indexterm" name="id2616931"></a><a class="indexterm" name="id2616939"></a><a class="indexterm" name="id2616946"></a><a class="indexterm" name="id2616954"></a>
+        </p><p><a class="indexterm" name="id2610846"></a><a class="indexterm" name="id2610853"></a><a class="indexterm" name="id2610861"></a><a class="indexterm" name="id2610869"></a>
         The recently installed Linux file and application server uses a tool called <code class="literal">winbind</code>
         that is indiscriminate about security. All user accounts in Active Directory can be used to access data
 …
         to great lengths to set fine-grained controls that limit information access to those who need access.
         It seems incongruous to us that Samba winbind should be permitted to be used considering that it voids this fine work.
         </p><p><a class="indexterm" name="id2616994"></a><a class="indexterm" name="id2617002"></a><a class="indexterm" name="id2617010"></a>
+        </p><p><a class="indexterm" name="id2610909"></a><a class="indexterm" name="id2610917"></a><a class="indexterm" name="id2610925"></a>
         Graham Judd [head of network administration] has locked down the security of all systems and is following
         the latest Microsoft guidelines. ... null session connections have been disabled ... the internal network
 …
         </p><p>
         ...
         </p><p><a class="indexterm" name="id2617035"></a><a class="indexterm" name="id2617042"></a><a class="indexterm" name="id2617050"></a><a class="indexterm" name="id2617058"></a>
+        </p><p><a class="indexterm" name="id2610949"></a><a class="indexterm" name="id2610957"></a><a class="indexterm" name="id2610965"></a><a class="indexterm" name="id2610973"></a>
         Regarding the use of Samba, we offer the following comments: Samba is in use in nearly half of
         all sites we have surveyed. ... It is our opinion that Samba offers no better security than Microsoft
 …
         Samba is not at the full capabilities of Microsoft Windows NT4 server. Microsoft has moved well beyond that
         with trusted computing initiatives that the Samba developers do not participate in.
         </p><p><a class="indexterm" name="id2617082"></a><a class="indexterm" name="id2617089"></a><a class="indexterm" name="id2617097"></a><a class="indexterm" name="id2617105"></a><a class="indexterm" name="id2617113"></a><a class="indexterm" name="id2617121"></a><a class="indexterm" name="id2617129"></a>
+        </p><p><a class="indexterm" name="id2610996"></a><a class="indexterm" name="id2611004"></a><a class="indexterm" name="id2611012"></a><a class="indexterm" name="id2611020"></a><a class="indexterm" name="id2611028"></a><a class="indexterm" name="id2611036"></a><a class="indexterm" name="id2611044"></a>
         One wonders about the integrity of an open source program that is developed by a team of hackers
         who cannot be held accountable for the flaws in their code. The sheer number of updates and bug
         fixes they have released should ring alarm bells in any business.
         </p><p><a class="indexterm" name="id2617144"></a><a class="indexterm" name="id2617152"></a><a class="indexterm" name="id2617160"></a>
+        </p><p><a class="indexterm" name="id2611059"></a><a class="indexterm" name="id2611067"></a><a class="indexterm" name="id2611075"></a>
         Another factor that should be considered is that buying Microsoft products and services helps to
         provide employment in the IT industry. Samba and Open Source software place those jobs at risk.
         </p></blockquote></div><p><a class="indexterm" name="id2617175"></a><a class="indexterm" name="id2617183"></a>
+        </p></blockquote></div><p><a class="indexterm" name="id2611089"></a><a class="indexterm" name="id2611097"></a>
         This is also a challenge to rise above the trouble spot. You call Stan's team together for a simple
         discussion, but it gets further out of hand.  When you return to your office, you find the following
 …
         across all systems. I concur with the desire to improve security. One of the new guys who is championing
         the move to Kerberos was responsible for the comment that caused the embarrassment.
         </p><p><a class="indexterm" name="id2617219"></a><a class="indexterm" name="id2617227"></a><a class="indexterm" name="id2617235"></a><a class="indexterm" name="id2617243"></a>
+        </p><p><a class="indexterm" name="id2611134"></a><a class="indexterm" name="id2611142"></a><a class="indexterm" name="id2611150"></a><a class="indexterm" name="id2611158"></a>
         I am experiencing difficulty in handling the sharp push for Kerberos. He claims that Kerberos, OpenLDAP,
         plus Samba-3 will seamlessly replace Microsoft Active Directory. I am a little out of my depth with respect
         to the feasibility of such a move, but have taken steps to pull both of them into line. With your consent,
         I would like to hire the services of a well-known Samba consultant to set the record straight.
         </p><p><a class="indexterm" name="id2617261"></a><a class="indexterm" name="id2617269"></a><a class="indexterm" name="id2617277"></a><a class="indexterm" name="id2617285"></a><a class="indexterm" name="id2617293"></a><a class="indexterm" name="id2617301"></a>
+        </p><p><a class="indexterm" name="id2611176"></a><a class="indexterm" name="id2611184"></a><a class="indexterm" name="id2611192"></a><a class="indexterm" name="id2611200"></a><a class="indexterm" name="id2611208"></a><a class="indexterm" name="id2611216"></a>
         I intend to use this report to answer the criticism raised and would like to establish a policy that we
         will approve the use of Microsoft Windows Servers (and Active Directory) subject to all costs being covered
 …
         use of any centrally proposed standards, but make all noncompliance the financial responsibility of the
         out-of-step division. Hopefully, this will encourage all divisions to walk with us and not alone.
         </p></td><td width="10%" valign="top"> </td></tr><tr><td width="10%" valign="top"> </td><td colspan="2" align="right" valign="top">--<span class="attribution">Stan</span></td></tr></table></div><div class="sect2" title="Assignment Tasks"><div class="titlepage"><div><div><h3 class="title"><a name="id2617322"></a>Assignment Tasks</h3></div></div></div><p>
+        </p></td><td width="10%" valign="top"> </td></tr><tr><td width="10%" valign="top"> </td><td colspan="2" align="right" valign="top">--<span class="attribution">Stan</span></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2611237"></a>Assignment Tasks</h3></div></div></div><p>
                 You agreed with Stan's recommendations and hired a consultant to help defuse the powder
                 keg. The consultant's task is to provide a tractable answer to each of the issues raised. The consultant must be able
                 to support his or her claims, keep emotions to the side, and answer technically.
                 </p></div></div><div class="sect1" title="Dissection and Discussion"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2617338"></a>Dissection and Discussion</h2></div></div></div><p><a class="indexterm" name="id2617345"></a><a class="indexterm" name="id2617353"></a><a class="indexterm" name="id2617361"></a><a class="indexterm" name="id2617369"></a><a class="indexterm" name="id2617377"></a><a class="indexterm" name="id2617385"></a><a class="indexterm" name="id2617392"></a>
+                </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2611253"></a>Dissection and Discussion</h2></div></div></div><p><a class="indexterm" name="id2611260"></a><a class="indexterm" name="id2611268"></a><a class="indexterm" name="id2611276"></a><a class="indexterm" name="id2611284"></a><a class="indexterm" name="id2611291"></a><a class="indexterm" name="id2611299"></a><a class="indexterm" name="id2611307"></a>
         Samba-3 is a tool. No one is pounding your door to make you use Samba. That is a choice that you are free to
         make or reject. It is likely that your decision to use Samba can greatly benefit your company.
 …
         money saved by not spending in the IT area can be spent elsewhere in the business. All money saved
         or spent creates employment.
         </p><p><a class="indexterm" name="id2617414"></a><a class="indexterm" name="id2617422"></a><a class="indexterm" name="id2617430"></a><a class="indexterm" name="id2617438"></a><a class="indexterm" name="id2617446"></a>
+        </p><p><a class="indexterm" name="id2611329"></a><a class="indexterm" name="id2611337"></a><a class="indexterm" name="id2611345"></a><a class="indexterm" name="id2611353"></a><a class="indexterm" name="id2611361"></a>
         In the long term, the use of Samba must be economically sustainable. In some situations, Samba is adopted
         purely to provide file and print service interoperability on platforms that otherwise cannot provide
 …
         effect a reduction in the cost of providing IT services. Obviously, it is also used by some as an
         alternative to the use of a Microsoft file and print serving platforms with no consideration of costs.
         </p><p><a class="indexterm" name="id2617466"></a><a class="indexterm" name="id2617474"></a><a class="indexterm" name="id2617482"></a><a class="indexterm" name="id2617490"></a>
+        </p><p><a class="indexterm" name="id2611381"></a><a class="indexterm" name="id2611389"></a><a class="indexterm" name="id2611397"></a><a class="indexterm" name="id2611405"></a>
         It would be foolish to adopt a technology that might put any data or users at risk. Security affects
         everyone. The Samba-Team is fully cognizant of the responsibility they have to their users.
         The Samba documentation clearly reveals that full responsibility is accepted to fix anything
         that is broken.
