Diffstat (limited to 'docs/htmldocs/Samba3-ByExample/kerberos.html')
-rw-r--r--  docs/htmldocs/Samba3-ByExample/kerberos.html  102
1 files changed, 52 insertions, 50 deletions
diff --git a/docs/htmldocs/Samba3-ByExample/kerberos.html b/docs/htmldocs/Samba3-ByExample/kerberos.html
index a67fc182eb..f5969d665c 100644
--- a/docs/htmldocs/Samba3-ByExample/kerberos.html
+++ b/docs/htmldocs/Samba3-ByExample/kerberos.html
@@ -1,4 +1,4 @@
-<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 11. Active Directory, Kerberos, and Security</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="RefSection.html" title="Part III. Reference Section"><link rel="next" href="DomApps.html" title="Chapter 12. Integrating Additional Services"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 11. Active Directory, Kerberos, and Security</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="RefSection.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="DomApps.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="kerberos"></a>Chapter 11. 
Active Directory, Kerberos, and Security</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="kerberos.html#id2610613">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id2611264">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id2611280">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id2611677">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#ch10expl">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id2613307">Share Access Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2613656">Share Definition Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2614269">Share Point Directory and File Permissions</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2614672">Managing Windows 200x ACLs</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2615399">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id2615533">Questions and Answers</a></span></dt></dl></div><p><a class="indexterm" name="id2610549"></a>
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 11. Active Directory, Kerberos, and Security</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="RefSection.html" title="Part III. Reference Section"><link rel="next" href="DomApps.html" title="Chapter 12. Integrating Additional Services"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 11. Active Directory, Kerberos, and Security</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="RefSection.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="DomApps.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="kerberos"></a>Chapter 11. 
Active Directory, Kerberos, and Security</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="kerberos.html#id2610613">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id2611264">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id2611280">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id2611677">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#ch10expl">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id2613307">Share Access Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2613656">Share Definition Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2614269">Share Point Directory and File Permissions</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2614682">Managing Windows 200x ACLs</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2615408">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id2615543">Questions and Answers</a></span></dt></dl></div><p><a class="indexterm" name="id2610549"></a>
By this point in the book, you have been exposed to many Samba-3 features and capabilities.
More importantly, if you have implemented the examples given, you are well on your way to becoming
a Samba-3 networking guru who knows a lot about Microsoft Windows. If you have taken the time to
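Review bot: the only change in this hunk is the renumbering of generated DocBook anchor ids in the table of contents (id2614672 to id2614682, id2615399 to id2615408, id2615533 to id2615543), and the same pattern repeats through almost every hunk below; since the DocBook XSL stylesheets emit fresh ids on every regeneration, these lines will churn on every build regardless of whether the text changed. If the rendered HTML has to be committed, the substantive wording fixes still need to be made in the DocBook source rather than only in this generated file, otherwise the next regeneration will silently revert them.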
@@ -526,8 +526,10 @@
One of the common issues that repeatedly pops up on the Samba mailing lists involves the saving of
Microsoft Office files (Word and Excel) to a network drive. Here is the typical sequence:
</p><div class="orderedlist"><ol type="1"><li><p>
- A user opens a Work document from a network drive. The file was owned by user <code class="constant">janetp</code>
+ A user opens a Word document from a network drive. The file was owned by user <code class="constant">janetp</code>
and [users], and was set read/write-enabled for everyone.
+ A user opens a Word document from a network drive. The file was owned by user <code class="constant">janetp</code>
+ and <code class="constant">users</code>, and was set read/write-enabled for everyone.
</p></li><li><p>
File changes and edits are made.
</p></li><li><p>
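Review bot: the first list item in this hunk now contains its opening sentence twice. The corrected added line "A user opens a Word document from a network drive. The file was owned by user janetp" is followed by the retained context line "and [users], and was set read/write-enabled for everyone." and then by two further added lines that repeat the same sentence, this time with `<code class="constant">users</code>` instead of "[users]". Keep one copy, preferably the second since it drops the stray square brackets and marks the group name the same way janetp is marked, and remove the other sentence (the first added line together with the "and [users]" context line) so the rendered step reads as a single sentence; as it stands the Word/Work typo is fixed but the step is visibly duplicated.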
@@ -542,7 +544,7 @@
There have been many postings over the years that report the same basic problem. Frequently Samba users
want to know when this &#8220;<span class="quote">bug</span>&#8221; will be fixed. The fact is, this is not a bug in Samba at all.
Here is the real sequence of what happens in this case.
- </p><p><a class="indexterm" name="id2614430"></a><a class="indexterm" name="id2614438"></a><a class="indexterm" name="id2614446"></a>
+ </p><p><a class="indexterm" name="id2614440"></a><a class="indexterm" name="id2614448"></a><a class="indexterm" name="id2614456"></a>
When the user saves a file, MS Word creates a new (temporary) file. This file is naturally owned
by the user who creates the file (<code class="constant">billc</code>) and has the permissions that follow
that user's default settings within the operating system (UNIX/Linux). When MS Word has finished writing
@@ -560,7 +562,7 @@
The solution is simple. Use UNIX file system permissions and controls to your advantage. Follow these
simple steps to create a share in which all files will consistently be owned by the same user and the
same group:
- </p><div class="procedure"><a name="id2614493"></a><p class="title"><b>Procedure 11.2. Using Directory Permissions to Force File User and Group Ownership</b></p><ol type="1"><li><p>
+ </p><div class="procedure"><a name="id2614502"></a><p class="title"><b>Procedure 11.2. Using Directory Permissions to Force File User and Group Ownership</b></p><ol type="1"><li><p>
Change your share definition so that it matches this pattern:
</p><pre class="screen">
[finance]
@@ -568,18 +570,18 @@
browseable = Yes
read only = No
</pre><p>
- </p></li><li><p><a class="indexterm" name="id2614519"></a><a class="indexterm" name="id2614530"></a>
+ </p></li><li><p><a class="indexterm" name="id2614528"></a><a class="indexterm" name="id2614539"></a>
Set consistent user and group permissions recursively down the directory tree as shown here:
</p><pre class="screen">
<code class="prompt">root# </code> chown -R janetp.users /usr/data/finance
</pre><p>
- </p></li><li><p><a class="indexterm" name="id2614562"></a>
+ </p></li><li><p><a class="indexterm" name="id2614571"></a>
Set the files and directory permissions to be read/write for owner and group, and not accessible
to others (everyone), using the following command:
</p><pre class="screen">
<code class="prompt">root# </code> chmod ug+rwx,o-rwx /usr/data/finance
</pre><p>
- </p></li><li><p><a class="indexterm" name="id2614591"></a>
+ </p></li><li><p><a class="indexterm" name="id2614600"></a>
Set the SGID (supergroup) bit on all directories from the top down. This means all files
can be created with the permissions of the group set on the directory. It means all users
who are members of the group <code class="constant">finance</code> can read and write all files in
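Review bot: in the third procedure step of this hunk the text says "Set the files and directory permissions", but the command shown, `chmod ug+rwx,o-rwx /usr/data/finance`, is not recursive, so only the share point directory itself is changed, whereas the preceding `chown -R janetp.users /usr/data/finance` does descend the whole tree; either add `-R` to the chmod or reword the step to say it applies to the top-level directory, because a reader who follows the steps literally will leave pre-existing files with their old "other" permissions. Separately, "SGID (supergroup) bit" in the fourth step expands the acronym wrongly: SGID is the set-group-ID bit. This hunk itself only renumbers generated anchor ids, so both corrections belong in the DocBook source.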
@@ -589,11 +591,11 @@
<code class="prompt">root# </code> find /usr/data/finance -type d -exec chmod ug+s {}\;
</pre><p>
- </p></li><li><p><a class="indexterm" name="id2614631"></a><a class="indexterm" name="id2614639"></a><a class="indexterm" name="id2614647"></a>
+ </p></li><li><p><a class="indexterm" name="id2614641"></a><a class="indexterm" name="id2614649"></a><a class="indexterm" name="id2614657"></a>
Make sure all users that must have read/write access to the directory have
<code class="constant">finance</code> group membership as their primary group,
for example, the group they belong to in <code class="filename">/etc/passwd</code>.
- </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2614672"></a>Managing Windows 200x ACLs</h3></div></div></div><p><a class="indexterm" name="id2614679"></a><a class="indexterm" name="id2614687"></a><a class="indexterm" name="id2614695"></a><a class="indexterm" name="id2614703"></a>
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2614682"></a>Managing Windows 200x ACLs</h3></div></div></div><p><a class="indexterm" name="id2614688"></a><a class="indexterm" name="id2614696"></a><a class="indexterm" name="id2614704"></a><a class="indexterm" name="id2614712"></a>
Samba must translate Windows 2000 ACLs to UNIX POSIX ACLs. This has some interesting side effects because
there is not a one-to-one equivalence between them. The as-close-as-possible ACLs match means
that some transactions are not possible from MS Windows clients. One of these is to reset the ownership
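Review bot: the command at the top of this hunk, `find /usr/data/finance -type d -exec chmod ug+s {}\;`, is missing the space before `\;`, so the shell hands find the single argument `{};` and GNU find rejects the invocation with "missing argument to `-exec'"; it should read `-exec chmod ug+s {} \;`. Note also that `ug+s` sets the setuid bit as well as setgid on every directory, while the step text describes only the SGID bit; the Questions and Answers section at the end of this diff relies on dropping the `u` to leave only setgid, so the two passages should be made to agree. In the final step, "for example, the group they belong to in /etc/passwd" should be "that is", since the primary group is exactly the one recorded in /etc/passwd, not one example of it.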
@@ -601,7 +603,7 @@
</p><p>
There are two possible ways to set ACLs on UNIX/Linux file systems from a Windows network workstation,
either via File Manager or via the Microsoft Management Console (MMC) Computer Management interface.
- </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2614727"></a>Using the MMC Computer Management Interface</h4></div></div></div><div class="procedure"><ol type="1"><li><p>
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2614736"></a>Using the MMC Computer Management Interface</h4></div></div></div><div class="procedure"><ol type="1"><li><p>
From a Windows 200x/XP Professional workstation, log on to the domain using the Domain Administrator
account (on Samba domains, this is usually the account called <code class="constant">root</code>).
</p></li><li><p>
@@ -616,14 +618,14 @@
the Computer Management entry should now say: <span class="guimenu">Computer Management (FRODO)</span>.
</p></li><li><p>
In the left panel, click <span class="guimenu">Computer Management (FRODO)</span> &#8594; <span class="guimenuitem">[+] Shared Folders</span> &#8594; <span class="guimenuitem">Shares</span>.
- </p></li><li><p><a class="indexterm" name="id2614910"></a><a class="indexterm" name="id2614918"></a><a class="indexterm" name="id2614925"></a><a class="indexterm" name="id2614933"></a>
+ </p></li><li><p><a class="indexterm" name="id2614919"></a><a class="indexterm" name="id2614927"></a><a class="indexterm" name="id2614935"></a><a class="indexterm" name="id2614943"></a>
In the right panel, double-click on the share on which you wish to set/edit ACLs. This
brings up the Properties panel. Click the <span class="guimenu">Security</span> tab. It is best
to edit ACLs using the <code class="constant">Advanced</code> editing features. Click the
<span class="guimenu">Advanced</span> button. This opens a panel that has four tabs. Only the
functionality under the <code class="constant">Permissions</code> tab can be utilized with respect
to a Samba domain server.
- </p></li><li><p><a class="indexterm" name="id2614973"></a><a class="indexterm" name="id2614981"></a>
+ </p></li><li><p><a class="indexterm" name="id2614982"></a><a class="indexterm" name="id2614990"></a>
You may now edit/add/remove access control settings. Be very careful. Many problems have been
created by people who decided that everyone should be rejected but one particular group should
have full control. This is a catch-22 situation because members of that particular group also
@@ -632,7 +634,7 @@
</p></li><li><p>
When you are done with editing, close all panels by clicking through the <span class="guimenu">OK</span>
buttons until the last panel closes.
- </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2615018"></a>Using MS Windows Explorer (File Manager)</h4></div></div></div><p>
+ </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2615027"></a>Using MS Windows Explorer (File Manager)</h4></div></div></div><p>
The following alternative method may be used from a Windows workstation. In this example we work
with a domain called <code class="constant">MEGANET</code>, a server called <code class="constant">MASSIVE</code>, and a
share called <code class="constant">Apps</code>. The underlying UNIX/Linux share point for this share is
@@ -640,7 +642,7 @@
</p><div class="procedure"><ol type="1"><li><p>
Click <span class="guimenu">Start</span> &#8594; <span class="guimenuitem">[right-click] My Computer</span> &#8594; <span class="guimenuitem">Explore</span> &#8594; <span class="guimenuitem">[left panel] [+] My Network Places</span> &#8594; <span class="guimenuitem">[+] Entire Network</span> &#8594; <span class="guimenuitem">[+] Microsoft Windows Network</span> &#8594; <span class="guimenuitem">[+] Meganet</span> &#8594; <span class="guimenuitem">[+] Massive</span> &#8594; <span class="guimenuitem">[right-click] Apps</span> &#8594; <span class="guimenuitem">Properties</span> &#8594; <span class="guimenuitem">Security</span> &#8594; <span class="guimenuitem">Advanced</span>. This opens a panel that has four tabs. Only the functionality under the
<code class="constant">Permissions</code> tab can be utilized for a Samba domain server.
- </p></li><li><p><a class="indexterm" name="id2615142"></a><a class="indexterm" name="id2615150"></a>
+ </p></li><li><p><a class="indexterm" name="id2615152"></a><a class="indexterm" name="id2615160"></a>
You may now edit/add/remove access control settings. Be very careful. Many problems have been
created by people who decided that everyone should be rejected but one particular group should
have full control. This is a catch-22 situation because members of that particular group also
@@ -649,7 +651,7 @@
</p></li><li><p>
When you are done with editing, close all panels by clicking through the <span class="guimenu">OK</span>
buttons until the last panel closes.
- </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2615189"></a>Setting Posix ACLs in UNIX/Linux</h4></div></div></div><p><a class="indexterm" name="id2615196"></a><a class="indexterm" name="id2615204"></a>
+ </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2615198"></a>Setting Posix ACLs in UNIX/Linux</h4></div></div></div><p><a class="indexterm" name="id2615205"></a><a class="indexterm" name="id2615213"></a>
Yet another alternative method for setting desired security settings on the shared resource files and
directories can be achieved by logging into UNIX/Linux and setting POSIX ACLs directly using command-line
tools. Here is an example session on the same resource as in the immediately preceding example on a SUSE 9
@@ -672,7 +674,7 @@ user::rwx
group::rwx
other::r-x
</pre><p>
- </p></li><li><p><a class="indexterm" name="id2615278"></a>
+ </p></li><li><p><a class="indexterm" name="id2615287"></a>
You want to add permission for <code class="constant">AppsMgrs</code> to enable them to
manage the applications (apps) share. It is important to set the ACL recursively
so that the AppsMgrs have this capability throughout the directory tree that is
@@ -695,26 +697,26 @@ mask::rwx
other::r-x
</pre><p>
This confirms that the change of POSIX ACL permissions has been effective.
- </p></li><li><p><a class="indexterm" name="id2615334"></a><a class="indexterm" name="id2615341"></a><a class="indexterm" name="id2615349"></a><a class="indexterm" name="id2615357"></a><a class="indexterm" name="id2615365"></a>
+ </p></li><li><p><a class="indexterm" name="id2615343"></a><a class="indexterm" name="id2615351"></a><a class="indexterm" name="id2615359"></a><a class="indexterm" name="id2615367"></a><a class="indexterm" name="id2615375"></a>
It is highly recommended that you read the online manual page for the <code class="literal">setfacl</code>
and <code class="literal">getfacl</code> commands. This provides information regarding how to set/read the default
ACLs and how that may be propagated through the directory tree. In Windows ACLs terms, this is the equivalent
of setting <code class="constant">inheritance</code> properties.
- </p></li></ol></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2615399"></a>Key Points Learned</h3></div></div></div><p>
+ </p></li></ol></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2615408"></a>Key Points Learned</h3></div></div></div><p>
The mish-mash of issues were thrown together into one chapter because it seemed like a good idea.
Looking back, this chapter could be broken into two, but it's too late now. It has been done.
The highlights covered are as follows:
- </p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id2615416"></a><a class="indexterm" name="id2615424"></a><a class="indexterm" name="id2615432"></a><a class="indexterm" name="id2615440"></a>
+ </p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id2615426"></a><a class="indexterm" name="id2615434"></a><a class="indexterm" name="id2615442"></a><a class="indexterm" name="id2615450"></a>
Winbind honors and does not override account controls set in Active Directory.
This means that password change, logon hours, and so on, are (or soon will be) enforced
by Samba winbind. At this time, an out-of-hours login is denied and password
change is enforced. At this time, if logon hours expire, the user is not forcibly
logged off. That may be implemented at some later date.
- </p></li><li><p><a class="indexterm" name="id2615459"></a><a class="indexterm" name="id2615467"></a>
+ </p></li><li><p><a class="indexterm" name="id2615468"></a><a class="indexterm" name="id2615476"></a>
Sign'n'seal (plus schannel support) has been implemented in Samba-3. Beware of potential
problems acknowledged by Microsoft as having been fixed but reported by some as still
possibly an open issue.
- </p></li><li><p><a class="indexterm" name="id2615483"></a><a class="indexterm" name="id2615491"></a><a class="indexterm" name="id2615498"></a><a class="indexterm" name="id2615506"></a>
+ </p></li><li><p><a class="indexterm" name="id2615492"></a><a class="indexterm" name="id2615500"></a><a class="indexterm" name="id2615508"></a><a class="indexterm" name="id2615516"></a>
The combination of Kerberos 5, plus OpenLDAP, plus Samba, cannot replace Microsoft
Active Directory. The possibility to do this is not planned in the current Samba-3
roadmap. Samba-3 does aim to provide further improvements in interoperability so that
@@ -723,83 +725,83 @@ other::r-x
This chapter reviewed mechanisms by which Samba servers may be kept secure. Each of
the four key methodologies was reviewed with specific reference to example deployment
techniques.
- </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2615533"></a>Questions and Answers</h2></div></div></div><p>
- </p><div class="qandaset"><dl><dt> <a href="kerberos.html#id2615549">
+ </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2615543"></a>Questions and Answers</h2></div></div></div><p>
+ </p><div class="qandaset"><dl><dt> <a href="kerberos.html#id2615558">
Does Samba-3 require the Sign'n'seal registry hacks needed by Samba-2?
- </a></dt><dt> <a href="kerberos.html#id2615619">
+ </a></dt><dt> <a href="kerberos.html#id2615629">
Does Samba-3 support Active Directory?
- </a></dt><dt> <a href="kerberos.html#id2615650">
+ </a></dt><dt> <a href="kerberos.html#id2615660">
When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was
necessary with Samba-2?
- </a></dt><dt> <a href="kerberos.html#id2615689">
+ </a></dt><dt> <a href="kerberos.html#id2615698">
Is it safe to set share-level access controls in Samba?
- </a></dt><dt> <a href="kerberos.html#id2615718">
+ </a></dt><dt> <a href="kerberos.html#id2615728">
Is it mandatory to set share ACLs to get a secure Samba-3 server?
- </a></dt><dt> <a href="kerberos.html#id2615795">
+ </a></dt><dt> <a href="kerberos.html#id2615804">
The valid users did not work on the [homes].
Has this functionality been restored yet?
- </a></dt><dt> <a href="kerberos.html#id2615861">
+ </a></dt><dt> <a href="kerberos.html#id2615870">
Is the bias against use of the force user and force group
really warranted?
- </a></dt><dt> <a href="kerberos.html#id2615924">
+ </a></dt><dt> <a href="kerberos.html#id2615934">
The example given for file and directory access control forces all files to be owned by one
particular user. I do not like that. Is there any way I can see who created the file?
- </a></dt><dt> <a href="kerberos.html#id2615972">
+ </a></dt><dt> <a href="kerberos.html#id2615982">
In the book, &#8220;The Official Samba-3 HOWTO and Reference Guide&#8221;, you recommended use
of the Windows NT4 Server Manager (part of the SRVTOOLS.EXE) utility. Why
have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility?
- </a></dt><dt> <a href="kerberos.html#id2616039">
+ </a></dt><dt> <a href="kerberos.html#id2616048">
I tried to set valid users = @Engineers, but it does not work. My Samba
server is an Active Directory domain member server. Has this been fixed now?
- </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2615549"></a><a name="id2615551"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615554"></a><a class="indexterm" name="id2615562"></a>
+ </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2615558"></a><a name="id2615561"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615564"></a><a class="indexterm" name="id2615572"></a>
Does Samba-3 require the <code class="constant">Sign'n'seal</code> registry hacks needed by Samba-2?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615582"></a><a class="indexterm" name="id2615589"></a><a class="indexterm" name="id2615597"></a>
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615591"></a><a class="indexterm" name="id2615599"></a><a class="indexterm" name="id2615607"></a>
No. Samba-3 fully supports <code class="constant">Sign'n'seal</code> as well as <code class="constant">schannel</code>
operation. The registry change should not be applied when Samba-3 is used as a domain controller.
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615619"></a><a name="id2615622"></a></td><td align="left" valign="top"><p>
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615629"></a><a name="id2615631"></a></td><td align="left" valign="top"><p>
Does Samba-3 support Active Directory?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615632"></a>
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615642"></a>
Yes. Samba-3 can be a fully participating native mode Active Directory client. Samba-3 does not
provide Active Directory services. It cannot be used to replace a Microsoft Active Directory
server implementation. Samba-3 can function as an Active Directory client (workstation) toolkit,
and it can function as an Active Directory domain member server.
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615650"></a><a name="id2615653"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615656"></a>
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615660"></a><a name="id2615662"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615665"></a>
When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was
necessary with Samba-2?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615672"></a>
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615682"></a>
No. Samba-3 can be used with NetBIOS over TCP/IP disabled, just as can be done with Windows 200x
Server and 200x/XPPro client products. It is no longer necessary to run mixed-mode operation,
because Samba-3 can join a native Windows 2003 Server ADS domain.
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615689"></a><a name="id2615691"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615694"></a>
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615698"></a><a name="id2615701"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615704"></a>
Is it safe to set share-level access controls in Samba?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
Yes. Share-level access controls have been supported since early versions of Samba-2. This is
very mature technology. Not enough sites make use of this powerful capability, neither on
Windows server or with Samba servers.
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615718"></a><a name="id2615720"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615724"></a>
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615728"></a><a name="id2615730"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615733"></a>
Is it mandatory to set share ACLs to get a secure Samba-3 server?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615739"></a><a class="indexterm" name="id2615747"></a><a class="indexterm" name="id2615755"></a><a class="indexterm" name="id2615764"></a><a class="indexterm" name="id2615772"></a>
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615749"></a><a class="indexterm" name="id2615757"></a><a class="indexterm" name="id2615765"></a><a class="indexterm" name="id2615773"></a><a class="indexterm" name="id2615781"></a>
No. Samba-3 honors UNIX/Linux file system security, supports Windows 200x ACLs, and provides
means of securing shares through share definition controls in the <code class="filename">smb.conf</code> file. The additional
support for share-level ACLs is like frosting on the cake. It adds to security but is not essential
to it.
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615795"></a><a name="id2615797"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615800"></a>
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615804"></a><a name="id2615806"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615810"></a>
The <em class="parameter"><code>valid users</code></em> did not work on the <em class="parameter"><code>[homes]</code></em>.
Has this functionality been restored yet?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615828"></a>
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615837"></a>
Yes. This was fixed in Samba-3.0.2. The use of this parameter is strongly recommended as a safeguard
on the <em class="parameter"><code>[homes]</code></em> meta-service. The correct way to specify this is:
<a class="link" href="smb.conf.5.html#VALIDUSERS" target="_top">valid users = %S</a>.
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615861"></a><a name="id2615863"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615866"></a><a class="indexterm" name="id2615874"></a><a class="indexterm" name="id2615882"></a>
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615870"></a><a name="id2615872"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615876"></a><a class="indexterm" name="id2615883"></a><a class="indexterm" name="id2615891"></a>
Is the bias against use of the <em class="parameter"><code>force user</code></em> and <em class="parameter"><code>force group</code></em>
really warranted?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615909"></a>
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615918"></a>
There is no bias. There is a determination to recommend the right tool for the task at hand.
After all, it is better than putting users through performance problems, isn't it?
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615924"></a><a name="id2615926"></a></td><td align="left" valign="top"><p>
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615934"></a><a name="id2615936"></a></td><td align="left" valign="top"><p>
The example given for file and directory access control forces all files to be owned by one
particular user. I do not like that. Is there any way I can see who created the file?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615939"></a>
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2615948"></a>
Sure. You do not have to set the SUID bit on the directory. Simply execute the following command
to permit file ownership to be retained by the user who created it:
</p><pre class="screen">
@@ -807,17 +809,17 @@ other::r-x
</pre><p>
Note that this required no more than removing the <code class="constant">u</code> argument so that the
SUID bit is not set for the owner.
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615972"></a><a name="id2615974"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615978"></a>
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2615982"></a><a name="id2615984"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2615987"></a>
In the book, &#8220;<span class="quote">The Official Samba-3 HOWTO and Reference Guide</span>&#8221;, you recommended use
of the Windows NT4 Server Manager (part of the <code class="filename">SRVTOOLS.EXE</code>) utility. Why
have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2616006"></a><a class="indexterm" name="id2616013"></a>
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2616015"></a><a class="indexterm" name="id2616023"></a>
Either tool can be used with equal effect. There is no benefit of one over the other, except that
the MMC utility is present on all Windows 200x/XP systems and does not require additional software
to be downloaded and installed. Note that if you want to manage user and group accounts in your
Samba-controlled domain, the only tool that permits that is the NT4 Domain User Manager, which
is provided as part of the <code class="filename">SRVTOOLS.EXE</code> utility.
- </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2616039"></a><a name="id2616041"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2616044"></a><a class="indexterm" name="id2616052"></a><a class="indexterm" name="id2616060"></a>
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2616048"></a><a name="id2616051"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2616054"></a><a class="indexterm" name="id2616062"></a><a class="indexterm" name="id2616070"></a>
I tried to set <em class="parameter"><code>valid users = @Engineers</code></em>, but it does not work. My Samba
server is an Active Directory domain member server. Has this been fixed now?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>