--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 11. Active Directory, Kerberos, and Security</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.68.1"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="RefSection.html" title="Part III. Reference Section"><link rel="next" href="DomApps.html" title="Chapter 12. Integrating Additional Services"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 11. Active Directory, Kerberos, and Security</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="RefSection.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="DomApps.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="kerberos"></a>Chapter 11. Active Directory, Kerberos, and Security</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="kerberos.html#id2578889">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id2579543">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id2579560">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id2579950">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#ch10expl">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="kerberos.html#id2581817">Share Access Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2582166">Share Definition Controls</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2582774">Share Point Directory and File Permissions</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2583178">Managing Windows 200x ACLs</a></span></dt><dt><span class="sect2"><a href="kerberos.html#id2583904">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="kerberos.html#id2584039">Questions and Answers</a></span></dt></dl></div><p><a class="indexterm" name="id2578825"></a>
+ By this point in the book, you have been exposed to many Samba-3 features and capabilities.
+ More importantly, if you have implemented the examples given, you are well on your way to becoming
+ a Samba-3 networking guru who knows a lot about Microsoft Windows. If you have taken the time to
+ practice, you likely have thought of improvements and scenarios with which you can experiment. You
+ are rather well plugged in to the many flexible ways Samba can be used.
+ </p><p><a class="indexterm" name="id2578844"></a>
+ This is a book about Samba-3. Understandably, its intent is to present it in a positive light.
+ The casual observer might conclude that this book is one-eyed about Samba. It is what
+ would you expect? This chapter exposes some criticisms that have been raised concerning
+ the use of Samba. For each criticism, there are good answers and appropriate solutions.
+ </p><p>
+ Some criticism always comes from deep inside ranks that one would expect to be supportive of a particular
+ decision. Criticism can be expected from the outside. Let's see how the interesting dynamic of
+ criticism develops with respect to Abmas.
+ </p><p><a class="indexterm" name="id2578872"></a>
+ This chapter provides a shameless self-promotion of Samba-3. The objections raised were not pulled
+ out of thin air. They were drawn from comments made by Samba users and from criticism during
+ discussions with Windows network administrators. The tone of the objections reflects as closely
+ as possible that of the original. The case presented is a straw-man example that is designed to
+ permit each objection to be answered as it might occur in real life.
+ </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2578889"></a>Introduction</h2></div></div></div><p><a class="indexterm" name="id2578895"></a><a class="indexterm" name="id2578903"></a><a class="indexterm" name="id2578911"></a><a class="indexterm" name="id2578919"></a><a class="indexterm" name="id2578927"></a>
+ Abmas is continuing its meteoric growth with yet further acquisitions. The investment community took
+ note of the spectacular projection of Abmas onto the global business stage. Abmas is building an
+ interesting portfolio of companies that includes accounting services, financial advice, investment
+ portfolio management, property insurance, risk assessment, and the recent addition of a a video rental
+ business. The pieces do not always appear to fit together, but Mr. Meany is certainly executing an
+ interesting business growth and development plan. Abmas Video Rentals was recently acquired.
+ During the time that the acquisition was closing, the Video Rentals business upgraded its Windows
+ NT4-based network to Windows 2003 Server and Active Directory.
+ </p><p><a class="indexterm" name="id2578964"></a>
+ You have accepted the fact that Abmas Video Rentals will use Microsoft Active Directory.
+ The IT team, led by Stan Soroka, is committed to Samba-3 and to maintaining a uniform technology platform.
+ Stan Soroka's team voiced its disapproval over the decision to permit this business to continue to
+ operate with a solution that is viewed by Christine and her group as “<span class="quote">an island of broken
+ technologies.</span>” This comment was made by one of Christine's staff as they were installing a new
+ Samba-3 server at the new business.
+ </p><p><a class="indexterm" name="id2578988"></a><a class="indexterm" name="id2578995"></a>
+ Abmas Video Rentals' head of IT heard of this criticism. He was offended that a junior engineer
+ should make such a comment. He felt that he had to prepare in case he might be criticized for his
+ decision to use Active Directory. He decided he would defend his decision by hiring the services
+ of an outside security systems consultant to report<sup>[<a name="id2579010" href="#ftn.id2579010">12</a>]</sup> on his unit's operations
+ and to investigate the role of Samba at his site. Here are key extracts from this hypothetical
+ report:
+ </p><div class="blockquote"><blockquote class="blockquote"><p><a class="indexterm" name="id2579021"></a><a class="indexterm" name="id2579029"></a><a class="indexterm" name="id2579037"></a><a class="indexterm" name="id2579045"></a>
+ ... the implementation of Microsoft Active Directory at the Abmas Video Rentals, Bamingsham site,
+ has been examined. We find no evidence to support a notion that vulnerabilities exist at your site.
+ ... we took additional steps to validate the integrity of the installation and operation of Active
+ Directory and are pleased that your staff are following sound practices.
+ </p><p>
+ ...
+ </p><p><a class="indexterm" name="id2579066"></a><a class="indexterm" name="id2579077"></a><a class="indexterm" name="id2579089"></a><a class="indexterm" name="id2579096"></a><a class="indexterm" name="id2579104"></a><a class="indexterm" name="id2579112"></a>
+ User and group accounts, and respective privileges, have been well thought out. File system shares are
+ appropriately secured. Backup and disaster recovery plans are well managed and validated regularly, and
+ effective off-site storage practices are considered to exceed industry norms.
+ </p><p><a class="indexterm" name="id2579128"></a><a class="indexterm" name="id2579136"></a><a class="indexterm" name="id2579144"></a>
+ Your staff are justifiably concerned that the use of Samba may compromise their good efforts to maintain
+ a secure network.
+ </p><p><a class="indexterm" name="id2579161"></a><a class="indexterm" name="id2579169"></a><a class="indexterm" name="id2579177"></a><a class="indexterm" name="id2579185"></a>
+ The recently installed Linux file and application server uses a tool called <span><strong class="command">winbind</strong></span>
+ that is indiscriminate about security. All user accounts in Active Directory can be used to access data
+ stored on the Linux system. We are alarmed that secure information is accessible to staff who should
+ not even be aware that it exists. We share the concerns of your network management staff who have gone
+ to great lengths to set fine-grained controls that limit information access to those who need access.
+ It seems incongruous to us that Samba winbind should be permitted to be used considering that it voids this fine work.
+ </p><p><a class="indexterm" name="id2579216"></a><a class="indexterm" name="id2579223"></a><a class="indexterm" name="id2579231"></a>
+ Graham Judd [head of network administration] has locked down the security of all systems and is following
+ the latest Microsoft guidelines. ... null session connections have been disabled ... the internal network
+ is isolated from the outside world, the [product name removed] firewall is under current contract
+ maintenance support from [the manufacturer]. ... our attempts to penetrate security of your systems
+ failed to find problems common to Windows networking sites. We commend your staff on their attention to
+ detail and for following Microsoft recommended best practices.
+ </p><p>
+ ...
+ </p><p><a class="indexterm" name="id2579256"></a><a class="indexterm" name="id2579264"></a><a class="indexterm" name="id2579272"></a><a class="indexterm" name="id2579280"></a>
+ Regarding the use of Samba, we offer the following comments: Samba is in use in nearly half of
+ all sites we have surveyed. ... It is our opinion that Samba offers no better security than Microsoft
+ ... what worries us regarding Samba is the need to disable essential Windows security features such as
+ secure channel support, digital sign'n'seal on all communication traffic, and running Active Directory in
+ mixed mode so that Samba clients and servers can authenticate all of it. Additionally, we are concerned that
+ Samba is not at the full capabilities of Microsoft Windows NT4 server. Microsoft has moved well beyond that
+ with trusted computing initiatives that the Samba developers do not participate in.
+ </p><p><a class="indexterm" name="id2579303"></a><a class="indexterm" name="id2579311"></a><a class="indexterm" name="id2579319"></a><a class="indexterm" name="id2579326"></a><a class="indexterm" name="id2579334"></a><a class="indexterm" name="id2579342"></a><a class="indexterm" name="id2579350"></a>
+ One wonders about the integrity of an open source program that is developed by a team of hackers
+ who cannot be held accountable for the flaws in their code. The sheer number of updates and bug
+ fixes they have released should ring alarm bells in any business.
+ </p><p><a class="indexterm" name="id2579366"></a><a class="indexterm" name="id2579374"></a><a class="indexterm" name="id2579381"></a>
+ Another factor that should be considered is that buying Microsoft products and services helps to
+ provide employment in the IT industry. Samba and Open Source software place those jobs at risk.
