Security model in samba-2
borsenkow.msk at sni.de
Mon Sep 7 15:01:27 GMT 1998
> -----Original Message-----
> From: samba-technical at samba.anu.edu.au
> [mailto:samba-technical at samba.anu.edu.au]On Behalf Of Luke Kenneth
> Casson Leighton
> Sent: Friday, September 04, 1998 8:05 PM
> To: Multiple recipients of list
> Subject: Re: Security model in samba-2
> > I should comment that Samba's security model
> > ``fits inside'' an orange book categoey and level.
> > A colleague and I described samba security as three-level,
> > but not in the ``secret" -vs- "top secret" sense
> > of levels: more like
> > 1) host level -- what machine can connect
> > 2) Service-level -- per-share limitations
> > 3) user-level -- limitations on particular users.
> > all sitting on top of (inside of) normal Unix
> > security.
> because you can include files inline using any %sub macro, you can do
> groups, caller's name, calling name etc etc. lots.
Unfortunately, I cannot access NT domain information now (or am I wrong?) There is no way to say:
valid domains = ...
valid domain groups = DOM1\gr1, DOM2\gr2 ...
valid domain users = DOM1\user1 ...
I repeat: in case of SAMBA particicpating in NT domain, the user name *only* is not enough. It simply does not provide enough authentication in case of trust relationships between domains. It is possible to emulate it, but it means, SAMBA server has to have complete knowledge of all possible domains/users/groups/hosts in any other domain.
More information about the samba-technical