different share for different workgroup - Howto??

David Collier-Brown David.Collier-Brown at canada.sun.com
Tue Sep 5 13:53:57 GMT 2000

[Crossposted to samba-technical as it may expose a log-file buglet]

Bernard Dugas wrote:
> You are not alone with the problem of multiple workgroup ! Can we team
> up on this problem ?
> Ask any question if you need more on the context.
> 1-Network configuration :
> Here is the configuration :
>                            _____________
> OrgA ------|            |
>                            |  Routers   |
> OrgB ------|            |
>                            |  inside    |
> ........                   |----NAT-----|
>                            |  outside   |
> Server ---|            |
> For ORGA    |____________|
> For ORGB
> One computer is the server, with one physical interface eth0 at
> There is one alias IP address for each Organisation on this eth0
> interface :
> for ORGA, for ORGB, ...
> 2- Samba configuration :
> There is one smb configuration file for each organisation, each one
> using the
> dedicated ip alias on eth0. smb.conf.ORGA and smb.conf.ORGB are
> attached.
> Any user in OrgX must not access and must not even know the existence of
> any user
> or any server in other organisations. It's why each smb server is also
> WIN server for its organisation.

	This is slightly dangerous, but only slightly: Samba
	doesn't support secondary WINS servers yet, so if
	the samba server fails, so does wins. 

> 3- Observations :
> - the bind interfaces only = yes is necessary to let servers alive on
> the same computer. If not present, all smb servers except the first one
> refuse to bind on port 139 of eth0 basic ip address ;

	Yes, I hadn't mentioned that...
> - There is only name resolve order = wins to avoid that one nmbd broadcasts
> to the
> others. But I'm not sure this is a right solution...

	If the groups must be distinct, order = wins hosts
	is about all you can do...

> - the use of the shares is possible, but I can't see the wins
> yet in the neighborhood window of an NT client. Some other difficulties
> are following.

	You should see only the samba file and print server: is
	it present? If not, work very carefully through the
	fault tree, looking for places where NAT might be preventing
	broadcasts from getting to the server... The first few
	steps in browsing use broadcast.

> 4- Questions :
> - there are 2 nmbd processes for each smb server, *why ?* ;

	One is a dns client, which is separate so it can block
	waiting for a slow server without blocking the main nmbd.
> - the nmbd processes refuse to use the log files defined in conf files
> smb.conf.OrgX. All nmbd processes mix their log in one file in the same
> default
> /var/log/samba/log.nmbd file and the mixed result is impossible to
> understand. Isn't it an anomaly ? Would it be possible to have a
> dedicated
> log file for each nmbd process ?

	It sure should! Anyone know why this doesn't	
> [global]
>         workgroup = WRKGRPORGA
>         netbios name = SRVORGA
>         hosts allow = 192.168.10.
>         guest account = USRORGA
>         log file = /var/log/samba-ORGA/log_%I-%m-%U_
>         lock directory = /var/lock/samba-ORGA

	It appears to be correct in the code: cscope says...
  File       Function          Line
1 debug.c    reopen_logs        203 if ( lp_loaded() && (*lp_logfile()) )
2 debug.c    reopen_logs        204 pstrcpy( fname, lp_logfile() );
3 loadparm.c FN_GLOBAL_STRING  1181 FN_GLOBAL_STRING(lp_logfile,
4 proto.h    share_mode_forall 1019 char *lp_logfile(void );
	and reopen_logs seems to be the only place
	it's used.

> - what do I have to do with the domain master and local master
> options ? Does it depend if there is an NT client in the corresponding
> organisation ?

	Sorta try to make samba the master, setting the "os level"
	to something more than the nt client uses, to keep it from
	fighting with samba.  Also try to eliminate protocols other
	than tcp/ip from all the clients, to keep browsing sane...
> - I have a NAT/PAT barrier between the organisations and the server. Is
> the WIN server protocol OK with such a protection ?

	WINS is, but browsing **may** not work.  If the NAT
	program forwards broadcasts, it should. 
> The idea of one multi-workgroup samba server seems still *very* simple
> compare to all that ;-)

	Yup!  I like to allow people to see things, but not
	touch (I like hosts allow).  That's a Unix "norm", because
	some security-literate folks were involved in v6.
	Security via obscurity never works.
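The thread's layout (one smbd/nmbd pair per organisation, each on its own IP alias with "bind interfaces only", its own hosts allow prefix, and its own log and lock locations) is easy to get subtly wrong when several smb.conf files live on one host. The following is an added example, not code from the thread or from the Samba project: a small Python checker that parses each per-organisation smb.conf and reports parameters two instances must never share. The ORGA [global] section follows the fragment quoted above; the "interfaces" lines, the addresses, and the whole ORGB file are constructed for illustration.

```python
"""Sanity-check per-organisation smb.conf files for the multi-workgroup
layout discussed in the thread: one smbd/nmbd pair per IP alias, each bound
only to its own alias and writing to its own log/lock locations.
Added example, not Samba project code."""
import configparser
from itertools import combinations

# Constructed sample configs.  ORGA's [global] follows the fragment quoted
# in the thread; the 'interfaces' lines, the addresses and the whole ORGB
# file are assumptions for illustration.
SAMPLE_CONFIGS = {
    "smb.conf.ORGA": """
[global]
        workgroup = WRKGRPORGA
        netbios name = SRVORGA
        interfaces = 192.168.10.1/24
        bind interfaces only = yes
        hosts allow = 192.168.10.
        guest account = USRORGA
        log file = /var/log/samba-ORGA/log_%I-%m-%U_
        lock directory = /var/lock/samba-ORGA
        name resolve order = wins hosts
        wins support = yes
""",
    "smb.conf.ORGB": """
[global]
        workgroup = WRKGRPORGB
        netbios name = SRVORGB
        interfaces = 192.168.20.1/24
        bind interfaces only = yes
        hosts allow = 192.168.20.
        guest account = USRORGB
        log file = /var/log/samba-ORGB/log_%I-%m-%U_
        lock directory = /var/lock/samba-ORGB
        name resolve order = wins hosts
        wins support = yes
""",
}

# Parameters that must differ between instances sharing one host: two
# nmbd/smbd pairs using the same lock directory or log file clobber each
# other's state, and a shared interface means only the first instance
# can bind port 139 (the thread's own observation).
MUST_BE_UNIQUE = ("interfaces", "log file", "lock directory",
                  "netbios name", "workgroup")


def parse_smb_conf(text):
    """Return the [global] section of an smb.conf as a dict.
    Keys are lower-cased; interpolation=None keeps %I/%m/%U literal."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return {k.strip().lower(): v.strip() for k, v in cp["global"].items()}


def check_instance(name, g):
    """Per-file checks; returns a list of problem strings."""
    problems = []
    if g.get("bind interfaces only", "no").lower() not in ("yes", "true", "1"):
        problems.append(f"{name}: 'bind interfaces only' must be yes, "
                        "or later instances cannot bind port 139")
    if "interfaces" not in g:
        problems.append(f"{name}: no 'interfaces' line, so "
                        "'bind interfaces only' has nothing to bind to")
    # The instance's own alias should fall inside its own hosts allow prefix;
    # otherwise the organisation's clients are cut off from their server.
    iface = g.get("interfaces", "").split("/")[0]
    allowed = [p.strip() for p in g.get("hosts allow", "").split(",") if p.strip()]
    if allowed and iface and not any(iface.startswith(p) for p in allowed):
        problems.append(f"{name}: interface {iface} is outside its own "
                        f"'hosts allow' ({', '.join(allowed)})")
    return problems


def check_isolation(configs):
    """Cross-file checks: no two instances may share a MUST_BE_UNIQUE value.
    Returns a list of problem strings (empty when the layout is clean)."""
    parsed = {name: parse_smb_conf(text) for name, text in configs.items()}
    problems = []
    for name, g in parsed.items():
        problems.extend(check_instance(name, g))
    for (a, ga), (b, gb) in combinations(parsed.items(), 2):
        for key in MUST_BE_UNIQUE:
            if key in ga and ga[key] == gb.get(key):
                problems.append(f"{a} and {b} share '{key} = {ga[key]}'")
    return problems


if __name__ == "__main__":
    for line in check_isolation(SAMPLE_CONFIGS) or ["no isolation problems found"]:
        print(line)
```

Run it against real files by replacing SAMPLE_CONFIGS with the contents of each smb.conf.OrgX; the checker deliberately stays at the [global] level, since that is where the per-instance binding, logging and locking parameters live.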