+ </p></blockquote></div><p><a class="indexterm" name="id2579396"></a><a class="indexterm" name="id2579404"></a>
+ This is also a challenge to rise above the trouble spot. You call Stan's team together for a simple
+ discussion, but it gets further out of hand. When you return to your office, you find the following
+ email in your in-box:
+ </p><p>
+ Good afternoon,
+ </p><div class="blockquote"><table border="0" width="100%" cellspacing="0" cellpadding="0" class="blockquote" summary="Block quote"><tr><td width="10%" valign="top"> </td><td width="80%" valign="top"><p>
+ I apologize for the leak of internal discussions to the new business. It reflects poorly on our
+ professionalism and has put you in an unpleasant position. I regret the incident.
+ </p><p>
+ I also wish to advise that two of the recent recruits want to implement Kerberos authentication
+ across all systems. I concur with the desire to improve security. One of the new guys who is championing
+ the move to Kerberos was responsible for the comment that caused the embarrassment.
+ </p><p><a class="indexterm" name="id2579441"></a><a class="indexterm" name="id2579449"></a><a class="indexterm" name="id2579456"></a><a class="indexterm" name="id2579464"></a>
+ I am experiencing difficulty in handling the sharp push for Kerberos. He claims that Kerberos, OpenLDAP,
+ plus Samba-3 will seamlessly replace Microsoft Active Directory. I am a little out of my depth with respect
+ to the feasibility of such a move, but have taken steps to pull both of them into line. With your consent,
+ I would like to hire the services of a well-known Samba consultant to set the record straight.
+ </p><p><a class="indexterm" name="id2579483"></a><a class="indexterm" name="id2579491"></a><a class="indexterm" name="id2579498"></a><a class="indexterm" name="id2579506"></a><a class="indexterm" name="id2579514"></a><a class="indexterm" name="id2579522"></a>
+ I intend to use this report to answer the criticism raised and would like to establish a policy that we
+ will approve the use of Microsoft Windows Servers (and Active Directory) subject to all costs being covered
+ out of the budget of the division that wishes to go its own way. I propose that dissenters will still remain
+ responsible to meet the budgeted contribution to IT operations as a whole. I believe we should not coerce
+ use of any centrally proposed standards, but make all noncompliance the financial responsibility of the
+ out-of-step division. Hopefully, this will encourage all divisions to walk with us and not alone.
+ </p></td><td width="10%" valign="top"> </td></tr><tr><td width="10%" valign="top"> </td><td colspan="2" align="right" valign="top">--<span class="attribution">Stan</span></td></tr></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2579543"></a>Assignment Tasks</h3></div></div></div><p>
+ You agreed with Stan's recommendations and hired a consultant to help defuse the powder
+ keg. The consultant's task is to provide a tractable answer to each of the issues raised. The consultant must be able
+ to support his or her claims, keep emotions to the side, and answer technically.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2579560"></a>Dissection and Discussion</h2></div></div></div><p><a class="indexterm" name="id2579566"></a><a class="indexterm" name="id2579574"></a><a class="indexterm" name="id2579582"></a><a class="indexterm" name="id2579590"></a><a class="indexterm" name="id2579598"></a><a class="indexterm" name="id2579606"></a><a class="indexterm" name="id2579614"></a>
+ Samba-3 is a tool. No one is pounding your door to make you use Samba. That is a choice that you are free to
+ make or reject. It is likely that your decision to use Samba can greatly benefit your company.
+ The Samba Team obviously believes that the Samba software is a worthy choice.
+ If you hire a consultant to assist with the installation and/or deployment of Samba, or if you hire
+ someone to help manage your Samba installation, you can create income and employment. Alternately,
+ money saved by not spending in the IT area can be spent elsewhere in the business. All money saved
+ or spent creates employment.
+ </p><p><a class="indexterm" name="id2579635"></a><a class="indexterm" name="id2579644"></a><a class="indexterm" name="id2579652"></a><a class="indexterm" name="id2579660"></a><a class="indexterm" name="id2579668"></a>
+ In the long term, the use of Samba must be economically sustainable. In some situations, Samba is adopted
+ purely to provide file and print service interoperability on platforms that otherwise cannot provide
+ access to data and to printers for Microsoft Windows clients. Samba is used by some businesses to
+ effect a reduction in the cost of providing IT services. Obviously, it is also used by some as an
+ alternative to the use of a Microsoft file and print serving platforms with no consideration of costs.
+ </p><p><a class="indexterm" name="id2579687"></a><a class="indexterm" name="id2579695"></a><a class="indexterm" name="id2579703"></a><a class="indexterm" name="id2579711"></a>
+ It would be foolish to adopt a technology that might put any data or users at risk. Security affects
+ everyone. The Samba-Team is fully cognizant of the responsibility they have to their users.
+ The Samba documentation clearly reveals that full responsibility is accepted to fix anything
+ that is broken.
+ </p><p><a class="indexterm" name="id2579727"></a><a class="indexterm" name="id2579735"></a><a class="indexterm" name="id2579743"></a><a class="indexterm" name="id2579751"></a><a class="indexterm" name="id2579763"></a><a class="indexterm" name="id2579770"></a><a class="indexterm" name="id2579778"></a><a class="indexterm" name="id2579786"></a><a class="indexterm" name="id2579794"></a><a class="indexterm" name="id2579802"></a><a class="indexterm" name="id2579810"></a>
+ There is a mistaken perception in the IT industry that commercial software providers are fully
+ accountable for the defects in products. Open Source software comes with no warranty, so it is
+ often assumed that its use confers a higher degree of risk. Everyone should read commercial software
+ End User License Agreements (EULAs). You should determine what real warranty is offered and the
+ extent of liability that is accepted. Doing so soon dispels the popular notion that
+ commercial software vendors are willingly accountable for product defects. In many cases, the
+ commercial vendor accepts liability only to reimburse the price paid for the software.
+ </p><p><a class="indexterm" name="id2579832"></a><a class="indexterm" name="id2579840"></a><a class="indexterm" name="id2579848"></a><a class="indexterm" name="id2579856"></a><a class="indexterm" name="id2579864"></a><a class="indexterm" name="id2579872"></a>
+ The real issues that a consumer (like you) needs answered are What is the way of escape from technical
+ problems, and how long will it take? The average problem turnaround time in the Open Source community is
+ approximately 48 hours. What does the EULA offer? What is the track record in the commercial software
+ industry? What happens when your commercial vendor decides to cease providing support?
+ </p><p><a class="indexterm" name="id2579890"></a><a class="indexterm" name="id2579898"></a><a class="indexterm" name="id2579906"></a><a class="indexterm" name="id2579914"></a><a class="indexterm" name="id2579921"></a><a class="indexterm" name="id2579929"></a><a class="indexterm" name="id2579937"></a>
+ Open Source software at least puts you in possession of the source code. This means that when
+ all else fails, you can hire a programmer to solve the problem.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2579950"></a>Technical Issues</h3></div></div></div><p>
+ Each issue is now discussed and, where appropriate, example implementation steps are
+ provided.
+ </p><div class="variablelist"><dl><dt><span class="term">Winbind and Security</span></dt><dd><p><a class="indexterm" name="id2579971"></a><a class="indexterm" name="id2579978"></a><a class="indexterm" name="id2579986"></a><a class="indexterm" name="id2579998"></a><a class="indexterm" name="id2580006"></a><a class="indexterm" name="id2580014"></a><a class="indexterm" name="id2580022"></a><a class="indexterm" name="id2580030"></a><a class="indexterm" name="id2580038"></a><a class="indexterm" name="id2580046"></a>
+ Windows network administrators may be dismayed to find that <span><strong class="command">winbind</strong></span>
+ exposes all domain users so that they may use their domain account credentials to
+ log on to a UNIX/Linux system. The fact that all users in the domain can see the
+ UNIX/Linux server in their Network Neighborhood and can browse the shares on the
+ server seems to excite them further.
+ </p><p><a class="indexterm" name="id2580069"></a><a class="indexterm" name="id2580077"></a><a class="indexterm" name="id2580085"></a><a class="indexterm" name="id2580093"></a>
+ <span><strong class="command">winbind</strong></span> provides for the UNIX/Linux domain member server or
+ client, the same as one would obtain by adding a Microsoft Windows server or
+ client to the domain. The real objection is the fact that Samba is not MS Windows
+ and therefore requires handling a little differently from the familiar Windows systems.
+ One must recognize fear of the unknown.