         </p><p><a class="indexterm" name="id2617506"></a><a class="indexterm" name="id2617514"></a><a class="indexterm" name="id2617522"></a><a class="indexterm" name="id2617530"></a><a class="indexterm" name="id2617542"></a><a class="indexterm" name="id2617550"></a><a class="indexterm" name="id2617557"></a><a class="indexterm" name="id2617565"></a><a class="indexterm" name="id2617573"></a><a class="indexterm" name="id2617581"></a><a class="indexterm" name="id2617589"></a>
+        </p><p><a class="indexterm" name="id2611421"></a><a class="indexterm" name="id2611429"></a><a class="indexterm" name="id2611437"></a><a class="indexterm" name="id2611445"></a><a class="indexterm" name="id2611456"></a><a class="indexterm" name="id2611464"></a><a class="indexterm" name="id2611472"></a><a class="indexterm" name="id2611480"></a><a class="indexterm" name="id2611488"></a><a class="indexterm" name="id2611496"></a><a class="indexterm" name="id2611504"></a>
         There is a mistaken perception in the IT industry that commercial software providers are fully
         accountable for the defects in products. Open Source software comes with no warranty, so it is
 …
         commercial software vendors are willingly accountable for product defects. In many cases, the
         commercial vendor accepts liability only to reimburse the price paid for the software.
         </p><p><a class="indexterm" name="id2617611"></a><a class="indexterm" name="id2617619"></a><a class="indexterm" name="id2617627"></a><a class="indexterm" name="id2617635"></a><a class="indexterm" name="id2617643"></a><a class="indexterm" name="id2617651"></a>
+        </p><p><a class="indexterm" name="id2611526"></a><a class="indexterm" name="id2611534"></a><a class="indexterm" name="id2611542"></a><a class="indexterm" name="id2611550"></a><a class="indexterm" name="id2611558"></a><a class="indexterm" name="id2611566"></a>
         The real issues that a consumer (like you) needs answered are What is the way of escape from technical
         problems, and how long will it take? The average problem turnaround time in the Open Source community is
         approximately 48 hours. What does the EULA offer? What is the track record in the commercial software
         industry? What happens when your commercial vendor decides to cease providing support?
         </p><p><a class="indexterm" name="id2617676"></a><a class="indexterm" name="id2617684"></a><a class="indexterm" name="id2617692"></a><a class="indexterm" name="id2617699"></a><a class="indexterm" name="id2617707"></a><a class="indexterm" name="id2617715"></a><a class="indexterm" name="id2617723"></a>
+        </p><p><a class="indexterm" name="id2611591"></a><a class="indexterm" name="id2611598"></a><a class="indexterm" name="id2611606"></a><a class="indexterm" name="id2611614"></a><a class="indexterm" name="id2611622"></a><a class="indexterm" name="id2611630"></a><a class="indexterm" name="id2611638"></a>
         Open Source software at least puts you in possession of the source code. This means that when
         all else fails, you can hire a programmer to solve the problem.
         </p><div class="sect2" title="Technical Issues"><div class="titlepage"><div><div><h3 class="title"><a name="id2617736"></a>Technical Issues</h3></div></div></div><p>
+        </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2611650"></a>Technical Issues</h3></div></div></div><p>
                 Each issue is now discussed and, where appropriate, example implementation steps are
                 provided.
                 </p><div class="variablelist"><dl><dt><span class="term">Winbind and Security</span></dt><dd><p><a class="indexterm" name="id2617756"></a><a class="indexterm" name="id2617764"></a><a class="indexterm" name="id2617772"></a><a class="indexterm" name="id2617784"></a><a class="indexterm" name="id2617792"></a><a class="indexterm" name="id2617800"></a><a class="indexterm" name="id2617808"></a><a class="indexterm" name="id2617816"></a><a class="indexterm" name="id2617824"></a><a class="indexterm" name="id2617832"></a>
+                </p><div class="variablelist"><dl><dt><span class="term">Winbind and Security</span></dt><dd><p><a class="indexterm" name="id2611671"></a><a class="indexterm" name="id2611679"></a><a class="indexterm" name="id2611687"></a><a class="indexterm" name="id2611698"></a><a class="indexterm" name="id2611706"></a><a class="indexterm" name="id2611714"></a><a class="indexterm" name="id2611722"></a><a class="indexterm" name="id2611730"></a><a class="indexterm" name="id2611738"></a><a class="indexterm" name="id2611746"></a>
                                 Windows network administrators may be dismayed to find that <code class="literal">winbind</code>
                                 exposes all domain users so that they may use their domain account credentials to
 …
                                 UNIX/Linux server in their Network Neighborhood and can browse the shares on the
                                 server seems to excite them further.
                                 </p><p><a class="indexterm" name="id2617855"></a><a class="indexterm" name="id2617863"></a><a class="indexterm" name="id2617871"></a><a class="indexterm" name="id2617879"></a>
+                                </p><p><a class="indexterm" name="id2611770"></a><a class="indexterm" name="id2611778"></a><a class="indexterm" name="id2611786"></a><a class="indexterm" name="id2611794"></a>
                                 <code class="literal">winbind</code> provides for the UNIX/Linux domain member server or
                                 client, the same as one would obtain by adding a Microsoft Windows server or
 …
                                 and therefore requires handling a little differently from the familiar Windows systems.
                                 One must recognize fear of the unknown.
                                 </p><p><a class="indexterm" name="id2617902"></a><a class="indexterm" name="id2617910"></a><a class="indexterm" name="id2617918"></a><a class="indexterm" name="id2617926"></a><a class="indexterm" name="id2617934"></a><a class="indexterm" name="id2617945"></a>
+                                </p><p><a class="indexterm" name="id2611817"></a><a class="indexterm" name="id2611825"></a><a class="indexterm" name="id2611833"></a><a class="indexterm" name="id2611841"></a><a class="indexterm" name="id2611848"></a><a class="indexterm" name="id2611860"></a>
                                 Windows network administrators need to recognize that <code class="literal">winbind</code> does
                                 not, and cannot, override account controls set using the Active Directory management
                                 tools. The control is the same. Have no fear.
                                 </p><p><a class="indexterm" name="id2617966"></a><a class="indexterm" name="id2617974"></a><a class="indexterm" name="id2617985"></a><a class="indexterm" name="id2617993"></a><a class="indexterm" name="id2618001"></a><a class="indexterm" name="id2618009"></a><a class="indexterm" name="id2618016"></a><a class="indexterm" name="id2618024"></a><a class="indexterm" name="id2618032"></a><a class="indexterm" name="id2618040"></a>
+                                </p><p><a class="indexterm" name="id2611881"></a><a class="indexterm" name="id2611888"></a><a class="indexterm" name="id2611900"></a><a class="indexterm" name="id2611908"></a><a class="indexterm" name="id2611916"></a><a class="indexterm" name="id2611923"></a><a class="indexterm" name="id2611931"></a><a class="indexterm" name="id2611939"></a><a class="indexterm" name="id2611947"></a><a class="indexterm" name="id2611955"></a>
                                 Where Samba and the ADS domain account information obtained through the use of
                                 <code class="literal">winbind</code> permits access, by browsing or by the drive mapping to
 …
                                 controls have not been properly implemented. Samba permits access controls to be set
                                 on:
                                 </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Shares themselves (i.e., the logical share itself)</p></li><li class="listitem"><p>The share definition in <code class="filename">smb.conf</code></p></li><li class="listitem"><p>The shared directories and files using UNIX permissions</p></li><li class="listitem"><p>Using Windows 2000 ACLs  if the file system is POSIX enabled</p></li></ul></div><p>
+                                </p><div class="itemizedlist"><ul type="disc"><li><p>Shares themselves (i.e., the logical share itself)</p></li><li><p>The share definition in <code class="filename">smb.conf</code></p></li><li><p>The shared directories and files using UNIX permissions</p></li><li><p>Using Windows 2000 ACLs  if the file system is POSIX enabled</p></li></ul></div><p>
                                 Examples of each are given in <a class="link" href="kerberos.html#ch10expl" title="Implementation">&#8220;Implementation&#8221;</a>.
                                 </p></dd><dt><span class="term">User and Group Controls</span></dt><dd><p><a class="indexterm" name="id2618114"></a><a class="indexterm" name="id2618122"></a><a class="indexterm" name="id2618134"></a><a class="indexterm" name="id2618145"></a><a class="indexterm" name="id2618153"></a><a class="indexterm" name="id2618161"></a><a class="indexterm" name="id2618168"></a><a class="indexterm" name="id2618176"></a><a class="indexterm" name="id2618184"></a>
+                                </p></dd><dt><span class="term">User and Group Controls</span></dt><dd><p><a class="indexterm" name="id2612029"></a><a class="indexterm" name="id2612037"></a><a class="indexterm" name="id2612049"></a><a class="indexterm" name="id2612060"></a><a class="indexterm" name="id2612068"></a><a class="indexterm" name="id2612075"></a><a class="indexterm" name="id2612083"></a><a class="indexterm" name="id2612091"></a><a class="indexterm" name="id2612099"></a>
                                 User and group management facilities as known in the Windows ADS environment may be
                                 used to provide equivalent access control constraints or to provide equivalent
 …
                                 Windows 200x/XP. For example, access controls on a Samba server may be set within
                                 the share definition in a manner for which Windows has no equivalent.
