1. Q: | Does Samba-3 require the Sign'n'seal registry hacks needed by Samba-2? |
A: | No. Samba-3 fully supports Sign'n'seal as well as schannel operation. The registry change should not be applied when Samba-3 is used as a domain controller. |
2. Q: | Does Samba-3 support Active Directory? |
A: | Yes. Samba-3 can be a fully participating native mode Active Directory client. Samba-3 does not provide Active Directory services. It cannot be used to replace a Microsoft Active Directory server implementation. Samba-3 can function as an Active Directory client (workstation) toolkit, and it can function as an Active Directory domain member server. |
3. Q: | When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was necessary with Samba-2? |
A: | No. Samba-3 can be used with NetBIOS over TCP/IP disabled, just as can be done with Windows 200x Server and 200x/XPPro client products. It is no longer necessary to run mixed-mode operation, because Samba-3 can join a native Windows 2003 Server ADS domain. |
4. Q: | Is it safe to set share-level access controls in Samba? |
A: | Yes. Share-level access controls have been supported since early versions of Samba-2. This is very mature technology. Not enough sites make use of this powerful capability, either on Windows servers or on Samba servers. |
5. Q: | Is it mandatory to set share ACLs to get a secure Samba-3 server? |
A: | No. Samba-3 honors UNIX/Linux file system security, supports Windows 200x ACLs, and provides means of securing shares through share definition controls in the smb.conf file. The additional support for share-level ACLs is like frosting on the cake. It adds to security but is not essential to it. |
6. Q: | The valid users parameter did not work on the [homes] share. Has this functionality been restored yet? |
A: | Yes. This was fixed in Samba-3.0.2. The use of this parameter is strongly recommended as a safeguard on the [homes] meta-service. The correct way to specify this is: valid users = %S. |
7. Q: | Is the bias against use of the force user and force group really warranted? |
A: | There is no bias. There is a determination to recommend the right tool for the task at hand. After all, it is better than putting users through performance problems, isn't it? |
8. Q: | The example given for file and directory access control forces all files to be owned by one particular user. I do not like that. Is there any way I can see who created the file? |
A: | Sure. You do not have to set the SUID bit on the directory. Simply execute the following command to permit file ownership to be retained by the user who created it: root# find /usr/data/finance -type d -exec chmod g+s {} \; Note that this required no more than removing the u argument so that the SUID bit is not set for the owner. |
9. Q: | In the book, "The Official Samba-3 HOWTO and Reference Guide", you recommended use of the Windows NT4 Server Manager (part of the SRVTOOLS.EXE) utility. Why have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility? |
A: | Either tool can be used with equal effect. There is no benefit of one over the other, except that the MMC utility is present on all Windows 200x/XP systems and does not require additional software to be downloaded and installed. Note that if you want to manage user and group accounts in your Samba-controlled domain, the only tool that permits that is the NT4 Domain User Manager, which is provided as part of the SRVTOOLS.EXE utility. |
10. Q: | I tried to set valid users = @Engineers, but it does not work. My Samba server is an Active Directory domain member server. Has this been fixed now? |
A: | The use of this parameter has always required the full specification of the domain account, for example, valid users = @"MEGANET2\Domain Admins". |
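The valid users pitfalls from answers 6 and 10 can be checked mechanically. The following lint is an added example, not code from the book or from the Samba project. The sample configuration, its share names and paths, and the function name lint_valid_users are constructed for illustration, and the check assumes the default winbind separator (a backslash).

```python
import configparser
import re

# Constructed sample smb.conf; share names and paths are hypothetical.
SAMPLE_SMB_CONF = r"""
[global]
workgroup = MEGANET2
security = ads

[homes]
browseable = no
valid users = %U

[engineering]
path = /data/engineering
valid users = @Engineers, @"MEGANET2\Domain Admins"
"""

# A name is a run of bare characters and/or double-quoted strings.
NAME_RE = re.compile(r'(?:[^\s,"]|"[^"]*")+')


def lint_valid_users(conf_text):
    """Return (share, message) findings for the valid users pitfalls in answers 6 and 10."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    # Strip indentation so configparser does not treat indented keys as continuations.
    cp.read_string("\n".join(line.strip() for line in conf_text.splitlines()))
    shares = {name.lower(): cp[name] for name in cp.sections()}
    security = shares.get("global", {}).get("security", "user").strip().lower()
    domain_member = security in ("ads", "domain")
    findings = []
    for name, params in shares.items():
        if name == "global":
            continue
        value = params.get("valid users")
        if name == "homes" and (value is None or value.strip() != "%S"):
            findings.append((name, "[homes] should set valid users = %S"))
        if value is None or not domain_member:
            continue
        for token in NAME_RE.findall(value):
            # Assumes the default winbind separator (backslash) between domain and group.
            if token.startswith("@") and "\\" not in token:
                findings.append((name, f"group {token} lacks a DOMAIN\\ prefix"))
    return findings


if __name__ == "__main__":
    for share, message in lint_valid_users(SAMPLE_SMB_CONF):
        print(f"{share}: {message}")
```

On the sample it reports the [homes] share, which uses %U instead of %S, and the unqualified @Engineers group on a domain member server.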