+ </p><p><a class="indexterm" name="id2580116"></a><a class="indexterm" name="id2580124"></a><a class="indexterm" name="id2580132"></a><a class="indexterm" name="id2580140"></a><a class="indexterm" name="id2580147"></a><a class="indexterm" name="id2580159"></a>
+ Windows network administrators need to recognize that <span><strong class="command">winbind</strong></span> does
+ not, and cannot, override account controls set using the Active Directory management
+ tools. The control is the same. Have no fear.
+ </p><p><a class="indexterm" name="id2580180"></a><a class="indexterm" name="id2580187"></a><a class="indexterm" name="id2580199"></a><a class="indexterm" name="id2580207"></a><a class="indexterm" name="id2580214"></a><a class="indexterm" name="id2580222"></a><a class="indexterm" name="id2580230"></a><a class="indexterm" name="id2580238"></a><a class="indexterm" name="id2580246"></a><a class="indexterm" name="id2580254"></a>
+ Where Samba and the ADS domain account information obtained through the use of
+ <span><strong class="command">winbind</strong></span> permits access, by browsing or by the drive mapping to
+ a share, to data that should be better protected. This can only happen when security
+ controls have not been properly implemented. Samba permits access controls to be set
+ on:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>Shares themselves (i.e., the logical share itself)</p></li><li><p>The share definition in <code class="filename">smb.conf</code></p></li><li><p>The shared directories and files using UNIX permissions</p></li><li><p>Using Windows 2000 ACLs if the file system is POSIX enabled</p></li></ul></div><p>
+ Examples of each are given in <a href="kerberos.html#ch10expl" title="Implementation">???</a>.
+ </p></dd><dt><span class="term">User and Group Controls</span></dt><dd><p><a class="indexterm" name="id2580328"></a><a class="indexterm" name="id2580337"></a><a class="indexterm" name="id2580348"></a><a class="indexterm" name="id2580359"></a><a class="indexterm" name="id2580367"></a><a class="indexterm" name="id2580375"></a><a class="indexterm" name="id2580383"></a><a class="indexterm" name="id2580390"></a><a class="indexterm" name="id2580398"></a>
+ User and group management facilities as known in the Windows ADS environment may be
+ used to provide equivalent access control constraints or to provide equivalent
+ permissions and privileges on Samba servers. Samba offers greater flexibility in the
+ use of user and group controls because it has additional layers of control compared to
+ Windows 200x/XP. For example, access controls on a Samba server may be set within
+ the share definition in a manner for which Windows has no equivalent.
+ </p><p><a class="indexterm" name="id2516957"></a><a class="indexterm" name="id2516965"></a><a class="indexterm" name="id2516973"></a><a class="indexterm" name="id2516981"></a><a class="indexterm" name="id2516992"></a><a class="indexterm" name="id2517000"></a><a class="indexterm" name="id2517008"></a>
+ In any serious analysis of system security, it is important to examine the safeguards
+ that remain when all other protective measures fail. An administrator may inadvertently
+ set excessive permissions on the file system of a shared resource, or he may set excessive
+ privileges on the share itself. If that were to happen in a Windows 2003 Server environment,
+ the data would indeed be laid bare to abuse. Yet, within a Samba share definition, it is
+ possible to guard against that by enforcing controls on the share definition itself. You
+ see a practical example of this a little later in this chapter.
+ </p><p><a class="indexterm" name="id2517030"></a><a class="indexterm" name="id2517038"></a>
+ The report that is critical of Samba really ought to have exercised greater due
+ diligence: the real weakness is on the side of a Microsoft Windows environment.
+ </p></dd><dt><span class="term">Security Overall</span></dt><dd><p><a class="indexterm" name="id2517060"></a>
+ Samba is designed in such a manner that weaknesses inherent in the design of
+ Microsoft Windows networking ought not to expose the underlying UNIX/Linux file
+ system in any way. All software has potential defects, and Samba is no exception.
+ What matters more is how defects that are discovered get dealt with.
+ </p><p><a class="indexterm" name="id2517076"></a><a class="indexterm" name="id2517084"></a><a class="indexterm" name="id2517092"></a><a class="indexterm" name="id2517100"></a>
+ The Samba Team totally agrees with the necessity to observe and fully implement
+ every security facility to provide a level of protection and security that is necessary
+ and that the end user (or network administrator) needs. Never would the Samba Team
+ recommend a compromise to system security, nor would deliberate defoliation of
+ security be publicly condoned; yet this is the practice by many Windows network
+ administrators just to make happy users who have no notion of consequential risk.
+ </p><p><a class="indexterm" name="id2517120"></a><a class="indexterm" name="id2517128"></a><a class="indexterm" name="id2517136"></a><a class="indexterm" name="id2517144"></a><a class="indexterm" name="id2517151"></a><a class="indexterm" name="id2517159"></a><a class="indexterm" name="id2517167"></a>
+ The report condemns Samba for releasing updates and security fixes, yet Microsoft
+ online updates need to be applied almost weekly. The answer to the criticism
+ lies in the fact that Samba development is continuing, documentation is improving,
+ user needs are being increasingly met or exceeded, and security updates are issued
+ with a short turnaround time.
+ </p><p><a class="indexterm" name="id2517185"></a><a class="indexterm" name="id2517193"></a><a class="indexterm" name="id2517201"></a><a class="indexterm" name="id2517209"></a><a class="indexterm" name="id2517217"></a>
+ The release of Samba-4 is expected around late 2004 to early 2005 and involves a near
+ complete rewrite to permit extensive modularization and to prepare Samba for new
+ functionality planned for addition during the next-generation series. The Samba Team
+ is responsible and can be depended upon; the history to date suggests a high
+ degree of dependability and on charter development consistent with published
+ roadmap projections.
+ </p><p><a class="indexterm" name="id2580975"></a><a class="indexterm" name="id2580982"></a><a class="indexterm" name="id2580994"></a><a class="indexterm" name="id2581005"></a><a class="indexterm" name="id2581013"></a><a class="indexterm" name="id2581021"></a><a class="indexterm" name="id2581029"></a>
+ Not well published is the fact that Microsoft was a foundation member of
+ the Common Internet File System (CIFS) initiative, together with the participation
+ of the network attached storage (NAS) industry. Unfortunately, for the past few years,
+ Microsoft has been absent from active involvement at CIFS conferences and has
+ not exercised the leadership expected of a major force in the networking technology
+ space. The Samba Team has maintained consistent presence and leadership at all
+ CIFS conferences and at the interoperability laboratories run concurrently with
+ them.
+ </p></dd><dt><span class="term">Cryptographic Controls (schannel, sign'n'seal)</span></dt><dd><p><a class="indexterm" name="id2581059"></a><a class="indexterm" name="id2581067"></a><a class="indexterm" name="id2581075"></a>
+ The report correctly mentions that Samba did not support the most recent
+ <code class="constant">schannel</code> and <code class="constant">digital sign'n'seal</code> features
+ of Microsoft Windows NT/200x/XPPro products. This is one of the key features
+ of the Samba-3 release. Market research reports take so long to generate that they are
+ seldom a reflection of current practice, and in many respects reports are like a
+ pathology report they reflect accurately (at best) status at a snapshot in time.
+ Meanwhile, the world moves on.
+ </p><p><a class="indexterm" name="id2581105"></a><a class="indexterm" name="id2581112"></a><a class="indexterm" name="id2581120"></a><a class="indexterm" name="id2581128"></a><a class="indexterm" name="id2581136"></a><a class="indexterm" name="id2581151"></a><a class="indexterm" name="id2581159"></a>
+ It should be pointed out that had clear public specifications for the protocols
+ been published, it would have been much easier to implement these features and would have
+ taken less time to do. The sole mechanism used to find an algorithm that is compatible
+ with the methods used by Microsoft has been based on observation of network traffic
+ and trial-and-error implementation of potential techniques. The real value of public
+ and defensible standards is obvious to all and would have enabled more secure networking
+ for everyone.
+ </p><p><a class="indexterm" name="id2581179"></a><a class="indexterm" name="id2581187"></a>
+ Critics of Samba often ignore fundamental problems that may plague (or may have plagued)
+ the users of Microsoft's products also. Those who are first to criticize Samba
+ for not rushing into release of <code class="constant">digital sign'n'seal</code> support
+ often dismiss the problems that Microsoft has
+ <a href="http://support.microsoft.com/default.aspx?kbid=321733" target="_top">acknowledged</a>
+ and for which a fix was provided. In fact,
+ <a href="http://www.tangent-systems.com/support/delayedwrite.html" target="_top">Tangent Systems</a>
+ have documented a significant problem with delays writes that can be connected with the
+ implementation of sign'n'seal. They provide a work-around that is not trivial for many
+ Windows networking sites. From notes such as this it is clear that there are benefits
+ from not rushing new technology out of the door too soon.