                                 </p><p><a class="indexterm" name="id2618204"></a><a class="indexterm" name="id2618212"></a><a class="indexterm" name="id2618220"></a><a class="indexterm" name="id2618228"></a><a class="indexterm" name="id2618239"></a><a class="indexterm" name="id2618247"></a><a class="indexterm" name="id2618255"></a>
+                                </p><p><a class="indexterm" name="id2612119"></a><a class="indexterm" name="id2612127"></a><a class="indexterm" name="id2612135"></a><a class="indexterm" name="id2612143"></a><a class="indexterm" name="id2612154"></a><a class="indexterm" name="id2612162"></a><a class="indexterm" name="id2612170"></a>
                                 In any serious analysis of system security, it is important to examine the safeguards
                                 that remain when all other protective measures fail. An administrator may inadvertently
 …
                                 possible to guard against that by enforcing controls on the share definition itself. You
                                 see a practical example of this a little later in this chapter.
                                 </p><p><a class="indexterm" name="id2618277"></a><a class="indexterm" name="id2618285"></a>
+                                </p><p><a class="indexterm" name="id2612192"></a><a class="indexterm" name="id2612200"></a>
                                 The report that is critical of Samba really ought to have exercised greater due
                                 diligence: the real weakness is on the side of a Microsoft Windows environment.
                                 </p></dd><dt><span class="term">Security Overall</span></dt><dd><p><a class="indexterm" name="id2618307"></a>
+                                </p></dd><dt><span class="term">Security Overall</span></dt><dd><p><a class="indexterm" name="id2612222"></a>
                                 Samba is designed in such a manner that weaknesses inherent in the design of
                                 Microsoft Windows networking ought not to expose the underlying UNIX/Linux file
                                 system in any way. All software has potential defects, and Samba is no exception.
                                 What matters more is how defects that are discovered get dealt with.
                                 </p><p><a class="indexterm" name="id2618324"></a><a class="indexterm" name="id2618332"></a><a class="indexterm" name="id2618339"></a><a class="indexterm" name="id2618347"></a>
+                                </p><p><a class="indexterm" name="id2612238"></a><a class="indexterm" name="id2612246"></a><a class="indexterm" name="id2612254"></a><a class="indexterm" name="id2612262"></a>
                                 The Samba Team totally agrees with the necessity to observe and fully implement
                                 every security facility to provide a level of protection and security that is necessary
 …
                                 security be publicly condoned; yet this is the practice by many Windows network
                                 administrators just to make happy users who have no notion of consequential risk.
                                 </p><p><a class="indexterm" name="id2618367"></a><a class="indexterm" name="id2618375"></a><a class="indexterm" name="id2618383"></a><a class="indexterm" name="id2618391"></a><a class="indexterm" name="id2618399"></a><a class="indexterm" name="id2618407"></a><a class="indexterm" name="id2618415"></a>
+                                </p><p><a class="indexterm" name="id2612282"></a><a class="indexterm" name="id2612290"></a><a class="indexterm" name="id2612298"></a><a class="indexterm" name="id2612306"></a><a class="indexterm" name="id2612314"></a><a class="indexterm" name="id2612322"></a><a class="indexterm" name="id2612330"></a>
                                 The report condemns Samba for releasing updates and security fixes, yet Microsoft
                                 online updates need to be applied almost weekly. The answer to the criticism
 …
                                 user needs are being increasingly met or exceeded, and security updates are issued
                                 with a short turnaround time.
                                 </p><p><a class="indexterm" name="id2618433"></a><a class="indexterm" name="id2618441"></a><a class="indexterm" name="id2618449"></a><a class="indexterm" name="id2618456"></a><a class="indexterm" name="id2618464"></a>
+                                </p><p><a class="indexterm" name="id2612347"></a><a class="indexterm" name="id2612355"></a><a class="indexterm" name="id2612363"></a><a class="indexterm" name="id2612371"></a><a class="indexterm" name="id2612379"></a>
                                 The release of Samba-4 is expected around late 2004 to early 2005 and involves a near
                                 complete rewrite to permit extensive modularization and to prepare Samba for new
 …
                                 degree of dependability and on charter development consistent with published
                                 roadmap projections.
                                 </p><p><a class="indexterm" name="id2618494"></a><a class="indexterm" name="id2618502"></a><a class="indexterm" name="id2618514"></a><a class="indexterm" name="id2618525"></a><a class="indexterm" name="id2618533"></a><a class="indexterm" name="id2618541"></a><a class="indexterm" name="id2618549"></a>
+                                </p><p><a class="indexterm" name="id2612409"></a><a class="indexterm" name="id2612417"></a><a class="indexterm" name="id2612429"></a><a class="indexterm" name="id2612440"></a><a class="indexterm" name="id2612448"></a><a class="indexterm" name="id2612456"></a><a class="indexterm" name="id2612464"></a>
                                 Not well published is the fact that Microsoft was a foundation member of
                                 the Common Internet File System (CIFS) initiative, together with the participation
 …
                                 CIFS conferences and at the interoperability laboratories run concurrently with
                                 them.
                                 </p></dd><dt><span class="term">Cryptographic Controls (schannel, sign'n'seal)</span></dt><dd><p><a class="indexterm" name="id2618579"></a><a class="indexterm" name="id2618587"></a><a class="indexterm" name="id2618595"></a>
+                                </p></dd><dt><span class="term">Cryptographic Controls (schannel, sign'n'seal)</span></dt><dd><p><a class="indexterm" name="id2612494"></a><a class="indexterm" name="id2612502"></a><a class="indexterm" name="id2612510"></a>
                                 The report correctly mentions that Samba did not support the most recent
                                 <code class="constant">schannel</code> and <code class="constant">digital sign'n'seal</code> features
 …
                                 pathology report  they reflect accurately (at best) status at a snapshot in time.
                                 Meanwhile, the world moves on.
                                 </p><p><a class="indexterm" name="id2618625"></a><a class="indexterm" name="id2618633"></a><a class="indexterm" name="id2618640"></a><a class="indexterm" name="id2618648"></a><a class="indexterm" name="id2618656"></a><a class="indexterm" name="id2618671"></a><a class="indexterm" name="id2618679"></a>
+                                </p><p><a class="indexterm" name="id2612540"></a><a class="indexterm" name="id2612548"></a><a class="indexterm" name="id2612555"></a><a class="indexterm" name="id2612563"></a><a class="indexterm" name="id2612571"></a><a class="indexterm" name="id2612586"></a><a class="indexterm" name="id2612594"></a>
                                 It should be pointed out that had clear public specifications for the protocols
                                 been published, it would have been much easier to implement these features and would have
 …
                                 and defensible standards is obvious to all and would have enabled more secure networking
                                 for everyone.
                                 </p><p><a class="indexterm" name="id2618700"></a><a class="indexterm" name="id2618708"></a>
+                                </p><p><a class="indexterm" name="id2612614"></a><a class="indexterm" name="id2612622"></a>
                                 Critics of Samba often ignore fundamental problems that may plague (or may have plagued)
                                 the users of Microsoft's products also. Those who are first to criticize Samba
 …
                                 Windows networking sites. From notes such as this it is clear that there are benefits
                                 from not rushing new technology out of the door too soon.
                                 </p><p><a class="indexterm" name="id2618748"></a><a class="indexterm" name="id2618756"></a><a class="indexterm" name="id2618764"></a><a class="indexterm" name="id2618772"></a><a class="indexterm" name="id2618780"></a><a class="indexterm" name="id2618787"></a><a class="indexterm" name="id2618796"></a><a class="indexterm" name="id2618803"></a><a class="indexterm" name="id2618811"></a>
+                                </p><p><a class="indexterm" name="id2612662"></a><a class="indexterm" name="id2612670"></a><a class="indexterm" name="id2612678"></a><a class="indexterm" name="id2612686"></a><a class="indexterm" name="id2612694"></a><a class="indexterm" name="id2612702"></a><a class="indexterm" name="id2612710"></a><a class="indexterm" name="id2612718"></a><a class="indexterm" name="id2612726"></a>
                                 One final comment is warranted. If companies want more secure networking protocols,
                                 the most effective method by which this can be achieved is by users seeking
 …
                                 and yet by which they are made to interoperate in ways that the components do not
                                 support.
                                 </p><p><a class="indexterm" name="id2618899"></a><a class="indexterm" name="id2618910"></a><a class="indexterm" name="id2618918"></a><a class="indexterm" name="id2618926"></a><a class="indexterm" name="id2618934"></a>
+                                </p><p><a class="indexterm" name="id2612814"></a><a class="indexterm" name="id2612825"></a><a class="indexterm" name="id2612833"></a><a class="indexterm" name="id2612841"></a><a class="indexterm" name="id2612849"></a>
                                 In order to make the popular request for Samba to be an Active Directory Server a
                                 reality, it is necessary to add to OpenLDAP, Kerberos, as well as Samba, RPC calls
 …
                                 the Samba Team does not make it a priority to absorb Kerberos and LDAP functionality
                                 into the Samba project, this dream request cannot become a reality.
                                 </p><p><a class="indexterm" name="id2618965"></a><a class="indexterm" name="id2618973"></a><a class="indexterm" name="id2618981"></a><a class="indexterm" name="id2618992"></a><a class="indexterm" name="id2619000"></a>
+                                </p><p><a class="indexterm" name="id2612880"></a><a class="indexterm" name="id2612888"></a><a class="indexterm" name="id2612896"></a><a class="indexterm" name="id2612907"></a><a class="indexterm" name="id2612914"></a>
                                 At this time, the integration of LDAP, Kerberos, and the missing RPCs is not on the
                                 Samba development roadmap. If it is not on the published roadmap, it cannot be delivered
 …
                                 The Samba Team is most committed to permitting Samba to be a full ADS domain member
                                 that is increasingly capable of being managed using Microsoft Windows MMC tools.
