Corporate Reactions to Linux (fwd)

Fredrik Norrman fredrik.norrman at axis.com
Wed Oct 13 20:43:47 GMT 1999


Luke, you are talking about adding more security for the
protocol itself so it can cope with evil attacks to the
NT domain system.

You are right that we cannot solve this problem since 
NetBIOS by design is dynamic and works through elections.


What I suggested Samba takes care of is the case where 
a stupid user who sets up his first RedHat server and 
misconfigures Samba and brings down the corporate NT network
because of that. 
You can easily solve that by checking if _someone else_ is
already registered as PDC on the network.

While you are at it - do the same thing with the normal 
name registration in order to avoid name collisions 
on the network. (btw, we (Axis) do that with _our_ CIFS server)


NT doesn't handle this very well. Samba can be better, right?


Another thing to add to the wishlist - A misconfigured
Samba box can screw up the browsing by incorrectly announcing
itself as Master Browser. The result - the Samba box will
only know about itself and 'network neighborhood' contains
nothing but the poor misconfigured Samba box.
This seems to happen when WINS is not correctly configured.


Accidents _do_ happen, but they don't have to bring down 
corporate networks.

Regards
Fredrik

> -----Original Message-----
> From: Luke Kenneth Casson Leighton [mailto:lkcl at samba.org]
> Sent: den 12 oktober 1999 19:48
> To: Multiple recipients of list SAMBA-NTDOM
> Subject: Re: Corporate Reactions to Linux (fwd)
> 
> 
> On Tue, 12 Oct 1999, Mike Black wrote:
> 
> > Isn't it possible to query the name first to see if it's registered already
> 
> this is what WINS servers should do.  it makes no difference.  failed
> registration of DOMAIN_NAME<1b> with the WINS server doesn't stop you
> registering DOMAIN_NAME<1b> on broadcast-isolated subnets, particularly if
> you're not _using_ a WINS server.
> 
> > And, since SAMBA is TCP/IP based can't we do a lookup and see if the name
> > matches our IP address?  If this didn't match we should refuse to startup
> > (or maybe provide another force flag).
> 
> static entries in wins.dat / lmhosts.
> 
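
The pre-registration check discussed in this thread (query DOMAIN<1b> first and refuse to start as PDC if someone else answers), as an added example that is not part of the original messages and not Samba's or Axis's code. The domain name CORP, the 192.0.2.x addresses, the sample reply and all function names are constructed for illustration; the check only sees holders that actually answer the query, so it does not cover the broadcast-isolated subnets or static entries raised in the quoted reply.

```python
import socket
import struct

NB, IN = 0x0020, 0x0001  # RFC 1002 question type NB, class IN

def encode_name(name, suffix):
    """RFC 1001 first-level encoding: 15 padded chars + suffix byte -> 34 bytes."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    half = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return b"\x20" + half + b"\x00"

def build_query(name, suffix, trn_id):
    """Broadcast name query: opcode 0, RD and B flags set (0x0110), one question."""
    header = struct.pack(">HHHHHH", trn_id, 0x0110, 1, 0, 0, 0)
    return header + encode_name(name, suffix) + struct.pack(">HH", NB, IN)

def parse_holders(reply, trn_id, name, suffix):
    """Return the IPs a positive name query response lists for name<suffix>."""
    if len(reply) < 12 + 34 + 10:
        return []
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", reply[:12])
    # Need: matching transaction id, response bit set, RCODE 0, an answer.
    if rid != trn_id or not flags & 0x8000 or flags & 0x000F or an < 1:
        return []
    if reply[12:46] != encode_name(name, suffix):
        return []
    rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", reply[46:56])
    if rtype != NB:
        return []
    rdata = reply[56:56 + rdlen]
    # RDATA is a list of 6-byte entries: 2 bytes NB_FLAGS, 4 bytes IPv4 address.
    return [socket.inet_ntoa(rdata[i + 2:i + 6]) for i in range(0, len(rdata) - 5, 6)]

def may_register(holders, own_ip):
    """Allow startup as PDC only if nobody else already holds the name."""
    return all(ip == own_ip for ip in holders)

# Constructed sample: 192.0.2.10 answers that it holds CORP<1b>.
SAMPLE_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8500, 0, 1, 0, 0)
                + encode_name("CORP", 0x1B)
                + struct.pack(">HHIH", NB, IN, 300, 6)
                + struct.pack(">H", 0x0000) + socket.inet_aton("192.0.2.10"))
```

A server at 192.0.2.20 that receives `SAMPLE_REPLY` to its query would get `may_register(...) == False` and should refuse to claim CORP<1b> unless an explicit force option is given.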