+ </p><p><a class="indexterm" name="id2581227"></a><a class="indexterm" name="id2581235"></a><a class="indexterm" name="id2581243"></a><a class="indexterm" name="id2581251"></a><a class="indexterm" name="id2581259"></a><a class="indexterm" name="id2581267"></a><a class="indexterm" name="id2581275"></a><a class="indexterm" name="id2581283"></a><a class="indexterm" name="id2581291"></a>
+ One final comment is warranted. If companies want more secure networking protocols,
+ the most effective method by which this can be achieved is by users seeking
+ and working together to help define open and publicly refereed standards. The
+ development of closed source, proprietary methods that are developed in a
+ clandestine framework of secrecy, under claims of digital rights protection, does
+ not favor the diffusion of safe networking protocols and certainly does not
+ help the consumer to make a better choice.
+ </p></dd><dt><span class="term">Active Directory Replacement with Kerberos, LDAP, and Samba</span></dt><dd><p>
+ </p><div class="literallayout"><p> </p></div><p>
+ The Microsoft networking protocols extensively make use of remote procedure call (RPC)
+ technology. Active Directory is not a simple mixture of LDAP and Kerberos together
+ with file and print services, but rather is a complex, intertwined implementation
+ of them that uses RPCs that are not supported by any of these component technologies
+ and yet by which they are made to interoperate in ways that the components do not
+ support.
+ </p><p><a class="indexterm" name="id2581379"></a><a class="indexterm" name="id2581390"></a><a class="indexterm" name="id2581398"></a><a class="indexterm" name="id2581406"></a><a class="indexterm" name="id2581414"></a>
+ In order to make the popular request for Samba to be an Active Directory Server a
+ reality, it is necessary to add to OpenLDAP, Kerberos, as well as Samba, RPC calls
+ that are not presently supported. The Samba Team has not been able to gain critical
+ overall support for all project maintainers to work together on the complex
+ challenge of developing and integrating the necessary technologies. Therefore, if
+ the Samba Team does not make it a priority to absorb Kerberos and LDAP functionality
+ into the Samba project, this dream request cannot become a reality.
+ </p><p><a class="indexterm" name="id2581435"></a><a class="indexterm" name="id2581443"></a><a class="indexterm" name="id2581451"></a><a class="indexterm" name="id2581462"></a><a class="indexterm" name="id2581469"></a>
+ At this time, the integration of LDAP, Kerberos, and the missing RPCs is not on the
+ Samba development roadmap. If it is not on the published roadmap, it cannot be delivered
+ anytime soon. Ergo, ADS server support is not a current goal for Samba development.
+ The Samba Team is most committed to permitting Samba to be a full ADS domain member
+ that is increasingly capable of being managed using Microsoft Windows MMC tools.
+ </p></dd></dl></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2581489"></a>Kerberos Exposed</h4></div></div></div><p><a class="indexterm" name="id2581496"></a><a class="indexterm" name="id2581504"></a><a class="indexterm" name="id2581512"></a>
+ Kerberos is a network authentication protocol that provides secure authentication for
+ client-server applications by using secret-key cryptography. Firewalls are an insufficient
+ barrier mechanism in today's networking world; at best they only restrict incoming network
+ traffic but cannot prevent network traffic that comes from authorized locations from
+ performing unauthorized activities.
+ </p><p><a class="indexterm" name="id2581530"></a><a class="indexterm" name="id2581538"></a><a class="indexterm" name="id2581546"></a>
+ Kerberos was created by MIT as a solution to network security problems. The Kerberos protocol uses
+ strong cryptography so that a client can prove its identity to a server (and vice versa) across an
+ insecure network connection. After a client and server has used Kerberos to prove their identity,
+ they can also encrypt all of their communications to assure privacy and data integrity as they go
+ about their business.
+ </p><p><a class="indexterm" name="id2581564"></a><a class="indexterm" name="id2581572"></a><a class="indexterm" name="id2581580"></a><a class="indexterm" name="id2581588"></a><a class="indexterm" name="id2581599"></a>
+ Kerberos is a trusted third-party service. That means that there is a third party (the kerberos
+ server) that is trusted by all the entities on the network (users and services, usually called
+ principals). All principals share a secret password (or key) with the kerberos server and this
+ enables principals to verify that the messages from the kerberos server are authentic. Therefore,
+ trusting the kerberos server, users and services can authenticate each other.
+ </p><p>
+ <a class="indexterm" name="id2581619"></a>
+ <a class="indexterm" name="id2581626"></a>
+ <a class="indexterm" name="id2581633"></a>
+ Kerberos was, until recently, a technology that was restricted from being exported from the United States.
+ For many years that hindered global adoption of more secure networking technologies both within the United States
+ and abroad. A free and unencumbered implementation of MIT Kerberos has been produced in Europe
+ and is available from the University of Paderborn, Sweden. It is known as the Heimdal Kerberos project.
+ In recent times the U.S. government has removed sanctions affecting the global distribution of MIT Kerberos.
+ It is likely that there will be a significant surge forward in the development of Kerberos-enabled applications
+ and in the general deployment and use of Kerberos across the spectrum of the information technology industry.
+ </p><p>
+ <a class="indexterm" name="id2581656"></a>
+ A storm has broken out concerning interoperability between MIT Kerberos and Microsofts' implementation
+ of it. For example, a 2002
+ <a href="http://www.idg.com.sg/idgwww.nsf/0/5DDA8D153A7505A748256BAB000D992A?OpenDocument" target="_top">IDG</a>
+ report<sup>[<a name="id2581675" href="#ftn.id2581675">13</a>]</sup> by
+ states:
+ </p><div class="blockquote"><blockquote class="blockquote"><p>
+ A Microsoft Corp. executive testified at the software giant's remedy hearing that the company goes to
+ great lengths to disclose interfaces and protocols that allow third-party software products to interact
+ with Windows. But a lawyer with the states suing Microsoft pointed out that when it comes to the company's
+ use of the Kerberos authentication specification, not everyone agrees.
+ </p><p>
+ <a class="indexterm" name="id2581701"></a>
+ Robert Short, vice president of Windows core technology at Microsoft, wrote in his direct testimony prepared
+ before his appearance that non-Microsoft operating systems can disregard the portion of the Kerberos version
+ 5 specification that Windows clients use for proprietary purposes and still achieve interoperability with
+ the Microsoft OS. Microsoft takes advantage of unspecified fields in the Kerberos specification for storing
+ Windows-specific authorization data, Short wrote. The designers of Kerberos left these fields undefined so
+ that software developers could add their own authorization information, he said.
+ </p></blockquote></div><p>
+ <a class="indexterm" name="id2581724"></a>
+ <a class="indexterm" name="id2581730"></a>
+ It so happens that Microsoft Windows clients depend on and expect the contents of the <span class="emphasis"><em>unspecified
+ fields</em></span> in the Kerberos 5 communications data stream for their Windows interoperability,
+ particularly when Samba is expected to emulate a Windows Server 200x domain controller. But the interoperability
+ issue goes far deeper than this. In the domain control protocols that are used by MS Windows XP Professional,
+ there is a tight interdependency between the Kerberos protocols and the Microsoft distributed computing environment
+ (DCE) RPCs that themselves are an integral part of the SMB/CIFS protocols as used by
+ Microsoft.
+ </p><p>
+ Microsoft makes the following comment in a reference in a
+ <a href="http://www.microsoft.com/technet/itsolutions/interop/mgmt/kerberos.asp" target="_top">
+ technet</a> article:
+ </p><div class="blockquote"><blockquote class="blockquote"><p><a class="indexterm" name="id2581766"></a><a class="indexterm" name="id2581778"></a>
+ The DCE Security Services are also layered on the Kerberos protocol. DCE authentication services use RPC
+ representation of Kerberos protocol messages. In addition, DCE uses the authorization data field in Kerberos
+ tickets to convey Privilege Attribute Certificates (PACs) that define user identity and group membership.
+ The DCE PAC is used in a similar manner as Windows NT Security IDs for user authorization and access control.
+ Windows NT services will not be able to translate DCE PACs into Windows NT user and group identifiers. This
+ is not an issue with Kerberos interoperability, but rather an issue of interoperability between DCE and
+ Windows NT access control information.