                                 </p></dd></dl></div><div class="sect3" title="Kerberos Exposed"><div class="titlepage"><div><div><h4 class="title"><a name="id2619019"></a>Kerberos Exposed</h4></div></div></div><p><a class="indexterm" name="id2619026"></a><a class="indexterm" name="id2619034"></a><a class="indexterm" name="id2619042"></a>
+                                </p></dd></dl></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2612934"></a>Kerberos Exposed</h4></div></div></div><p><a class="indexterm" name="id2612941"></a><a class="indexterm" name="id2612949"></a><a class="indexterm" name="id2612957"></a>
         Kerberos is a network authentication protocol that provides secure authentication for
         client-server applications by using secret-key cryptography. Firewalls are an insufficient
 …
         traffic but cannot prevent network traffic that comes from authorized locations from
         performing unauthorized activities.
         </p><p><a class="indexterm" name="id2619060"></a><a class="indexterm" name="id2619068"></a><a class="indexterm" name="id2619076"></a>
+        </p><p><a class="indexterm" name="id2612975"></a><a class="indexterm" name="id2612983"></a><a class="indexterm" name="id2612991"></a>
         Kerberos was created by MIT as a solution to network security problems. The Kerberos protocol uses
         strong cryptography so that a client can prove its identity to a server (and vice versa) across an
 …
         they can also encrypt all of their communications to assure privacy and data integrity as they go
         about their business.
         </p><p><a class="indexterm" name="id2619094"></a><a class="indexterm" name="id2619102"></a><a class="indexterm" name="id2619110"></a><a class="indexterm" name="id2619118"></a><a class="indexterm" name="id2619129"></a>
+        </p><p><a class="indexterm" name="id2613009"></a><a class="indexterm" name="id2613017"></a><a class="indexterm" name="id2613025"></a><a class="indexterm" name="id2613033"></a><a class="indexterm" name="id2613044"></a>
         Kerberos is a trusted third-party service. That means that there is a third party (the kerberos
         server) that is trusted by all the entities on the network (users and services, usually called
 …
         trusting the kerberos server, users and services can authenticate each other.
         </p><p>
         <a class="indexterm" name="id2619149"></a>
         <a class="indexterm" name="id2619156"></a>
         <a class="indexterm" name="id2619163"></a>
+        <a class="indexterm" name="id2613064"></a>
+        <a class="indexterm" name="id2613071"></a>
+        <a class="indexterm" name="id2613078"></a>
         Kerberos was, until recently, a technology that was restricted from being exported from the United States.
         For many years that hindered global adoption of more secure networking technologies both within the United States
 …
         and use of Kerberos across the spectrum of the information technology industry.
         </p><p>
         <a class="indexterm" name="id2619193"></a>
+        <a class="indexterm" name="id2613107"></a>
         A storm has broken out concerning interoperability between MIT Kerberos and Microsofts' implementation
         of it. For example, a 2002
         <a class="ulink" href="http://www.idg.com.sg/idgwww.nsf/0/5DDA8D153A7505A748256BAB000D992A?OpenDocument" target="_top">IDG</a>
         report<sup>[<a name="id2619212" href="#ftn.id2619212" class="footnote">13</a>]</sup> by
+        report<sup>[<a name="id2613126" href="#ftn.id2613126" class="footnote">13</a>]</sup> by
         states:
         </p><div class="blockquote"><blockquote class="blockquote"><p>
 …
         use of the Kerberos authentication specification, not everyone agrees.
         </p><p>
         <a class="indexterm" name="id2619238"></a>
+        <a class="indexterm" name="id2613152"></a>
         Robert Short, vice president of Windows core technology at Microsoft, wrote in his direct testimony prepared
         before his appearance that non-Microsoft operating systems can disregard the portion of the Kerberos version
 …
         that software developers could add their own authorization information, he said.
         </p></blockquote></div><p>
         <a class="indexterm" name="id2619261"></a>
         <a class="indexterm" name="id2619267"></a>
+        <a class="indexterm" name="id2613176"></a>
+        <a class="indexterm" name="id2613182"></a>
         It so happens that Microsoft Windows clients depend on and expect the contents of the <span class="emphasis"><em>unspecified
         fields</em></span> in the Kerberos 5 communications data stream for their Windows interoperability,
 …
         <a class="ulink" href="http://www.microsoft.com/technet/itsolutions/interop/mgmt/kerberos.asp" target="_top">
         technet</a> article:
         </p><div class="blockquote"><blockquote class="blockquote"><p><a class="indexterm" name="id2619303"></a><a class="indexterm" name="id2619314"></a>
+        </p><div class="blockquote"><blockquote class="blockquote"><p><a class="indexterm" name="id2613217"></a><a class="indexterm" name="id2613229"></a>
         The DCE Security Services are also layered on the Kerberos protocol. DCE authentication services use RPC
         representation of Kerberos protocol messages. In addition, DCE uses the authorization data field in Kerberos
 …
         is not an issue with Kerberos interoperability, but rather an issue of interoperability between DCE and
         Windows NT access control information.
         </p></blockquote></div></div></div></div><div class="sect1" title="Implementation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch10expl"></a>Implementation</h2></div></div></div><p>
+        </p></blockquote></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch10expl"></a>Implementation</h2></div></div></div><p>
         The following procedures outline the implementation of the security measures discussed so far.
         </p><div class="sect2" title="Share Access Controls"><div class="titlepage"><div><div><h3 class="title"><a name="id2619366"></a>Share Access Controls</h3></div></div></div><p><a class="indexterm" name="id2619373"></a><a class="indexterm" name="id2619380"></a><a class="indexterm" name="id2619388"></a>
+        </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2613280"></a>Share Access Controls</h3></div></div></div><p><a class="indexterm" name="id2613287"></a><a class="indexterm" name="id2613295"></a><a class="indexterm" name="id2613303"></a>
         Access control entries placed on the share itself act as a filter at the time a when CIFS/SMB client (such as
         Windows XP Pro) attempts to make a connection to the Samba server.
         </p><div class="procedure" title="Procedure 11.1. Create/Edit/Delete Share ACLs"><a name="id2619402"></a><p class="title"><b>Procedure 11.1. Create/Edit/Delete Share ACLs</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p><a class="indexterm" name="id2619412"></a><a class="indexterm" name="id2619420"></a>
+        </p><div class="procedure"><a name="id2613316"></a><p class="title"><b>Procedure 11.1. Create/Edit/Delete Share ACLs</b></p><ol type="1"><li><p><a class="indexterm" name="id2613327"></a><a class="indexterm" name="id2613335"></a>
                 From a Windows 200x/XP Professional workstation, log on to the domain using the Domain Administrator
                 account (on Samba domains, this is usually the account called <code class="constant">root</code>).
                 </p></li><li class="step" title="Step 2"><p>
+                </p></li><li><p>
                 Click
                 <span class="guimenu">Start</span> &#8594; <span class="guimenuitem">Settings</span> &#8594; <span class="guimenuitem">Control Panel</span> &#8594; <span class="guimenuitem">Administrative Tools</span> &#8594; <span class="guimenuitem">Computer Management</span>.
                 </p></li><li class="step" title="Step 3"><p>
+                </p></li><li><p>
                 In the left panel,
                 <span class="guimenu">[Right mouse menu item] Computer Management (Local)</span> &#8594; <span class="guimenuitem">Connect to another computer ...</span> &#8594; <span class="guimenuitem">Browse...</span> &#8594; <span class="guimenuitem">Advanced</span> &#8594; <span class="guimenuitem">Find Now</span>. In the lower panel, click on the name of the server you wish to
                 administer. Click <span class="guimenu">OK</span> &#8594; <span class="guimenuitem">OK</span> &#8594; <span class="guimenuitem">OK</span>.<a class="indexterm" name="id2619543"></a>
+                administer. Click <span class="guimenu">OK</span> &#8594; <span class="guimenuitem">OK</span> &#8594; <span class="guimenuitem">OK</span>.<a class="indexterm" name="id2613458"></a>
                 In the left panel, the entry <span class="guimenu">Computer Management (Local)</span> should now reflect
                 the change made. For example, if the server you are administering is called <code class="constant">FRODO</code>,
                 the Computer Management entry should now say <span class="guimenu">Computer Management (FRODO)</span>.
                 </p></li><li class="step" title="Step 4"><p>
+                </p></li><li><p>
                 In the left panel, click <span class="guimenu">Computer Management (FRODO)</span> &#8594; <span class="guimenuitem">[+] Shared Folders</span> &#8594; <span class="guimenuitem">Shares</span>.
                 </p></li><li class="step" title="Step 5"><p><a class="indexterm" name="id2619607"></a><a class="indexterm" name="id2619615"></a>
+                </p></li><li><p><a class="indexterm" name="id2613522"></a><a class="indexterm" name="id2613530"></a>
                 In the right panel, double-click on the share on which you wish to set/edit ACLs. This
                 will bring up the Properties panel. Click the <span class="guimenu">Share Permissions</span> tab.
