Section 11.4. Questions and Answers



1. Q:

Does Samba-3 require the Sign'n'seal registry hacks needed by Samba-2?


No. Samba-3 fully supports Sign'n'seal as well as schannel operation. The registry change should not be applied when Samba-3 is used as a domain controller.

2. Q:

Does Samba-3 support Active Directory?


Yes. Samba-3 can be a fully participating native mode Active Directory client. Samba-3 does not provide Active Directory services. It cannot be used to replace a Microsoft Active Directory server implementation. Samba-3 can function as an Active Directory client (workstation) toolkit, and it can function as an Active Directory domain member server.

3. Q:

When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was necessary with Samba-2?


No. Samba-3 can be used with NetBIOS over TCP/IP disabled, just as can be done with Windows 200x Server and 200x/XP Pro client products. It is no longer necessary to run mixed-mode operation, because Samba-3 can join a native Windows 2003 Server ADS domain.

4. Q:

Is it safe to set share-level access controls in Samba?


Yes. Share-level access controls have been supported since early versions of Samba-2. This is very mature technology. Not enough sites make use of this powerful capability, either on Windows servers or on Samba servers.

5. Q:

Is it mandatory to set share ACLs to get a secure Samba-3 server?


No. Samba-3 honors UNIX/Linux file system security, supports Windows 200x ACLs, and provides means of securing shares through share definition controls in the smb.conf file. The additional support for share-level ACLs is like frosting on the cake. It adds to security but is not essential to it.

6. Q:

The valid users parameter did not work on the [homes] share. Has this functionality been restored yet?


Yes. This was fixed in Samba-3.0.2. The use of this parameter is strongly recommended as a safeguard on the [homes] meta-service. The correct way to specify this is: valid users = %S.

7. Q:

Is the bias against use of the force user and force group really warranted?


There is no bias. There is a determination to recommend the right tool for the task at hand. After all, it is better than putting users through performance problems, isn't it?

8. Q:

The example given for file and directory access control forces all files to be owned by one particular user. I do not like that. Is there any way I can see who created the file?


Sure. You do not have to set the SUID bit on the directory. Simply execute the following command to permit file ownership to be retained by the user who created it:

root#  find /usr/data/finance -type d -exec chmod g+s {} \;

Note that this required no more than removing the u argument so that the SUID bit is not set for the owner.

9. Q:

In the book, "The Official Samba-3 HOWTO and Reference Guide", you recommended use of the Windows NT4 Server Manager (part of the SRVTOOLS.EXE) utility. Why have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility?


Either tool can be used with equal effect. There is no benefit of one over the other, except that the MMC utility is present on all Windows 200x/XP systems and does not require additional software to be downloaded and installed. Note that if you want to manage user and group accounts in your Samba-controlled domain, the only tool that permits that is the NT4 Domain User Manager, which is provided as part of the SRVTOOLS.EXE utility.

10. Q:

I tried to set valid users = @Engineers, but it does not work. My Samba server is an Active Directory domain member server. Has this been fixed now?


The use of this parameter has always required the full specification of the domain account, for example, valid users = @"MEGANET2\Domain Admins".
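The two valid users rules from questions 6 and 10 can be checked mechanically. The following Python sketch is an added example, not code from the book or from the Samba project; the sample smb.conf, the share names and paths, and the function names are constructed for illustration, and it assumes the default backslash separator between domain and account name.

```python
import re

# Constructed sample smb.conf for a domain member server (not from the book).
SAMPLE = r"""
[global]
    security = ads
    workgroup = MEGANET2

[homes]
    read only = no

[engineering]
    path = /data/engineering
    valid users = @Engineers

[admin]
    path = /data/admin
    valid users = @"MEGANET2\Domain Admins"
"""

# One entry of a valid users list: optionally quoted, optional @ + & prefix.
ENTRY = re.compile(r'[@+&]*"[^"]*"|[^\s,]+')

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with lower-cased names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit(text):
    """Apply the valid users checks described in questions 6 and 10."""
    sections, findings = parse_smb_conf(text), []
    homes = sections.get("homes")
    if homes is not None and homes.get("valid users") != "%S":
        findings.append("[homes]: set valid users = %S")
    security = sections.get("global", {}).get("security", "").lower()
    member = security in ("ads", "domain")  # domain member server
    for name, params in sections.items():
        for entry in ENTRY.findall(params.get("valid users", "")):
            if member and entry[0] in "@+&" and "\\" not in entry:
                findings.append(f"[{name}]: {entry} has no domain prefix")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A group entry flagged by the second check may be a deliberate reference to a local UNIX group, so treat that finding as a prompt to review the share rather than as an error.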

    Samba-3 by Example: Practical Exercises to Successful Deployment (2nd Edition)
    ISBN: 013188221X
    Year: 2005
    Pages: 142