+ </p></blockquote></div></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="ch10expl"></a>Implementation</h2></div></div></div><p>
+ The following procedures outline the implementation of the security measures discussed so far.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2581817"></a>Share Access Controls</h3></div></div></div><p><a class="indexterm" name="id2581824"></a><a class="indexterm" name="id2581832"></a><a class="indexterm" name="id2581840"></a>
+ Access control entries placed on the share itself act as a filter at the time a when CIFS/SMB client (such as
+ Windows XP Pro) attempts to make a connection to the Samba server.
+ </p><div class="procedure"><a name="id2581853"></a><p class="title"><b>Procedure 11.1. Create/Edit/Delete Share ACLs</b></p><ol type="1"><li><p><a class="indexterm" name="id2581863"></a><a class="indexterm" name="id2581872"></a>
+ From a Windows 200x/XP Professional workstation, log on to the domain using the Domain Administrator
+ account (on Samba domains, this is usually the account called <code class="constant">root</code>).
+ </p></li><li><p>
+ Click
+ <span class="guimenu">Start</span>-><span class="guimenuitem">Settings</span>-><span class="guimenuitem">Control Panel</span>-><span class="guimenuitem">Administrative Tools</span>-><span class="guimenuitem">Computer Management</span>.
+ </p></li><li><p>
+ In the left panel,
+ <span class="guimenu">[Right mouse menu item] Computer Management (Local)</span>-><span class="guimenuitem">Connect to another computer ...</span>-><span class="guimenuitem">Browse...</span>-><span class="guimenuitem">Advanced</span>-><span class="guimenuitem">Find Now</span>. In the lower panel, click on the name of the server you wish to
+ administer. Click <span class="guimenu">OK</span>-><span class="guimenuitem">OK</span>-><span class="guimenuitem">OK</span>.<a class="indexterm" name="id2581995"></a>
+ In the left panel, the entry <span class="guimenu">Computer Management (Local)</span> should now reflect
+ the change made. For example, if the server you are administering is called <code class="constant">FRODO</code>,
+ the Computer Management entry should now say <span class="guimenu">Computer Management (FRODO)</span>.
+ </p></li><li><p>
+ In the left panel, click <span class="guimenu">Computer Management (FRODO)</span>-><span class="guimenuitem">[+] Shared Folders</span>-><span class="guimenuitem">Shares</span>.
+ </p></li><li><p><a class="indexterm" name="id2582059"></a><a class="indexterm" name="id2582067"></a>
+ In the right panel, double-click on the share on which you wish to set/edit ACLs. This
+ will bring up the Properties panel. Click the <span class="guimenu">Share Permissions</span> tab.
+ </p></li><li><p><a class="indexterm" name="id2582090"></a><a class="indexterm" name="id2582098"></a><a class="indexterm" name="id2582106"></a><a class="indexterm" name="id2582114"></a><a class="indexterm" name="id2582122"></a><a class="indexterm" name="id2582130"></a>
+ You may now edit/add/remove access control settings. Be very careful. Many problems have been
+ created by people who decided that everyone should be rejected but one particular group should
+ have full control. This is a catch-22 situation because members of that particular group also
+ belong to the group <code class="constant">Everyone</code>, which therefore overrules any permissions
+ set for the permitted group.
+ </p></li><li><p>
+ When you are done with editing, close all panels by clicking through the <span class="guimenu">OK</span>
+ buttons.
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2582166"></a>Share Definition Controls</h3></div></div></div><p><a class="indexterm" name="id2582173"></a><a class="indexterm" name="id2582184"></a><a class="indexterm" name="id2582192"></a><a class="indexterm" name="id2582200"></a><a class="indexterm" name="id2582208"></a><a class="indexterm" name="id2582216"></a>
+ Share-definition-based access controls can be used like a checkpoint or like a pile-driver. Just as a
+ checkpoint can be used to require someone who wants to get through to meet certain requirements, so
+ it is possible to require the user (or group the user belongs to) to meet specified credential-related
+ objectives. It can be likened to a pile-driver by overriding default controls in that having met the
+ credential-related objectives, the user can be granted powers and privileges that would not normally be
+ available under default settings.
+ </p><p><a class="indexterm" name="id2582236"></a><a class="indexterm" name="id2582244"></a><a class="indexterm" name="id2582252"></a><a class="indexterm" name="id2582260"></a>
+ It must be emphasized that the controls discussed here can act as a filter or give rights of passage
+ that act as a superstructure over normal directory and file access controls. However, share-level
+ ACLs act at a higher level than do share definition controls because the user must filter through the
+ share-level controls to get to the share-definition controls. The proper hierarchy of controls implemented
+ by Samba and Windows networking consists of:
+ </p><div class="orderedlist"><ol type="1"><li><p>Share-level ACLs</p></li><li><p>Share-definition controls</p></li><li><p>Directory and file permissions</p></li><li><p>Directory and file POSIX ACLs</p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2582305"></a>Checkpoint Controls</h4></div></div></div><p><a class="indexterm" name="id2582312"></a>
+ Consider the following extract from a <code class="filename">smb.conf</code> file defining the share called <code class="constant">Apps</code>:
+</p><pre class="screen">
+[Apps]
+ comment = Application Share
+ path = /data/apps
+ read only = Yes
+ valid users = @Employees
+</pre><p>
+ This definition permits only those who are members of the group called <code class="constant">Employees</code> to
+ access the share.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><a class="indexterm" name="id2582348"></a><a class="indexterm" name="id2582359"></a><a class="indexterm" name="id2582367"></a><a class="indexterm" name="id2582375"></a><a class="indexterm" name="id2582383"></a>
+ On domain member servers and clients, even when the <em class="parameter"><code>winbind use default domain</code></em> has
+ been specified, the use of domain accounts in security controls requires fully qualified domain specification,
+ for example, <a class="indexterm" name="id2582401"></a>valid users = @"MEGANET\Northern Engineers".
+ Note the necessity to use the double quotes to avoid having the space in the Windows group name interpreted as a
+ delimiter.
+ </p></div><p><a class="indexterm" name="id2582413"></a><a class="indexterm" name="id2582421"></a><a class="indexterm" name="id2582429"></a>
+ If there is an ACL on the share itself to permit read/write access for all <code class="constant">Employees</code>
+ as well as read/write for the group <code class="constant">Doctors</code>, both groups are permitted through
+ to the share. However, at the moment an attempt is made to set up a connection to the share, a member of
+ the group <code class="constant">Doctors</code>, who is not also a member of the group <code class="constant">Employees</code>,
+ would immediately fail to validate.
+ </p><p><a class="indexterm" name="id2582460"></a>
+ Consider another example. In this case, you want to permit all members of the group <code class="constant">Employees</code>
+ except the user <code class="constant">patrickj</code> to access the <code class="constant">Apps</code> share. This can be
+ easily achieved by setting a share-level ACL permitting only <code class="constant">Employees</code> to access the share,
+ and then in the share definition controls excluding just <code class="constant">patrickj</code>. Here is how that might
+ be done:
+</p><pre class="screen">
+[Apps]
+ comment = Application Share
+ path = /data/apps
+ read only = Yes
+ invalid users = patrickj
+</pre><p>
+ <a class="indexterm" name="id2582501"></a>
+ Let us assume that you want to permit the user <code class="constant">gbshaw</code> to manage any file in the
+ UNIX/Linux file system directory <code class="filename">/data/apps</code>, but you do not want to grant any write
+ permissions beyond that directory tree. Here is one way this can be done:
+</p><pre class="screen">
+[Apps]
+ comment = Application Share
+ path = /data/apps
+ read only = Yes
+ invalid users = patrickj
+ admin users = gbshaw
+</pre><p>
+ <a class="indexterm" name="id2582532"></a>
+ Now we have a set of controls that permits only <code class="constant">Employees</code> who are also members of
+ the group <code class="constant">Doctors</code>, excluding the user <code class="constant">patrickj</code>, to have
+ read-only privilege, but the user <code class="constant">gbshaw</code> is granted administrative rights.
+ The administrative rights conferred upon the user <code class="constant">gbshaw</code> permit operation as
+ if that user has logged in as the user <code class="constant">root</code> on the UNIX/Linux system and thus,
+ for access to the directory tree that has been shared (exported), permit the user to override controls
+ that apply to all other users on that resource.