                 </p></li><li class="step" title="Step 6"><p><a class="indexterm" name="id2619638"></a><a class="indexterm" name="id2619646"></a><a class="indexterm" name="id2619654"></a><a class="indexterm" name="id2619662"></a><a class="indexterm" name="id2619670"></a><a class="indexterm" name="id2619678"></a>
+                </p></li><li><p><a class="indexterm" name="id2613553"></a><a class="indexterm" name="id2613561"></a><a class="indexterm" name="id2613569"></a><a class="indexterm" name="id2613577"></a><a class="indexterm" name="id2613585"></a><a class="indexterm" name="id2613593"></a>
                 You may now edit/add/remove access control settings. Be very careful. Many problems have been
                 created by people who decided that everyone should be rejected but one particular group should
 …
                 belong to the group <code class="constant">Everyone</code>, which therefore overrules any permissions
                 set for the permitted group.
                 </p></li><li class="step" title="Step 7"><p>
+                </p></li><li><p>
                 When you are done with editing, close all panels by clicking through the <span class="guimenu">OK</span>
                 buttons.
                 </p></li></ol></div></div><div class="sect2" title="Share Definition Controls"><div class="titlepage"><div><div><h3 class="title"><a name="id2619714"></a>Share Definition Controls</h3></div></div></div><p><a class="indexterm" name="id2619721"></a><a class="indexterm" name="id2619733"></a><a class="indexterm" name="id2619741"></a><a class="indexterm" name="id2619748"></a><a class="indexterm" name="id2619756"></a><a class="indexterm" name="id2619764"></a>
+                </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2613629"></a>Share Definition Controls</h3></div></div></div><p><a class="indexterm" name="id2613636"></a><a class="indexterm" name="id2613648"></a><a class="indexterm" name="id2613655"></a><a class="indexterm" name="id2613663"></a><a class="indexterm" name="id2613671"></a><a class="indexterm" name="id2613679"></a>
         Share-definition-based access controls can be used like a checkpoint or like a pile-driver. Just as a
         checkpoint can be used to require someone who wants to get through to meet certain requirements, so
 …
         credential-related objectives, the user can be granted powers and privileges that would not normally be
         available under default settings.
         </p><p><a class="indexterm" name="id2619785"></a><a class="indexterm" name="id2619793"></a><a class="indexterm" name="id2619800"></a><a class="indexterm" name="id2619809"></a>
+        </p><p><a class="indexterm" name="id2613699"></a><a class="indexterm" name="id2613707"></a><a class="indexterm" name="id2613715"></a><a class="indexterm" name="id2613723"></a>
         It must be emphasized that the controls discussed here can act as a filter or give rights of passage
         that act as a superstructure over normal directory and file access controls. However, share-level
 …
         share-level controls to get to the share-definition controls. The proper hierarchy of controls implemented
         by Samba and Windows networking consists of:
         </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Share-level ACLs</p></li><li class="listitem"><p>Share-definition controls</p></li><li class="listitem"><p>Directory and file permissions</p></li><li class="listitem"><p>Directory and file POSIX ACLs</p></li></ol></div><div class="sect3" title="Checkpoint Controls"><div class="titlepage"><div><div><h4 class="title"><a name="id2619854"></a>Checkpoint Controls</h4></div></div></div><p><a class="indexterm" name="id2619861"></a>
+        </p><div class="orderedlist"><ol type="1"><li><p>Share-level ACLs</p></li><li><p>Share-definition controls</p></li><li><p>Directory and file permissions</p></li><li><p>Directory and file POSIX ACLs</p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2613769"></a>Checkpoint Controls</h4></div></div></div><p><a class="indexterm" name="id2613775"></a>
         Consider the following extract from a <code class="filename">smb.conf</code> file defining the share called <code class="constant">Apps</code>:
 </p><pre class="screen">
 …
         This definition permits only those who are members of the group called <code class="constant">Employees</code> to
         access the share.
         </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><a class="indexterm" name="id2619896"></a><a class="indexterm" name="id2619908"></a><a class="indexterm" name="id2619916"></a><a class="indexterm" name="id2619924"></a><a class="indexterm" name="id2619932"></a>
+        </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><a class="indexterm" name="id2613811"></a><a class="indexterm" name="id2613822"></a><a class="indexterm" name="id2613831"></a><a class="indexterm" name="id2613839"></a><a class="indexterm" name="id2613846"></a>
         On domain member servers and clients, even when the <em class="parameter"><code>winbind use default domain</code></em> has
         been specified, the use of domain accounts in security controls requires fully qualified domain specification,
 …
         Note the necessity to use the double quotes to avoid having the space in the Windows group name interpreted as a
         delimiter.
         </p></div><p><a class="indexterm" name="id2619967"></a><a class="indexterm" name="id2619974"></a><a class="indexterm" name="id2619982"></a>
+        </p></div><p><a class="indexterm" name="id2613882"></a><a class="indexterm" name="id2613889"></a><a class="indexterm" name="id2613897"></a>
         If there is an ACL on the share itself to permit read/write access for all <code class="constant">Employees</code>
         as well as read/write for the group <code class="constant">Doctors</code>, both groups are permitted through
 …
         the group <code class="constant">Doctors</code>, who is not also a member of the group <code class="constant">Employees</code>,
         would immediately fail to validate.
         </p><p><a class="indexterm" name="id2620013"></a>
+        </p><p><a class="indexterm" name="id2613928"></a>
         Consider another example. In this case, you want to permit all members of the group <code class="constant">Employees</code>
         except the user <code class="constant">patrickj</code> to access the <code class="constant">Apps</code> share. This can be
 …
         invalid users = patrickj
 </pre><p>
             <a class="indexterm" name="id2620054"></a>
+            <a class="indexterm" name="id2613969"></a>
         Let us assume that you want to permit the user <code class="constant">gbshaw</code> to manage any file in the
         UNIX/Linux file system directory <code class="filename">/data/apps</code>, but you do not want to grant any write
 …
         admin users = gbshaw
 </pre><p>
             <a class="indexterm" name="id2620085"></a>
+            <a class="indexterm" name="id2613999"></a>
         Now we have a set of controls that permits only <code class="constant">Employees</code> who are also members of
         the group <code class="constant">Doctors</code>, excluding the user <code class="constant">patrickj</code>, to have
 …
         write list = peters
 </pre><p>
             <a class="indexterm" name="id2620145"></a>
+            <a class="indexterm" name="id2614059"></a>
         This is a particularly complex example at this point, but it begins to demonstrate the possibilities.
         You should refer to the online manual page for the <code class="filename">smb.conf</code> file for more information regarding
         the checkpoint controls that Samba implements.
         </p></div><div class="sect3" title="Override Controls"><div class="titlepage"><div><div><h4 class="title"><a name="id2620166"></a>Override Controls</h4></div></div></div><p><a class="indexterm" name="id2620173"></a>
+        </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2614081"></a>Override Controls</h4></div></div></div><p><a class="indexterm" name="id2614088"></a>
         Override controls implemented by Samba permit actions like the adoption of a different identity
         during file system operations, the forced overwriting of normal file and directory permissions,
 …
         force group = Mentors
 </pre><p>
             <a class="indexterm" name="id2620217"></a><a class="indexterm" name="id2620225"></a>
+            <a class="indexterm" name="id2614132"></a><a class="indexterm" name="id2614140"></a>
         That is all there is to it. Well, it is almost that simple. The downside of this method is that
         users are logged onto the Windows client as themselves, and then immediately before accessing the
 …
         This imposes significant overhead on Samba. The alternative way to effectively achieve the same result
         (but with lower system CPU overheads) is described next.
         </p><p><a class="indexterm" name="id2620245"></a><a class="indexterm" name="id2620253"></a><a class="indexterm" name="id2620261"></a><a class="indexterm" name="id2620272"></a><a class="indexterm" name="id2620280"></a>
+        </p><p><a class="indexterm" name="id2614160"></a><a class="indexterm" name="id2614168"></a><a class="indexterm" name="id2614176"></a><a class="indexterm" name="id2614187"></a><a class="indexterm" name="id2614195"></a>
         The use of the <em class="parameter"><code>force user</code></em> or the <em class="parameter"><code>force group</code></em> may
         also have a severe impact on system (particularly on Windows client) performance. If opportunistic
 …
         apparent performance degradation as the client continually attempts to reconnect to overcome the
         effect of the lost <code class="constant">oplock break</code>, or time-out.
         </p></div></div><div class="sect2" title="Share Point Directory and File Permissions"><div class="titlepage"><div><div><h3 class="title"><a name="id2620328"></a>Share Point Directory and File Permissions</h3></div></div></div><p><a class="indexterm" name="id2620335"></a><a class="indexterm" name="id2620343"></a><a class="indexterm" name="id2620351"></a><a class="indexterm" name="id2620358"></a>
+        </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2614242"></a>Share Point Directory and File Permissions</h3></div></div></div><p><a class="indexterm" name="id2614250"></a><a class="indexterm" name="id2614257"></a><a class="indexterm" name="id2614265"></a><a class="indexterm" name="id2614273"></a>
         Samba has been designed and implemented so that it respects as far as is feasible the security and
         user privilege controls that are built into the UNIX/Linux operating system. Samba does nothing
 …
         from a basic UNIX training guide. Instead, one common example of a typical problem is used
         to demonstrate the most effective solution referred to in the immediately preceding paragraph.
