That troublemaker again (replace domain logons =, domain master=)
abartlet at pcug.org.au
Mon Nov 12 06:27:05 GMT 2001
"Gerald (Jerry) Carter" wrote:
> On Mon, 12 Nov 2001, Simo Sorce wrote:
> > It is much more easier to understand the andrew's table than the
> > domain master/logons combination from an administrator point of view.
> > Sure black belts in smb.conf would find it easy, but having parameters
> > the clearly states what samba will be are more understandable. and yes
> > DMB is not so usefull but is here to provide you a way to use any
> > combination of the two parameters (to avoid loss in configurability).
> > We discussed this with volker at CIFS too and I'm for this change,
> > much more clear IMHO.
> I disagree. It is simply an alternative representation. Why not
> simply have documentation which presents this chart? Removing
> the "security" parameter will break all existing
> documentation, configuration files, and third party tools.
> Not to mention making sysadmins relearn how to configure Samba.
> For what? A chart that may or may not be clearer to admins?
> The payoff is debateable and not big enough.
As you will see in my other e-mail, the problem is not at the security=
end of things. At that end, I don't really care if we continue to have
'secruity=domain' and 'secruity=server' parameters that just set sane
defaults for 'auth order'.
However, there is a problem on the nmbd side of things. Normally I
simply don't care about nmbd, but nmbd is blocking my changes....
The problem is that without looking at 'security =' nmbd is unable to
correctly list itself as an NT PDC/BDC/Domain member/standalone. As
such I proposed to tell nmbd directly (server role =), and (as a further
addition, not actually required) to force the value of two existing
paramaters 'domain logons =' and 'domain master =' to their only
possible values in this situation.
The chart (showing how we get server role at present) is as follows:
Domain Master Domain Logons Security
Y Y USER = PDC
N N DOMAIN = BDC
N N SERVER = BDC
N N DOMAIN = DOMAIN MEM
N N USER = STANDALONE
* * SHARE = STANDALONE
Not in particular that it is quite possible to construct a BDC without
using secuirty=server/domain, but we can't advertise this with the
current crippled arrangement.
I hope this makes the dependency on security= clearer, and therefore why
we need 'server role' to specify this explicitly.
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
More information about the samba-technical