+ </p><p>
+ There are additional checkpoint controls that may be used. For example, if for the same share we now
+ want to provide the user <code class="constant">peters</code> with the ability to write to one directory to
+ which he has write privilege in the UNIX file system, you can specifically permit that with the
+ following settings:
+</p><pre class="screen">
+[Apps]
+ comment = Application Share
+ path = /data/apps
+ read only = Yes
+ invalid users = patrickj
+ admin users = gbshaw
+ write list = peters
+</pre><p>
+ <a class="indexterm" name="id2582592"></a>
+ This is a particularly complex example at this point, but it begins to demonstrate the possibilities.
+ You should refer to the online manual page for the <code class="filename">smb.conf</code> file for more information regarding
+ the checkpoint controls that Samba implements.
+ </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2582613"></a>Override Controls</h4></div></div></div><p><a class="indexterm" name="id2582620"></a>
+ Override controls implemented by Samba permit actions like the adoption of a different identity
+ during file system operations, the forced overwriting of normal file and directory permissions,
+ and so on. You should refer to the online manual page for the <code class="filename">smb.conf</code> file for more information regarding
+ the override controls that Samba implements.
+ </p><p>
+ In the following example, you want to create a Windows networking share that any user can access.
+ However, you want all read and write operations to be performed as if the user <code class="constant">billc</code>
+ and member of the group <code class="constant">Mentors</code> read/write the files. Here is one way this
+ can be done:
+</p><pre class="screen">
+[someshare]
+ comment = Some Files Everyone May Overwrite
+ path = /data/somestuff
+ read only = No
+ force user = billc
+ force group = Mentors
+</pre><p>
+ <a class="indexterm" name="id2582664"></a><a class="indexterm" name="id2582672"></a>
+ That is all there is to it. Well, it is almost that simple. The downside of this method is that
+ users are logged onto the Windows client as themselves, and then immediately before accessing the
+ file, Samba makes system calls to change the effective user and group to the forced settings
+ specified, completes the file transaction, and then reverts to the actually logged-on identity.
+ This imposes significant overhead on Samba. The alternative way to effectively achieve the same result
+ (but with lower system CPU overheads) is described next.
+ </p><p><a class="indexterm" name="id2582692"></a><a class="indexterm" name="id2582700"></a><a class="indexterm" name="id2582708"></a><a class="indexterm" name="id2582719"></a><a class="indexterm" name="id2582727"></a>
+ The use of the <em class="parameter"><code>force user</code></em> or the <em class="parameter"><code>force group</code></em> may
+ also have a severe impact on system (particularly on Windows client) performance. If opportunistic
+ locking is enabled on the share (the default), it causes an <code class="constant">oplock break</code> to be
+ sent to the client even if the client has not opened the file. On networks that have high traffic
+ density, or on links that are routed to a remote network segment, <code class="constant">oplock breaks</code>
+ can be lost. This results in possible retransmission of the request, or the client may time-out while
+ waiting for the file system transaction (read or write) to complete. The result can be a profound
+ apparent performance degradation as the client continually attempts to reconnect to overcome the
+ effect of the lost <code class="constant">oplock break</code>, or time-out.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2582774"></a>Share Point Directory and File Permissions</h3></div></div></div><p><a class="indexterm" name="id2582782"></a><a class="indexterm" name="id2582790"></a><a class="indexterm" name="id2582798"></a><a class="indexterm" name="id2582805"></a>
+ Samba has been designed and implemented so that it respects as far as is feasible the security and
+ user privilege controls that are built into the UNIX/Linux operating system. Samba does nothing
+ with respect to file system access that violates file system permission settings, unless it is
+ explicitly instructed to do otherwise through share definition controls. Given that Samba obeys
+ UNIX file system controls, this chapter does not document simple information that can be obtained
+ from a basic UNIX training guide. Instead, one common example of a typical problem is used
+ to demonstrate the most effective solution referred to in the immediately preceding paragraph.
+ </p><p><a class="indexterm" name="id2582828"></a><a class="indexterm" name="id2582836"></a><a class="indexterm" name="id2582844"></a>
+ One of the common issues that repeatedly pops up on the Samba mailing lists involves the saving of
+ Microsoft Office files (Word and Excel) to a network drive. Here is the typical sequence:
+ </p><div class="orderedlist"><ol type="1"><li><p>
+ A user opens a Work document from a network drive. The file was owned by user <code class="constant">janetp</code>
+ and [users], and was set read/write-enabled for everyone.
+ </p></li><li><p>
+ File changes and edits are made.
+ </p></li><li><p>
+ The file is saved, and MS Word is closed.
+ </p></li><li><p>
+ The file is now owned by the user <code class="constant">billc</code> and group <code class="constant">doctors</code>,
+ and is set read/write by <code class="constant">billc</code>, read-only by <code class="constant">doctors</code>, and
+ no access by everyone.
+ </p></li><li><p>
+ The original owner cannot now access her own file and is “<span class="quote">justifiably</span>” upset.
+ </p></li></ol></div><p>
+ There have been many postings over the years that report the same basic problem. Frequently Samba users
+ want to know when this “<span class="quote">bug</span>” will be fixed. The fact is, this is not a bug in Samba at all.
+ Here is the real sequence of what happens in this case.
+ </p><p><a class="indexterm" name="id2582936"></a><a class="indexterm" name="id2582944"></a><a class="indexterm" name="id2582952"></a>
+ When the user saves a file, MS Word creates a new (temporary) file. This file is naturally owned
+ by the user who creates the file (<code class="constant">billc</code>) and has the permissions that follow
+ that user's default settings within the operating system (UNIX/Linux). When MS Word has finished writing
+ the file to disk, it then renames the new (temporary) file to the name of the old one. MS Word does not
+ change the ownership or permissions to what they were on the original file. The file is thus a totally
+ new file, and the old one has been deleted in the process.
+ </p><p>
+ Samba received a request to create a new file, and then to rename the file to a new name. The old file that
+ has the same name is now automatically deleted. Samba has no way of knowing that the new file should
+ perhaps have the same ownership and permissions as the old file. To Samba, these are entirely independent
+ operations.
+ </p><p>
+ The question is, “<span class="quote">How can we solve the problem?</span>”
+ </p><p>
+ The solution is simple. Use UNIX file system permissions and controls to your advantage. Follow these
+ simple steps to create a share in which all files will consistently be owned by the same user and the
+ same group:
+ </p><div class="procedure"><a name="id2582998"></a><p class="title"><b>Procedure 11.2. Using Directory Permissions to Force File User and Group Ownership</b></p><ol type="1"><li><p>
+ Change your share definition so that it matches this pattern:
+</p><pre class="screen">
+[finance]
+ path = /usr/data/finance
+ browseable = Yes
+ read only = No
+</pre><p>
+ </p></li><li><p><a class="indexterm" name="id2583024"></a><a class="indexterm" name="id2583035"></a>
+ Set consistent user and group permissions recursively down the directory tree as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> chown -R janetp.users /usr/data/finance
+</pre><p>
+ </p></li><li><p><a class="indexterm" name="id2583067"></a>
+ Set the files and directory permissions to be read/write for owner and group, and not accessible
+ to others (everyone), using the following command:
+</p><pre class="screen">
+<code class="prompt">root# </code> chmod ug+rwx,o-rwx /usr/data/finance
+</pre><p>
+ </p></li><li><p><a class="indexterm" name="id2583096"></a>
+ Set the SGID (supergroup) bit on all directories from the top down. This means all files
+ can be created with the permissions of the group set on the directory. It means all users
+ who are members of the group <code class="constant">finance</code> can read and write all files in
+ the directory. The directory is not readable or writable by anyone who is not in the
+ <code class="constant">finance</code> group. Simply follow this example:
+</p><pre class="screen">
+<code class="prompt">root# </code> find /usr/data/finance -type d -exec chmod ug+s {}\;
+</pre><p>
+
+ </p></li><li><p><a class="indexterm" name="id2583137"></a><a class="indexterm" name="id2583145"></a><a class="indexterm" name="id2583153"></a>
+ Make sure all users that must have read/write access to the directory have
+ <code class="constant">finance</code> group membership as their primary group,
+ for example, the group they belong to in <code class="filename">/etc/passwd</code>.
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2583178"></a>Managing Windows 200x ACLs</h3></div></div></div><p><a class="indexterm" name="id2583184"></a><a class="indexterm" name="id2583192"></a><a class="indexterm" name="id2583200"></a><a class="indexterm" name="id2583208"></a>
+ Samba must translate Windows 2000 ACLs to UNIX POSIX ACLs. This has some interesting side effects because
+ there is not a one-to-one equivalence between them. The as-close-as-possible ACLs match means
+ that some transactions are not possible from MS Windows clients. One of these is to reset the ownership
+ of directories and files. If you want to reset ownership, this must be done from a UNIX/Linux login.