         </p><p><a class="indexterm" name="id2620381"></a><a class="indexterm" name="id2620389"></a><a class="indexterm" name="id2620397"></a>
+        </p><p><a class="indexterm" name="id2614296"></a><a class="indexterm" name="id2614304"></a><a class="indexterm" name="id2614312"></a>
         One of the common issues that repeatedly pops up on the Samba mailing lists involves the saving of
         Microsoft Office files (Word and Excel) to a network drive. Here is the typical sequence:
         </p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
+        </p><div class="orderedlist"><ol type="1"><li><p>
                 A user opens a Word document from a network drive. The file was owned by user <code class="constant">janetp</code>
                 and  [users], and was set read/write-enabled for everyone.
                 A user opens a Word document from a network drive. The file was owned by user <code class="constant">janetp</code>
                 and <code class="constant">users</code>, and was set read/write-enabled for everyone.
                 </p></li><li class="listitem"><p>
+                </p></li><li><p>
                 File changes and edits are made.
                 </p></li><li class="listitem"><p>
+                </p></li><li><p>
                 The file is saved, and MS Word is closed.
                 </p></li><li class="listitem"><p>
+                </p></li><li><p>
                 The file is now owned by the user <code class="constant">billc</code> and group <code class="constant">doctors</code>,
                 and is set read/write by <code class="constant">billc</code>, read-only by <code class="constant">doctors</code>, and
                 no access by everyone.
                 </p></li><li class="listitem"><p>
                 The original owner cannot now access her own file and is <span class="quote">&#8220;<span class="quote">justifiably</span>&#8221;</span> upset.
+                </p></li><li><p>
+                The original owner cannot now access her own file and is &#8220;<span class="quote">justifiably</span>&#8221; upset.
                 </p></li></ol></div><p>
         There have been many postings over the years that report the same basic problem. Frequently Samba users
         want to know when this <span class="quote">&#8220;<span class="quote">bug</span>&#8221;</span> will be fixed. The fact is, this is not a bug in Samba at all.
+        want to know when this &#8220;<span class="quote">bug</span>&#8221; will be fixed. The fact is, this is not a bug in Samba at all.
         Here is the real sequence of what happens in this case.
         </p><p><a class="indexterm" name="id2620498"></a><a class="indexterm" name="id2620506"></a><a class="indexterm" name="id2620514"></a>
+        </p><p><a class="indexterm" name="id2614413"></a><a class="indexterm" name="id2614421"></a><a class="indexterm" name="id2614429"></a>
         When the user saves a file, MS Word creates a new (temporary) file. This file is naturally owned
         by the user who creates the file (<code class="constant">billc</code>) and has the permissions that follow
 …
         operations.
         </p><p>
         The question is, <span class="quote">&#8220;<span class="quote">How can we solve the problem?</span>&#8221;</span>
+        The question is, &#8220;<span class="quote">How can we solve the problem?</span>&#8221;
         </p><p>
         The solution is simple. Use UNIX file system permissions and controls to your advantage. Follow these
         simple steps to create a share in which all files will consistently be owned by the same user and the
         same group:
         </p><div class="procedure" title="Procedure 11.2. Using Directory Permissions to Force File User and Group Ownership"><a name="id2620561"></a><p class="title"><b>Procedure 11.2. Using Directory Permissions to Force File User and Group Ownership</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
+        </p><div class="procedure"><a name="id2614475"></a><p class="title"><b>Procedure 11.2. Using Directory Permissions to Force File User and Group Ownership</b></p><ol type="1"><li><p>
                 Change your share definition so that it matches this pattern:
 </p><pre class="screen">
 …
         read only = No
 </pre><p>
                 </p></li><li class="step" title="Step 2"><p><a class="indexterm" name="id2620587"></a><a class="indexterm" name="id2620598"></a>
+                </p></li><li><p><a class="indexterm" name="id2614501"></a><a class="indexterm" name="id2614513"></a>
                 Set consistent user and group permissions recursively down the directory tree as shown here:
 </p><pre class="screen">
 <code class="prompt">root# </code> chown -R janetp.users /usr/data/finance
 </pre><p>
                 </p></li><li class="step" title="Step 3"><p><a class="indexterm" name="id2620630"></a>
+                </p></li><li><p><a class="indexterm" name="id2614544"></a>
                 Set the files and directory permissions to be read/write for owner and group, and not accessible
                 to others (everyone), using the following command:
 …
 <code class="prompt">root# </code> chmod ug+rwx,o-rwx /usr/data/finance
 </pre><p>
                 </p></li><li class="step" title="Step 4"><p><a class="indexterm" name="id2620659"></a>
+                </p></li><li><p><a class="indexterm" name="id2614574"></a>
                 Set the SGID (supergroup) bit on all directories from the top down. This means all files
                 can be created with the permissions of the group set on the directory. It means all users
 …
 </pre><p>
                 </p></li><li class="step" title="Step 5"><p><a class="indexterm" name="id2620699"></a><a class="indexterm" name="id2620707"></a><a class="indexterm" name="id2620715"></a>
+                </p></li><li><p><a class="indexterm" name="id2614614"></a><a class="indexterm" name="id2614622"></a><a class="indexterm" name="id2614630"></a>
                 Make sure all users that must have read/write access to the directory have
                 <code class="constant">finance</code> group membership as their primary group,
                 for example, the group they belong to in <code class="filename">/etc/passwd</code>.
                 </p></li></ol></div></div><div class="sect2" title="Managing Windows 200x ACLs"><div class="titlepage"><div><div><h3 class="title"><a name="id2620740"></a>Managing Windows 200x ACLs</h3></div></div></div><p><a class="indexterm" name="id2620747"></a><a class="indexterm" name="id2620755"></a><a class="indexterm" name="id2620763"></a><a class="indexterm" name="id2620771"></a>
+                </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2614655"></a>Managing Windows 200x ACLs</h3></div></div></div><p><a class="indexterm" name="id2614662"></a><a class="indexterm" name="id2614670"></a><a class="indexterm" name="id2614678"></a><a class="indexterm" name="id2614686"></a>
         Samba must translate Windows 2000 ACLs to UNIX POSIX ACLs. This has some interesting side effects because
         there is not a one-to-one equivalence between them. The as-close-as-possible ACLs match means
 …
         There are two possible ways to set ACLs on UNIX/Linux file systems from a Windows network workstation,
         either via File Manager or via the Microsoft Management Console (MMC) Computer Management interface.
         </p><div class="sect3" title="Using the MMC Computer Management Interface"><div class="titlepage"><div><div><h4 class="title"><a name="id2620795"></a>Using the MMC Computer Management Interface</h4></div></div></div><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
+        </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2614709"></a>Using the MMC Computer Management Interface</h4></div></div></div><div class="procedure"><ol type="1"><li><p>
                 From a Windows 200x/XP Professional workstation, log on to the domain using the Domain Administrator
                 account (on Samba domains, this is usually the account called <code class="constant">root</code>).
                 </p></li><li class="step" title="Step 2"><p>
+                </p></li><li><p>
                 Click
                 <span class="guimenu">Start</span> &#8594; <span class="guimenuitem">Settings</span> &#8594; <span class="guimenuitem">Control Panel</span> &#8594; <span class="guimenuitem">Administrative Tools</span> &#8594; <span class="guimenuitem">Computer Management</span>.
                 </p></li><li class="step" title="Step 3"><p>
+                </p></li><li><p>
                 In the left panel,
                 <span class="guimenu">[Right mouse menu item] Computer Management (Local)</span> &#8594; <span class="guimenuitem">Connect to another computer ...</span> &#8594; <span class="guimenuitem">Browse...</span> &#8594; <span class="guimenuitem">Advanced</span> &#8594; <span class="guimenuitem">Find Now</span>. In the lower panel, click on the name of the server you wish to
 …
                 the change made. For example, if the server you are administering is called <code class="constant">FRODO</code>,
                 the Computer Management entry should now say: <span class="guimenu">Computer Management (FRODO)</span>.
                 </p></li><li class="step" title="Step 4"><p>
+                </p></li><li><p>
                 In the left panel, click <span class="guimenu">Computer Management (FRODO)</span> &#8594; <span class="guimenuitem">[+] Shared Folders</span> &#8594; <span class="guimenuitem">Shares</span>.
                 </p></li><li class="step" title="Step 5"><p><a class="indexterm" name="id2620978"></a><a class="indexterm" name="id2620986"></a><a class="indexterm" name="id2620993"></a><a class="indexterm" name="id2621001"></a>
+                </p></li><li><p><a class="indexterm" name="id2614892"></a><a class="indexterm" name="id2614900"></a><a class="indexterm" name="id2614908"></a><a class="indexterm" name="id2614916"></a>
                 In the right panel, double-click on the share on which you wish to set/edit ACLs. This
                 brings up the Properties panel. Click the <span class="guimenu">Security</span> tab. It is best
 …
                 functionality under the <code class="constant">Permissions</code> tab can be utilized with respect
                 to a Samba domain server.
