Using remote announce w/ security=domain

Andrew Perrin - Demography aperrin at demog.Berkeley.EDU
Fri Apr 16 00:05:16 GMT 1999

Many thanks to all who've responded!

Here's what we've done, which *seems* to be working quite nicely:

1.) Placed our machine in their subnet, a junker (Sparc 1, name anasazi)
running Samba 1.9.18p10. (will upgrade it someday soon) This machine is
the main browser for the DEMOGRAPHY workgroup in the remote subnet. It is
set to wins proxy = yes and wins server = (our main wins server).  The
Win9x machines in the remote subnet do not have any wins server set up.

2.) Set up our main server with a netbios aliases=BARROWS-SVR and
include=/usr/LOCAL/samba/lib/smb.conf.%L .  Put most of the information -
including security stuff and all shares - in the smb.conf.* files.

3.) Set remote announce=(anasazi's IP address)

4.) Set smb.conf.barrows-svr to map to guest = Bad User to allow unknown
people to use the shares as guest.

It appears as if, eventually, the remote subnet gets the whole local
browselist, not just the machines that are set to remote announce, which
puzzles me; otherwise, it seems to work well.

Andrew J. Perrin - aperrin at - NT/Unix Admin/Support
Department of Demography    -    University of California at Berkeley
2232 Piedmont Avenue #2120  -    Berkeley, California, 94720-2120 USA --------------------------SEIU1199

On Fri, 16 Apr 1999, Luke Kenneth Casson Leighton wrote:

> On Wed, 14 Apr 1999, Andrew Perrin - Demography wrote:
> > So, let me see if I understand the upshot here: what we're hoping to do on
> > campus is (at least for now) not possible: that is, to plop samba servers
> > in 'foreign' subnets where we are unable to control the configuration of
> > the Win9x machines (except to guarantee that they have NetBIOS and TCP/IP)
> > and have users on those machines be able to view our server's shares and
> > grab stuff off of them.
> basically correct.
> solutions:
> 1) poison their WINS server database (either by using it as _your_ WINS
> server or getting its admin to add an entry for your server OR by writing
> a small program to register the samba server's ip address in TWO WINS
> servers :-) :-)
> 2) sneak a samba server onto that subnet with "wins proxy = yes" where
> that samba server uses the same WINS server as the rest of _your_ samba
> servers+windows clients.
> 3) rely on the remote clients using dns, plus you using remote announce:
> this is one of the _only_ situations under which i would recommend the use
> of remote announce
> 4) hack into all of those machines on the remote network and put your
> samba server in their lmhosts files (not recommended :-)
> 5) _ask_ individual users who wish to access your samba servers to add an
> entry in the lmhosts file.
> samba servers as PDCs need to have that odd #PRE DOMAIN_NAME system in
> clients' lmhosts.
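
Added example, not part of the original post and not Samba code: a small Python check for the per-name include layout described in steps 2-4 above. For each NetBIOS name the server answers to, it reports whether unknown users are mapped to guest and which shares accept guests. The file contents, the primary name MAINSRV, the share names and the address 192.0.2.10 are constructed placeholders, and the include handling is a simplified merge rather than Samba's own parser.

```python
# Constructed sample files, not the poster's real ones: MAINSRV, the share names
# and 192.0.2.10 are placeholders. %L is lower-cased to match smb.conf.barrows-svr.
FILES = {
    "smb.conf": "[global]\nnetbios name = MAINSRV\nnetbios aliases = BARROWS-SVR\n"
                "remote announce = 192.0.2.10\n"
                "include = /usr/LOCAL/samba/lib/smb.conf.%L\n",
    "/usr/LOCAL/samba/lib/smb.conf.mainsrv":
        "[global]\nsecurity = domain\n[data]\npath = /export/data\n",
    "/usr/LOCAL/samba/lib/smb.conf.barrows-svr":
        "[global]\nmap to guest = Bad User\n[public]\npath = /export/public\n"
        "guest ok = yes\n",
}

def parse(text):
    """Parse smb.conf text into {section: {parameter: value}}, names lower-cased."""
    sections, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1].lower(), {})
        elif "=" in line and cur is not None:
            key, value = line.split("=", 1)
            cur[" ".join(key.lower().split())] = value.strip()
    return sections

def effective(name, files=FILES):
    """Settings a client sees when it calls the server `name` (simplified merge)."""
    conf = parse(files["smb.conf"])
    inc = conf["global"].get("include", "").replace("%L", name.lower())
    for sec, params in parse(files.get(inc, "")).items():
        conf.setdefault(sec, {}).update(params)
    return conf

def guest_exposure(files=FILES):
    """Per NetBIOS name: is 'map to guest' active, and which shares allow guests."""
    g = parse(files["smb.conf"])["global"]
    report = {}
    for name in [g["netbios name"]] + g.get("netbios aliases", "").split():
        conf = effective(name, files)
        mapped = conf["global"].get("map to guest", "never").lower() != "never"
        shares = sorted(s for s, p in conf.items() if s != "global"
                        and p.get("guest ok", "no").lower() in ("yes", "true", "1"))
        report[name] = {"map_to_guest": mapped, "guest_shares": shares}
    return report

if __name__ == "__main__":
    for name, result in guest_exposure().items():
        print(name, result)
```

With the sample files, only the BARROWS-SVR alias shows guest mapping and a guest share; a guest setting that turns up under the primary name would mean it leaked out of the per-alias file.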