+ </p><p>
+ There are two possible ways to set ACLs on UNIX/Linux file systems from a Windows network workstation,
+ either via File Manager or via the Microsoft Management Console (MMC) Computer Management interface.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2583232"></a>Using the MMC Computer Management Interface</h4></div></div></div><div class="procedure"><ol type="1"><li><p>
+ From a Windows 200x/XP Professional workstation, log on to the domain using the Domain Administrator
+ account (on Samba domains, this is usually the account called <code class="constant">root</code>).
+ </p></li><li><p>
+ Click
+ <span class="guimenu">Start</span>-><span class="guimenuitem">Settings</span>-><span class="guimenuitem">Control Panel</span>-><span class="guimenuitem">Administrative Tools</span>-><span class="guimenuitem">Computer Management</span>.
+ </p></li><li><p>
+ In the left panel,
+ <span class="guimenu">[Right mouse menu item] Computer Management (Local)</span>-><span class="guimenuitem">Connect to another computer ...</span>-><span class="guimenuitem">Browse...</span>-><span class="guimenuitem">Advanced</span>-><span class="guimenuitem">Find Now</span>. In the lower panel, click on the name of the server you wish to
+ administer. Click <span class="guimenu">OK</span>-><span class="guimenuitem">OK</span>-><span class="guimenuitem">OK</span>.
+ In the left panel, the entry <span class="guimenu">Computer Management (Local)</span> should now reflect
+ the change made. For example, if the server you are administering is called <code class="constant">FRODO</code>,
+ the Computer Management entry should now say: <span class="guimenu">Computer Management (FRODO)</span>.
+ </p></li><li><p>
+ In the left panel, click <span class="guimenu">Computer Management (FRODO)</span>-><span class="guimenuitem">[+] Shared Folders</span>-><span class="guimenuitem">Shares</span>.
+ </p></li><li><p><a class="indexterm" name="id2583415"></a><a class="indexterm" name="id2583423"></a><a class="indexterm" name="id2583431"></a><a class="indexterm" name="id2583439"></a>
+ In the right panel, double-click on the share on which you wish to set/edit ACLs. This
+ brings up the Properties panel. Click the <span class="guimenu">Security</span> tab. It is best
+ to edit ACLs using the <code class="constant">Advanced</code> editing features. Click the
+ <span class="guimenu">Advanced</span> button. This opens a panel that has four tabs. Only the
+ functionality under the <code class="constant">Permissions</code> tab can be utilized with respect
+ to a Samba domain server.
+ </p></li><li><p><a class="indexterm" name="id2583478"></a><a class="indexterm" name="id2583486"></a>
+ You may now edit/add/remove access control settings. Be very careful. Many problems have been
+ created by people who decided that everyone should be rejected but one particular group should
+ have full control. This is a catch-22 situation because members of that particular group also
+ belong to the group <code class="constant">Everyone</code>, which therefore overrules any permissions
+ set for the permitted group.
+ </p></li><li><p>
+ When you are done with editing, close all panels by clicking through the <span class="guimenu">OK</span>
+ buttons until the last panel closes.
+ </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2583523"></a>Using MS Windows Explorer (File Manager)</h4></div></div></div><p>
+ The following alternative method may be used from a Windows workstation. In this example we work
+ with a domain called <code class="constant">MEGANET</code>, a server called <code class="constant">MASSIVE</code>, and a
+ share called <code class="constant">Apps</code>. The underlying UNIX/Linux share point for this share is
+ <code class="filename">/data/apps</code>.
+ </p><div class="procedure"><ol type="1"><li><p>
+ Click <span class="guimenu">Start</span>-><span class="guimenuitem">[right-click] My Computer</span>-><span class="guimenuitem">Explore</span>-><span class="guimenuitem">[left panel] [+] My Network Places</span>-><span class="guimenuitem">[+] Entire Network</span>-><span class="guimenuitem">[+] Microsoft Windows Network</span>-><span class="guimenuitem">[+] Meganet</span>-><span class="guimenuitem">[+] Massive</span>-><span class="guimenuitem">[right-click] Apps</span>-><span class="guimenuitem">Properties</span>-><span class="guimenuitem">Security</span>-><span class="guimenuitem">Advanced</span>. This opens a panel that has four tabs. Only the functionality under the
+ <code class="constant">Permissions</code> tab can be utilized for a Samba domain server.
+ </p></li><li><p><a class="indexterm" name="id2583648"></a><a class="indexterm" name="id2583656"></a>
+ You may now edit/add/remove access control settings. Be very careful. Many problems have been
+ created by people who decided that everyone should be rejected but one particular group should
+ have full control. This is a catch-22 situation because members of that particular group also
+ belong to the group <code class="constant">Everyone</code>, which therefore overrules any permissions
+ set for the permitted group.
+ </p></li><li><p>
+ When you are done with editing, close all panels by clicking through the <span class="guimenu">OK</span>
+ buttons until the last panel closes.
+ </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2583694"></a>Setting Posix ACLs in UNIX/Linux</h4></div></div></div><p><a class="indexterm" name="id2583701"></a><a class="indexterm" name="id2583709"></a>
+ Yet another alternative method for setting desired security settings on the shared resource files and
+ directories can be achieved by logging into UNIX/Linux and setting POSIX ACLs directly using command-line
+ tools. Here is an example session on the same resource as in the immediately preceding example on a SUSE 9
+ Linux system:
+ </p><div class="procedure"><ol type="1"><li><p>
+ Log into the Linux system as the user <code class="constant">root</code>.
+ </p></li><li><p>
+ Change directory to the location of the exported (shared) Windows file share (Apps), which is in
+ the directory <code class="filename">/data</code>. Execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> cd /data
+</pre><p>
+ Retrieve the existing POSIX ACLs entry by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> getfacl apps
+# file: apps
+# owner: root
+# group: root
+user::rwx
+group::rwx
+other::r-x
+</pre><p>
+ </p></li><li><p><a class="indexterm" name="id2583783"></a>
+ You want to add permission for <code class="constant">AppsMgrs</code> to enable them to
+ manage the applications (apps) share. It is important to set the ACL recursively
+ so that the AppsMgrs have this capability throughout the directory tree that is
+ being shared. This is done using the <code class="constant">-R</code> option as shown.
+ Execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> setfacl -m -R group:AppsMgrs:rwx /data/apps
+</pre><p>
+ Because setting an ACL does not provide a response, you immediately validate the command executed
+ as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> getfacl /data/apps
+# file: apps
+# owner: root
+# group: root
+user::rwx
+group::rwx
+group:AppsMgrs:rwx
+mask::rwx
+other::r-x
+</pre><p>
+ This confirms that the change of POSIX ACL permissions has been effective.
+ </p></li><li><p><a class="indexterm" name="id2583839"></a><a class="indexterm" name="id2583847"></a><a class="indexterm" name="id2583855"></a><a class="indexterm" name="id2583863"></a><a class="indexterm" name="id2583871"></a>
+ It is highly recommended that you read the online manual page for the <span><strong class="command">setfacl</strong></span>
+ and <span><strong class="command">getfacl</strong></span> commands. This provides information regarding how to set/read the default
+ ACLs and how that may be propagated through the directory tree. In Windows ACLs terms, this is the equivalent
+ of setting <code class="constant">inheritance</code> properties.
+ </p></li></ol></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2583904"></a>Key Points Learned</h3></div></div></div><p>
+ The mish-mash of issues were thrown together into one chapter because it seemed like a good idea.
+ Looking back, this chapter could be broken into two, but it's too late now. It has been done.
+ The highlights covered are as follows:
+ </p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id2583922"></a><a class="indexterm" name="id2583930"></a><a class="indexterm" name="id2583938"></a><a class="indexterm" name="id2583946"></a>
+ Winbind honors and does not override account controls set in Active Directory.
+ This means that password change, logon hours, and so on, are (or soon will be) enforced
+ by Samba winbind. At this time, an out-of-hours login is denied and password
+ change is enforced. At this time, if logon hours expire, the user is not forcibly
+ logged off. That may be implemented at some later date.
+ </p></li><li><p><a class="indexterm" name="id2583964"></a><a class="indexterm" name="id2583972"></a>
+ Sign'n'seal (plus schannel support) has been implemented in Samba-3. Beware of potential
+ problems acknowledged by Microsoft as having been fixed but reported by some as still
+ possibly an open issue.
