That troublemaker again (replace domain logons =, domain master=)

Andrew Bartlett abartlet at pcug.org.au
Mon Nov 12 06:27:05 GMT 2001


"Gerald (Jerry) Carter" wrote:
> 
> On Mon, 12 Nov 2001, Simo Sorce wrote:
> 
> > It is much easier to understand Andrew's table than the
> > domain master/logons combination from an administrator's point of view.
> > Sure, black belts in smb.conf would find it easy, but having parameters
> > that clearly state what samba will be is more understandable. And yes,
> > DMB is not so useful but is here to provide you a way to use any
> > combination of the two parameters (to avoid loss in configurability).
> >
> > We discussed this with Volker at CIFS too and I'm for this change,
> > much more clear IMHO.
> 
> I disagree.  It is simply an alternative representation.  Why not
> simply have documentation which presents this chart?  Removing
> the "security" parameter will break all existing
> documentation, configuration files, and third party tools.
> Not to mention making sysadmins relearn how to configure Samba.
> 
> For what?  A chart that may or may not be clearer to admins?
> The payoff is debatable and not big enough.

As you will see in my other e-mail, the problem is not at the security=
end of things.  At that end, I don't really care if we continue to have
'security=domain' and 'security=server' parameters that just set sane
defaults for 'auth order'.  

However, there is a problem on the nmbd side of things.  Normally I
simply don't care about nmbd, but nmbd is blocking my changes....

The problem is that without looking at 'security =' nmbd is unable to
correctly list itself as an NT PDC/BDC/Domain member/standalone.  As
such I proposed to tell nmbd directly (server role =), and (as a further
addition, not actually required) to force the value of two existing
parameters 'domain logons =' and 'domain master =' to their only
possible values in this situation.

The chart (showing how we get server role at present) is as follows:

  Domain Master    Domain Logons      Security
      Y                  Y             USER     = PDC
      N                  N             DOMAIN   = BDC
      N                  N             SERVER   = BDC
      N                  N             DOMAIN   = DOMAIN MEM
      N                  N             USER     = STANDALONE
      *                  *             SHARE    = STANDALONE

Note in particular that it is quite possible to construct a BDC without
using security=server/domain, but we can't advertise this with the
current crippled arrangement.

I hope this makes the dependency on security= clearer, and therefore why
we need 'server role' to specify this explicitly.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net



