Section 11.4. Questions and Answers


F.A.Q.

1. Q:

Does Samba-3 require the Sign'n'seal registry hacks needed by Samba-2?

A:

No. Samba-3 fully supports Sign'n'seal as well as schannel operation. The registry change should not be applied when Samba-3 is used as a domain controller.

2. Q:

Does Samba-3 support Active Directory?

A:

Yes. Samba-3 can be a fully participating native mode Active Directory client. Samba-3 does not provide Active Directory services. It cannot be used to replace a Microsoft Active Directory server implementation. Samba-3 can function as an Active Directory client (workstation) toolkit, and it can function as an Active Directory domain member server.

3. Q:

When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was necessary with Samba-2?

A:

No. Samba-3 can be used with NetBIOS over TCP/IP disabled, just as can be done with Windows 200x Server and 200x/XPPro client products. It is no longer necessary to run mixed-mode operation, because Samba-3 can join a native Windows 2003 Server ADS domain.

4. Q:

Is it safe to set share-level access controls in Samba?

A:

Yes. Share-level access controls have been supported since early versions of Samba-2. This is very mature technology. Not enough sites make use of this powerful capability, either on Windows servers or with Samba servers.

5. Q:

Is it mandatory to set share ACLs to get a secure Samba-3 server?

A:

No. Samba-3 honors UNIX/Linux file system security, supports Windows 200x ACLs, and provides means of securing shares through share definition controls in the smb.conf file. The additional support for share-level ACLs is like frosting on the cake. It adds to security but is not essential to it.

6. Q:

The valid users did not work on the [homes]. Has this functionality been restored yet?

A:

Yes. This was fixed in Samba-3.0.2. The use of this parameter is strongly recommended as a safeguard on the [homes] meta-service. The correct way to specify this is: valid users = %S.

7. Q:

Is the bias against use of the force user and force group really warranted?

A:

There is no bias. There is a determination to recommend the right tool for the task at hand. After all, it is better than putting users through performance problems, isn't it?

8. Q:

The example given for file and directory access control forces all files to be owned by one particular user. I do not like that. Is there any way I can see who created the file?

A:

Sure. You do not have to set the SUID bit on the directory. Simply execute the following command to permit file ownership to be retained by the user who created it:

root#  find /usr/data/finance -type d -exec chmod g+s {} \;

Note that this required no more than removing the u argument so that the SUID bit is not set for the owner.

9. Q:

In the book, "The Official Samba-3 HOWTO and Reference Guide", you recommended use of the Windows NT4 Server Manager (part of the SRVTOOLS.EXE) utility. Why have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility?

A:

Either tool can be used with equal effect. There is no benefit of one over the other, except that the MMC utility is present on all Windows 200x/XP systems and does not require additional software to be downloaded and installed. Note that if you want to manage user and group accounts in your Samba-controlled domain, the only tool that permits that is the NT4 Domain User Manager, which is provided as part of the SRVTOOLS.EXE utility.

10. Q:

I tried to set valid users = @Engineers, but it does not work. My Samba server is an Active Directory domain member server. Has this been fixed now?

A:

The use of this parameter has always required the full specification of the domain account, for example, valid users = @"MEGANET2\Domain Admins".
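
The following is an added example, not code from the book or from the Samba project: a small Python check that reads an smb.conf and reports the two valid users problems covered in questions 6 and 10. The sample configuration, the share name, and the path are constructed for illustration, and the group check assumes the default winbind separator (backslash) with winbind use default domain not enabled.

```python
import re

# Constructed sample smb.conf for an ADS domain member server (illustrative only).
SAMPLE = r'''
[global]
    workgroup = MEGANET2
    security = ADS

[homes]
    comment = Home Directories
    browseable = No

[engineering]
    path = /data/eng
    valid users = @Engineers, @"MEGANET2\Domain Admins"
'''

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with lower-cased, space-normalized names."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return shares

def audit_valid_users(text):
    """Report a missing %S safeguard on [homes] and unqualified @group entries."""
    shares = parse_smb_conf(text)
    is_ads_member = shares.get("global", {}).get("security", "").lower() == "ads"
    findings = []
    homes = shares.get("homes")
    if homes is not None and homes.get("valid users") != "%S":
        findings.append("[homes]: set valid users = %S")
    for name, params in shares.items():
        # Entries are separated by commas or spaces; quoted names may contain spaces.
        for entry in re.findall(r'@?"[^"]*"|[^\s,]+', params.get("valid users", "")):
            entry = entry.replace('"', "")
            # Heuristic: a local UNIX group would also match, so review each hit.
            if is_ads_member and entry.startswith("@") and "\\" not in entry:
                findings.append(f"[{name}]: {entry} lacks a DOMAIN\\ prefix")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_valid_users(SAMPLE)))
```
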



    Samba-3 by Example: Practical Exercises to Successful Deployment (2nd Edition)
    ISBN: 013188221X
    EAN: 2147483647
    Year: 2005
    Pages: 142