+ </p></li><li><p><a class="indexterm" name="id2583988"></a><a class="indexterm" name="id2583996"></a><a class="indexterm" name="id2584004"></a><a class="indexterm" name="id2584012"></a>
+ The combination of Kerberos 5, plus OpenLDAP, plus Samba, cannot replace Microsoft
+ Active Directory. The possibility to do this is not planned in the current Samba-3
+ roadmap. Samba-3 does aim to provide further improvements in interoperability so that
+ UNIX/Linux systems may be fully integrated into Active Directory domains.
+ </p></li><li><p>
+ This chapter reviewed mechanisms by which Samba servers may be kept secure. Each of
+ the four key methodologies was reviewed with specific reference to example deployment
+ techniques.
+ </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2584039"></a>Questions and Answers</h2></div></div></div><p>
+ </p><div class="qandaset"><dl><dt> <a href="kerberos.html#id2584054">Sign'n'sealregistry hacks
+ Does Samba-3 require the Sign'n'seal registry hacks needed by Samba-2?
+ </a></dt><dt> <a href="kerberos.html#id2584125">
+ Does Samba-3 support Active Directory?
+ </a></dt><dt> <a href="kerberos.html#id2584156">mixed-mode
+ When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was
+ necessary with Samba-2?
+ </a></dt><dt> <a href="kerberos.html#id2584194">share level access controls
+ Is it safe to set share-level access controls in Samba?
+ </a></dt><dt> <a href="kerberos.html#id2584224">share ACLs
+ Is it mandatory to set share ACLs to get a secure Samba-3 server?
+ </a></dt><dt> <a href="kerberos.html#id2584300">valid users
+ The valid users did not work on the [homes].
+ Has this functionality been restored yet?
+ </a></dt><dt> <a href="kerberos.html#id2584361">force userforce groupbias
+ Is the bias against use of the force user and force group
+ really warranted?
+ </a></dt><dt> <a href="kerberos.html#id2584425">
+ The example given for file and directory access control forces all files to be owned by one
+ particular user. I do not like that. Is there any way I can see who created the file?
+ </a></dt><dt> <a href="kerberos.html#id2584473">Computer Management
+ In the book, The Official Samba-3 HOWTO and Reference Guide, you recommended use
+ of the Windows NT4 Server Manager (part of the SRVTOOLS.EXE) utility. Why
+ have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility?
+ </a></dt><dt> <a href="kerberos.html#id2584540">valid usersActive DirectoryDomain Member server
+ I tried to set valid users = @Engineers, but it does not work. My Samba
+ server is an Active Directory domain member server. Has this been fixed now?
+ </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2584054"></a><a name="id2584057"></a><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2584060"></a><a class="indexterm" name="id2584068"></a>
+ Does Samba-3 require the <code class="constant">Sign'n'seal</code> registry hacks needed by Samba-2?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2584087"></a><a class="indexterm" name="id2584095"></a><a class="indexterm" name="id2584103"></a>
+ No. Samba-3 fully supports <code class="constant">Sign'n'seal</code> as well as <code class="constant">schannel</code>
+ operation. The registry change should not be applied when Samba-3 is used as a domain controller.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2584125"></a><a name="id2584127"></a><b></b></td><td align="left" valign="top"><p>
+ Does Samba-3 support Active Directory?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2584138"></a>
+ Yes. Samba-3 can be a fully participating native mode Active Directory client. Samba-3 does not
+ provide Active Directory services. It cannot be used to replace a Microsoft Active Directory
+ server implementation. Samba-3 can function as an Active Directory client (workstation) toolkit,
+ and it can function as an Active Directory domain member server.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2584156"></a><a name="id2584158"></a><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2584161"></a>
+ When Samba-3 is used with Active Directory, is it necessary to run mixed-mode operation, as was
+ necessary with Samba-2?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2584178"></a>
+ No. Samba-3 can be used with NetBIOS over TCP/IP disabled, just as can be done with Windows 200x
+ Server and 200x/XPPro client products. It is no longer necessary to run mixed-mode operation,
+ because Samba-3 can join a native Windows 2003 Server ADS domain.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2584194"></a><a name="id2584197"></a><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2584200"></a>
+ Is it safe to set share-level access controls in Samba?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ Yes. Share-level access controls have been supported since early versions of Samba-2. This is
+ very mature technology. Not enough sites make use of this powerful capability, neither on
+ Windows server or with Samba servers.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2584224"></a><a name="id2584226"></a><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2584229"></a>
+ Is it mandatory to set share ACLs to get a secure Samba-3 server?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2584245"></a><a class="indexterm" name="id2584253"></a><a class="indexterm" name="id2584261"></a><a class="indexterm" name="id2584269"></a><a class="indexterm" name="id2584277"></a>
+ No. Samba-3 honors UNIX/Linux file system security, supports Windows 200x ACLs, and provides
+ means of securing shares through share definition controls in the <code class="filename">smb.conf</code> file. The additional
+ support for share-level ACLs is like frosting on the cake. It adds to security but is not essential
+ to it.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2584300"></a><a name="id2584302"></a><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2584306"></a>
+ The <em class="parameter"><code>valid users</code></em> did not work on the <em class="parameter"><code>[homes]</code></em>.
+ Has this functionality been restored yet?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2584333"></a>
+ Yes. This was fixed in Samba-3.0.2. The use of this parameter is strongly recommended as a safeguard
+ on the <em class="parameter"><code>[homes]</code></em> meta-service. The correct way to specify this is:
+ <a class="indexterm" name="id2584351"></a>valid users = %S.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2584361"></a><a name="id2584364"></a><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2584367"></a><a class="indexterm" name="id2584375"></a><a class="indexterm" name="id2584382"></a>
+ Is the bias against use of the <em class="parameter"><code>force user</code></em> and <em class="parameter"><code>force group</code></em>
+ really warranted?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2584410"></a>
+ There is no bias. There is a determination to recommend the right tool for the task at hand.
+ After all, it is better than putting users through performance problems, isn't it?
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2584425"></a><a name="id2584427"></a><b></b></td><td align="left" valign="top"><p>
+ The example given for file and directory access control forces all files to be owned by one
+ particular user. I do not like that. Is there any way I can see who created the file?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2584440"></a>
+ Sure. You do not have to set the SUID bit on the directory. Simply execute the following command
+ to permit file ownership to be retained by the user who created it:
+</p><pre class="screen">
+<code class="prompt">root# </code> find /usr/data/finance -type d -exec chmod g+s {}\;
+</pre><p>
+ Note that this required no more than removing the <code class="constant">u</code> argument so that the
+ SUID bit is not set for the owner.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2584473"></a><a name="id2584475"></a><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2584479"></a>
+ In the book, “<span class="quote">The Official Samba-3 HOWTO and Reference Guide</span>”, you recommended use
+ of the Windows NT4 Server Manager (part of the <code class="filename">SRVTOOLS.EXE</code>) utility. Why
+ have you mentioned only the use of the Windows 200x/XP MMC Computer Management utility?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2584507"></a><a class="indexterm" name="id2584514"></a>
+ Either tool can be used with equal effect. There is no benefit of one over the other, except that
+ the MMC utility is present on all Windows 200x/XP systems and does not require additional software
+ to be downloaded and installed. Note that if you want to manage user and group accounts in your
+ Samba-controlled domain, the only tool that permits that is the NT4 Domain User Manager, which
+ is provided as part of the <code class="filename">SRVTOOLS.EXE</code> utility.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2584540"></a><a name="id2584542"></a><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2584545"></a><a class="indexterm" name="id2584553"></a><a class="indexterm" name="id2584561"></a>
+ I tried to set <em class="parameter"><code>valid users = @Engineers</code></em>, but it does not work. My Samba
+ server is an Active Directory domain member server. Has this been fixed now?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ The use of this parameter has always required the full specification of the domain account, for
+ example, <em class="parameter"><code>valid users = @"MEGANET2\Domain Admins"</code></em>.
+ </p></td></tr></tbody></table></div></div><div class="footnotes"><br><hr width="100" align="left"><div class="footnote"></div><div class="footnote"><a href="http://199.105.191.226/Man/2699/020430msdoj/" target="_top"><sup>[<a name="ftn.id2581675" href="#id2581675">13</a>] </sup>ITWorld.com</a></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="RefSection.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="DomApps.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Part III. Reference Section </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 12. Integrating Additional Services</td></tr></table></div></body></html>