Corporate Reactions to Linux (fwd)

Thu Oct 14 11:25:42 GMT 1999

> -----Original Message-----
> From: Luke Kenneth Casson Leighton [mailto:lkcl at samba.org]
> Sent: den 13 oktober 1999 23:08
> To: Multiple recipients of list SAMBA-NTDOM
> Subject: RE: Corporate Reactions to Linux (fwd)
> 
> 
> On Wed, 13 Oct 1999, Fredrik Norrman wrote:
> 
> > Luke, you are talking about adding more security for the
> > protocol itself so it can cope with evil attacks to the
> > NT domain system.
> 
> microsoft is doing this by abandoning the dependence on 
> NetBIOS.  this is
> done as follows:
> 
> - move to port 445 (SMB over TCP).  note that port 137 AND 
> port 138 are
> NOT involved here, where 138 is elections and 137 is NetBIOS name reg.
> 
> - use dynamic dns (undocumented but secure registration of ip 
> addresses).
> 
> - browsing _suspected_ to involve an LDAP front-end to the 
> trust accounts
> (i.e the domain-member workstations) but i really don't know.

Yup. W2K on a NetBIOS-less network is supposed to do this. I haven't
tested it yet.

WINS is replaced by DDNS. This is great. You can set static entries
for your servers and the workstations can use dynamic entries.

I wonder if someone has looked into the browser issue yet. I wonder about
the use of trust accounts though. It would imply that you have to 
have a Domain or Directory in order to get the browsing working.

> > What I suggested Samba takes care of is the case where 
> > a stupid user who sets up his first RedHat server and 
> > misconfigures Samba and brings down the corporate NT network
> > because of that. 
> > You can easily solve that by checking if _someone else_ is
> > already registered as PDC on the network.
> 
> in samba? yes, i believe we do this.  however, you still 
> cannot cater for
> the case where the stupid user sets up a PDC without a WINS 
> server entry
> (wins server = yes) as they will take over the local subnet 
> segment and
> therefore disrupt login services on that local subnet.

Can't you still search the local master browsers even if you are 
not configured with WINS? WINS should only stop you from passing
the boundaries of the local segment.

> > NT doesn't handle this very well. Samba can be better, right?
> 
> time.  priority.  someone want to address this?

Security is always important... maybe not as sexy as implementing
Active Directory and other cool stuff...

> > Another thing to add to the wishlist - A misconfigured
> > Samba box can screw up the browsing by incorrectly announcing 
> > itself as Master Browser. The result - the samba box will
> > only know about itself and 'network neighborhood' contains
> > nothing but the poor misconfigured samba box.
> > This seems to happen when WINS is not correctly configured.
> 
> yes.  it also happens with any other incorrectly configured 
> SMB system,
> where such systems are usually win95.

Well, win95 does not act as master browser by default. You have
to manually tell it to do so. Samba acts as a master browser
by default - that's the difference.

> microsoft's addition of "SMB signing" has thrown a new spanner in the
> works on this one.  the very presence of the "SMB signing" 
> data at the SMB
> layer will cause Win95 to stop working, even with anonymous SMB
> connections.  you need to install the "DFS Client 4.1" to get 
> it to work
> again.

Have you implemented this signing yet? I thought it was poorly 
documented.

> i have seen networks where rebooting a winnt client (domain 
> member) caused
> a network to operate correctly again.  this probably because 
> it happened
> to be the wksta that was up the longest, so it won elections. 
>  because it
> was not configured with "SMB signing" it caused the network-neigh to
> disappear on that subnet.

Yup. I truly dislike the dynamic behaviour of Windows browsing.
If Linux and Samba hadn't been so stable they wouldn't win the 
elections and cause this problem ;-)