The following questions and answers draw from the examples in this chapter. Many design decisions are impacted by the configurations chosen. The intent is to expose some of the hidden implications.
What makes an anonymous Samba server more simple than a non-anonymous Samba server?
In the anonymous server, the only account used is the guest account. In a non-anonymous configuration, it is necessary to add real user accounts to both the UNIX system and to the Samba configuration. Non-anonymous servers require additional administration.
How is the operation of the parameter force user different from setting the root directory of the share SUID?
The parameter force user causes all operations on the share to assume the UID of the forced user. The new default GID that applies is the primary GID of the forced user. This gives all users of this resource the actual privilege of the forced user.
When a directory is set SUID, the operating system forces files that are written within it to be owned by the owner of the directory. While this happens, the user who is using the share has only the level of privilege he or she is assigned within the operating system context.
The parameter force user has potential security implications that go beyond the actual share root directory. Be careful and wary of using this parameter.
When would you both use the per share parameter force user and set the share root directory SUID?
You would use both parameters when it is necessary to guarantee that all share handling operations are conducted as the forced user, while all file and directory creation are done as the SUID directory owner.
What is better about CUPS printing than LPRng printing?
CUPS is a print spooling system that has integrated remote management facilities, provides completely automated print processing/preprocessing, and can be configured to automatically apply print preprocessing filters to ensure that a print job submitted is correctly rendered for the target printer. CUPS includes an image file RIP that supports printing of image files to non-PostScript printers. CUPS has lots of bells and whistles and is more like a supercharged MS Windows NT/200x print monitor and processor. Its complexity can be eliminated or turbocharged to suit any fancy.
The LPRng software is an enhanced, extended, and portable implementation of the Berkeley LPR print spooler functionality. It provides the same interface and meets RFC1179 requirements. LPRng can be configured to act like CUPS, but it is in principle a replacement for the old Berkeley lpr/lpd spooler. LPRng is generally preferred by those who are familiar with Berkeley lpr/lpd.
Which spooling system is better is a matter of personal taste. It depends on what you want to do and how you want to do it and manage it. Most modern Linux systems ship with CUPS as the default print management system.
When should Windows client IP addresses be hard-coded?
When there are few MS Windows clients, little client change, no mobile users, and users are not inclined to tamper with network settings, it is a safe and convenient matter to hard-code Windows client TCP/IP settings. Given that it is possible to lock down the Windows desktop and remove user ability to access network configuration controls, fixed configuration eliminates the need for a DHCP server. This reduces maintenance overheads and eliminates a possible point of network failure.
Under what circumstances is it best to use a DHCP server?
In network configurations where there are mobile users, or where Windows client PCs move around (particularly between offices or between subnets), it makes complete sense to control all Windows client configurations using a DHCP server. Additionally, when users do tamper with the network settings, DHCP can be used to normalize all client settings.
One underappreciated benefit of using a DHCP server to assign all network client device TCP/IP settings is that it makes it a pain-free process to change network TCP/IP settings, change network addressing, or enhance the ability of client devices to benefit from new network services.
Another benefit of modern DHCP servers is their ability to register dynamically assigned IP addresses with the DNS server. The benefits of Dynamic DNS (DDNS) are considerable in a large Windows network environment.
What is the purpose of setting the parameter guest ok on a share?
If this parameter is set to yes for a service, then no password is required to connect to the service. Privileges are those of the guest account.
When would you set the global parameter disable spoolss?
Setting this parameter to Yes disables Samba's support for the SPOOLSS set of MS-RPCs and yields behavior identical to Samba 2.0.x. Windows NT/2000 clients can downgrade to using LanMan style printing commands. Windows 9x/Me are unaffected by the parameter. However, this disables the ability to upload printer drivers to a Samba server via the Windows NT/200x Add Printer Wizard or by using the NT printer properties dialog window. It also disables the capability of Windows NT/200x clients to download print drivers from the Samba host on demand. Be extremely careful about setting this parameter.
The alternate parameter use client driver applies only to Windows NT/200x clients. It has no effect on Windows 95/98/Me clients. When serving a printer to Windows NT/200x clients without first installing a valid printer driver on the Samba host, the client is required to install a local printer driver. From this point on, the client treats the printer as a local printer and not a network printer connection. This is much the same behavior that occurs when disable spoolss = yes.
Under normal circumstances, the NT/200x client attempts to open the network printer using MS-RPC. Because the client considers the printer to be local, it attempts to issue the OpenPrinterEx() call requesting access rights associated with the logged on user. If the user possesses local administrator rights but not root privilege on the Samba host (often the case), the OpenPrinterEx() call fails. The result is that the client now displays an "Access Denied; Unable to connect" message in the printer queue window (even though jobs may be printed successfully). This parameter MUST not be enabled on a print share that has a valid print driver installed on the Samba server.
Why would you disable password caching on Windows 9x/Me clients?
Windows 9x/Me workstations that are set at default (password caching enabled) store the username and password in files located in the Windows master directory. Such files can be scavenged (read off a client machine) and decrypted, thus revealing the user's access credentials for all systems the user may have accessed. It is most insecure to allow any Windows 9x/Me client to operate with password caching enabled.
The example of Abmas Accounting uses User Mode security. How does this provide anonymous access?
The example used does not provide anonymous access. Since the clients are all Windows 2000 Professional, and given that users are logging onto their machines, by default the client attempts to connect to a remote server using currently logged in user credentials. By ensuring that the user's login ID and password are the same as those set on the Samba server, access is transparent and does not require separate user authentication.