                 </p></li><li class="step" title="Step 6"><p><a class="indexterm" name="id2621041"></a><a class="indexterm" name="id2621049"></a>
+                </p></li><li><p><a class="indexterm" name="id2614956"></a><a class="indexterm" name="id2614964"></a>
                 You may now edit/add/remove access control settings. Be very careful. Many problems have been
                 created by people who decided that everyone should be rejected but one particular group should
 …
                 belong to the group <code class="constant">Everyone</code>, which therefore overrules any permissions
                 set for the permitted group.
                 </p></li><li class="step" title="Step 7"><p>
+                </p></li><li><p>
                 When you are done with editing, close all panels by clicking through the <span class="guimenu">OK</span>
                 buttons until the last panel closes.
                 </p></li></ol></div></div><div class="sect3" title="Using MS Windows Explorer (File Manager)"><div class="titlepage"><div><div><h4 class="title"><a name="id2621086"></a>Using MS Windows Explorer (File Manager)</h4></div></div></div><p>
+                </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2615000"></a>Using MS Windows Explorer (File Manager)</h4></div></div></div><p>
         The following alternative method may be used from a Windows workstation. In this example we work
         with a domain called <code class="constant">MEGANET</code>, a server called <code class="constant">MASSIVE</code>, and a
         share called <code class="constant">Apps</code>. The underlying UNIX/Linux share point for this share is
         <code class="filename">/data/apps</code>.
         </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
+        </p><div class="procedure"><ol type="1"><li><p>
                 Click <span class="guimenu">Start</span> &#8594; <span class="guimenuitem">[right-click] My Computer</span> &#8594; <span class="guimenuitem">Explore</span> &#8594; <span class="guimenuitem">[left panel] [+] My Network Places</span> &#8594; <span class="guimenuitem">[+] Entire Network</span> &#8594; <span class="guimenuitem">[+] Microsoft Windows Network</span> &#8594; <span class="guimenuitem">[+] Meganet</span> &#8594; <span class="guimenuitem">[+] Massive</span> &#8594; <span class="guimenuitem">[right-click] Apps</span> &#8594; <span class="guimenuitem">Properties</span> &#8594; <span class="guimenuitem">Security</span> &#8594; <span class="guimenuitem">Advanced</span>. This opens a panel that has four tabs. Only the functionality under the
                 <code class="constant">Permissions</code> tab can be utilized for a Samba domain server.
                 </p></li><li class="step" title="Step 2"><p><a class="indexterm" name="id2621210"></a><a class="indexterm" name="id2621218"></a>
+                </p></li><li><p><a class="indexterm" name="id2615125"></a><a class="indexterm" name="id2615133"></a>
                 You may now edit/add/remove access control settings. Be very careful. Many problems have been
                 created by people who decided that everyone should be rejected but one particular group should
 …
                 belong to the group <code class="constant">Everyone</code>, which therefore overrules any permissions
                 set for the permitted group.
                 </p></li><li class="step" title="Step 3"><p>
+                </p></li><li><p>
                 When you are done with editing, close all panels by clicking through the <span class="guimenu">OK</span>
                 buttons until the last panel closes.
                 </p></li></ol></div></div><div class="sect3" title="Setting Posix ACLs in UNIX/Linux"><div class="titlepage"><div><div><h4 class="title"><a name="id2621257"></a>Setting Posix ACLs in UNIX/Linux</h4></div></div></div><p><a class="indexterm" name="id2621264"></a><a class="indexterm" name="id2621272"></a>
+                </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2615172"></a>Setting Posix ACLs in UNIX/Linux</h4></div></div></div><p><a class="indexterm" name="id2615179"></a><a class="indexterm" name="id2615187"></a>
         Yet another alternative method for setting desired security settings on the shared resource files and
         directories can be achieved by logging into UNIX/Linux and setting POSIX ACLs directly using command-line
         tools. Here is an example session on the same resource as in the immediately preceding example on a SUSE 9
         Linux system:
         </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
+        </p><div class="procedure"><ol type="1"><li><p>
                 Log into the Linux system as the user <code class="constant">root</code>.
                 </p></li><li class="step" title="Step 2"><p>
+                </p></li><li><p>
                 Change directory to the location of the exported (shared) Windows file share (Apps), which is in
                 the directory <code class="filename">/data</code>. Execute the following:
 …
 other::r-x
 </pre><p>
                 </p></li><li class="step" title="Step 3"><p><a class="indexterm" name="id2621346"></a>
+                </p></li><li><p><a class="indexterm" name="id2615261"></a>
                 You want to add permission for <code class="constant">AppsMgrs</code> to enable them to
                 manage the applications (apps) share. It is important to set the ACL recursively
 …
 </pre><p>
                 This confirms that the change of POSIX ACL permissions has been effective.
                 </p></li><li class="step" title="Step 4"><p><a class="indexterm" name="id2621402"></a><a class="indexterm" name="id2621409"></a><a class="indexterm" name="id2621417"></a><a class="indexterm" name="id2621425"></a><a class="indexterm" name="id2621433"></a>
+                </p></li><li><p><a class="indexterm" name="id2615316"></a><a class="indexterm" name="id2615324"></a><a class="indexterm" name="id2615332"></a><a class="indexterm" name="id2615340"></a><a class="indexterm" name="id2615348"></a>
                 It is highly recommended that you read the online manual page for the <code class="literal">setfacl</code>
                 and <code class="literal">getfacl</code> commands. This provides information regarding how to set/read the default
                 ACLs and how that may be propagated through the directory tree. In Windows ACLs terms, this is the equivalent
                 of setting <code class="constant">inheritance</code> properties.
                 </p></li></ol></div></div></div><div class="sect2" title="Key Points Learned"><div class="titlepage"><div><div><h3 class="title"><a name="id2621467"></a>Key Points Learned</h3></div></div></div><p>
+                </p></li></ol></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2615382"></a>Key Points Learned</h3></div></div></div><p>
                 The mish-mash of issues were thrown together into one chapter because it seemed like a good idea.
                 Looking back, this chapter could be broken into two, but it's too late now. It has been done.
                 The highlights covered are as follows:
                 </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><a class="indexterm" name="id2621484"></a><a class="indexterm" name="id2621492"></a><a class="indexterm" name="id2621500"></a><a class="indexterm" name="id2621508"></a>
+                </p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id2615399"></a><a class="indexterm" name="id2615407"></a><a class="indexterm" name="id2615415"></a><a class="indexterm" name="id2615423"></a>
                         Winbind honors and does not override account controls set in Active Directory.
                         This means that password change, logon hours, and so on, are (or soon will be) enforced
 …
                         change is enforced. At this time, if logon hours expire, the user is not forcibly
                         logged off. That may be implemented at some later date.
                         </p></li><li class="listitem"><p><a class="indexterm" name="id2621527"></a><a class="indexterm" name="id2621535"></a>
+                        </p></li><li><p><a class="indexterm" name="id2615442"></a><a class="indexterm" name="id2615450"></a>
                         Sign'n'seal (plus schannel support) has been implemented in Samba-3. Beware of potential
                         problems acknowledged by Microsoft as having been fixed but reported by some as still
                         possibly an open issue.
                         </p></li><li class="listitem"><p><a class="indexterm" name="id2621551"></a><a class="indexterm" name="id2621559"></a><a class="indexterm" name="id2621566"></a><a class="indexterm" name="id2621574"></a>
+                        </p></li><li><p><a class="indexterm" name="id2615466"></a><a class="indexterm" name="id2615473"></a><a class="indexterm" name="id2615481"></a><a class="indexterm" name="id2615489"></a>
                         The combination of Kerberos 5, plus OpenLDAP, plus Samba, cannot replace Microsoft
                         Active Directory. The possibility to do this is not planned in the current Samba-3
                         roadmap. Samba-3 does aim to provide further improvements in interoperability so that
                         UNIX/Linux systems may be fully integrated into Active Directory domains.
                         </p></li><li class="listitem"><p>
+                        </p></li><li><p>
                         This chapter reviewed mechanisms by which Samba servers may be kept secure. Each of
                         the four key methodologies was reviewed with specific reference to example deployment
                         techniques.
                         </p></li></ul></div></div></div><div class="sect1" title="Questions and Answers"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2621601"></a>Questions and Answers</h2></div></div></div><p>
         </p><div class="qandaset" title="Frequently Asked Questions"><a name="id2621610"></a><dl><dt> <a href="kerberos.html#id2621617">
+                        </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2615516"></a>Questions and Answers</h2></div></div></div><p>
+        </p><div class="qandaset"><dl><dt> <a href="kerberos.html#id2615532">
                 Does Samba-3 require the Sign'n'seal registry hacks needed by Samba-2?
                 </a></dt><dt> <a href="kerberos.html#id2621687">
+                </a></dt><dt> <a href="kerberos.html#id2615602">
                 Does Samba-3 support Active Directory?
                 </a></dt><dt> <a href="kerberos.html#id2621718">
+                </a></dt><dt> <a href="kerberos.html#id2615633">
                 When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was
                 necessary with Samba-2?
                 </a></dt><dt> <a href="kerberos.html#id2621757">
+                </a></dt><dt> <a href="kerberos.html#id2615672">
                 Is it safe to set share-level access controls in Samba?
                 </a></dt><dt> <a href="kerberos.html#id2621786">
+                </a></dt><dt> <a href="kerberos.html#id2615701">
                 Is it mandatory to set share ACLs to get a secure Samba-3 server?
                 </a></dt><dt> <a href="kerberos.html#id2621863">
+                </a></dt><dt> <a href="kerberos.html#id2615778">
                 The valid users did not work on the [homes].
                 Has this functionality been restored yet?
                 </a></dt><dt> <a href="kerberos.html#id2621929">
+                </a></dt><dt> <a href="kerberos.html#id2615844">
                 Is the bias against use of the force user and force group
                 really warranted?
                 </a></dt><dt> <a href="kerberos.html#id2621992">
+                </a></dt><dt> <a href="kerberos.html#id2615907">
                 The example given for file and directory access control forces all files to be owned by one
                 particular user. I do not like that. Is there any way I can see who created the file?
                 </a></dt><dt> <a href="kerberos.html#id2622040">
+                </a></dt><dt> <a href="kerberos.html#id2615955">
                 In the book, &#8220;The Official Samba-3 HOWTO and Reference Guide&#8221;, you recommended use
                 of the Windows NT4 Server Manager (part of the SRVTOOLS.EXE) utility. Why
                 have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility?
                 </a></dt><dt> <a href="kerberos.html#id2622107">
+                </a></dt><dt> <a href="kerberos.html#id2616022">
                 I tried to set valid users = @Engineers, but it does not work. My Samba
                 server is an Active Directory domain member server. Has this been fixed now?
                 </a></dt></dl><table border="0" width="100%" summary="Q and A Set"><col align="left" width="1%"><col><tbody><tr class="question"><td align="left" valign="top"><a name="id2621617"></a><a name="id2621619"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2621622"></a><a class="indexterm" name="id2621630"></a>
+                </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2615532"></a><a name="id2615534"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615537"></a><a class="indexterm" name="id2615545"></a>
                 Does Samba-3 require the <code class="constant">Sign'n'seal</code> registry hacks needed by Samba-2?
                 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2621650"></a><a class="indexterm" name="id2621657"></a><a class="indexterm" name="id2621665"></a>
+                </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615564"></a><a class="indexterm" name="id2615572"></a><a class="indexterm" name="id2615580"></a>
                 No. Samba-3 fully supports <code class="constant">Sign'n'seal</code> as well as <code class="constant">schannel</code>
                 operation. The registry change should not be applied when Samba-3 is used as a domain controller.
                 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2621687"></a><a name="id2621690"></a></td><td align="left" valign="top"><p>
+                </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615602"></a><a name="id2615604"></a></td><td align="left" valign="top"><p>
                 Does Samba-3 support Active Directory?
                 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2621700"></a>
+                </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615615"></a>
                 Yes. Samba-3 can be a fully participating native mode Active Directory client. Samba-3 does not
                 provide Active Directory services. It cannot be used to replace a Microsoft Active Directory
                 server implementation. Samba-3 can function as an Active Directory client (workstation) toolkit,
                 and it can function as an Active Directory domain member server.
                 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2621718"></a><a name="id2621721"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2621724"></a>
+                </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615633"></a><a name="id2615635"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615639"></a>
                 When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was
                 necessary with Samba-2?
                 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2621740"></a>
+                </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615655"></a>
                 No. Samba-3 can be used with NetBIOS over TCP/IP disabled, just as can be done with Windows 200x
                 Server and 200x/XPPro client products. It is no longer necessary to run mixed-mode operation,
                 because Samba-3 can join a native Windows 2003 Server ADS domain.
                 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2621757"></a><a name="id2621759"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2621762"></a>
+                </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615672"></a><a name="id2615674"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615677"></a>
                 Is it safe to set share-level access controls in Samba?
                 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
 …
                 very mature technology. Not enough sites make use of this powerful capability, neither on
                 Windows server or with Samba servers.
                 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2621786"></a><a name="id2621788"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2621792"></a>
+                </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615701"></a><a name="id2615703"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615706"></a>
                 Is it mandatory to set share ACLs to get a secure Samba-3 server?
                 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2621807"></a><a class="indexterm" name="id2621815"></a><a class="indexterm" name="id2621823"></a><a class="indexterm" name="id2621832"></a><a class="indexterm" name="id2621840"></a>
+                </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615722"></a><a class="indexterm" name="id2615730"></a><a class="indexterm" name="id2615738"></a><a class="indexterm" name="id2615746"></a><a class="indexterm" name="id2615754"></a>
                 No. Samba-3 honors UNIX/Linux file system security, supports Windows 200x ACLs, and provides
                 means of securing shares through share definition controls in the <code class="filename">smb.conf</code> file. The additional
                 support for share-level ACLs is like frosting on the cake. It adds to security but is not essential
                 to it.
                 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2621863"></a><a name="id2621865"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2621868"></a>
+                </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615778"></a><a name="id2615780"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615783"></a>
                 The <em class="parameter"><code>valid users</code></em> did not work on the <em class="parameter"><code>[homes]</code></em>.
                 Has this functionality been restored yet?
                 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2621896"></a>
+                </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615810"></a>
                 Yes. This was fixed in Samba-3.0.2. The use of this parameter is strongly recommended as a safeguard
                 on the <em class="parameter"><code>[homes]</code></em> meta-service. The correct way to specify this is:
                 <a class="link" href="smb.conf.5.html#VALIDUSERS" target="_top">valid users = %S</a>.
                 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2621929"></a><a name="id2621931"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2621934"></a><a class="indexterm" name="id2621942"></a><a class="indexterm" name="id2621950"></a>
+                </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615844"></a><a name="id2615846"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615849"></a><a class="indexterm" name="id2615856"></a><a class="indexterm" name="id2615864"></a>
                 Is the bias against use of the <em class="parameter"><code>force user</code></em> and <em class="parameter"><code>force group</code></em>
                 really warranted?
                 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2621977"></a>
+                </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615892"></a>
                 There is no bias. There is a determination to recommend the right tool for the task at hand.
                 After all, it is better than putting users through performance problems, isn't it?
                 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2621992"></a><a name="id2621994"></a></td><td align="left" valign="top"><p>
+                </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615907"></a><a name="id2615909"></a></td><td align="left" valign="top"><p>
                 The example given for file and directory access control forces all files to be owned by one
                 particular user. I do not like that. Is there any way I can see who created the file?
                 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2622007"></a>
+                </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615922"></a>
                 Sure. You do not have to set the SUID bit on the directory. Simply execute the following command
                 to permit file ownership to be retained by the user who created it:
 …
                 Note that this required no more than removing the <code class="constant">u</code> argument so that the
                 SUID bit is not set for the owner.
                 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2622040"></a><a name="id2622042"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2622046"></a>
                 In the book, <span class="quote">&#8220;<span class="quote">The Official Samba-3 HOWTO and Reference Guide</span>&#8221;</span>, you recommended use
+                </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615955"></a><a name="id2615957"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615960"></a>
+                In the book, &#8220;<span class="quote">The Official Samba-3 HOWTO and Reference Guide</span>&#8221;, you recommended use
                 of the Windows NT4 Server Manager (part of the <code class="filename">SRVTOOLS.EXE</code>) utility. Why
                 have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility?
                 </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2622074"></a><a class="indexterm" name="id2622081"></a>
+                </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615988"></a><a class="indexterm" name="id2615996"></a>
                 Either tool can be used with equal effect. There is no benefit of one over the other, except that
                 the MMC utility is present on all Windows 200x/XP systems and does not require additional software
 …
                 Samba-controlled domain, the only tool that permits that is the NT4 Domain User Manager, which
                 is provided as part of the <code class="filename">SRVTOOLS.EXE</code> utility.
                 </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2622107"></a><a name="id2622109"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2622112"></a><a class="indexterm" name="id2622120"></a><a class="indexterm" name="id2622128"></a>
+                </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2616022"></a><a name="id2616024"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2616027"></a><a class="indexterm" name="id2616035"></a><a class="indexterm" name="id2616043"></a>
                 I tried to set <em class="parameter"><code>valid users = @Engineers</code></em>, but it does not work. My Samba
                 server is an Active Directory domain member server. Has this been fixed now?
 …
                 The use of this parameter has always required the full specification of the domain account, for
                 example, <em class="parameter"><code>valid users = @"MEGANET2\Domain Admins"</code></em>.
                 </p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"></div><div class="footnote"><a class="ulink" href="http://199.105.191.226/Man/2699/020430msdoj/" target="_top"><sup>[<a name="ftn.id2619212" href="#id2619212" class="ulink">13</a>] </sup>ITWorld.com</a></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="RefSection.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="DomApps.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part III. Reference Section </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 12. Integrating Additional Services</td></tr></table></div></body></html>
+                </p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"></div><div class="footnote"><a class="ulink" href="http://199.105.191.226/Man/2699/020430msdoj/" target="_top"><sup>[<a name="ftn.id2613126" href="#id2613126" class="ulink">13</a>] </sup>ITWorld.com</a></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="RefSection.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="DomApps.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part III. Reference Section </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 12. Integrating Additional Services</td></tr></table></div></body></html>

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 411 for branches/samba-3.3.x/docs/htmldocs/Samba3-ByExample/kerberos.html

Legend:

branches/samba-3.3.x/docs/htmldocs/Samba3-ByExample/kerberos.html

Download in other formats: